How to protect the private key ! - Openssl

This is a discussion on How to protect the private key ! - Openssl ; Hi, I have a client/server application, where client authenticate itself by signing a random string (sent by server) using its private key. Whole logic is working fine for me. I am using PEM_read_PrivateKey() function to read the private key from ...

+ Reply to Thread
Results 1 to 12 of 12

Thread: How to protect the private key !

  1. How to protect the private key !

    Hi,

    I have a client/server application, where client authenticate itself by
    signing a random string (sent by server) using its private key. Whole logic
    is working fine for me. I am using PEM_read_PrivateKey() function to read
    the private key from the key file which is stored on the disk.

    As per the current mechanism PEM file needs to be the part of the client
    bundle, but that is not good for the safety of the client's private key (as
    this way key file will be visible to all the users of the application). I
    am looking for some mechanism to directly hardcode the key in the code &
    directly read it from there. Can anyone give me some idea on this. What
    format I can use to specify the PEM data in the code & what APIs can be used
    to read the private key directly from the memory buffer.

    Looking for some valueable comments from you. Thanks

    Cheers !


  2. Re: How to protect the private key !

    * Dan Ribe wrote on Mon, Sep 15, 2008 at 15:18 +0530:
    > I have a client/server application, where client authenticate itself by
    > signing a random string (sent by server) using its private key. Whole logic
    > is working fine for me. I am using PEM_read_PrivateKey() function to read
    > the private key from the key file which is stored on the disk.
    >
    > As per the current mechanism PEM file needs to be the part of the client
    > bundle, but that is not good for the safety of the client's private key (as
    > this way key file will be visible to all the users of the application). I
    > am looking for some mechanism to directly hardcode the key in the code &
    > directly read it from there. Can anyone give me some idea on this. What
    > format I can use to specify the PEM data in the code & what APIs can be used
    > to read the private key directly from the memory buffer.


    So you want to have your binary -x only and configure that users
    are not able to access the running process in some way? Or do you
    just want to hide the file to avoid that someone accidently finds
    a `private.key' file?

    If this obscurity is sufficient, you may put the key in a
    subdirectory, remove the -wr flag from the directory and read the
    key from a file with a `difficult' name. This in case you want
    to protect for safety (from beeing accidently deleted or so).
    Users cannot read it because they don't know how it is called
    without looking what file the binary is opening.

    If you hardcode the key, may get difficulties when you want to
    change it and you distribute if with the binary, which means,
    users must not have access to installers etc (which usually is
    not considered secret). Also, local users may find ways to avoid
    system restrictions, such as using boot disks or unscrewing the
    internal hard disk and connecting it to another computer.

    If you want to protect the key from the user for security (from
    beeing known to the users), then I think you need some hardware
    protecting it, for instance a smart card, which is much harder to
    attack.

    oki,

    Steffen
















    --

    About Ingenico Throughout the world businesses rely on Ingenico for secure and expedient electronic transaction acceptance. Ingenico products leverage proven technology, established standards and unparalleled ergonomics to provide optimal reliability, versatility and usability. This comprehensive range of products is complemented by a global array of services and partnerships, enabling businesses in a number of vertical sectors to accept transactions anywhere their business takes them.
    www.ingenico.com This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation.
    __________________________________________________ ____________________
    OpenSSL Project http://www.openssl.org
    User Support Mailing List openssl-users@openssl.org
    Automated List Manager majordomo@openssl.org


  3. Re: How to protect the private key !

    On Mon September 15 2008, Dan Ribe wrote:
    > Hi,
    >
    > I have a client/server application, where client authenticate itself by
    > signing a random string (sent by server) using its private key. Whole logic
    > is working fine for me. I am using PEM_read_PrivateKey() function to read
    > the private key from the key file which is stored on the disk.
    >
    > As per the current mechanism PEM file needs to be the part of the client
    > bundle, but that is not good for the safety of the client's private key (as
    > this way key file will be visible to all the users of the application). I
    > am looking for some mechanism to directly hardcode the key in the code &
    > directly read it from there. Can anyone give me some idea on this.
    >


    You can get a modest level of protection by using any system of public key
    encryption to encrypt the actual private key file, then only ship the
    encrypted private key and the public key used to decode it.
    Here: "ship" includes hardcoding both as blobs in the actual application code.

    Not bullet-proof, but enough to keep it safe from casual observation.

    Mike
    > What
    > format I can use to specify the PEM data in the code & what APIs can be used
    > to read the private key directly from the memory buffer.
    >
    > Looking for some valueable comments from you. Thanks
    >
    > Cheers !
    >



    __________________________________________________ ____________________
    OpenSSL Project http://www.openssl.org
    User Support Mailing List openssl-users@openssl.org
    Automated List Manager majordomo@openssl.org


  4. RE: How to protect the private key !

    How does this proposal change anything? Instead of locating the 'main" key,
    the adversary will be looking for the "encrypting" key - after finding which
    the task of unwrapping the "main" one becomes trivial.

    Hardware crypto cards would be the best solution for security-conscious
    designer.

    -----Original Message-----
    From: owner-openssl-users@openssl.org
    [mailtowner-openssl-users@openssl.org] On Behalf Of Michael S. Zick
    Sent: Monday, September 15, 2008 08:22
    To: openssl-users@openssl.org
    Subject: Re: How to protect the private key !

    On Mon September 15 2008, Dan Ribe wrote:
    > Hi,
    >
    > I have a client/server application, where client authenticate itself
    > by signing a random string (sent by server) using its private key.
    > Whole logic is working fine for me. I am using PEM_read_PrivateKey()
    > function to read the private key from the key file which is stored on the

    disk.
    >
    > As per the current mechanism PEM file needs to be the part of the
    > client bundle, but that is not good for the safety of the client's
    > private key (as this way key file will be visible to all the users of
    > the application). I am looking for some mechanism to directly
    > hardcode the key in the code & directly read it from there. Can anyone

    give me some idea on this.
    >


    You can get a modest level of protection by using any system of public key
    encryption to encrypt the actual private key file, then only ship the
    encrypted private key and the public key used to decode it.
    Here: "ship" includes hardcoding both as blobs in the actual application
    code.

    Not bullet-proof, but enough to keep it safe from casual observation.

    Mike
    > What
    > format I can use to specify the PEM data in the code & what APIs can
    > be used to read the private key directly from the memory buffer.
    >
    > Looking for some valueable comments from you. Thanks
    >
    > Cheers !
    >



    __________________________________________________ ____________________
    OpenSSL Project http://www.openssl.org
    User Support Mailing List openssl-users@openssl.org
    Automated List Manager majordomo@openssl.org

    __________________________________________________ ____________________
    OpenSSL Project http://www.openssl.org
    User Support Mailing List openssl-users@openssl.org
    Automated List Manager majordomo@openssl.org


  5. Re: How to protect the private key !

    On Mon September 15 2008, Mouse wrote:
    > How does this proposal change anything?
    >


    It removes the private key from casual observation. As stated.

    > Instead of locating the 'main" key,
    > the adversary will be looking for the "encrypting" key - after finding which
    > the task of unwrapping the "main" one becomes trivial.
    >


    Granted, but the post did not predicate an adversarial situation,
    only casual disclosure.

    > Hardware crypto cards would be the best solution for security-conscious
    > designer.
    >


    Better, but requires additional assets to the openSSL package.
    Like the cards and the card reader.

    Since the scenario predicates a client/server application, then leveraging
    that scenario and not distributing _anything_ that is "private" would lead
    to a better solution. See any of the established secure protocols for ideas.

    But again, both are outside of the scope of the original post (ship with application).

    Mike
    > -----Original Message-----
    > From: owner-openssl-users@openssl.org
    > [mailtowner-openssl-users@openssl.org] On Behalf Of Michael S. Zick
    > Sent: Monday, September 15, 2008 08:22
    > To: openssl-users@openssl.org
    > Subject: Re: How to protect the private key !
    >
    > On Mon September 15 2008, Dan Ribe wrote:
    > > Hi,
    > >
    > > I have a client/server application, where client authenticate itself
    > > by signing a random string (sent by server) using its private key.
    > > Whole logic is working fine for me. I am using PEM_read_PrivateKey()
    > > function to read the private key from the key file which is stored on the

    > disk.
    > >
    > > As per the current mechanism PEM file needs to be the part of the
    > > client bundle, but that is not good for the safety of the client's
    > > private key (as this way key file will be visible to all the users of
    > > the application). I am looking for some mechanism to directly
    > > hardcode the key in the code & directly read it from there. Can anyone

    > give me some idea on this.
    > >

    >
    > You can get a modest level of protection by using any system of public key
    > encryption to encrypt the actual private key file, then only ship the
    > encrypted private key and the public key used to decode it.
    > Here: "ship" includes hardcoding both as blobs in the actual application
    > code.
    >
    > Not bullet-proof, but enough to keep it safe from casual observation.
    >
    > Mike
    > > What
    > > format I can use to specify the PEM data in the code & what APIs can
    > > be used to read the private key directly from the memory buffer.
    > >
    > > Looking for some valueable comments from you. Thanks
    > >
    > > Cheers !
    > >

    >
    >
    > __________________________________________________ ____________________
    > OpenSSL Project http://www.openssl.org
    > User Support Mailing List openssl-users@openssl.org
    > Automated List Manager majordomo@openssl.org
    >
    > __________________________________________________ ____________________
    > OpenSSL Project http://www.openssl.org
    > User Support Mailing List openssl-users@openssl.org
    > Automated List Manager majordomo@openssl.org
    >
    >



    __________________________________________________ ____________________
    OpenSSL Project http://www.openssl.org
    User Support Mailing List openssl-users@openssl.org
    Automated List Manager majordomo@openssl.org


  6. RE: How to protect the private key !


    > As per the current mechanism PEM file needs to be the part
    > of the client bundle, but that is not good for the safety
    > of the client's private key (as this way key file will be
    > visible to all the users of the application).


    This private key identifies someone who is a user of the application. So why
    shouldn't it be visible to all the users of the application?

    > I am looking for some mechanism to directly hardcode the
    > key in the code & directly read it from there.


    That would mean that anyone with access to the code would be entitled to the
    private key. Yet these seem to be the same people you are trying to keep the
    key from.

    > Can anyone give me some idea on this. What format I can
    > use to specify the PEM data in the code & what APIs can
    > be used to read the private key directly from the memory buffer.


    In order to distinguish people authorized to use the private key from what
    exactly?

    You need to explain your threat model.

    If you're trying to stop people from giving your software, and thus the
    private key, away, you need to use some kind of hardware-based lock. If you
    want to stop the same people from accessing the same resource two different
    ways, you need some kind of obscurity.

    DS


    __________________________________________________ ____________________
    OpenSSL Project http://www.openssl.org
    User Support Mailing List openssl-users@openssl.org
    Automated List Manager majordomo@openssl.org


  7. Re: How to protect the private key !

    I am using the private key just to authenticate the client. Once server has
    authenticated the client (by using the public key of client), it will give
    access to that client. So I will say that in this case users of my client
    application need not to have access to the private key (becasue this
    authentication process is kind of transparent to them).

    If I will place the private key in some file (in the app bundle), then there
    are chances of its misuse. I mean someone can write a client, can
    authenticate it using the key & can get access to the server functionality,
    which it not desirable !

    So what I am looking for is a way to specify the private key directly on the
    code, so that is hidden from the outside world & yet client is able to
    authenticate itself by using it.

    Please suggest & let me know if you need any other information from my side.

    Cheers !

    On Tue, Sep 16, 2008 at 1:29 AM, David Schwartz wrote:

    >
    > > As per the current mechanism PEM file needs to be the part
    > > of the client bundle, but that is not good for the safety
    > > of the client's private key (as this way key file will be
    > > visible to all the users of the application).

    >
    > This private key identifies someone who is a user of the application. So
    > why
    > shouldn't it be visible to all the users of the application?
    >
    > > I am looking for some mechanism to directly hardcode the
    > > key in the code & directly read it from there.

    >
    > That would mean that anyone with access to the code would be entitled to
    > the
    > private key. Yet these seem to be the same people you are trying to keep
    > the
    > key from.
    >
    > > Can anyone give me some idea on this. What format I can
    > > use to specify the PEM data in the code & what APIs can
    > > be used to read the private key directly from the memory buffer.

    >
    > In order to distinguish people authorized to use the private key from what
    > exactly?
    >
    > You need to explain your threat model.
    >
    > If you're trying to stop people from giving your software, and thus the
    > private key, away, you need to use some kind of hardware-based lock. If you
    > want to stop the same people from accessing the same resource two different
    > ways, you need some kind of obscurity.
    >
    > DS
    >
    >
    > __________________________________________________ ____________________
    > OpenSSL Project http://www.openssl.org
    > User Support Mailing List openssl-users@openssl.org
    > Automated List Manager majordomo@openssl.org
    >



  8. Re: How to protect the private key !

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Dan Ribe schrieb:
    | I am using the private key just to authenticate the client. Once server
    | has authenticated the client (by using the public key of client), it
    | will give access to that client. So I will say that in this case users
    | of my client application need not to have access to the private key
    | (becasue this authentication process is kind of transparent to them).
    |
    | If I will place the private key in some file (in the app bundle), then
    | there are chances of its misuse. I mean someone can write a client, can
    | authenticate it using the key & can get access to the server
    | functionality, which it not desirable !

    But you are aware that a dedicated attacker is still be able to
    disassemble the program and get the key from there ?

    If you can live with this risk, you can store the key as binary and read
    it with the d2i_[Auto]PrivateKey() functions...

    Goetz

    - --
    DMCA: The greed of the few outweighs the freedom of the many
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v2.0.4-svn0 (GNU/Linux)
    Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

    iD8DBQFI0N4p2iGqZUF3qPYRAgTOAJ94WvfqoipoKe3OHB1YWM UhIv/ORgCbBUjV
    Mpsr5CfkUIytzXOhCXGsPYI=
    =pR13
    -----END PGP SIGNATURE-----
    __________________________________________________ ____________________
    OpenSSL Project http://www.openssl.org
    User Support Mailing List openssl-users@openssl.org
    Automated List Manager majordomo@openssl.org


  9. RE: How to protect the private key !


    Dan Ribe:

    > I am using the private key just to authenticate the client.
    > Once server has authenticated the client (by using the public
    > key of client), it will give access to that client.


    So you want the server to condition access to a resource based on what
    software is being used, and to reject even people who *have* your software
    just because they're not *using* it?

    In other words, you don't want to separate people who can do X from people
    who can't do X. You want to separate people who can do X from other people
    who can do X based on what software they use to do X. Cryptography cannot do
    this. Over the wire, there is no way to tell what software you used to
    execute an algorithm, only what algorithm you executed.

    > So I will say that in this case users of my client application
    > need not to have access to the private key (becasue this
    > authentication process is kind of transparent to them).


    But they do need access to the private key, otherwise they can't perform the
    authentication. It's transparent to them, so they don't need to know they
    have access to the key, but they need it. Without access to the key, they
    can't participate in this process.

    > If I will place the private key in some file (in the app bundle),
    > then there are chances of its misuse. I mean someone can write a
    > client, can authenticate it using the key & can get access to the
    > server functionality, which it not desirable !


    Someone who could do all that could just as well give copies of the client
    to the same undesirable agents. They could then authenticate using the key
    and can get access to the server functionality.

    To protect the server functionality from people who shouldn't be able to use
    it, you need to control who gets access, not what software they use.

    Any mechanism by which they could get a private key could also deliver them
    the whole client software package.

    > So what I am looking for is a way to specify the private key
    > directly on the code, so that is hidden from the outside world
    > & yet client is able to authenticate itself by using it.


    That would change nothing. If what you suggested was perfectly possibly,
    anyone could get access to the server functionality just by getting the
    client package. If you simply include the private key in the client package,
    then anyone can access the server functionality just by getting the client
    key. In both cases, precisely the same things safeguard the server.

    > Please suggest & let me know if you need any other information from my

    side.

    Cyptography can help you authorize one agent and not authorize another based
    on what the first agent knows or can do that the second cannot. But it
    really cannot do much to help you authorize and de-authorize the same agent
    based on what software or hardware it uses to perform an operation it knows
    how to perform.

    It sounds like you need dongles, not keys.

    DS


    __________________________________________________ ____________________
    OpenSSL Project http://www.openssl.org
    User Support Mailing List openssl-users@openssl.org
    Automated List Manager majordomo@openssl.org


  10. Re: How to protect the private key !

    On Wed 17 Sep 2008 (09:38 -0700), David Schwartz wrote:
    >
    > Dan Ribe:
    >
    > > I am using the private key just to authenticate the client.
    > > Once server has authenticated the client (by using the public
    > > key of client), it will give access to that client.


    If the application is a single process that does not offer shell
    escapes, then one method is the following:

    Give users ordinary login access, users of the application get
    membership in a specific group - say app_grp.
    Run the application under a different user ID, say app_adm.
    Make the application suid app_adm, executable only by app_adm:adm_grp
    (permissions 4550). Make the private key file owned by and read-only
    for app_adm, permissions 0400.

    Now users who are allowed to run the app login as themselves and can
    execute the program, but can't read the keyfile, only the program
    itself can do that. Users not allowed to use the program can neither
    start it nor read the keyfile.

    --
    Jim Segrave jes@j-e-s.net


    __________________________________________________ ____________________
    OpenSSL Project http://www.openssl.org
    User Support Mailing List openssl-users@openssl.org
    Automated List Manager majordomo@openssl.org


  11. Re: How to protect the private key !


    Hi,

    I did not know about the function EVP_PKEY *PEM'_read_PrivateKey(FILE *fp,
    EVP_PKEY **pkey,pem_password_callback function *cb,void *u ) and it's
    exactly what I need to use (very similar situation like the author of this
    thread).

    However, how could I use the EVP_PKEY after that ? Is there an equivalent
    function to SSL_CTX_use_PrivateKey_file() to use that EVP_PKEY ?

    Also, after creating a key with openssl (with -passout parameter), is the
    certificate creation process is the same ? Will I have to enter the key's
    password during the certificate creation ?


    Lars Kühl wrote:
    >
    > Am Montag, 15. September 2008 11:48:15 schrieb Dan Ribe:
    >> Hi,
    >>
    >> I have a client/server application, where client authenticate itself by
    >> signing a random string (sent by server) using its private key. Whole
    >> logic
    >> is working fine for me. I am using PEM_read_PrivateKey() function to read
    >> the private key from the key file which is stored on the disk.
    >>
    >> As per the current mechanism PEM file needs to be the part of the client
    >> bundle, but that is not good for the safety of the client's private key
    >> (as
    >> this way key file will be visible to all the users of the application).
    >> I
    >> am looking for some mechanism to directly hardcode the key in the code &
    >> directly read it from there. Can anyone give me some idea on this. What
    >> format I can use to specify the PEM data in the code & what APIs can be
    >> used to read the private key directly from the memory buffer.
    >>
    >> Looking for some valueable comments from you. Thanks
    >>
    >> Cheers !

    >
    >
    > Hi Dan,
    > you can encrypt the .pem file and then use a pem_password_callback
    > function()
    > to enter the password in the call EVP_PKEY *PEM'_read_PrivateKey(FILE *fp,
    > EVP_PKEY **pkey,pem_password_callback function *cb,void *u ).
    > So you add a symetric key to the sourcecode, or you can ask the user for
    > a
    > password.
    >
    > If you use openssl to generate the keyfiles then you can use the
    > parameter "-passout pass:" to encrypt the file within the key
    > generation.
    >
    > For security the best option would be to use a smartcard to sign the data..
    >
    > Cheers!
    > Lars
    > __________________________________________________ ____________________
    > OpenSSL Project http://www.openssl.org
    > User Support Mailing List openssl-users@openssl.org
    > Automated List Manager majordomo@openssl.org
    >
    >


    --
    View this message in context: http://www.nabble.com/How-to-protect...p20346930.html
    Sent from the OpenSSL - User mailing list archive at Nabble.com.
    __________________________________________________ ____________________
    OpenSSL Project http://www.openssl.org
    User Support Mailing List openssl-users@openssl.org
    Automated List Manager majordomo@openssl.org


  12. Re: How to protect the private key !

    2008/11/5 BiGNoRm6969

    >
    > Hi,
    >
    > I did not know about the function EVP_PKEY *PEM'_read_PrivateKey(FILE *fp,
    > EVP_PKEY **pkey,pem_password_callback function *cb,void *u ) and it's
    > exactly what I need to use (very similar situation like the author of this
    > thread).
    >
    > However, how could I use the EVP_PKEY after that ? Is there an equivalent
    > function to SSL_CTX_use_PrivateKey_file() to use that EVP_PKEY ?
    >
    > Also, after creating a key with openssl (with -passout parameter), is the
    > certificate creation process is the same ? Will I have to enter the key's
    > password during the certificate creation ?
    >
    >

    Hi
    To use the EVP_PKEY object you can simply call the function

    SSL_CTX_use_PrivateKey (SSL_CTX *ctx, EVP_PKEY *pkey)

    Cheers
    Matteo


+ Reply to Thread