Key Management

From MgmtWiki

Revision as of 21:54, 5 September 2023 by Tom (talk | contribs) (→‎Reverences)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Jump to: navigation, search

Contents

1 Full Title or Meme
2 Problems
3 Problems
4 Reverences

Full Title or Meme

Problems

The Heartbleed bug shipped on March 14, 2012, it was not publicly discovered for two years. At its core, the issue was not the bug itself - as bugs are inevitable - but rather the design that left private keys in the user space of the application. 9 years later key management systems do this and worse today. They copy keys around in the clear, leaving them in environment variables and largely un-ACLed files stored in user space. Essentially, we are just one bug away from another Heartbleed-like exposure because the way we manage keys has not fundamentally changed.

Problems

Most Key Management schemes involve storage of some recovery mechanism in the cloud. That's similar to what Last Pass did for Cryptocurrency wallets. As should be expected, they were hacked.^[1]

Reverences

↑ Brian Krebs, Experts Fear Crooks are Cracking Keys Stolen in LastPass Breach (2023-09-05) https://krebsonsecurity.com/2023/09/experts-fear-crooks-are-cracking-keys-stolen-in-lastpass-breach/

Retrieved from "http://tcwiki.azurewebsites.net/index.php?title=Key_Management&oldid=18652"

Security