[openssl-users] Regarding the security of the keys
Mike Mohr
akihana at gmail.com
Tue Jul 21 07:53:51 UTC 2015
Securing a system against this kind of attack can be done in several ways,
depending on the level of assurance you desire. You might start out with
Tripwire:
https://en.wikipedia.org/wiki/Open_Source_Tripwire
http://www.tripwire.org/
You could also implement mandatory access control and ACLs using either
grsecurity or SELinux:
http://grsecurity.net/
http://www.cs.virginia.edu/~jcg8f/SELinux%20grsecurity%20paper.pdf
https://en.wikipedia.org/wiki/Security-Enhanced_Linux
Personally I prefer grsecurity, but it is not supported in mainline by any
major distribution that I am aware of. You'll have to patch, build, and
support your own kernel image in order to use it. SELinux is supported
out of the box on CentOS 6 and 7, so it would probably be a good place to
start.
If your concern is solely in the realm of protecting your RSA keys, you
might consider some HSM product from e.g. Yubico:
https://www.yubico.com/
https://en.wikipedia.org/wiki/Hardware_security_module
These tiny USB keys store the RSA keys on a secure element which is
physically tamper-resistant. The key material never leaves the hardware
token. However, you'd probably have to write a custom provider for
OpenSSL, and the throughput would probably only be sufficient for a very
small amount of traffic. If you need something that can handle a higher
load, you might consider purchasing one of Cavium's cards:
http://www.cavium.com/overview.html
However, they are 10 gigabit passthrough devices and will unwrap / re-wrap
the SSL session in hardware. They are not cheap.
Good luck!
On Mon, Jul 20, 2015 at 11:46 PM, James <james.arivazhagan at gmail.com> wrote:
> Hi there,
> I have a concern regarding the private keys we use in the https (say
> apache) server.
> The https server links with the openssl.so file and uses the APIs provided by
> it.
> If someone builds their own openssl, adds a few lines to print the keys
> during encrypt and decrypt, and puts the library in the LD_LIBRARY_PATH,
> it may result in compromising the security of the keys.
>
> Have any of you faced this problem? If you could share the solution, it
> would be helpful.
>
> regards,
> James Arivazhagan Ponnusamy
>
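As an added example (not code from Mike's message or from the OpenSSL project), here is a Tripwire-style check in Python for the library substitution James describes: it reads the libssl/libcrypto mappings of a running server from /proc/<pid>/maps and flags any library loaded from outside the trusted system directories or whose SHA-256 differs from a recorded baseline. The baseline entries, trusted directories and the hash placeholders are assumptions; a real deployment would record the hashes at install time.

```python
import hashlib
import re

# Constructed baseline: library path -> sha256 recorded at install time.
# The hash values here are placeholders, not real digests.
BASELINE = {
    "/usr/lib64/libssl.so.10": "<sha256 recorded at install time>",
    "/usr/lib64/libcrypto.so.10": "<sha256 recorded at install time>",
}
# Assumed set of directories the loader should be taking OpenSSL from.
TRUSTED_DIRS = ("/lib", "/lib64", "/usr/lib", "/usr/lib64")
# Mapped file names that look like OpenSSL's shared objects.
LIB_RE = re.compile(r"/\S*lib(ssl|crypto)\S*\.so\S*$")

def loaded_openssl_libs(maps_text):
    """Return the distinct libssl/libcrypto paths mapped into a process."""
    libs = set()
    for line in maps_text.splitlines():
        # /proc/<pid>/maps: address perms offset dev inode [pathname]
        parts = line.split(maxsplit=5)
        if len(parts) == 6 and LIB_RE.search(parts[5]):
            libs.add(parts[5])
    return sorted(libs)

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def audit_libs(libs, baseline, trusted_dirs, hasher=sha256_file):
    """Flag libraries outside trusted dirs, absent from the baseline, or with
    a digest that differs from it. `hasher` is injectable so the logic can be
    exercised without real files on disk."""
    prefixes = tuple(d.rstrip("/") + "/" for d in trusted_dirs)
    findings = []
    for path in libs:
        if not path.startswith(prefixes):
            findings.append((path, "loaded from untrusted directory"))
        expected = baseline.get(path)
        if expected is None:
            findings.append((path, "not in baseline"))
        elif hasher(path) != expected:
            findings.append((path, "hash differs from baseline"))
    return findings

def audit_process(pid, baseline=BASELINE, trusted_dirs=TRUSTED_DIRS):
    """Audit a live process, e.g. an apache worker's pid (Linux only)."""
    with open(f"/proc/{pid}/maps") as f:
        return audit_libs(loaded_openssl_libs(f.read()), baseline, trusted_dirs)
```

Run `audit_process(pid)` against the httpd process; as with Tripwire, keep the baseline on read-only or off-host storage so a tampered host cannot also rewrite the expected hashes.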