From: Andreas Karlsson <andreas@proxel.se>
To: Matthias Urlichs <matthias@urlichs.de>, wireguard@lists.zx2c4.com
Subject: Re: Support FIDO2/CTAP2 security tokens as keystore
Date: Sat, 24 Aug 2019 21:01:06 +0200 [thread overview]
Message-ID: <9e7fce79-f7ae-6018-551c-02727e21a03a@proxel.se> (raw)
In-Reply-To: <8cd089e7-0da9-b69a-2fbb-f961c4803936@urlichs.de>
On 8/24/19 4:08 PM, Matthias Urlichs wrote:
> Anyone with *root* access to the running machine can do that. They also
> can trivially read the kernel memory (if nothing else, by installing a
> module) and walk the kernel data structures to find the private and/or
> shared key.
No, anyone with root access can only get the shared key used for
encrypting data, not the actual private key. The private key does never
leave the device.
Does this add enough extra security to be worth it? No idea. I haven't
worked much with systems like this, only a little bit with SSL and
SmartCards.
Andreas
_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard
next prev parent reply other threads:[~2019-08-25 15:30 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-08-18 14:22 Support FIDO2/CTAP2 security tokens as keystore Rene 'Renne' Bartsch, B.Sc. Informatics
2019-08-18 17:09 ` Reto
2019-08-22 8:54 ` Rene 'Renne' Bartsch, B.Sc. Informatics
2019-08-23 6:19 ` Reto
2019-08-24 14:08 ` Matthias Urlichs
2019-08-24 19:01 ` Andreas Karlsson [this message]
2019-08-25 19:30 ` Derrick Lyndon Pallas
2019-08-26 14:34 ` Andreas Karlsson
2019-08-30 11:42 Nicolas Stalder
2019-08-30 18:00 ` Phil Hofer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=9e7fce79-f7ae-6018-551c-02727e21a03a@proxel.se \
--to=andreas@proxel.se \
--cc=matthias@urlichs.de \
--cc=wireguard@lists.zx2c4.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).