Secure Private Key Storage for UNIX?

An anonymous reader asks: "Microsoft Windows, from 2000 forward (except ME) offers secure certificate and private storage at the OS level in what is called a protected store. Offline, it's encrypted by a combination of the user's password and a session key stored on the filesystem. When the OS is running, the private keys stored are available to the logged in user, optionally encrypted with another password. The keys are stored in protected memory, so no applications can access them without going through the Microsoft CAPI calls. This code also is FIPS 140-1 level 1 (the best one can get for software cryptography modules) compliant." Does any other OS provide this kind of feature at the OS-level? If so, who? If not, why?

This functionality (especially certified FIPS 140-1 or FIPS 140-2) would be nice to see in UNIX variants. MacOS's key-chain functionality is similar, but stores at the application level, and is not FIPS compliant. An implementation of the protected store functionality will allow applications like Firefox, Thunderbird and gpg to have one common place to obtain private keys and certificates rather than maintaining their own individual key-stores. An additional application for this would be the ability to use hardware PKCS #11 tokens.

I am wondering why this functionality does not exist at the OS level in most OSes except Windows. A number of applications on many platforms have this functionality, but its at the app level, with their own key-stores, and not a standard at the OS level."

Re:Well duh..

[tritab]

Wow, this is the closest I've seen to anyone on Slashdot admitting that Microsoft did something better than any Unix / Linux system in a long time!

But seriously, I've wondered about the same question as the OP and have never found anything good. The closest was setting file system permissions on the key file as someone else mentioned.

Is it not possible?

Re:Protected memory

[Harik]

Er, Lots of stuff lives in ring0, and any vulnerability in ANY of it removes your "protected memory".

You can play games with hypervisors (can protect memory even from 'ring 0') or treacherous computing chips, or things like USB keystores with biometric authentication. But on vanilla 80386 machines, the best you're going to get is the OS to memlock() a few pages so they can't get swapped out to disk.

Re:Linux Kernel keyring; openCryptoki

[tlhIngan]

Any idea if that mechanism addresses the DRAM "memory" effect described in this paper: http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_ [auckland.ac.nz] del.html?

Having developed for embedded systems, I'm amazed at how well DRAM can retain data. I've had it such that RAM disks were preserved after power cycles (~1 second without power, and SDRAM controllers not initialized until many milliseconds after powerup). There was at one point a hack we had to implement in the bootloader to clear a bit of memory so a power cycle really would start clean.

Heck, it's a great way when debugging - the OS could log all messages to the screen, but that greatly slows down operations. So we log into a circular RAM buffer. When the board crashes, we power cycle, then inspect the RAM buffer for the last few messages written.

Out of curiousity, I once experimented to see how long the data was retained - I wrote a data pattern to RAM, looked at it back, then removed power for varying lengths of time. It can take anywhere from a few seconds to a minute before the data gets hopelessly corrupted. But before then, if you knew what you were looking for, you could find it.

Re:Smart Card

[mr_death]

At the RSA conference three years ago, you could bring your smart card to many booths and they would extract the private key in less than 5 minutes. I have no reason to believe that the problem has become any harder.

True, a smart card (compared to a normal PC) sucks less, but it still sucks.

Plan 9's Factotum

[Darren Bane]

Plan 9 [bell-labs.com] has such a central key repository. It's called Factotum, and the best description is the USENIX paper [usenix.org]. It has been ported to other UNIX-likes by the plan9port [swtch.com] project.

Re:Well duh..

[linkages]

If only AIX's memory management was as good as its logical volume manager. mmap on AIX is just broken when it comes to performance.
If you have more that say a dozen processes mmaping a file and one of those procs makes a change all the others _MUST_ be interrupted to have their in proc. memory cleaned up. This becomes an even larger problem when you have hundreds of procs mmaping the same file.