[Libwebsockets] Private key in SSL

Bruce Perens bruce at perens.com
Fri Jun 10 07:05:07 CEST 2016


It's not really a user-accessible Flash module. It's a cryptographic module
that has an internal FLASH that only it can access, and it's designed to
destroy the FLASH if you try to open it - with varying degrees of
effectiveness. It will either generate the private key itself and never
disclose it to anyone, or you can generate the private key and write it to
the device, but never read it. When you want to use the private key, you
tell the device to encrypt, sign, or decrypt for you and it does the
cryptography without disclosing the private key to you.

One problem is that they can be really slow. Like 0.9 seconds per operation!

You can make OpenSSL use an OpenSC engine which drives PKCS11 cryptographic
tokens. This should work with libwebsockets but is not an out-of-the-box
configuration and will take some time to get right.

    Bruce

On Thu, Jun 9, 2016 at 9:45 PM, techi eth <techieth at gmail.com> wrote:

>  Flash area which is accessible by a user who has a password to access, but by
> reading the PKI document I understand the private key shouldn't be in a memory
> area where the user has access.
>
> I was reading through & found a couple of solutions which will do a secure TLS
> handshake, like TPM & OpenSSL-compatible engines. Please find below the links
> for the same.
>
> https://en.wikipedia.org/wiki/Trusted_Platform_Module
> https://wiki.openssl.org/index.php/Binaries
>
>
>
> On Fri, Jun 10, 2016 at 9:42 AM, Andy Green <andy at warmcat.com> wrote:
>
>>
>>
>> On 06/10/2016 11:41 AM, techi eth wrote:
>>
>>> Is there any way by which the private key taken by libwebsockets is not from
>>> a file or an open memory area?
>>>
>>> My question is coming from the security aspect; I understand the private key
>>> shouldn't be kept in an open memory area due to security.
>>>
>>
>> Can you explain what a "not open memory area" looks like?
>>
>> -Andy
>>
>>
>>>
>>>
>>> _______________________________________________
>>> Libwebsockets mailing list
>>> Libwebsockets at ml.libwebsockets.org
>>> http://libwebsockets.org/mailman/listinfo/libwebsockets
>>>
>>>
>
>
>
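The OpenSSL-plus-OpenSC route Bruce describes, as an added example that is not from this thread or from the libwebsockets project. It assumes engine_pkcs11 (libp11) and OpenSC are installed at the Debian-style paths in the two variables, an OpenSSL 1.x `openssl` binary with engine support, a token whose label you put in TOKEN_LABEL, and a login PIN supplied by pkcs11-tool; the function names pkcs11_encode, pkcs11_uri, write_openssl_conf and provision_and_test are invented here. Nothing in the block touches hardware unless you run it with the `provision` argument.

```shell
#!/bin/sh
# Added example (not the project's own code): keep the TLS private key on a
# PKCS#11 token and let OpenSSL reach it through the pkcs11 engine and OpenSC.
set -eu

# Assumed locations for Debian/Ubuntu x86_64; adjust for your distro/OpenSSL.
ENGINE_SO="${ENGINE_SO:-/usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so}"
OPENSC_MODULE="${OPENSC_MODULE:-/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so}"
TOKEN_LABEL="${TOKEN_LABEL:-lws token}"       # assumed token label
KEY_LABEL="${KEY_LABEL:-lws server key}"      # assumed key object label
CONF="${CONF:-./openssl-pkcs11.cnf}"

# Percent-encode one PKCS#11 URI component (RFC 7512). Over-encoding is legal,
# so everything outside ALPHA / DIGIT / "-" "." "_" "~" becomes %XX. Works on
# bytes (LC_ALL=C) so non-ASCII labels are encoded byte by byte.
pkcs11_encode() {
  printf '%s' "$1" | LC_ALL=C awk '
    BEGIN { for (i = 1; i < 256; i++) ord[sprintf("%c", i)] = i }
    {
      out = ""
      for (i = 1; i <= length($0); i++) {
        c = substr($0, i, 1)
        if (c ~ /^[A-Za-z0-9._~-]$/) out = out c
        else out = out sprintf("%%%02X", ord[c])
      }
      printf "%s", out
    }'
}

# Build the URI OpenSSL will be handed instead of a key file: the engine
# resolves it to a private-key object on the token and never exports the key.
pkcs11_uri() {   # $1 = token label, $2 = object label
  printf 'pkcs11:token=%s;object=%s;type=private' \
    "$(pkcs11_encode "$1")" "$(pkcs11_encode "$2")"
}

# OpenSSL config that loads the pkcs11 engine dynamically and points it at the
# OpenSC module. init = 0 defers engine init until a command selects it.
write_openssl_conf() {   # $1 = output path
  cat >"$1" <<EOF
openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = $ENGINE_SO
MODULE_PATH = $OPENSC_MODULE
init = 0
EOF
}

# Steps that need a real token. Run explicitly: sh this_file.sh provision
provision_and_test() {
  URI="$(pkcs11_uri "$TOKEN_LABEL" "$KEY_LABEL")"
  # 1. Generate the key pair on the token; the private half never leaves it.
  pkcs11-tool --module "$OPENSC_MODULE" --login --keypairgen \
    --key-type rsa:2048 --id 01 --label "$KEY_LABEL"
  # 2. Self-signed cert, signed on the token. -keyform engine tells OpenSSL
  #    that -key is a URI for the engine, not a file path.
  OPENSSL_CONF="$CONF" openssl req -new -x509 -engine pkcs11 -keyform engine \
    -key "$URI" -subj "/CN=lws.example" -days 365 -out server.pem
  # 3. Serve with the on-token key, then time one handshake from another
  #    shell (openssl s_client -connect 127.0.0.1:4433) to see the per-op
  #    latency that slow tokens impose on every TLS connection.
  OPENSSL_CONF="$CONF" openssl s_server -engine pkcs11 -keyform engine \
    -key "$URI" -cert server.pem -accept 4433 -www
}

case "${1:-}" in
  provision) write_openssl_conf "$CONF"; provision_and_test ;;
  uri)       pkcs11_uri "$TOKEN_LABEL" "$KEY_LABEL"; echo ;;
  *)         : ;;   # no argument: only define the functions
esac
```

The `-engine pkcs11 -keyform engine -key pkcs11:...` trio is the whole trick on the OpenSSL side; everything else is just telling the engine where OpenSC lives. For libwebsockets the same thing has to happen on the SSL_CTX it builds: libwebsockets.h documents a LWS_CALLBACK_OPENSSL_CONTEXT_REQUIRES_PRIVATE_KEY callback, fired when a certificate but no key file is configured, whose `user` pointer is the SSL_CTX, and installing the key there with ENGINE_load_private_key() followed by SSL_CTX_use_PrivateKey() is the natural hook (verify the callback exists in your version; it is not exercised above). Two caveats: OpenSSL 3 deprecates engines in favour of providers, so newer installs want pkcs11-provider rather than engine_pkcs11, and because every handshake now does an RSA operation on the token, measure handshake latency before committing to this for a busy server.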