Displaying 2 results from an estimated 2 matches for "fosdem'15".
2016 Jan 15
4
Proposal: always handle keys in separate process
How about using the existing OpenSSH client's PKCS#11 support to
isolate keying material in a dedicated process?
A similar approach, "Practical key privilege separation using Caml
Crush", was discussed at FOSDEM'15 with a focus on
Heatbleed [1][2] but the ideas and principles are the same.
Now this is easily done using the following available components:
- SoftHSM to store the crypto keys
- Caml-Crush server components load the SoftHSM middleware (access
the keys) in a dedicated process
- SSH cl...
2016 Jan 14
4
Proposal: always handle keys in separate process
Hello,
in light of the recent CVE-2016-0777, I came up with the following idea,
that would have lessened its impact. Feel free to ignore or flame me,
maybe its stupid or I missed something :)
- private key material should only ever be handled in a separate process
from the SSH client. ssh-agent (maybe slightly extended) seems the
logical choice.
- in places where the client currently reads