[prev in list] [next in list] [prev in thread] [next in thread] 

List:       openssl-dev
Subject:    Re: key compromise with memory debugger possilbe ?
From:       Michal Ludvig <michal () logix ! cz>
Date:       2004-07-25 20:56:41
Message-ID: 41041E89.10307 () logix ! cz
[Download RAW message or body]

Oliver Welter wrote:

> We made a concept for a secure media player and now try to attack it -
> the openssl related question is:
> 
> We use openssl to en/decrypt data with 3des - is it possible to retrieve
> the used key while running a de/encryption via a memory debugger or
> something similar ? Are there any preventions against such attacks or
> has noone ever thought about such an attack ?

After the decryption you end up with a unprotected audio/video stream,
correct? Now why should the "attacker" spend time with finding the key
hidden somewhere in the process memory when he can probably more easily
capture the decrypted data that you serve him almost right on his table?

But as long as he has access to the player process' memory you lost
anyway. The only question now is which way to choose to get the
unprotected data :-)

Just my 2 cents...

Michal Ludvig
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majordomo@openssl.org
[prev in list] [next in list] [prev in thread] [next in thread]