> This is what I'm trying to prevent. After handshake and authentication
> by SSL, it is still not safe enough, because other people and I share
> some common secrets (key and certificate), but if secrets are compromised,
> (I know that people don't like this idea of losing key, but it happened
> before and will happen in the future) then I'm in trouble. My question
> is: can we find a solution to such a scenario? Such as application level
> authentication.

If the keys to my car are stolen, can I find a way to keep someone
from driving it?

  1) put an additional lock on the car
       ie add some application-level authentication.
       Of course, this is recursive - what if the
       bad guy gets these keys too? He got the first
       one, he can probably get the other ones too.

  2) change the lock
       ie once you know someone stole your key, you
       generate a new one and have a CRL issued for
       the old one so it's no good any more.

While you could add more and more #1 above to add security, the
fact that they're getting any of your keys indicates you are doing
a piss poor job of securing your machine and you're probably going
to be building in application-level authentication poorly too.

SSL relies on having everything about the algorithm public with
the exception of one thing: the private keys.

Deal with it - the private key must be private, or the game is lost.
This is a definition, it cannot be changed.

Security in depth is good, so feel free to layer on other controls
if it makes you feel better. However if they got the key, then
either

  they have access to your machine on which it resides
       thus they could simply query the data right
       from your database, insert a kernel module to
       capture all data, etc

  they were given the key by someone inside your organization
       thus if you change the key, they'll get that one too

Protecting the private key is your most important task. Period.

Doesn't this make sense?

--
Brian Hatch                  It compiles!
   Systems and                Let's ship it!
   Security Engineer          -- the Microsoft motto
http://www.ifokr.org/bri/
Every message PGP signed
