Slashdot Mirror

← Back to Stories (view on slashdot.org)

Secure Private Key Storage for UNIX?

Posted by Cliff on from the kernel-level-key-ring dept.

An anonymous reader asks: "Microsoft Windows, from 2000 forward (except ME) offers secure certificate and private storage at the OS level in what is called a protected store. Offline, it's encrypted by a combination of the user's password and a session key stored on the filesystem. When the OS is running, the private keys stored are available to the logged in user, optionally encrypted with another password. The keys are stored in protected memory, so no applications can access them without going through the Microsoft CAPI calls. This code also is FIPS 140-1 level 1 (the best one can get for software cryptography modules) compliant." Does any other OS provide this kind of feature at the OS-level? If so, who? If not, why? This functionality (especially certified FIPS 140-1 or FIPS 140-2) would be nice to see in UNIX variants. MacOS's key-chain functionality is similar, but stores at the application level, and is not FIPS compliant. An implementation of the protected store functionality will allow applications like Firefox, Thunderbird and gpg to have one common place to obtain private keys and certificates rather than maintaining their own individual key-stores. An additional application for this would be the ability to use hardware PKCS #11 tokens.

I am wondering why this functionality does not exist at the OS level in most OSes except Windows. A number of applications on many platforms have this functionality, but its at the app level, with their own key-stores, and not a standard at the OS level."

95 comments

  1. Well duh.. by QuantumG · · Score: 3, Insightful

    on Windows it is centralized and conforms to government requirements because, get this, Windows development is centralized, and Microsoft sell Windows to governments. Amazing huh? Now, of course, if you think this is important, and can code, you might feel like going and writing a daemon for handing out certificates. Hardening it against attack, etc. Then go write the support into all these various programs that use certificates. But unless you're willing to do that, we'll just have to wait until Red Hat, Novell, or whoever go for some government contracts that require this level of certification.

    --
    How we know is more important than what we know.
    1. Re:Well duh.. by RollingThunder · · Score: 2, Informative

      I'm pretty sure that Sun, IBM, and HP sell their UNIX systems to the government, and centrally develop those too.

      He didn't specify Linux, he said UNIX.

    2. Re:Well duh.. by QuantumG · · Score: 1

      IBM and HP don't have UNIX systems anymore.. and for all I know Solaris has something similar to this.. in any case, gpg isn't going to be top on the list of applications used in a government contract.

      --
      How we know is more important than what we know.
    3. Re:Well duh.. by endofbroadcast · · Score: 1

      They what? They don't have UNIX systems anymore? When did this happen? HP-UX isn't just 4 letters with a dash in the middle. It's a currently developed/supported OS and is widely used in government systems.

    4. Re:Well duh.. by QuantumG · · Score: 1

      HP-UX is dead.. as is AIX.. try to keep up.

      --
      How we know is more important than what we know.
    5. Re:Well duh.. by tritab · · Score: 2, Interesting

      Wow, this is the closest I've seen to anyone on Slashdot admitting that Microsoft did something better than any Unix / Linux system in a long time!

      But seriously, I've wondered about the same question as the OP and have never found anything good. The closest was setting file system permissions on the key file as someone else mentioned.

      Is it not possible?

    6. Re:Well duh.. by QuantumG · · Score: 1

      What are you talking about exactly?

      The centralized aspect of Microsoft's solution is the only thing that is seriously different on Linux.. as it is hard to get distributed developers not to duplicate each other's work.

      The keys are encrypted in much the same way.

      --
      How we know is more important than what we know.
    7. Re:Well duh.. by endofbroadcast · · Score: 0, Flamebait

      Oops. I confused your stupidity for ignorance. Howabout you keep up with the industry, bucko. Your personal opinion means nothing when going up against cold hard facts, you pompous, overbearing windbag. HP-UX is heavily used, and if you just don't want to accept that fact you can curl up with your security blanket, scream "Mama!" and wait for the anal thermometer, because you are a friggin' child. So chill with the semi-coherant B.S. and actualy contribute to the discussion without being a total elitist nerd spitting out nonsense.

      Get with the program, buddy, and grow up.

      I AM in the know. I DO work for the government, and I KNOW what I'm talking about. Your snotnosed attitude merely shows that you're ignorant of the reality of the situation. Congratulations on proving just how stupid you really are. Bravo, buddy.

    8. Re:Well duh.. by Anonymous Coward · · Score: 1, Funny

      Jesus christ chill dude. Go smoke a jay.

    9. Re:Well duh.. by QuantumG · · Score: 0, Flamebait

      I DO work for the government I can tell by your maturity.
      --
      How we know is more important than what we know.
    10. Re:Well duh.. by mysidia · · Score: 1

      It's not really more secure.. if anything it's less secure, it's just more convenient sometimes.

      MS needs to use "protected memory" arises only because in windows, you don't necessarily need to be root to mess with other process' memory areas. If a skilled hacker needed to access that memory store badly enough, they could very likely write a kernel driver or otherwise patch the OS to open the little hole they need.

      Since the encryption of your certificate is bound to your login password, what do you think happens when an administrator needs to reset your password?

      Perhaps to mitigate that someone else figured out your login password, compromised your account and changed the password on you.

      Now _you_ have permanently lost access to all your encrypted files, AND, the hacker possibly already has copies.

      That's why PGP is nice. You can have multiple private keys, and you can set different passphrases for access to them, independent of your login password.

      For casual surfing, you don't need access to your encrypted file stores, it makes sense to require additional credentials before you want to go open a confidential document.

    11. Re:Well duh.. by Anonymous Coward · · Score: 0, Flamebait

      Funny... I could tell from his lack thereof.

    12. Re:Well duh.. by endofbroadcast · · Score: 0, Flamebait

      What is that supposed to mean? Just because I called you out on your ignorance of the subject matter doesn't make me immature. It just makes me correct. And now that you don't have a valid argument you have to sink to snide, backhanded comments. Have you ever had to defend a position using facts and not just a snotty attitude?

    13. Re:Well duh.. by finkployd · · Score: 1

      IBM and HP don't have UNIX systems anymore.

      I have a lot of clients on AIX who will be shocked about that.

      And before any of you start in on how AIX sucks, it has a logical volume manager that kicks the crap out of the toy that Linux has.

      Finkployd

    14. Re:Well duh.. by dhasenan · · Score: 1

      What can the kernel do for you that an application cannot?

      Seriously, this is a somewhat complicated operation, and there's little that the kernel can do to keep your data private that an application would be unable to do. Getting access to another process's memory is not a trivial task; it probably requires some trickery with the MMU, and the kernel's in the way. So you could ask for a system call to prevent this from happening, but is there anything else the kernel can do for itself that it can't do for applications?

    15. Re:Well duh.. by nbvb · · Score: 1

      Linux: "This is the year of Linux on the Desktop" for almost 15 years running .....

      Seriously, AIX and HP-UX both have kick-ass volume management. Check out Dynamic Root Disk from HP... whoa, cool! And it only works if you have a real LVM ...

    16. Re:Well duh.. by Anonymous Coward · · Score: 0

      Next time keep your rage to yourself and just post a "you're wrong" with many relevant links. You would do well to get some facts yourself; a "I DO work in government" claim is not a very solid proof of anything.

    17. Re:Well duh.. by Anonymous Coward · · Score: 2, Insightful

      Um, dude... Your post was 100% "immature asshole."

      You may be correct in your facts, but that's immaterial when you stoop to personal attacks and condescending attitude. A mature response would include correcting facts with cited sources.

    18. Re:Well duh.. by Richard_at_work · · Score: 1

      AIX is dead? Huh? We just bought three 550 systems a month or so ago and they all came with AIX 5, absolutely no problems ordering them and having it preinstalled.

      AIX is far from dead, whatever you may want to believe.

    19. Re:Well duh.. by jimstapleton · · Score: 2, Informative

      So, is this just a hallucination?

      HP has 3 (4?) flavors of UNIX:
      http://welcome.hp.com/country/us/en/prodserv/serve rs.html
      HP-UX, Linux, Tru64

      They also have UnixWare, though I'm not sure if that's UNIX or an application suite for UNIX, or something that is "kinda like but not really" UNIX.

      VMS is not UNIX, so I won't count that.

      Given that these are "for sale", I don't think "dead" is quite the appropriate term.
      You can drop out Linux since it's not a IBM creation, reducing their number of Unix OSes by 1, but that's still a positive number.

      We use all of the above (except UnixWare) and many more where I work, in various places (LARGE organization).

      As for IBM, AIX and Linux. I5 might be a Unix OS also, but I'm not familiar with it.
      http://www-03.ibm.com/systems/i/os/

      Also for sale. And AIX is also still used (they have AIX server in various places in the organization where I work also)

      --
      34486853790
      Connection too slow for X forwarding? Try "ssh -CX user@host"
    20. Re:Well duh.. by hb253 · · Score: 1

      I bump into this kind of ignorance a lot, especially from people who've only ever worked with Microsoft products. When I tell them about "Product X" they'll say something like "I didn't think anybody used that anymore" or "what idiot still uses that outdated system", etc, etc. It's maddening but what to do about it? You can't legislate awareness.

      --
      Self awareness - try it!
    21. Re:Well duh.. by linkages · · Score: 2, Interesting

      If only AIX's memory management was as good as its logical volume manager. mmap on AIX is just broken when it comes to performance.
      If you have more that say a dozen processes mmaping a file and one of those procs makes a change all the others _MUST_ be interrupted to have their in proc. memory cleaned up. This becomes an even larger problem when you have hundreds of procs mmaping the same file.

    22. Re:Well duh.. by jack_csk · · Score: 1

      By UnixWare, do you mean this product from our friend in Utah? For some, UnixWare is considered the directly-inherited child of AT&T's Unix. However, it's a POS comparing to AIX and Linux

    23. Re:Well duh.. by Hack'n'Slash · · Score: 1

      No, ranting and name calling reflect very poorly on a person's level of maturity.

  2. OS X Keychain is not "application level" by Anonymous Coward · · Score: 5, Informative

    On OS X, the keychain data (certificates, keys, etc) is not managed at the application level. There is a system daemon, securityd, that applications talk to if they need passwords or need data signed / decrypted or if they need credentials for a particular service.

  3. Keychain is at the application level? by dgatwood · · Score: 3, Informative

    I'm not sure what they're trying to claim here, but unless their definition of OS means "kernel", the Mac OS X (and classic Mac OS, AFAIK) keychain most certainly is an OS-level service. Keychain items can be shared among all applications, though most applications limit access to these items to a list of trusted applications for obvious security reasons.

    I don't know about the question of protected memory or FIPS certification, but the rest of this question just seemed like FUD to me.

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.

  4. uh, what? by Anonymous Coward · · Score: 0

    I'm sorry, why is this article posted? For the sole purpose of bashing unix? Someone get the firehose.

    1. Re:uh, what? by Goaway · · Score: 0, Troll

      Oh no! Somebody asked something of Linux that it doesn't provide! Better silence him, quick!

    2. Re:uh, what? by Slashcrap · · Score: 1

      Oh no! Somebody asked something of Linux that it doesn't provide! Better silence him, quick!

      I can't find the button that silences the person asking the original question. Is it because I'm using this damn Lunix thing? Another bloody feature it doesn't provide.

      I'm just curious - did you come here and post because you work in the field of security and were interested in the question? Or did you come here just to disrupt the discussion with your two "Lunix zealots - LOL!" oneliners? If it's the latter, as it so clearly is, doesn't that make you much worse than the people you're so ineptly trying to mock?

      If you're planning to argue the former, please include in your reply a short analysis of the problems with any secure key storage scheme which relies on the OS kernel being able to protect its memory against all attackers. Thanks in advance.

    3. Re:uh, what? by Goaway · · Score: 1

      I'm pretty sure I "came here" for the same reason most people do, to read news. The occasional poking fun at the zealots is merely a small amusement on the side, and helps one stay sane reading this site.

  5. chmod 600 by Anonymous Coward · · Score: 2, Informative

    chmod 600 crypt.key

    Just make sure to store the key encrypted with a passphrase :)

    1. Re:chmod 600 by Anonymous Coward · · Score: 0

      The problem with your solution: if the computer goes offline, the files are easily readable by removing the hard drive, or by using a live cd. Really, the entire drive should be encrypted.

  6. FIPS Levels by Jherek+Carnelian · · Score: 3, Insightful

    This code also is FIPS 140-1 level 1 (the best one can get for software cryptography modules) compliant."

    That's odd, OpenSSL was just certified to level 2 (FIPS 140-2).
    1. Re:FIPS Levels by Anonymous Coward · · Score: 1, Funny

      That's odd, OpenSSL was just certified to level 2 (FIPS 140-2).

      Yeah? My cryptography goes to 11.

    2. Re:FIPS Levels by Anonymous Coward · · Score: 0

      Mod points, mod points, wherefor art thou mod points...

  7. Eggs and baskets by El+Cubano · · Score: 4, Insightful

    An implementation of the protected store functionality will allow applications like Firefox, Thunderbird and gpg to have one common place to obtain private keys and certificates rather than maintaining their own individual key-stores.

    Maybe it's just me, but I think that putting all your eggs in one basket is not smart. All it would take would be on critical vulnerability to be discovered and all of a sudden a potential attacker can get to all of your keys. Not good if you ask me.

    1. Re:Eggs and baskets by Just+Some+Guy · · Score: 5, Informative

      Maybe it's just me, but I think that putting all your eggs in one basket is not smart. All it would take would be on critical vulnerability to be discovered and all of a sudden a potential attacker can get to all of your keys. Not good if you ask me.

      I disagree. Right now, we're putting all our eggs in a bunch of half-assed baskets woven from tissue paper and lunchmeat. I'd much rather trust one well-audited, well-engineered solution than the 100 home rolled ones we have to trust now.

      KDE does this now with KWallet (although without the spiffy kernel-level protections the author claims that Windows supports). If I'm writing a KDE application, I don't have to worry about getting password storage right - some other folks who know a whole lot more about the problem have already taken care of it for me.

      I think this is good in the same way that using libc's strncmp is better than writing your own. Sure, there might be some undiscovered flaw lurking that's just waiting to open our systems to the world, and an environment of heterogeneous strncmp implementations would keep a successful attack from owning everything that links to libc. And yet, I have a lot of faith that the libc version is much better than anything I'm likely to come up with on my own.

      Finally, if an error in strncmp were to be discovered, an upgrade of one library file would fix every dynamically linked program on my system. If each of those programs used their own, then each one would have to be audited to make sure they weren't broken in a similar way. In the same way, an upgrade to KWallet helps every program that uses it. Other programs have to hope that new vulnerabilities are specific to KWallet's own code and not a more general problem.

      The Unix way is to build a tool that does one thing supremely well, then trust it. I think this is a prime candidate for the same treatment.

      By the way, I'm only using KWallet as an example because I'm familiar with it; I'd be even more interested in Theo de Raadt getting a wild hair and writing OpenSecureStore some weekend.

      --
      Dewey, what part of this looks like authorities should be involved?
    2. Re:Eggs and baskets by Anonymous Coward · · Score: 0

      You're right! Putting a copy of all your eggs into a dozen different baskets is the much better plan. Why spend all your time and energy developing a security plan for one important basket, when its so much more productive to develop a security plan for several equally important baskets?

    3. Re:Eggs and baskets by IkeTo · · Score: 1

      > Maybe it's just me, but I think that putting all your eggs in one basket is not smart.

      I don't know whether it is just you, but I'm sure I'm not with you.

      First, the eggs are "quantum encumbered", breaking one in a basket is equivalent to breaking the corresponding one in another basket. Most of the time, if you configure multiple ways store keys to access something sensitive (say, a server), the same access required in multiple ways, so you end up having the key (or keys of equivalent functionalities) in multiple places, breaking any of them allows attacker to access what you considered sensitive.

      Second, the baskets are quantum encumbered as well, in such a way that if one breaks, the probability that the other will break as well is higher. This is because in an open-source world, code get shared.

      Third, you have about the same amount of time to care the baskets no matter how many baskets you want to manage. No matter whether you have a single key ring application or 3, you only want to update your computer once per day, you only have those few hundred (say) of security experts capable of looking for security holes, etc.

      So I'll instead take the mantra "keep all your eggs in the same basket, and look after it carefully" instead of "keep your eggs in many different baskets".

    4. Re:Eggs and baskets by Anonymous Coward · · Score: 0

      Yes, good points, but if my way is better than yours and yours is compromised, I am still secure. I believe that is why some run 'alternative' software like MacOSX or Opera. Not that it always helps...

  8. Much like KDE's kwalletmanager by Straker+Skunk · · Score: 4, Informative

    Same idea in KDE, and I'm sure GNOME has a similar mechanism. Whether these are "OS-level" or "application-level" is a subtler question, but this has more to do with the situation that Linux desktop systems don't necessarily have a centrally-planned infrastructure in the manner of Windows or MacOS X, rather than that they haven't addressed this problem at all.

    --
    iSKUNK!
  9. Aladdin eToken by Vihai · · Score: 1

    They are quite good if you don't need frequent encryptions and signatures, well supported by openssh, opensc and openssl, less with gnupg, and firefox but I didn't experiment much.

    Just be sure to use the 32K version as the 64K version lacks support.

  10. If not, why? by HomelessInLaJolla · · Score: 1, Insightful
    Poor supplicant. You will never reach enlightenment if you still place your trust in secure keys and encryption algorithms. Have not the radar gun vs. radar detectors taught you anything? Has not copy protection taught you anything? Has not DVD, Blu-Ray, or iTunes taught you anything? Has not closed hardware taught you anything? These things are intricacies and crusades of people who are paid to assert that they have completed an impossible task. You ask for feats of engineering when reverse engineering is just as important.

    I will happily compile secure libraries, encryption algorithms, and maintain a basic level of privacy measures. I will never ever ever be deluded to think that "protected memory" is indeed protected, that "FIPS 140-1 level 1" is "the best one can get", or that "compliant" means anything other than sophisticated sounding advertising.

    This functionality (especially certified FIPS 140-1 or FIPS 140-2) would be nice to see in UNIX variants I'm sure that somewhere someone has made a program which you can pipe data to and from or which you can use as a wrapper around your network transactions (a la tcpwrapper).

    An additional application for this would be the ability to use hardware PKCS #11 tokens At one time railroad lines had two different track spacings and some roundhouses sported heavy machinery which could quickly change the wheelbases on locomotives and the train cars. Be careful of integration. There is profit motive in change (for the sake of change) and integration makes change very slow and painful.
    --
    the NPG electrode was replaced with carbon blac
  11. No by John.P.Jones · · Score: 4, Informative

    OpenSSL was just certified FIPS 140-2, that is NOT however level 2 it is version 2 of the standard. It was certified FIPS 140-2 level 1.

    1. Re:No by Anonymous Coward · · Score: 0

      And supposedly, certified in a way that if incorporated into an application, requires the application to be separately FIPS 140-2 certified.

  12. Protected memory by Gothmolly · · Score: 0, Troll

    The keys are stored in protected memory, so no applications can access them without going through the Microsoft CAPI calls.

    Rollofle, rollofle, rollofle.

    Sorry, now that I have that out of my system, consider if anything MS produces truly uses protected memory. Or maybe it does, but then you install some nefarious software, and that runs as system, and it hacks your buzzord-compliant encryption, and your game, as they say, is over.

    --
    I want to delete my account but Slashdot doesn't allow it.
    1. Re:Protected memory by Skreems · · Score: 1

      The thing is, this should be possible in theory. The operating system is the final arbiter of all ring 0 operations, and enforcing protected memory should be one of the basic things it does.

      --
      Slashdot needs a "-1, Wrong" moderation option.
      The Urban Hippie
    2. Re:Protected memory by Goaway · · Score: 2, Funny

      Yes, when there is no actual Microsoft vulnerability available, the crafty Slashdotter can just imagine that one exists, and still get that refershing feeling of superiority!

    3. Re:Protected memory by Phillup · · Score: 1

      The operating system is the final arbiter of all ring 0 operations, and enforcing protected memory should be one of the basic things it does. How's that 'final arbiter' stuff work with virtualization?

      Just wondering...
      --

      --Phillip

      Can you say BIRTH TAX
    4. Re:Protected memory by Harik · · Score: 3, Interesting

      Er, Lots of stuff lives in ring0, and any vulnerability in ANY of it removes your "protected memory".

      You can play games with hypervisors (can protect memory even from 'ring 0') or treacherous computing chips, or things like USB keystores with biometric authentication. But on vanilla 80386 machines, the best you're going to get is the OS to memlock() a few pages so they can't get swapped out to disk.

    5. Re:Protected memory by Gothmolly · · Score: 1

      Yes, when there is no actual Microsoft vulnerability

      Say that out loud a few times.

      --
      I want to delete my account but Slashdot doesn't allow it.
    6. Re:Protected memory by SirTalon42 · · Score: 1

      That'll protect against everything, yep... except other drivers... or DMA devices (I remember a while back someone created a USB device that when it was plugged into the computer could arbitrarily access all data in RAM because of problems with the USB stack), or having the OS ran in a VM, or simply using a key logger to capture the password. I've only seen the Windows password stuff come up a couple times (when writing a VBA application of all things!) and it didn't come up in the 'secure desktop' or anything so it most likely would have been vulnerable to any key logger.

    7. Re:Protected memory by Skreems · · Score: 1

      Well... I did say "in theory" :-) Allowing unrestricted access for any code labeled "driver" is just a blatantly retarded idea.

      I saw a couple people bring up the VM point... presumably if you're doing advanced things like running in a VM, you are aware that the hosted OS is vulnerable to any malicious programs in the host. Since the point of this system is to protect a user's data from malicious apps rather than from themselves (a la AACS), I wouldn't call that as big of a deal.

      --
      Slashdot needs a "-1, Wrong" moderation option.
      The Urban Hippie
    8. Re:Protected memory by poopdeville · · Score: 1

      i am in ur memoriez, hacking all ur encryption.

      --
      After all, I am strangely colored.
    9. Re:Protected memory by the_B0fh · · Score: 1

      Do people really not keep up with these kinds of shit? Go read Peter Gutmann's breakms paper, all 3 of them.

  13. Linux Kernel keyring; openCryptoki by omnirealm · · Score: 5, Informative

    Current versions of the Linux kernel have a key retention feature. For PKCS#11, there is openCryptoki.

    --
    An unjust law is no law at all. - St. Augustine
    1. Re:Linux Kernel keyring; openCryptoki by Wonko+the+Sane · · Score: 1

      Any idea if that mechanism addresses the DRAM "memory" effect described in this paper: http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_ del.html?

    2. Re:Linux Kernel keyring; openCryptoki by tlhIngan · · Score: 4, Interesting

      Any idea if that mechanism addresses the DRAM "memory" effect described in this paper: http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_ del.html?


      Having developed for embedded systems, I'm amazed at how well DRAM can retain data. I've had it such that RAM disks were preserved after power cycles (~1 second without power, and SDRAM controllers not initialized until many milliseconds after powerup). There was at one point a hack we had to implement in the bootloader to clear a bit of memory so a power cycle really would start clean.

      Heck, it's a great way when debugging - the OS could log all messages to the screen, but that greatly slows down operations. So we log into a circular RAM buffer. When the board crashes, we power cycle, then inspect the RAM buffer for the last few messages written.

      Out of curiousity, I once experimented to see how long the data was retained - I wrote a data pattern to RAM, looked at it back, then removed power for varying lengths of time. It can take anywhere from a few seconds to a minute before the data gets hopelessly corrupted. But before then, if you knew what you were looking for, you could find it.
    3. Re:Linux Kernel keyring; openCryptoki by Anonymous Coward · · Score: 0

      Same here with my notebook. Sometimes I can still see the last screen from graphics mode (i.e. the logout screen) when it is switched in to graphis again after a power cycle.

  14. What about by ET_Fleshy · · Score: 0, Offtopic

    truecrypt?

  15. Windows encryption trustworthy? by J'raxis · · Score: 1

    From "Vista encryption 'no threat' to computer forensics":

    We're seeing the same concerns with Vista as we saw with XP over the idea that built-in encryption features might frustrate law enforcement efforts. In practice XP has not proved to be a problem for computer forensics and we don't think Vista will be either," said Bill Thompson, director of professional development and training at Guidance Software.
    --
    Liberty in your lifetime
    1. Re:Windows encryption trustworthy? by ClamIAm · · Score: 1

      Um, Windows's crypto features don't hurt forensics work mostly because nobody uses them. I'm not sure if you're aware of this, but security systems tend not to work when you don't turn them on.

      However if every Windows user used these features maximally, these forensics people would probably be singing a different tune...

    2. Re:Windows encryption trustworthy? by J'raxis · · Score: 1

      I would hope so. In fact the next sentence in the article was Mr Thompson saying that "sometimes people use file wiping utilities or other tools but often they are not configured properly. People accept the default settings, which can leave fragments of data." So, yeah. Idiocy is its own rewar^W punishment. But the article also mentioned earlier that this BitLocker supports a second "recovery" key, so who knows how secure it is even if you use it right?

      --
      Liberty in your lifetime
    3. Re:Windows encryption trustworthy? by ClamIAm · · Score: 1
      Well, about the "recovery key":

      However, in corporate environments a BitLocker recovery key can be used to allow examination of target devices.

      This sounds to me more like a key that IT keeps hidden away until an investigation (government or otherwise) needs to be done.

      Even setting this aside, I think you're on the right track: the only people who really know how secure it is are the people who wrote it. And let's not count out exploits...
    4. Re:Windows encryption trustworthy? by J'raxis · · Score: 1

      Most likely, but I've heard enough about administrative backdoors in products to be suspicious. Of course, those are just secret passwords, not decryption keys, so it's not the same issue. But I'd be very suspicious of BitLocker, that in non-corporate environments, your copy of the OS might come conveniently pre-configured with a recovery key that only the OEM knows about.

      Not sure what's out there for OSX. Their standard FileVault supports a recovery password so it goes in the same boat as BitLocker in my opinion.
      --
      Liberty in your lifetime
  16. Well... by nacturation · · Score: 1

    It sounds like Linux needs a good dose of DRM to keep those keys secure.

    --
    Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
  17. Loopback filesystems? by Anonymous Coward · · Score: 0

    How about storing private keys in a small encrypted loopback filesystem? With something like pam_mount the password for the filesystem can also act as the user password.

    1. Re:Loopback filesystems? by ThePhilips · · Score: 2, Insightful

      People who need such protection all encrypt whole file system and do not bother with only password/key storage. Linux/UNIX does that for all time I know (Crypto Loop patches is probably oldest patch set for Linux). Windows/Vista I heard can this now. MacOS X allows only to encrypt user home directory what is sufficient in most situations - since keys belonging to user are always saved in user's home directory.

      That protection was needed by Windows XP and earlier since it didn't supported FS encryption. And even then people were selling special solutions with transparent hard drive encryption: BIOS asks for password and gives it to the hard drive and Windows goes on booting as usual.

      --
      All hope abandon ye who enter here.
  18. Not necessarily provided... by Kalzus · · Score: 1

    ...in that form because it's rather domain-specific to Windows. But there are hardware devices out there and drivers that provide interfaces to said harware to provide similar bits.

    Most security doctrines operate with the conviction that physical access to the box, along with enough time and resources, negates all possible security measures.

    --
    "The Devil does not know a lot because He's the Devil, He knows a lot because he's old." -- unknown
  19. Lack of central planning is the problem here by tepples · · Score: 2, Insightful

    this has more to do with the situation that Linux desktop systems don't necessarily have a centrally-planned infrastructure in the manner of Windows or MacOS X, rather than that they haven't addressed this problem at all. This lack of a centrally-planned infrastructure is exactly the problem in this case. Some developers, especially government contractors, want assurance of the quality of code, and their idea of assurance is papers stating that a corporation has put money into improving and certifying a given solution to a given government-approved standard.
  20. Trusted Platform Module by tepples · · Score: 1

    How's that 'final arbiter' stuff work with virtualization? The TPM distinguishes virtualization from running on bare hardware by logging boot time activity. If the hypervisor passes TPM calls through to the TPM hardware, then the TPM will show that two operating systems are loaded (the host and the client), and apps running on the emulated OS can detect this. If the hypervisor emulates a TPM, then Trusted Computing Group will sign the emulated TPM's public key with an "emulator" signature (not a "hardware" signature), and apps running on the emulated OS can detect this as well.
    1. Re:Trusted Platform Module by _damnit_ · · Score: 1

      Very nice. Wish I had mod points. What if you are using plain BIOS motherboard with no TPM? Good question. I suppose running on vmware or other vm would invalidate any certification based on running bare metal.

      --


      _damnit_

      It's my job to freeze you. -- Logan's Run
  21. Smart Card by Jeffrey+Baker · · Score: 1

    A smart card is the best place to keep your private keys. The key is generated on the card, and never leaves. It is not even possible to get private keys off a smart card, except (perhaps) with an electron microscope.

    1. Re:Smart Card by mr_death · · Score: 2, Interesting

      At the RSA conference three years ago, you could bring your smart card to many booths and they would extract the private key in less than 5 minutes. I have no reason to believe that the problem has become any harder.

      True, a smart card (compared to a normal PC) sucks less, but it still sucks.

      --
      It's Linux, damnit! Pay no attention to renaming attempts by self-aggrandizing blowhards.
    2. Re:Smart Card by 12dec0de · · Score: 1

      True, a smart card (compared to a normal PC) sucks less, but it still sucks.

      Hmm... another comment that shows how little anybody here knows anything about security hard- and software.

      There are so many different types of smartcards. And those with validated key protection schemes (CC, FIPS, etc.) you will not get at at all. But if you are only willing to pay for a memory card I would consider 5 Minutes rather long.

      mfg lutz
    3. Re:Smart Card by mr_death · · Score: 1

      Hmm... another comment that shows how little anybody here knows anything about security hard- and software.

      And, of course, you're omniscient, so you know everything.

      And those with validated key protection schemes (CC, FIPS, etc.) you will not get at at all.

      Bullshit. Tamper resistance on these devices is a joke. Data can be sniffed, either on board or between devices. Biometrics are spoofable. PINs are simple. Keys can be found.

      Worshiping at the altar of Common Criteria and FIPS does little more than assure you didn't do something really stupid. Those standards are not sufficient for real security.

      But, of course, you're free to keep deluding yourself.

      --
      It's Linux, damnit! Pay no attention to renaming attempts by self-aggrandizing blowhards.
    4. Re:Smart Card by corychristison · · Score: 1

      Smart Card
      Oh neat! Is that one of those new fangled daemons for them new fangled Smart Car's I've been hearing so much about?

      ;-)
  22. not possible by mr_death · · Score: 1

    Any current operating system (yes, linux too) has too many built-in security holes (inadvertent or otherwise), which makes secure storage of anything, including private keys, a joke. At some point, the key must appear in the clear to be useful; for that time, the key is vulnerable to sniffing.

    Just as some of the keys for HD DVDs have been found, given a determined adversary, your private key will be found.

    We can talk about "less vulnerable" private key storage, but I don't think that's what you had in mind.

    --
    It's Linux, damnit! Pay no attention to renaming attempts by self-aggrandizing blowhards.
  23. I think we did this first... by SanityInAnarchy · · Score: 2, Insightful

    ... but what's magical about the "OS level"? According to Microsoft, Internet Explorer is part of the OS, so anything they say about "OS level" is really irrelevant.

    Offline, it's encrypted by a combination of the user's password and a session key stored on the filesystem.

    We've been mounting home directories on encrypted filesystems for decades, so that's one way to do this. OS X has this built in and very easy to enable.

    When the OS is running, the private keys stored are available to the logged in user, optionally encrypted with another password.

    Which is pretty much how we do this already; just read the file. If the user had a passphrase, use that to decrypt it.

    The keys are stored in protected memory, so no applications can access them without going through the Microsoft CAPI calls.

    Well, on Unix, no application can access any other application's memory, period. End of story.

    There are ways around this -- you could do tricks with kernel memory, or you could read it off the swapfile. However, I believe there is a way to request that a specific chunk of memory never be swapped out, and while it's in RAM, if your kernel's safe, your app is safe. And it's always possible to run without swap, or encrypt your swap.

    On Windows, I believe you can "attach" to a running process with a debugger. On Unix, if you want to debug, you have to start the app in a debugger, because once it's running, the app's memory is its own. Only way you can "attach" then is if the app specifically has a way to do that -- for instance, browser plugins are essentially an app deliberately loading code from somewhere else into itself and running it. But if an app doesn't go out of its way to let you in, you aren't getting in, and if your kernel is owned, so are you, even on Windows.

    MacOS's key-chain functionality is similar, but stores at the application level, and is not FIPS compliant.

    What does FIPS compliance mean?

    And once again, "application level" is a pointless distinction. Yes, there are mechanisms for storing keys at the kernel level, but in my mind, that's less secure because it's much more complex for no good reason.

    An implementation of the protected store functionality will allow applications like Firefox, Thunderbird and gpg to have one common place to obtain private keys and certificates rather than maintaining their own individual key-stores.

    So have them all use libgpg or something. But what is the advantage?

    In Thunderbird, I have a PGP key that I sign my mail with, and I have a password that I use to connect to the server. In Firefox, I have an entirely different set of passwords, and the public keys to some Certificate Authorities. Firefox needs none of the Thunderbird keys/passwords, and vice versa. On the commandline, I have an ssh key, which I use to shell in to other boxes -- which is a key that I don't use in Firefox or Thunderbird.

    What's the advantage of putting these all in the same app? And what's the advantage of that app being "OS level"?

    Ultimately, the only advantage I see is with something like OpenID. It'd be nice if I could use the same keys I use with ssh to gain access to my OpenID server. Unfortunately, I haven't managed to get my hands on a working server implementation of OpenID, so that's moot.

    --
    Don't thank God, thank a doctor!
    1. Re:I think we did this first... by Anonymous Coward · · Score: 3, Informative

      On Windows, I believe you can "attach" to a running process with a debugger. On Unix, if you want to debug, you have to start the app in a debugger, because once it's running, the app's memory is its own. Only way you can "attach" then is if the app specifically has a way to do that -- for instance, browser plugins are essentially an app deliberately loading
      code from somewhere else into itself and running it. But if an app doesn't go out of its way to let you in, you aren't getting in, and if your kernel is owned, so are you, even on Windows. huh?

      what about
        strace -p pid
        gdb program pid
    2. Re:I think we did this first... by jallen02 · · Score: 1

      The advantage is that it takes advantages of Windows authentication to do all of the encryption operations so it greatly reduces the overhead for the programmers dealing with the DPAPI. It really seems like an easy thing to dismiss, but then you have to consider how horribly most developers screw up crypto in their applications and the DPAPI makes a lot more sense.

    3. Re:I think we did this first... by rastos1 · · Score: 1

      On Windows, I believe you can "attach" to a running process with a debugger. On Unix, if you want to debug, you have to start the app in a debugger, because once it's running, the app's memory is its own.
      That's why man gdb says:

      You can, instead, specify a process ID as a second argument, if you want to debug a running process:

      gdb program 1234

      An implementation of the protected store functionality will allow applications like Firefox, Thunderbird and gpg to have one common place to obtain private keys and certificates rather than maintaining their own individual key-stores.
      So have them all use libgpg or something. But what is the advantage?
      FAQ. There is no libgpg, and probably never will be.
    4. Re:I think we did this first... by SanityInAnarchy · · Score: 1

      Aha. Then libssl, which seems to be used by everything but gpg.

      It does seem I was entirely wrong about "attaching" to a running process. Fortunately for me, it doesn't actually affect me, as I don't use passphrases much. If you have physical access, or if you have my local user account, you've 0wned me already.

      --
      Don't thank God, thank a doctor!
    5. Re:I think we did this first... by Anonymous Coward · · Score: 0

      OpenID is a web-based authentication method only. It relies on HTTP redirects.

  24. Secstore & Factotum are exactly you need by DrSkwid · · Score: 1


    For Lunix :
    http://swtch.com/plan9port/man/man1/secstored.html
    http://swtch.com/plan9port/man/man4/factotum.html

    in which you can store *any* data, factotum will get the individual keys out for you

    --
    There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
  25. Plan 9's Factotum by Darren+Bane · · Score: 2, Interesting

    Plan 9 has such a central key repository. It's called Factotum, and the best description is the USENIX paper. It has been ported to other UNIX-likes by the plan9port project.

    --
    Darren Bane
    1. Re:Plan 9's Factotum by Bob+Uhl · · Score: 1

      Plan 9 did a lot of stuff well & smartly, generally out-Unixing Unix. Unfortunately, it came along too late--and was proprietary for too long--making its market impact pretty much nil. Which once again proves that if one wants to change the world, one really ought to free one's code.

  26. Hardware Security Modules by gzunk · · Score: 1

    Maybe it's not in Unix because there are better alternatives for "real" systems?

    For example the IBM 4764 Cryptographic Coprocessor? They're expensive, but more secure than anything a basic machine / operating system could provide. But if you're developing a system that actually has a need for secure keys then surely a price worth paying?

    In my view, anything like this built into the operating system is a "poor mans" secure store. Something a home use might like, but certainly not something you'd want to use in a mission critical production system.

  27. Attaching debugger to running process in Linux by Hannes+Eriksson · · Score: 3, Informative

    SanityInAnarchy has apparently not been doing a lot of development in a UNIX environment. While I don't blame him/her for potentially missing out on the ptrace syscall, as it's not mentioned in Stevens' Advanced Programming in the UNIX Environment, I do find it a bit sad that he/she makes such bold statements about the security of a computer system without checking at least the valid command line parameters to one of the tools he is referring to. Luckily an Anonymous Coward already told the world about two of these.

    For those not familiar with the ptrace syscall, here is some info about linux ptrace:

    • You have to have super-user privileges, CAP_SYS_PTRACE capabilities or be able to send signals to the process to "attach to". The first parts means you is or have the permission of the system administrator or compromised the system. The last part basically means that you can also poke around at will in "your own" (or all processes for the same user account you've hacked) processes.
    • It is possible to read and write all process memory and registers. Basically, this means that you can run, you can obfuscate, but you cannot hide your crypto keys. Not from yourself or a particularly Evil sysadm, that is.
    • Even if the traced process receives a signal from the tracing, it is already too late to do anything about it once it regains control over it's operation.

    Detecting that you're being traced is possible, but it equally possible to circumvent possible detection by tracing at the correct time, deliver spoofed signals, modifying memory in the traced process to avoid being detected. In short: if you cannot trust your system administrator and yourself (at least all processes running as you) you are out of luck as to local security. Network security is one step worse, in that you have to trust even more persons.

    Oh, and don't use trustno1 as password!

    --
    Geek rants since like... 2000 or something.
  28. Is windows key storage FIPS compliant?? by durgaprasad_j · · Score: 1

    Because the author is saying that it uses password & some session key to encrypt. That means, it must be internally generating encryption key from password & encrypt. As for FIPS, password based key derivation functions are not allowed in FIPS mode [PBKDF. I think it is PKCS#5]. One key storage solution is using FIPS compliant hardware to store the keys [using pkcs#11].

  29. Encrypted keys in memory? You sure? by the_B0fh · · Score: 1

    According to the breakms papers from Peter Gutmann, the cryptoapi has to store the private keys in the clear, in memory, and this is true from windows 3.1 to XP. No idea about vista.

    Wait - *you* the user needs to supply a password to access it, so it looks secure, but the actual key, in memory, is kept in the clear, unencrypted. Don't think just because the system asks for a password that your data is actually secured.

  30. Re:I think we did this first... MOD THIS DOWN by Anonymous Coward · · Score: 0

    This is absolute rubbish. Why is it "3 insightful"?

    > On Unix, if you want to debug, you have to start the app in a debugger, because once it's running,
    > the app's memory is its own.

    I don't mind the poster being ignorant, but I do object to them getting modded up for it.

    gdb -p

  31. Windows is certified by the government... by Anonymous Coward · · Score: 0
    ...because they have ***EXCELLENT*** lobbyists that lobby to get whatever-microsoft-already-did to be the required feature in the Certifications.


    I currently work in government sales for software - and no matter how much you love Linux, IF YOU'RE SELLING TO THE FEDS PARTNER WITH MICROSOFT( OR ORACLE). Their lobbyists really are that good.


    Once there's legislation requiring your software's features - even if they're stupid ones and worse in all ways than similar features of competitors - you will win the sale. This is *especially* true if your competitor starts arguing that their software is better based on technical merits, and the government buyers start insisting that they replace their strong technology with weaker stuff to comply with the law

  32. Re:I think we did this first... MOD THIS DOWN by SanityInAnarchy · · Score: 1

    You're right, there needs to be a "-1 Wrong" mod for just this kind of stupidity.

    I apologize.

    --
    Don't thank God, thank a doctor!
  33. Dont be fooled!!! by Netino · · Score: 0

    That Windows key is *completely* accessible when Windows is off. When you mount the Windows filesystem (NTFS) via Linux, for example, the entries are encripted, by you can crack them in minutes. So, this is only security by obscurity. Regards, Netino