why non exportable keys?

on 11.03.2006 16:20:19 by dirbb10023

why is there this feature in certificate creation? can it really stop
someone determined from exporting his/her private key?

thx

Re: why non exportable keys?

on 13.03.2006 05:41:30 by Alun

In article <1142090419.674470.100780@z34g2000cwc.googlegroups.com>, "dirbb"
wrote:
>why is there this feature in certificate creation? can it really stop
>someone determined from exporting his/her private key?

It at least makes it "hard", in the sense that they have to spend hours trying
to figure out where the key is stored, and to debug the process that decrypts
data, looking for the moment when the private key is being used. This is not
an automatable process, as far as I know.

In some cases, when the certificate is stored on a hardware device that does
the encryption, it can make it "impossible" to discover the key.

"hard" and "impossible" are relative values of difficulty that are difficult
to gauge.

Alun.
~~~~

[Please don't email posters, if a Usenet response is appropriate.]
--
Texas Imperial Software | Find us at http://www.wftpd.com or email
23921 57th Ave SE | alun@wftpd.com.
Washington WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(425)807-1787 | Try our NEW client software, WFTPD Explorer.
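
The two cases distinguished in the reply above (a key held by a software provider and merely flagged non-exportable, versus a key held on a hardware device) can be told apart by inventory. This is an added example, not part of any poster's message; it assumes the keys live in the Windows certificate store, which the thread does not state, and the function name `Get-PrivateKeyProtection` and the provider list are choices made for this example.

```powershell
# Added example (not from the thread). Assumes Windows and the built-in Cert: drive.
# Reads key metadata only; it never requests the key material itself.
$HardwareProviders = @(
    'Microsoft Smart Card Key Storage Provider',  # smart cards and USB tokens
    'Microsoft Platform Crypto Provider'          # TPM-backed keys
)   # assumption: extend this list with any vendor token providers in use

function Get-PrivateKeyProtection {
    param([string]$StorePath = 'Cert:\CurrentUser\My')

    Get-ChildItem -Path $StorePath | Where-Object { $_.HasPrivateKey } | ForEach-Object {
        $cert = $_
        $row = [ordered]@{
            Subject = $cert.Subject; Thumbprint = $cert.Thumbprint
            Provider = 'unknown'; ExportPolicy = 'unknown'; Hardware = 'unknown'
        }
        try {
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if ($null -eq $rsa) {
                $row.Provider = 'non-RSA key, not inspected'
            }
            elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
                # CNG key: ExportPolicy is a flag set; None means the provider
                # refuses export requests made through the API.
                $row.Provider     = $rsa.Key.Provider.Provider
                $row.ExportPolicy = $rsa.Key.ExportPolicy.ToString()
                $row.Hardware     = "$($HardwareProviders -contains $row.Provider)"
            }
            elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                # Legacy CryptoAPI key: the CSP reports both properties itself.
                $info = $rsa.CspKeyContainerInfo
                $row.Provider     = $info.ProviderName
                $row.ExportPolicy = "Exportable=$($info.Exportable)"
                $row.Hardware     = "$($info.HardwareDevice)"
            }
        }
        catch {
            # Typical causes: token not inserted, or no permission on the key.
            $row.Provider = "not readable: $($_.Exception.Message)"
        }
        [pscustomobject]$row
    }
}

Get-PrivateKeyProtection | Format-Table -AutoSize
```

Rows that show a software provider with export disallowed are the case the thread is arguing about; rows with `Hardware` set to `True` are the hardware-device case.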

Re: why non exportable keys?

on 14.03.2006 23:41:47 by Eric Lalitte

"dirbb" wrote in message
news:1142090419.674470.100780@z34g2000cwc.googlegroups.com
> why is there this feature in certificate creation?

Because they like to lie a lot to sell more products?

Anyway, if the system can have access to the certificate without giving
any passphrase, then you can do exactly the same.
The only reason why it is hard to do is that it is not (or badly)
documented.

> can it really stop someone determined from exporting his/her private
> key?

No, and it can't stop any worm or virus from getting it and mailing it
anywhere.

Aurelien Bordes just published the PoC in a French security magazine.

You can get the slides from the presentation of Aurelien Bordes and
Eric Detoisien presenting the flaw in hacklu meeting:


Anyway, this doesn't seem to frighten anybody more than that. Many
companies can use a PKI based on the principle that their private
keys aren't exportable, because it is just written in the software...

It is lucky that my anti-virus blocks 100% of known and unknown
viruses; if not, I could have my private keys stolen! ;-))



--
Posted via Mailgate.ORG Server - http://www.Mailgate.ORG