Key Management

Full Title or Meme

Problems

• The Heartbleed bug shipped on March 14, 2012, it was not publicly discovered for two years. At its core, the issue was not the bug itself - as bugs are inevitable - but rather the design that left private keys in the user space of the application. 9 years later key management systems do this and worse today. They copy keys around in the clear, leaving them in environment variables and largely un-ACLed files stored in user space. Essentially, we are just one bug away from another Heartbleed-like exposure because the way we manage keys has not fundamentally changed.

• Most Key Management schemes involve storage of some recovery mechanism in the cloud. That's similar to what Last Pass did for Cryptocurrency wallets. As should be expected, they were hacked.^[1] "A breach in which hackers stole password vaults containing both encrypted and plaintext data for more than 25 million users. Since then, a steady trickle of six-figure cryptocurrency heists targeting security-conscious people throughout the tech industry has led some security experts to conclude that crooks likely have succeeded at cracking open some of the stolen LastPass vaults."

Reverences

1. ↑ Brian Krebs, Experts Fear Crooks are Cracking Keys Stolen in LastPass Breach (2023-09-05) https://krebsonsecurity.com/2023/09/experts-fear-crooks-are-cracking-keys-stolen-in-lastpass-breach/