Securing a system against this kind of attack can be done in several ways, depending on the level of assurance you desire. You might start out with Tripwire:
https://en.wikipedia.org/wiki/Open_Source_Tripwire http://www.tripwire.org/ You could also implement mandatory access control and ACLs using either grsecurity or SELinux: http://grsecurity.net/ http://www.cs.virginia.edu/~jcg8f/SELinux%20grsecurity%20paper.pdf https://en.wikipedia.org/wiki/Security-Enhanced_Linux Personally I prefer grsecurity, but it is not supported in mainline by any major distribution that I am aware of. You'll have to patch, build, and and support your own kernel image in order to use it. SELinux is supported out of the box on CentOS 6 and 7, so it would probably be a good place to start. If your concern is solely in the realm of protecting your RSA keys, you might consider some HSM product from e.g. Yubico: https://www.yubico.com/ https://en.wikipedia.org/wiki/Hardware_security_module These tiny USB keys store the RSA keys on a secure element which is physically tamper-resistant. The key material never leaves the hardware token. However, you'd probably have to write a custom provider for OpenSSL, and the throughput would probably only be sufficient for a very small amount of traffic. If you need something that can handle a higher load, you might consider purchasing one of Cavium's cards: http://www.cavium.com/overview.html However, they are 10 gigabit passthrough devices and will unwrap / re-wrap the SSL session in hardware. They are not cheap. Good luck! On Mon, Jul 20, 2015 at 11:46 PM, James <james.arivazha...@gmail.com> wrote: > Hi there, > I have a concern regarding the private keys we use in the https (say > apache) server. > The https server links with openssl.so file, and uses the APIs provided by > it. > If some one build their own openssl and add few lines to print the keys > during encrypt and decrypt and put in the library in the LD_LIBRARY_PATH, > may result in compromising the security of the keys. > > Does any of you faced this problem and if you could share the solution it > would be helpful. > > regards, > James Arivazhagan Ponnusamy > > _______________________________________________ > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users > >
_______________________________________________ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
