Re: [openssl-users] Regarding the security of the keys

2015-07-22 Thread Frank Thater
Hi, I my opinion the only way to securely handle your keys is the usage of some kind of Hardware Security Module, e.g. www.smartcard-hsm.com www.yubico.com These lightweight HSMs provide a PKCS#11 interface which can be integrated using the PKCS#11 engine of OpenSSL. In addition the SmartCard-HS

Re: [openssl-users] Regarding the security of the keys

2015-07-21 Thread Mike Mohr
On Tue, Jul 21, 2015 at 9:46 PM, Salz, Rich wrote: > > > Actually that isn't quite right. A properly configured and > tuned RBAC policy, when combined with PaX, can very effectively limit all > userspace activity (including root access!). > > How do you know that the module is installed and actu

Re: [openssl-users] Regarding the security of the keys

2015-07-21 Thread Jeffrey Walton
> If some one build their own openssl and add few lines to print the keys > during encrypt and decrypt and put in the library in the LD_LIBRARY_PATH, > may result in compromising the security of the keys. > > Does any of you faced this problem and if you could share the solution it > would be helpf

Re: [openssl-users] Regarding the security of the keys

2015-07-21 Thread Salz, Rich
> Actually that isn't quite right.  A properly configured and tuned RBAC  > policy, when combined with PaX, can very effectively limit all userspace > activity (including root access!).  How do you know that the module is installed and actually doing things? How do you know what kernel is actua

Re: [openssl-users] Regarding the security of the keys

2015-07-21 Thread Mike Mohr
Actually that isn't quite right. A properly configured and tuned RBAC policy, when combined with PaX , can very effectively limit all userspace activity (including root access!). It

Re: [openssl-users] Regarding the security of the keys

2015-07-21 Thread Salz, Rich
> If some one build their own openssl and add few lines to print the keys > during encrypt and decrypt and put in the library in the LD_LIBRARY_PATH, may > result in compromising the security of the keys. Can anyone other than root do this? You have to trust root. They could just cat your key

Re: [openssl-users] Regarding the security of the keys

2015-07-21 Thread Mike Mohr
Securing a system against this kind of attack can be done in several ways, depending on the level of assurance you desire. You might start out with Tripwire: https://en.wikipedia.org/wiki/Open_Source_Tripwire http://www.tripwire.org/ You could also implement mandatory access control and ACLs usi

[openssl-users] Regarding the security of the keys

2015-07-20 Thread James
Hi there, I have a concern regarding the private keys we use in the https (say apache) server. The https server links with openssl.so file, and uses the APIs provided by it. If some one build their own openssl and add few lines to print the keys during encrypt and decrypt and put in the library in