+ Post New Thread
Results 1 to 10 of 10
*nix Thread, Certificate Authority in Technical; Just found this neat CA based on Knoppix and a usb drive for storing certificates simple offline CA heirachy. http://www.intrusion-lab.net/roca/ ...
  1. #1

    plexer's Avatar
    Join Date
    Dec 2005
    Location
    Norfolk
    Posts
    13,329
    Thank Post
    622
    Thanked 1,578 Times in 1,415 Posts
    Rep Power
    413

    Certificate Authority

    Just found this neat CA based on Knoppix and a usb drive for storing certificates simple offline CA heirachy.

    http://www.intrusion-lab.net/roca/

    Ben

  2. #2


    tom_newton's Avatar
    Join Date
    Sep 2006
    Location
    Leeds
    Posts
    4,461
    Thank Post
    866
    Thanked 845 Times in 667 Posts
    Rep Power
    195

    Re: Certificate Authority

    Neat. Have passed it on to our support chaps so we can recommend it to customers requiring extra tinfoil hat

  3. #3

    Join Date
    Mar 2006
    Posts
    537
    Thank Post
    2
    Thanked 3 Times in 2 Posts
    Rep Power
    19

    Re: Certificate Authority

    I'm not sure what the real advantage is. A hacker could still change settings in KNOPPIX's RAM disk FS. He could also playaround with the certificate on the USB drive.

    I suppose you'd save on the time taken to do a clean rebuild of the compromised box,

  4. #4

    Geoff's Avatar
    Join Date
    Jun 2005
    Location
    Fylde, Lancs, UK.
    Posts
    11,803
    Thank Post
    110
    Thanked 583 Times in 504 Posts
    Blog Entries
    1
    Rep Power
    224

    Re: Certificate Authority

    If you don't have the root CA you can't generate any certificates. Keep your USB disk in your safe.

  5. #5

    Join Date
    Mar 2006
    Posts
    537
    Thank Post
    2
    Thanked 3 Times in 2 Posts
    Rep Power
    19

    Re: Certificate Authority

    I suppose the crampness of a RAM disk would make job harder for a cracker but what's to stop them from hacking UNIONFS to point to their own subsituted root CA.

    Anyway why place a premium on the physical securiy of the root CA over that of servers. Once a cracker owns a domain controller or other central server it's game over.

  6. #6

    Geoff's Avatar
    Join Date
    Jun 2005
    Location
    Fylde, Lancs, UK.
    Posts
    11,803
    Thank Post
    110
    Thanked 583 Times in 504 Posts
    Blog Entries
    1
    Rep Power
    224

    Re: Certificate Authority

    CA machines aren't usually connected to the rest of your LAN or indeed online at all. You generate your cert then take the cert off with USB or whatever then lock everything away again.

    Anyway why place a premium on the physical securiy
    There's no other way to access the machine.

    over that of servers
    Why choose?

  7. #7

    Join Date
    Mar 2006
    Posts
    537
    Thank Post
    2
    Thanked 3 Times in 2 Posts
    Rep Power
    19

    Re: Certificate Authority

    That's not fair Geoff! You twisted my words. My question was about emphasising the security of a root CA versus that of production servers.
    I understand totally the need for physical security of servers and as much as possible, securing clients.

    My concern more about the security of the ceritficiates presented to clients which they asked to trust. Sure the root might be safe but if a server is cracked can't it be made to preesent a subistitued certificate or would that require a complete rebuild of the server.

    Anyway, I am not secuirty expert. I just wanted to explore the limits of PKI deployment.

  8. #8

    Geoff's Avatar
    Join Date
    Jun 2005
    Location
    Fylde, Lancs, UK.
    Posts
    11,803
    Thank Post
    110
    Thanked 583 Times in 504 Posts
    Blog Entries
    1
    Rep Power
    224

    Re: Certificate Authority

    My concern more about the security of the ceritficiates presented to clients which they asked to trust
    You can deploy certifcates through active directory in relative safety.

    Sure the root might be safe but if a server is cracked can't it be made to preesent a subistitued certificate or would that require a complete rebuild of the server.
    You've misunderstood how PKI works. To effectively pull this off an attacker would have to replace:

    1) The root CA on both the client and server.
    2) the Private cert on the server.
    3) the Public cert on the client.

    If this isn't done the MD5/SHA1 fingerprints wont match and you'll get warned by your browser (or whatever application). However, if the attacker is in a position to do this then theres much more interesting games to be played.

    The only reasonable attack surrounding PKI is if an attacker comprimises the machine that generates the public/private certifcates. Allowing him to generate his own that are trusted by your machines (due to being signed by your root CA cert). This is why I recommended to keep the machine/data safe.

  9. #9

    Join Date
    Mar 2006
    Posts
    537
    Thank Post
    2
    Thanked 3 Times in 2 Posts
    Rep Power
    19

    Re: Certificate Authority

    Oh OK. That makes a lot more sense now. I'd still say server security is marginally more important. SSL only encrypts conmunication on the wire. Once you have the server you have one of the endpoints. Eve can pick up voicemail from Alice on Bob's home phone.

    Anyway Geoff guess you'd never thought you'd ever read yourself saying
    You can deploy certifcates through active directory in relative safety.

  10. #10

    Geoff's Avatar
    Join Date
    Jun 2005
    Location
    Fylde, Lancs, UK.
    Posts
    11,803
    Thank Post
    110
    Thanked 583 Times in 504 Posts
    Blog Entries
    1
    Rep Power
    224

    Re: Certificate Authority

    Once you have the server you have one of the endpoints.
    Oh I agree. If you've cracked the server it's game over. All the clients are at your mercy.

    Anyway Geoff guess you'd never thought you'd ever read yourself saying
    You can deploy certifcates through active directory in relative safety.
    Active Directory is a fine solution up to a point. It does have it's limitations of course, just like any system. As long as you don't hit them, carry on merrily.

SHARE:
+ Post New Thread

Similar Threads

  1. Web certificate
    By edie209 in forum Web Development
    Replies: 15
    Last Post: 16th May 2008, 10:17 AM
  2. Authority
    By Samson in forum General Chat
    Replies: 32
    Last Post: 6th July 2007, 01:48 PM
  3. Local Authority Specialist / ICT Consultant
    By tosca925 in forum Educational IT Jobs
    Replies: 4
    Last Post: 8th May 2007, 07:35 PM
  4. Affordable SSL certificate
    By meastaugh1 in forum Recommended Suppliers
    Replies: 6
    Last Post: 17th December 2006, 04:27 PM
  5. PNL Tools - Desktop Authority
    By Dos_Box in forum Recommended Suppliers
    Replies: 1
    Last Post: 22nd January 2006, 08:27 PM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •