[Box Backup] Advice for users of Debian-derived systems affected by the OpenSSL fiasco -- assume compromise of all data

Bjarne Carlsen boxbackup@fluffy.co.uk
Thu, 15 May 2008 15:01:24 +0200

tor, 15 05 2008 kl. 12:35 +0100, skrev Ben Summers:
> I advise Box Backup users who generated their certificates/keys on  
> affected Debian system to consider the security of their backups  
> compromised. The server admin or anyone able to deduce the private
> key  
> of a server or client certificates could have read your data.

There are several scenarios that need to be taken into consideration:

      * Alice generates her *.crt and *.FileEncKeys.raw on a secure
        system, but Bob signs the *.crt on a compromised system. In this
        case Alice's certificates are to be considered compromised, and
        are to be re-issued using a secure box for signing, but her data
        are secure. To a certain extent even secure from tampering by
        Mike spoofing Alice in the compromise period, since Mike would
        only have been able to read data which would be of no use to
        him, and write data, but not encrypted to Alice's key. Mike
        could not modify data which were already in place, (they were,
        and are, encrypted to Alice's key). This would seem to be the
        most prolific scenario, given that backup vendors cater mostly
        to Windows systems that subsequently push their backups to a
        possibly insecure Debian/-derivative box.
      * Alice generates her *.crt and *.FileEncKeys.raw on an insecure
        system. Whether or not Bob's system was secure at the time is of
        no consequence to the matter, the certificates and backups are
        to be considered compromised. Probably the second most prolific
        scenario - that of backing up servers to servers.
      * Alice lets Bob generate both *.crt and *.FileEncKeys.raw, sign
        the *.crt and send the whole shebang back to Alice. This means
        that Alice has implicit trust in Bob. Not a preferred scenario,
        but it exists out there! The security of both certificates and
        keys are blown no matter what the status of the two systems are,
        since this violates the basic rule that Alice should not trust