That's all well and good for a Unix environment, but what about on Windows? No chown or chmod on there!
I believe that it is sometimes useful for the passphrase to be requested by Stunnel on startup (on the client side), but you all make valid points.
Paul.
--- Vasil Dimov vd@datamax.bg wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On Wed, Jun 22, 2005 at 04:30:56PM -0700, Joseph Mocker wrote:
It depends on how the machine were broken.
Presumably if you
were that hell-bent on using passprhases on
private keys, you'd
likely isolate stunnel to run as an unpriviledged
user in a chrooted That is a good idea anyway :)
environment, and you may very well set the
coredump size to zero
and remove a debugger all together. So unless the
user was able
to break root, the effects of the break-in might
be minimized.
Private key stealing table:
- the key and the plain text file, holding the
password (if any) should always be chown root and chmod 400
- stunnel is the (unprivileged) user stunnel is
running as
- we assume that stunnel is running at the time of
breakage, because this is the worst case.
key storage \ break as root stunnel other user
unencrypted key YES YES NO
crypted key/password in text file YES YES NO
crypted key/password entered at startup YES YES NO
As we see there is no difference if the private key will be kept crypted or unencrypted with or without text file holding the passphrase.
What happens if the stunnel daemon is not running during the breakage? Note that this is an optimistic suggestion and we should not rely on it.
key storage \ break as root stunnel other user
unencrypted key YES NO NO
crypted key/password in text file YES NO NO
crypted key/password entered at startup NO NO NO
So the only difference in all cases is if stunnel is not running and the hacker gets root on the machine and the key is crypted and the password is entered at startup - then it will not be possible to steal the private key.
As a conclusion, it is obviously - that there is really no sense to keep the password in a text file and it makes a LITTLE sense if the password is entered at startup - in just one, rare, case this setup will save the private key.
-----BEGIN PGP SIGNATURE-----
iD8DBQFCunHRFw6SP/bBpCARAtN4AJ0TBfANXVyyLNKojIaFzb1E/7WBqQCeIcop rAqsbhJmK9oBYg/Rb9iJzSE= =rFAJ -----END PGP SIGNATURE----- _______________________________________________ stunnel-users mailing list stunnel-users@mirt.net http://stunnel.mirt.net/mailman/listinfo/stunnel-users
_________________________________________________________________ Sell your car for $9 on carpoint.com.au http://www.carpoint.com.au/sellyourcar
I believe there is one way the private key can be protected on Windows:
You could use the Windows file system encryption to only allow certain users (e.g. Stunnel) to access the file(s). Then, you can simply set Stunnel up so that it is launched with a "RunAs"... thus prompting the user for a password.
Paul.
From: Alaric Dailey alaricd@pengdows.com To: Paul Jones jonesy_boy10@hotmail.com CC: mock@misfit.dhs.org, colin@mms3.com, stunnel-users@mirt.net Subject: Re: [stunnel-users] Passphrase validation Date: Fri, 24 Jun 2005 08:06:42 -0500
<< multipart3 >> << smime.p7s >> _______________________________________________ stunnel-users mailing list stunnel-users@mirt.net http://stunnel.mirt.net/mailman/listinfo/stunnel-users
_________________________________________________________________ Have fun with your mobile! Ringtones, wallpapers, games and more. http://fun.mobiledownloads.com.au/191191/index.wl
-
Alaric Dailey -
Paul Jones