Secure Private Key Storage for UNIX? 95
An anonymous reader asks: "Microsoft Windows, from 2000 forward (except ME) offers secure certificate and private storage at the OS level in what is called a protected store. Offline, it's encrypted by a combination of the user's password and a session key stored on the filesystem. When the OS is running, the private keys stored are available to the logged in user, optionally encrypted with another password. The keys are stored in protected memory, so no applications can access them without going through the Microsoft CAPI calls. This code also is FIPS 140-1 level 1 (the best one can get for software cryptography modules) compliant." Does any other OS provide this kind of feature at the OS-level? If so, who? If not, why?
This functionality (especially certified FIPS 140-1 or FIPS 140-2) would be nice to see in UNIX variants. MacOS's key-chain functionality is similar, but stores at the application level, and is not FIPS compliant. An implementation of the protected store functionality will allow applications like Firefox, Thunderbird and gpg to have one common place to obtain private keys and certificates rather than maintaining their own individual key-stores. An additional application for this would be the ability to use hardware PKCS #11 tokens.
I am wondering why this functionality does not exist at the OS level in most OSes except Windows. A number of applications on many platforms have this functionality, but its at the app level, with their own key-stores, and not a standard at the OS level."
I am wondering why this functionality does not exist at the OS level in most OSes except Windows. A number of applications on many platforms have this functionality, but its at the app level, with their own key-stores, and not a standard at the OS level."
Well duh.. (Score:4, Insightful)
Re: (Score:3, Informative)
He didn't specify Linux, he said UNIX.
Re: (Score:2)
Re: (Score:1)
Re: (Score:2)
Re: (Score:1, Funny)
Re: (Score:1, Flamebait)
Re: (Score:2, Insightful)
You may be correct in your facts, but that's immaterial when you stoop to personal attacks and condescending attitude. A mature response would include correcting facts with cited sources.
Re: (Score:1)
Re: (Score:2)
Re: (Score:2)
AIX is far from dead, whatever you may want to believe.
Re: (Score:2)
Re: (Score:2)
Seriously, AIX and HP-UX both have kick-ass volume management. Check out Dynamic Root Disk from HP... whoa, cool! And it only works if you have a real LVM
Re: (Score:2, Interesting)
If you have more that say a dozen processes mmaping a file and one of those procs makes a change all the others _MUST_ be interrupted to have their in proc. memory cleaned up. This becomes an even larger problem when you have hundreds of procs mmaping the same file.
Re: (Score:3, Informative)
HP has 3 (4?) flavors of UNIX:
http://welcome.hp.com/country/us/en/prodserv/serve rs.html [hp.com]
HP-UX, Linux, Tru64
They also have UnixWare, though I'm not sure if that's UNIX or an application suite for UNIX, or something that is "kinda like but not really" UNIX.
VMS is not UNIX, so I won't count that.
Given that these are "for sale", I don't think "dead" is quite the appropriate term.
You can drop out Linux since it's not a IBM creation, reducing their number of Unix OSes by 1, but th
Re: (Score:1)
Re: (Score:2, Interesting)
But seriously, I've wondered about the same question as the OP and have never found anything good. The closest was setting file system permissions on the key file as someone else mentioned.
Is it not possible?
Re: (Score:2)
The centralized aspect of Microsoft's solution is the only thing that is seriously different on Linux.. as it is hard to get distributed developers not to duplicate each other's work.
The keys are encrypted in much the same way.
Re: (Score:1)
It's not really more secure.. if anything it's less secure, it's just more convenient sometimes.
MS needs to use "protected memory" arises only because in windows, you don't necessarily need to be root to mess with other process' memory areas. If a skilled hacker needed to access that memory store badly enough, they could very likely write a kernel driver or otherwise patch the OS to open the little hole they need.
Since the encryption of your certificate is bound to your login password, what do you
Re: (Score:2)
Seriously, this is a somewhat complicated operation, and there's little that the kernel can do to keep your data private that an application would be unable to do. Getting access to another process's memory is not a trivial task; it probably requires some trickery with the MMU, and the kernel's in the way. So you could ask for a system call to prevent this from happening, but is there anything else the kernel can do for itself that it can't do for ap
Is windows key storage FIPS compliant?? (Score:1)
OS X Keychain is not "application level" (Score:5, Informative)
Much like KDE's kwalletmanager (Score:5, Informative)
Lack of central planning is the problem here (Score:3, Insightful)
this has more to do with the situation that Linux desktop systems don't necessarily have a centrally-planned infrastructure in the manner of Windows or MacOS X, rather than that they haven't addressed this problem at all.
This lack of a centrally-planned infrastructure is exactly the problem in this case. Some developers, especially government contractors, want assurance of the quality of code, and their idea of assurance is papers stating that a corporation has put money into improving and certifying a given solution to a given government-approved standard.
Keychain is at the application level? (Score:4, Informative)
I'm not sure what they're trying to claim here, but unless their definition of OS means "kernel", the Mac OS X (and classic Mac OS, AFAIK) keychain most certainly is an OS-level service. Keychain items can be shared among all applications, though most applications limit access to these items to a list of trusted applications for obvious security reasons.
I don't know about the question of protected memory or FIPS certification, but the rest of this question just seemed like FUD to me.
Re: (Score:1, Troll)
Re: (Score:1)
I can't find the button that silences the person asking the original question. Is it because I'm using this damn Lunix thing? Another bloody feature it doesn't provide.
I'm just curious - did you come here and post because you work in the field of security and were interested in the question? Or did you come here just to disrupt the discussion with your two "Lunix zealots - LOL!" oneliners? If it's the latter, as it s
Re: (Score:2)
chmod 600 (Score:2, Informative)
Just make sure to store the key encrypted with a passphrase
FIPS Levels (Score:3, Insightful)
That's odd, OpenSSL was just certified to level 2 (FIPS 140-2). [linux.com]
Re: (Score:1, Funny)
Yeah? My cryptography goes to 11.
No (Score:5, Informative)
Eggs and baskets (Score:5, Insightful)
An implementation of the protected store functionality will allow applications like Firefox, Thunderbird and gpg to have one common place to obtain private keys and certificates rather than maintaining their own individual key-stores.
Maybe it's just me, but I think that putting all your eggs in one basket is not smart. All it would take would be on critical vulnerability to be discovered and all of a sudden a potential attacker can get to all of your keys. Not good if you ask me.
Re:Eggs and baskets (Score:5, Informative)
I disagree. Right now, we're putting all our eggs in a bunch of half-assed baskets woven from tissue paper and lunchmeat. I'd much rather trust one well-audited, well-engineered solution than the 100 home rolled ones we have to trust now.
KDE does this now with KWallet (although without the spiffy kernel-level protections the author claims that Windows supports). If I'm writing a KDE application, I don't have to worry about getting password storage right - some other folks who know a whole lot more about the problem have already taken care of it for me.
I think this is good in the same way that using libc's strncmp is better than writing your own. Sure, there might be some undiscovered flaw lurking that's just waiting to open our systems to the world, and an environment of heterogeneous strncmp implementations would keep a successful attack from owning everything that links to libc. And yet, I have a lot of faith that the libc version is much better than anything I'm likely to come up with on my own.
Finally, if an error in strncmp were to be discovered, an upgrade of one library file would fix every dynamically linked program on my system. If each of those programs used their own, then each one would have to be audited to make sure they weren't broken in a similar way. In the same way, an upgrade to KWallet helps every program that uses it. Other programs have to hope that new vulnerabilities are specific to KWallet's own code and not a more general problem.
The Unix way is to build a tool that does one thing supremely well, then trust it. I think this is a prime candidate for the same treatment.
By the way, I'm only using KWallet as an example because I'm familiar with it; I'd be even more interested in Theo de Raadt getting a wild hair and writing OpenSecureStore some weekend.
Re: (Score:1)
I don't know whether it is just you, but I'm sure I'm not with you.
First, the eggs are "quantum encumbered", breaking one in a basket is equivalent to breaking the corresponding one in another basket. Most of the time, if you configure multiple ways store keys to access something sensitive (say, a server), the same access required in multiple ways, so you end up having the key (or keys of equivalent functionalities)
Aladdin eToken (Score:2)
They are quite good if you don't need frequent encryptions and signatures, well supported by openssh, opensc and openssl, less with gnupg, and firefox but I didn't experiment much.
Just be sure to use the 32K version as the 64K version lacks support.
If not, why? (Score:2, Insightful)
Re: (Score:2)
Re: (Score:2)
Just wondering...
Trusted Platform Module (Score:2)
How's that 'final arbiter' stuff work with virtualization?
The TPM distinguishes virtualization from running on bare hardware by logging boot time activity. If the hypervisor passes TPM calls through to the TPM hardware, then the TPM will show that two operating systems are loaded (the host and the client), and apps running on the emulated OS can detect this. If the hypervisor emulates a TPM, then Trusted Computing Group will sign the emulated TPM's public key with an "emulator" signature (not a "hardware" signature), and apps running on the emulated OS can detect
Re: (Score:2)
Re:Protected memory (Score:4, Interesting)
You can play games with hypervisors (can protect memory even from 'ring 0') or treacherous computing chips, or things like USB keystores with biometric authentication. But on vanilla 80386 machines, the best you're going to get is the OS to memlock() a few pages so they can't get swapped out to disk.
Re: (Score:2)
Re: (Score:2)
I saw a couple people bring up the VM point... presumably if you're doing advanced things like running in a VM, you are aware that the hosted OS is vulnerable to any malicious programs in the host. Since the point of this system is to protect a user's data from malicious apps rather than from themselves (a la AACS), I wouldn't call that as big of a deal.
Re: (Score:3, Funny)
Re: (Score:1)
Say that out loud a few times.
Re: (Score:1)
Re: (Score:1)
Linux Kernel keyring; openCryptoki (Score:5, Informative)
Re: (Score:2)
Re:Linux Kernel keyring; openCryptoki (Score:5, Interesting)
Having developed for embedded systems, I'm amazed at how well DRAM can retain data. I've had it such that RAM disks were preserved after power cycles (~1 second without power, and SDRAM controllers not initialized until many milliseconds after powerup). There was at one point a hack we had to implement in the bootloader to clear a bit of memory so a power cycle really would start clean.
Heck, it's a great way when debugging - the OS could log all messages to the screen, but that greatly slows down operations. So we log into a circular RAM buffer. When the board crashes, we power cycle, then inspect the RAM buffer for the last few messages written.
Out of curiousity, I once experimented to see how long the data was retained - I wrote a data pattern to RAM, looked at it back, then removed power for varying lengths of time. It can take anywhere from a few seconds to a minute before the data gets hopelessly corrupted. But before then, if you knew what you were looking for, you could find it.
Windows encryption trustworthy? (Score:1)
From " Vista encryption 'no threat' to computer forensics [theregister.co.uk]":
Re: (Score:1)
However if every Windows user used these features maximally, these forensics people would probably be singing a different tune...
Re: (Score:1)
I would hope so. In fact the next sentence in the article was Mr Thompson saying that "sometimes people use file wiping utilities or other tools but often they are not configured properly. People accept the default settings, which can leave fragments of data." So, yeah. Idiocy is its own rewar^W punishment. But the article also mentioned earlier that this BitLocker supports a second "recovery" key, so who knows how secure it is even if you use it right?
Re: (Score:1)
This sounds to me more like a key that IT keeps hidden away until an investigation (government or otherwise) needs to be done.
Even setting this aside, I think you're on the right track: the only people who really know how secure it is are the people who wrote it. And let's not count out exploits...
Re: (Score:2)
Most likely, but I've heard enough about administrative backdoors in products to be suspicious. Of course, those are just secret passwords, not decryption keys, so it's not the same issue. But I'd be very suspicious of BitLocker, that in non-corporate environments, your copy of the OS might come conveniently pre-configured with a recovery key that only the OEM knows about.
Not sure what's out there for OSX. Their standard FileVault supports a recovery password
Well... (Score:2)
Re: (Score:3, Insightful)
People who need such protection all encrypt whole file system and do not bother with only password/key storage. Linux/UNIX does that for all time I know (Crypto Loop patches is probably oldest patch set for Linux). Windows/Vista I heard can this now. MacOS X allows only to encrypt user home directory what is sufficient in most situations - since keys belonging to user are always saved in user's home directory.
That protection was needed by Windows XP and earlier since it didn't supported FS encryption. A
Not necessarily provided... (Score:2)
Most security doctrines operate with the conviction that physical access to the box, along with enough time and resources, negates all possible security measures.
Smart Card (Score:2)
Re: (Score:3, Interesting)
True, a smart card (compared to a normal PC) sucks less, but it still sucks.
Re: (Score:2)
Hmm... another comment that shows how little anybody here knows anything about security hard- and software.
There are so many different types of smartcards. And those with validated key protection schemes (CC, FIPS, etc.) you will not get at at all. But if you are only willing to pay for a memory card I would consider 5 Minutes rather long.
mfg lutz
Re: (Score:2)
And, of course, you're omniscient, so you know everything.
And those with validated key protection schemes (CC, FIPS, etc.) you will not get at at all.
Bullshit. Tamper resistance on these devices is a joke. Data can be sniffed, either on board or between devices. Biometrics are spoofable. PINs are simple. Keys can be found.
Worshiping at the altar of Common Criteria and FIPS does little more than assure
Re: (Score:2)
not possible (Score:2)
Just as some of the keys for HD DVDs have been found, given a determined adversary, your private key will be found.
We can talk about "less vulnerable" private key storage, but I don't think that's what you had in mind.
I think we did this first... (Score:3, Insightful)
... but what's magical about the "OS level"? According to Microsoft, Internet Explorer is part of the OS, so anything they say about "OS level" is really irrelevant.
We've been mounting home directories on encrypted filesystems for decades, so that's one way to do this. OS X has this built in and very easy to enable.
Which is pretty much how we do this already; just read the file. If the user had a passphrase, use that to decrypt it.
Well, on Unix, no application can access any other application's memory, period. End of story.
There are ways around this -- you could do tricks with kernel memory, or you could read it off the swapfile. However, I believe there is a way to request that a specific chunk of memory never be swapped out, and while it's in RAM, if your kernel's safe, your app is safe. And it's always possible to run without swap, or encrypt your swap.
On Windows, I believe you can "attach" to a running process with a debugger. On Unix, if you want to debug, you have to start the app in a debugger, because once it's running, the app's memory is its own. Only way you can "attach" then is if the app specifically has a way to do that -- for instance, browser plugins are essentially an app deliberately loading code from somewhere else into itself and running it. But if an app doesn't go out of its way to let you in, you aren't getting in, and if your kernel is owned, so are you, even on Windows.
What does FIPS compliance mean?
And once again, "application level" is a pointless distinction. Yes, there are mechanisms for storing keys at the kernel level, but in my mind, that's less secure because it's much more complex for no good reason.
So have them all use libgpg or something. But what is the advantage?
In Thunderbird, I have a PGP key that I sign my mail with, and I have a password that I use to connect to the server. In Firefox, I have an entirely different set of passwords, and the public keys to some Certificate Authorities. Firefox needs none of the Thunderbird keys/passwords, and vice versa. On the commandline, I have an ssh key, which I use to shell in to other boxes -- which is a key that I don't use in Firefox or Thunderbird.
What's the advantage of putting these all in the same app? And what's the advantage of that app being "OS level"?
Ultimately, the only advantage I see is with something like OpenID. It'd be nice if I could use the same keys I use with ssh to gain access to my OpenID server. Unfortunately, I haven't managed to get my hands on a working server implementation of OpenID, so that's moot.
Re: (Score:3, Informative)
On Windows, I believe you can "attach" to a running process with a debugger. On Unix, if you want to debug, you have to start the app in a debugger, because once it's running, the app's memory is its own. Only way you can "attach" then is if the app specifically has a way to do that -- for instance, browser plugins are essentially an app deliberately loading
code from somewhere else into itself and running it. But if an app doesn't go out of its way to let you in, you aren't getting in, and if your kernel is owned, so are you, even on Windows.
huh?
what about
strace -p pid
gdb program pid
Attaching debugger to running process in Linux (Score:4, Informative)
SanityInAnarchy has apparently not been doing a lot of development in a UNIX environment. While I don't blame him/her for potentially missing out on the ptrace syscall, as it's not mentioned in Stevens' Advanced Programming in the UNIX Environment, I do find it a bit sad that he/she makes such bold statements about the security of a computer system without checking at least the valid command line parameters to one of the tools he is referring to. Luckily an Anonymous Coward already told the world about two of these.
For those not familiar with the ptrace syscall, here is some info about linux ptrace:
Detecting that you're being traced is possible, but it equally possible to circumvent possible detection by tracing at the correct time, deliver spoofed signals, modifying memory in the traced process to avoid being detected. In short: if you cannot trust your system administrator and yourself (at least all processes running as you) you are out of luck as to local security. Network security is one step worse, in that you have to trust even more persons.
Oh, and don't use trustno1 as password!
Re: (Score:2)
Re: (Score:2)
That's why man gdb says:
You can, instead, specify a process ID as a second argument, if you want to debug a running process:
gdb program 1234
Re: (Score:2)
It does seem I was entirely wrong about "attaching" to a running process. Fortunately for me, it doesn't actually affect me, as I don't use passphrases much. If you have physical access, or if you have my local user account, you've 0wned me already.
Re: (Score:2)
I apologize.
Secstore & Factotum are exactly you need (Score:2)
For Lunix :
http://swtch.com/plan9port/man/man1/secstored.htm
http://swtch.com/plan9port/man/man4/factotum.html [swtch.com]
in which you can store *any* data, factotum will get the individual keys out for you
Plan 9's Factotum (Score:2, Interesting)
Re: (Score:2)
Hardware Security Modules (Score:1)
For example the IBM 4764 Cryptographic Coprocessor? They're expensive, but more secure than anything a basic machine / operating system could provide. But if you're developing a system that actually has a need for secure keys then surely a price worth paying?
In my view, anything like this built into the operating system is a "poor mans" secure store. Something a home use might like, but certainly not something you'd want to use
Encrypted keys in memory? You sure? (Score:1)
Wait - *you* the user needs to supply a password to access it, so it looks secure, but the actual key, in memory, is kept in the clear, unencrypted. Don't think just because the system asks for a password that your data is actually secured.