Re: RFC: encrypted serverkeys WHY??

Wed, 10 Mar 1999 09:03:42 -0500 

On Wed, Mar 10, 1999, Steffen Dettmer wrote:

> It's recommned to use DES3-encrypted RSA Serverkeys with mod_ssl.
> To steal this key, a hacker needs root permissions.
> But if a hacker has root permission, it's easy to steal the DES3
> passphrase too. I think at least somewhere in (RAM) memory the key is
> decrypted, since the server needs the key. 

Correct, it has to be in OpenSSL's memory areas in unencrypted version, of
course.

> I think that the key is
> somewhere in a core dump from httpd - and so the hacker could analyze it
> and could steal the key.

That's why most Unix platforms do not create core files for daemon processes
running under or started as UID=0 (root).

> A different way would be to use a patched httpd/OpenSSL, which dumps all
> passphrases is a file or so.
> 
> All-in-all I think it's not more secure to use a DES3 key, since the
> hacker who is able to get the keyfile, is able to get the passphrase too,
> ain't???

Not really, because neither mod_ssl nor OpenSSL stores the pass phrase.
Only the key itself is stored in memory.

> So I cannot see the need for a passphrase at all...
> What does the list mean to this question?

Yes and no. When you've the key unencrypted on the filesystem, the attacker
just needs root access and can immediately read your key from disk.  When
you've it encrypted he also has to steal it from the running process. Sure,
both isn't to hard, but at least the second thing is a little bit harder. But
to make it short: Yes, the argument that one can say the pass phrase stuff is
not needed at all could be considered a reasonable argument. 

One thing is actually true: You always have to protect the webserver machine
itself as best as it can be. Just using a pass phrase on the keys is not
enough, of course.

BTW, a few months ago we had a long thread about this topic.
Look inside the sw-mod-ssl mailing list archives for details.

                                       Ralf S. Engelschall
                                       [EMAIL PROTECTED]
                                       www.engelschall.com
______________________________________________________________________
Apache Interface to SSLeay (mod_ssl)   www.engelschall.com/sw/mod_ssl/
Official Support Mailing List               [EMAIL PROTECTED]
Automated List Manager                       [EMAIL PROTECTED]

Reply via email to