On Fri, Aug 25, 2006 at 11:35:53AM +0100, Aine Douglas wrote:
> >The actually service carried out by ROS occurs over a closed
> >protocol. I imagine that if you could reverse engineer your own
> >client that could communicate with the ROS server using that
> >protocol then you could store the private key in plaintext if
> >you wanted.
>> No. The PKCS12 format does not permit this, check the RSA faq.
It's just a container format for arbitrary numbers. Asside from finger
wagging, there really is no way it can do that.
Its default construction and conventions may be not to do this, and
that's how tools may behave, but there's nothing to stop you storing the
decrypted key in the plain (e.g. after it's been XOR'd with your
passphrase, passwd the MAC, or whatever) and using that to negotiate the
It may appear convincing that the PCKS12 container does have a scheme
where by instead of storing an encrypted key it stores a partial key,
which needs your passphrase to be made full again, but this is just
descriptive. It is logically equivalent to the storing of a a regular
encrypted encryption key.
The rest is just behaviour of the tools. But that's relatively easy
to defeat, by replacing the client-side component.
> Which is why I asked if anyone knew of an SSH client which worked with
> PKCS12 keys.
OpenSSH supports X509 and can be convinced to work with the PKCS12 keys,
according to it's X509 readme. Though since OpenSSH could trivially
handle the very same key unencrypted in PEM format, you lose the
benefits your talking about.
> It would be a non standard SSH client which many professional
> organisations would have much interest in terms of maintaining
> security standards around password strengths etc. It appears that it
> simply does not exist, or if it does, nobody on this list has heard of
Generally the people who write SSH clients are very very careful, so I
can't see a client which deliberately tries to obfuscate key storage
with little reason being implemented in the near future.
Colm MacCárthaigh Public Key: colm+pgp at stdlib.net
Maintained by the ILUG website team. The aim of Linux.ie is to
support and help commercial and private users of Linux in Ireland. You can
display ILUG news in your own webpages, read backend
information to find out how. Networking services kindly provided by HEAnet, server kindly donated by
Dell. Linux is a trademark of Linus Torvalds,
used with permission. No penguins were harmed in the production or maintenance
of this highly praised website. Looking for the
Indian Linux Users' Group? Try here. If you've read all this and aren't a lawyer: you should be!