-
Notifications
You must be signed in to change notification settings - Fork 2
Well know security issues
Joël Jungo edited this page Feb 27, 2016
·
4 revisions
During its starting (only), the Stunnel proxy seems to want to load a RSA private key. This means that Stunnel asks our HSM to send it the RSA private key, and this is forbidden in our concept. We found that Stunnel does not perform any RSA encryption/decryption with this dummy key during a TLS establishment. Our workaround is to create a pair of dummy keys for each useful RSA pair of keys. Dummy keys are made like this:
Definition:
q: prime1
p: prime2
d: private key exponent
e: public exponent
n: modulus
pub key: (n,e)
priv key: (n,d)
Useful keys:
rng = Random.new().read
rsa_key = RSA.generate(size, rng)
rsa_priv = rsa_key.exportKey("PEM")
rsa_pub = rsa_key.publickey().exportKey("PEM")
Dummy keys:
n = rsa_key.__getattr__('n')
e = rsa_key.__getattr__('e')
d = <hardcoded value>
p = <hardcoded value>
q = <hardcoded value>
dummy_key = RSA.construct((n, e, d, p, q, 0))
rsa_priv_dum = dummy_key.exportKey("PEM")
rsa_pub_dum = dummy_key.publickey().exportKey("PEM")
Yes, RSA are stored in plain text into the database, and we're working on a secure way to encrypt them.
- Overview
- [Install & Setup] (https://github.com/jjungo/solhsm-core/wiki/install-&-Setup)
- [Spec] (https://github.com/jjungo/solhsm-core/wiki/Spec)
- Internal stuff
- Well know security issues
- [Todo] (https://github.com/jjungo/solhsm-core/wiki/Todos)
- [Troubleshooting] (https://github.com/jjungo/solhsm-core/wiki/Troubleshooting)