why non exportable keys?


Why is there this feature in certificate creation? Can it really stop
someone determined from exporting his/her private key?


Re: why non exportable keys?


It at least makes it "hard", in the sense that they have to spend hours trying
to figure out where the key is stored, and to debug the process that decrypts
data, looking for the moment when the private key is being used.  This is not
an automatable process, as far as I know.

In some cases, when the certificate is stored on a hardware device that does
the encryption, it can make it "impossible" to discover the key.

"hard" and "impossible" are relative values of difficulty that are difficult
to gauge.


[Please don't email posters, if a Usenet response is appropriate.]
Texas Imperial Software   | Find us at http://www.wftpd.com or email
23921 57th Ave SE         | alun@wftpd.com.
Washington WA 98072-8661  | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(425)807-1787 | Try our NEW client software, WFTPD Explorer.

Re: why non exportable keys?


Because they like to lie a lot to sell more products?

Anyway, if the system can have access to the certificate without giving
any passphrase, then you can do exactly the same.
The only reason why it is hard to do it is that it is not (badly)


No, and it can't stop any worm or virus from getting it and mailing it anywhere.

Aurelien Bordes just made the PoC in a French security magazine.

You can get the slides from the presentation of Aurelien Bordes and
Eric Detoisien presenting the flaw at the hacklu meeting:

Anyway, this doesn't seem to frighten anybody more than that. Many
companies can use a PKI based on the principle that their private
keys aren't exportable, because it is just written in the software...

Luckily my anti-virus blocks 100% of known and unknown
viruses; if not, I could have my private keys stolen! ;-))
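Both replies above turn on the same distinction: for a software-stored key, "non-exportable" is a policy bit that the CSP/KSP honours for callers, while a key generated on a smart card or TPM never leaves the device. An administrator's first step is therefore to find out, per certificate, which case applies. The PowerShell below is an added example and not code from the thread or from the presenters mentioned in it; it assumes Windows PowerShell on .NET Framework 4.6 or later (for `RSACertificateExtensions`), RSA keys, and treats the provider-name match for smart card and Platform Crypto Provider as a heuristic for hardware-backed keys rather than a definitive test.

```powershell
# Added example, not from the thread: list certificates that have a private key in
# a given store and report whether the key's policy allows export and whether it
# appears to live on hardware (smart card / TPM KSP) or only in software.
# Assumption: RSA keys and .NET Framework 4.6+; non-RSA keys are reported as unknown.

function Get-PrivateKeyProtectionReport {
    param([string]$StorePath = 'Cert:\CurrentUser\My')

    foreach ($cert in Get-ChildItem -Path $StorePath | Where-Object { $_.HasPrivateKey }) {
        $provider   = $null
        $exportable = $null
        $hardware   = $null
        try {
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if ($rsa -is [System.Security.Cryptography.RSACng]) {
                # CNG (KSP) key: the export policy flags and provider name come from the CngKey
                $provider   = $rsa.Key.Provider.Provider
                $allowExport = [int][System.Security.Cryptography.CngExportPolicies]::AllowExport
                $exportable = (([int]$rsa.Key.ExportPolicy) -band $allowExport) -ne 0
                # Heuristic (assumption): these provider names indicate hardware-held keys
                $hardware   = $provider -match 'Smart Card|Platform Crypto Provider'
            } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                # Legacy CSP key: CspKeyContainerInfo exposes the same facts directly
                $info       = $rsa.CspKeyContainerInfo
                $provider   = $info.ProviderName
                $exportable = $info.Exportable
                $hardware   = $info.HardwareDevice
            }
        } catch {
            # Key exists but is not accessible to this account (or is not RSA): leave fields unknown
        }
        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            Provider   = $provider
            Exportable = $exportable
            Hardware   = $hardware
        }
    }
}

# Usage: software-only keys with Exportable=$false are exactly the ones the thread
# is discussing; Hardware=$true keys are the "impossible" case from the first reply.
Get-PrivateKeyProtectionReport | Format-Table -AutoSize
```

Run it against `Cert:\LocalMachine\My` as well (elevated) for service and machine certificates. A row with `Hardware = False` and `Exportable = False` is a key whose protection rests only on the provider refusing export requests, which is the point both replies make; moving such keys to a smart card or the TPM-backed Platform Crypto Provider is the mitigation, not relying on the flag.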
