On Wed, Dec 24, 2008 at 03:59:13PM -0500, Edward Diener wrote:
>
> I am working for an employer who will be selling a product to end users.
> The risk model is that my employer feels it would be bad if a hacker
> were able to easily understand where the client certs reside in the end
> user application and were able to use the client certs to communicate to
> the server, ie. if someone who buys the product were able to use the
> client certs in a destructive way. My employer has also been told by a
> Sun representative he knows that if the client certs are distributed in
> the directory of the application it is a serious security risk. So he
> has asked me to investigate alternative ways of distributing the client
> certs.
It sounds like you are trying to implement DRM with an application that is
running on untrusted hardware controlled by a potentially hostile user.
You want to ensure that only your code has access to your server, and not
modified or user developed code. This is a "whitebox" DRM problem.
Your problem is completely unrelated to SSL and certificates. You
need a DRM professional. This is likey not the right forum for help
with whitebox DRM. Unless you have trusted hardware, you need code
obfuscation techqniques that hide key material in code visible to the
attacker. There is some commercial software in this space, but none
in OpenSSL. Good luck.
--
Viktor.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
