Ivanko B | 21 Apr 17:06 2012

Is crossplatform in-memory file or file descriptor possible ?

So that it can be used as a way of passing a password to OpenSSL.
Mainly needed to provide a secure way of passing a private key after
decrypting the encrypted file presenting the key.

------------------------------------------------------------------------------
For Developers, A Lot Can Happen In A Second.
Boundary is the first to Know...and Tell You.
Monitor Your Applications in Ultra-Fine Resolution. Try it FREE!
http://p.sf.net/sfu/Boundary-d2dvs2
Martin Schreiber | 21 Apr 18:28 2012

Re: Is crossplatform in-memory file or file descriptor possible ?

On Saturday 21 April 2012 17:06:18 Ivanko B wrote:
> so that can be used as a way of passing password to OpenSSL.
> Mainly needed to  provide secure way of passing private key after
> decrypting encrypted file presenting the key.
>
I don't understand, please explain. Maybe you should use asymmetric encryption,
like, for example, PGP.
It is planned to add combined asymmetric/symmetric encryption to
topensslcryptohandler, probably with EVP_seal*.
http://linux.die.net/man/3/evp_sealinit

Martin

Ivanko B | 21 Apr 19:05 2012

Re: Is crossplatform in-memory file or file descriptor possible ?

I mean operating on decrypted private keys with software that expects
them to be files (easy to steal).

2012/4/21, Martin Schreiber <mse00000@...>:
> On Saturday 21 April 2012 17:06:18 Ivanko B wrote:
>> so that can be used as a way of passing password to OpenSSL.
>> Mainly needed to  provide secure way of passing private key after
>> decrypting encrypted file presenting the key.
>>
> I don't understand, please explain. Maybe you should use asymmetric
> encryption
> like for example pgp.
> It is planned to add combined asymmetric/symmetric encryption to
> topensslcryptohandler probably with EVP_seal*.
> http://linux.die.net/man/3/evp_sealinit
>
> Martin
>
> _______________________________________________
> mseide-msegui-talk mailing list
> mseide-msegui-talk@...
> https://lists.sourceforge.net/lists/listinfo/mseide-msegui-talk
>


Martin Schreiber | 21 Apr 19:38 2012

Re: Is crossplatform in-memory file or file descriptor possible ?

On Saturday 21 April 2012 19:05:48 Ivanko B wrote:
> I mean operating on decrypted private keys with software that expects
> them to be files (easy to steal).
>
The encrypted key should be decrypted by OpenSSL, which asks for the key's key; I
don't know. You should probably ask a security expert.

Martin

Ivanko B | 21 Apr 21:52 2012

Re: Is crossplatform in-memory file or file descriptor possible ?

It's best to decrypt keys and other sensitive session data to temporary
in-memory files.
Say we have encrypted private keys, certificates, etc. but need to call
OpenSSL (stunnel) etc., which expect the key to be present as files. So we'll
have to decrypt the files, and thus there will be plain versions of them on
the filesystem, which is insecure...

=============
In Win32:

http://blogs.msdn.com/b/khen1234/archive/2006/01/30/519483.aspx
http://msdn.microsoft.com/en-us/library/windows/desktop/aa366556(v=vs.85).aspx
http://stackoverflow.com/questions/3980035/performance-of-win32-memory-mapped-files-vs-crt-fopen-fread

In Linux: mmap, tmpfs, cramfs, ramfs, but they all mean a custom kernel.

2012/4/21, Ivanko B <ivankob4mse2@...>:
> me mean operating on decrypted private keys with software expecting
> them to be files (easy to steal ).
>
>
> 2012/4/21, Martin Schreiber <mse00000@...>:
>> On Saturday 21 April 2012 17:06:18 Ivanko B wrote:
>>> so that can be used as a way of passing password to OpenSSL.
>>> Mainly needed to  provide secure way of passing private key after
>>> decrypting encrypted file presenting the key.
>>>
>> I don't understand, please explain. Maybe you should use asymmetric
>> encryption
>> like for example pgp.

Martin Schreiber | 22 Apr 08:22 2012

Re: Is crossplatform in-memory file or file descriptor possible ?

On Saturday 21 April 2012 21:52:11 Ivanko B wrote:
> It's best to decrypt keys etc sensitive session data to a temporary
> in-memory files.
> Say we have encrypted private keys, certificates etc but need to call
> OpenSSL (Stunnel) etc expecting the key be present by files. So, we'll
> have to decrypt the files thus there'll be plain versions of them on
> filesystem which is insecure...
>
Why don't you let OpenSSL decrypt the key files?

Martin

Ivanko B | 22 Apr 13:39 2012

Re: Is crossplatform in-memory file or file descriptor possible ?

Because it'll decrypt them to plain files on the file system (at best a
temporary file) so that they can be used further by SSL services. The
idea is to decrypt not to the real file system (where they can be easily
stolen by modern malware) but to pseudo (in-memory) files, which can't
be read and passed to a subprocess (as files, since most SSL services
expect them to be files) by anything but the application itself.

2012/4/22, Martin Schreiber <mse00000@...>:
> On Saturday 21 April 2012 21:52:11 Ivanko B wrote:
>> It's best to decrypt keys etc sensitive session data to a temporary
>> in-memory files.
>> Say we have encrypted private keys, certificates etc but need to call
>> OpenSSL (Stunnel) etc expecting the key be present by files. So, we'll
>> have to decrypt the files thus there'll be plain versions of them on
>> filesystem which is insecure...
>>
> Why don't you let OpenSSL decrypt the key files?
>
> Martin
>

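An added example (not code from this thread, from MSEgui or from OpenSSL) of the "pseudo (in-memory) file" idea in the post above, in Python: a decrypted secret is handed to a child process that insists on a filename, and no plaintext copy ever reaches the filesystem. It assumes a POSIX system with /dev/fd; the memfd variant additionally assumes Linux 3.17+ and Python 3.8+. The child used here is a stand-in reader; that a real consumer such as stunnel opens the path the same way is an assumption. The plaintext still lives in the memory of both processes, so this defends against disk-scraping malware, not against an attacker who can read process memory.

```python
"""Hand secret material (e.g. a decrypted PEM key) to a child process that
only accepts a file path, without writing the plaintext to the filesystem.
Added illustration; not code from this thread, MSEgui or OpenSSL."""
import os
import subprocess
import sys
import threading

# Constructed sample standing in for a decrypted private key (not a real key).
SAMPLE_KEY = (b"-----BEGIN PRIVATE KEY-----\n"
              b"Q09OU1RSVUNURUQgU0FNUExFLCBOT1QgQSBSRUFMIEtFWQ==\n"
              b"-----END PRIVATE KEY-----\n")

# Stand-in for a tool such as stunnel that insists on a filename: it opens the
# path it is given and echoes the bytes back so the caller can check them.
READER = "import sys; sys.stdout.buffer.write(open(sys.argv[1], 'rb').read())"


def memfd_available() -> bool:
    """True on Linux with Python 3.8+, where os.memfd_create exists."""
    return hasattr(os, "memfd_create")


def feed_via_pipe(secret: bytes) -> bytes:
    """POSIX-portable variant: the child gets the read end of a pipe and opens
    it as /dev/fd/N.  Nothing touches disk; the pipe is one-shot and not
    seekable, so a consumer that opens the path twice would see nothing the
    second time.  Returns what the child read."""
    r, w = os.pipe()
    proc = subprocess.Popen(
        [sys.executable, "-c", READER, f"/dev/fd/{r}"],
        pass_fds=(r,),            # only the read end is inherited (close_fds=True)
        stdout=subprocess.PIPE)
    os.close(r)                   # the child owns its own copy now

    def writer() -> None:
        with os.fdopen(w, "wb") as f:   # closing w is the child's EOF
            f.write(secret)

    t = threading.Thread(target=writer)   # a thread avoids deadlock on big payloads
    t.start()
    out, _ = proc.communicate()
    t.join()
    return out


def feed_via_memfd(secret: bytes) -> bytes:
    """Linux-only variant: an anonymous in-memory file (memfd_create, kernel
    3.17+).  It is seekable and can be reopened through /proc/self/fd/N, so
    the child may read it as often as it likes; the kernel frees it once the
    last descriptor is closed.  Returns what the child read."""
    if not memfd_available():
        raise NotImplementedError("os.memfd_create needs Linux and Python 3.8+")
    fd = os.memfd_create("decrypted-key", os.MFD_CLOEXEC)
    try:
        os.write(fd, secret)
        # pass_fds makes fd inheritable for this child only; the number is kept.
        proc = subprocess.run(
            [sys.executable, "-c", READER, f"/proc/self/fd/{fd}"],
            pass_fds=(fd,), stdout=subprocess.PIPE, check=True)
        return proc.stdout
    finally:
        os.close(fd)              # child has exited: last reference, memory freed


if __name__ == "__main__":
    assert feed_via_pipe(SAMPLE_KEY) == SAMPLE_KEY
    if memfd_available():
        assert feed_via_memfd(SAMPLE_KEY) == SAMPLE_KEY
    print("child received the key without a file on disk")
```

The pipe form is what shell process substitution does and works on Linux and the BSDs including macOS; the memfd form is the closer match to the "in-memory file" asked for, because the path can be opened repeatedly and seeked like a regular file. Neither has a Windows equivalent: a Win32 memory-mapped file, as linked in the thread, cannot be named to a subprocess as a path, so the portability the subject line asks for stops at POSIX.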
Martin Schreiber | 22 Apr 13:54 2012

Re: Is crossplatform in-memory file or file descriptor possible ?

On Sunday 22 April 2012 13:39:32 Ivanko B wrote:
> Because it'll decrypt them to plain files on the file system (at best a
> temporary file) so that they can be used further by SSL services.

AFAIK OpenSSL decrypts encrypted private keys directly into the internal data
structures without an intermediate file.

Martin

Ivanko B | 22 Apr 23:20 2012

Re: Is crossplatform in-memory file or file descriptor possible ?

AFAIK OpenSSL decrypts encrypted private keys directly into the internal data
 structures without an intermediate file.
=========
Sure, but not only private keys but also some other SSL-related files, for
instance local CA files, some sensitive data in certificate files,
etc.

2012/4/22, Martin Schreiber <mse00000@...>:
> On Sunday 22 April 2012 13:39:32 Ivanko B wrote:
>> Because it'll decrypt them to plain files on file system (best is a
>> temporary file ) so that they be used further by SSL services.
>
> AFAIK OpenSSL decrypts encrypted private keys directly into the internal
> data
> structures without intermedate file.
>
> Martin
>

Martin Schreiber | 23 Apr 07:13 2012

Re: Is crossplatform in-memory file or file descriptor possible ?

On Sunday 22 April 2012 23:20:16 Ivanko B wrote:
> AFAIK OpenSSL decrypts encrypted private keys directly into the internal
> data structures without an intermediate file.
> =========
> Sure, but not only private keys but also some other SSL-related files, for
> instance local CA files, some sensitive data in certificate files,
> etc.
>
I don't understand; what does "not only private keys" mean?
http://www.openssl.org/docs/HOWTO/keys.txt

Martin

Ivanko B | 23 Apr 08:51 2012

Re: Is crossplatform in-memory file or file descriptor possible ?

Local CA files and other files are planned to be more secure (an additional
encryption layer/pass).

2012/4/23, Martin Schreiber <mse00000@...>:
> On Sunday 22 April 2012 23:20:16 Ivanko B wrote:
>> AFAIK OpenSSL decrypts encrypted private keys directly into the internal
>> data structures without intermedate file.
>> =========
>> Sure, but not only private keys but some other SSL related files - for
>> instance, local CA files, some sensitive data in certificate files
>> etc.
>>
> I don't understand, what means "not only private keys"?
> http://www.openssl.org/docs/HOWTO/keys.txt
>
> Martin
>

Martin Schreiber | 23 Apr 09:04 2012

Re: Is crossplatform in-memory file or file descriptor possible ?

On Monday 23 April 2012 08:51:16 Ivanko B wrote:
> Local CA files etc files planned to be more secure ( additional
> encryption layer/pass ).
>
I still don't understand. Please be more verbose in future. OpenSSL stores
private key files in DER or PEM format, where the key is usually protected by
symmetric encryption, for example des3.
http://www.openssl.org/docs/apps/pkey.html#

Martin

Ivanko B | 23 Apr 10:34 2012

Re: Is crossplatform in-memory file or file descriptor possible ?

I still don't understand. Please be more verbose in future. openssl stores
 private key files in DER or PEM format where the key usually is protected by
 a symmetrical encryption for example des3.
=================
For instance, we have:
 - private key => DES3 password protected
 - certificate => plain text
 - local CA file => plain text
It's the state OpenSSL expects the files to be in.

And we need:
 - certificate & local CA file => encrypted
 - private key => possibly one more encryption pass (together with cert & CA)

The issue is that to have the files available to OpenSSL we'll need
to decrypt the encrypted ones, which will result in their plain versions
being available on the file system. I wonder whether it is possible to cope
with this threat?

2012/4/23, Martin Schreiber <mse00000@...>:
> On Monday 23 April 2012 08:51:16 Ivanko B wrote:
>> Local CA files etc files planned to be more secure ( additional
>> encryption layer/pass ).
>>
> I still don't understand. Please be more verbose in future. openssl stores
> private key files in DER or PEM format where the key usually is protected by
> a symmetrical encryption for example des3.
> http://www.openssl.org/docs/apps/pkey.html#
>
> Martin

Martin Schreiber | 23 Apr 11:18 2012

Re: Is crossplatform in-memory file or file descriptor possible ?

On Monday 23 April 2012 10:34:20 Ivanko B wrote:
> I still don't understand. Please be more verbose in future. openssl stores
>  private key files in DER or PEM format where the key usually is protected
> by a symmetrical encryption for example des3.
> =================
> For instance, we have:
>  - private key => DES3 password protected
>  - certificate => plain text
>  - local CA file => plain text
> It's the state OpenSSL expects the files to be in.
>
> And we need:
>  - certificate & local CA file => encrypted
>  - private key => possibly one more encryption pass (together with cert &
> CA)
>
> The issue is that to have the files available to OpenSSL we'll need
> to decrypt the encrypted ones, which will result in their plain versions
> being available on the file system. I wonder whether it is possible to cope
> with this threat?
>
For which openssl function? Sockets, file encryption, other?

Martin


Ivanko B | 23 Apr 11:56 2012

Re: Is crossplatform in-memory file or file descriptor possible ?

Handling keys & certificates.

2012/4/23, Martin Schreiber <mse00000@...>:
> On Monday 23 April 2012 10:34:20 Ivanko B wrote:
>> I still don't understand. Please be more verbose in future. openssl
>> stores
>>  private key files in DER or PEM format where the key usually is
>> protected
>> by a symmetrical encryption for example des3.
>> =================
>> For instance, we have:
>>  - private key => DES3 password protected
>>  - certificate => plain text
>>  - local CA file => plain text
>> It's the state OpenSSL expects the files to be in.
>>
>> And we need:
>> - certificate &  local CA file => encrypted
>> - private key => possible one more encrypting pass (together with cert &
>> CA)
>>
>> The issue is that  to have the files available to OpenSSL we'll need
>> to decrypt the encrypted ones, it'll result in their plain versions
>> being available on the file system. I wonder whether it is possible to cope
>> with this threat?
>>
> For which openssl function? Sockets, file encryption, other?
>
> Martin
>