It sounds like the question is "how do I lock the client private key, so the user/attacker can't move it off the office PC?"
For the casual user, "If you do this, you'll lose your job" might work.
For a determined attacker, I can't see how any software-only solution
would work. Consider a hardware solution like a key pair locked
in a TPM.
--
Ken Goldman kg...@watson.ibm.com
914-784-7646 (863-7646)
tito
<tit...@gmail.com
> To
Sent by: openssl-users@openssl.org
owner-openssl-use cc
r...@openssl.org
Subject
Re: How to create a non exportable
07/14/2009 11:49 private key certificate using
PM openssl
Please respond to
openssl-us...@ope
nssl.org
Thanks a lot for the reply David.
First I will explain my threat model. I have got lot of employees who do
some transactions around the world sitting in their branch offices and I
need to authenticate them using DC. So they raise a request from their
browser and I provide them with a certificate from my openssl.The browser
will be in the PC of the office branches.
Now the threat is, If an agent export the certificate he acquired in a USB
or in someother way and goes to his home pc or somewhere else and he
imports the certificate to his personal PC and started doing
transactions.This cannot be allowed and the agent should do only
transactions from his office PC allotted to him.
As you have said,
simply graying out the option to export the key is sufficient.
But the agent is a franchisee and I cannot force them to install or do
something in their pcs,nor can I check whether they are ensuring the
instructions.So I cannot force or tell the agent to do some
configuration/modification in his PC or browser.
if he uninstalls and deletes the certificates/browser or change his PC ,I
shall issue him a new certificate.
He shouldnt be able to export/backup the private key or the certificate I
have issued to him.
Also this is not an issue in IE , as I can disable the option to export the
private key.So in IE, this requirement works well.
But I cannot enforce the agents to use Windows/Linux or IE /Mozilla.The
agents have the choice of infrastructure they can use.So I cannot enforce
them to use IE or Windows.
2009/7/15 David Schwartz <dav...@webmaster.com>
tito wrote:
> I have used SPKAC format to request a digital certificate from mozilla
> and signed the request with my master key from open ssl and imported it
> to my mozilla. I can readily export (backup)the private key +
certificate
> from mozilla and import it to some other system's mozilla browser. I
dont
> want this to happen. I dont want the private key to be exported. is
there
> any option in openssl to disable this.
It's not really possible to give you useful advice without understanding
your threat model. For example, would simply graying out the option to
export the key suffice? Or do you need to prevent the key from being
extracted even by a determined attacker? (For example, is simply shutting
off Mozilla's export option sufficient even if Mozilla is still capable
of
exporting the key?)
In principle, for Mozilla to prove it is entitled to use the certificate,
it
must perform operations using the private key. Unless the key is stored
in a
hardware token, there is no way to stop it from exporting the very same
private key data it is using to perform those key operations.
What is your outer problem? Are you trying to prevent against user error?
Are you trying to protect against malicious corruption of the browser by
a
determined attacker with access to the local system?
DS
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-us...@openssl.org
Automated List Manager majord...@openssl.org
<<inline: graycol.gif>>
<<inline: pic04043.gif>>
<<inline: ecblank.gif>>
