Jason A. Pattie wrote:
>>>Hmmm . . . I can't tell you what that error means but I can tell you
>>>that we successfully download PKCS#12 packages from the pub interface.
>>>One does have to set the download passphrase from the RA interface
>>>first. That confused us until we figured it out. Good luck - John
>
> Ahh. Sounds like a plan. I could never figure out what that password
> was. I'll try figuring it out tomorrow.
>
It should be mentioned in the documentation - if not, we should fix this.
The idea is the following:
- the key is protected by its pin
  (which is given at request time or set by the CA)
- if you download you have to give the key-pin as credential to
  get access to the key and for decryption
The problem with this workflow is the following:
- the key-pin is exposed to brute-force attacks on the web;
  this would be like putting the key (even encrypted) somewhere
  and waving - hey people, come and try yourself ;)
  Therefore we decided to protect the key-pin with a separate download-pin
  which has to be set by the RA officer.
- so a possible malicious user would first have to 'crack' the
  download-pin to get any useful information about the
  correctness of the key-pin used at the webpage
- in other words, he can't do a simple 'brute-force' attack on
  the key-pin, since it's guarded by the download-pin
So the valid user needs two pins: first the key-pin and second the
download-pin. The second one is to protect the key-pin, and the key-pin
is the one which is used to encrypt and decrypt the key. The PKCS#12
file will also be encrypted with this key-pin, so for later use you need
this pin to access the data in the PKCS#12 file.
Greetings
Dalini
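The two-pin workflow described above, as an added example that is not code from this thread or from OpenCA itself. The `PubInterface` class, its method names, the attempt counter and the HMAC-based stand-in for PKCS#12 password-based encryption are all assumptions of this sketch, chosen to show where each pin is checked: the server only ever verifies the download-pin, and the key-pin is verified by the client after the bundle has been fetched.

```python
import hashlib
import hmac
import os

# PBKDF2 work factor (kept modest so the example runs quickly).
ITERATIONS = 50_000
# Assumption: a lockout policy for the download step; the mail does not describe one.
MAX_DOWNLOAD_ATTEMPTS = 3


def derive_key(pin: str, salt: bytes) -> bytes:
    """Stretch a short PIN into a 32-byte key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, ITERATIONS, 32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC counter-mode keystream: a constructed toy stand-in for the
    password-based encryption a real PKCS#12 file uses."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]


def seal_bundle(private_key: bytes, key_pin: str) -> bytes:
    """CA side: encrypt the key under the key-pin, as when the PKCS#12 is built."""
    salt, nonce = os.urandom(16), os.urandom(16)
    key = derive_key(key_pin, salt)
    body = bytes(p ^ k for p, k in zip(private_key, _keystream(key, nonce, len(private_key))))
    tag = hmac.new(key, nonce + body, "sha256").digest()
    return salt + nonce + tag + body


def open_bundle(blob: bytes, key_pin: str):
    """Client side: decrypt with the key-pin; returns None if the pin is wrong.
    This tag check is the only place the key-pin is ever verified, and it runs
    on the client, so it cannot be exercised without first holding the blob."""
    salt, nonce, tag, body = blob[:16], blob[16:32], blob[32:64], blob[64:]
    key = derive_key(key_pin, salt)
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, "sha256").digest()):
        return None
    return bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))


class PubInterface:
    """Models the download step of the public web interface (assumed names)."""

    def __init__(self):
        self._entries = {}   # serial -> (salt, download-pin hash, sealed blob)
        self._failures = {}  # serial -> number of wrong download-pin attempts

    def ra_set_download_pin(self, serial: str, download_pin: str, blob: bytes) -> None:
        """RA officer step: nothing is downloadable until this has been called."""
        salt = os.urandom(16)
        self._entries[serial] = (salt, derive_key(download_pin, salt), blob)
        self._failures[serial] = 0

    def download(self, serial: str, download_pin: str):
        """Public step: only the download-pin is checked here. The key-pin never
        reaches the server, so the web front end reveals nothing about it."""
        entry = self._entries.get(serial)
        if entry is None or self._failures[serial] >= MAX_DOWNLOAD_ATTEMPTS:
            return None
        salt, expected, blob = entry
        if not hmac.compare_digest(expected, derive_key(download_pin, salt)):
            self._failures[serial] += 1
            return None
        return blob


def enrol_and_fetch(key_pin: str, download_pin: str, given_download_pin: str):
    """End-to-end run of the two-pin workflow on constructed sample data."""
    pub = PubInterface()
    blob = seal_bundle(b"-----CONSTRUCTED SAMPLE KEY-----", key_pin)  # CA side
    pub.ra_set_download_pin("0x2a", download_pin, blob)               # RA side
    fetched = pub.download("0x2a", given_download_pin)                 # user side
    return None if fetched is None else open_bundle(fetched, key_pin)


if __name__ == "__main__":
    print(enrol_and_fetch("1234", "dl-pin", "dl-pin"))  # the sample key material
    print(enrol_and_fetch("1234", "dl-pin", "wrong"))   # None: no blob was handed out
```

The split the mail argues for is visible in where the checks sit: `PubInterface.download` compares only the download-pin hash, while the key-pin is compared only inside `open_bundle`, after the user already holds the file. The download-pin is still an online guessing target, which is why the sketch adds an attempt limit; a real deployment would rate-limit or expire it the same way, and would rely on the standard PKCS#12 password-based encryption rather than the toy keystream used here.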
_______________________________________________
Openca-Users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openca-users