Key Management

From MgmtWiki

Full Title or Meme

Devices that hold keys in storage get lost, broken or upgraded. Users want their data (and, in some cases, their money) recovered afterwards. Key Management is the typical answer.

Problems

  • The Heartbleed bug shipped on March 14, 2012, and was not publicly discovered for two years. At its core, the issue was not the bug itself, since bugs are inevitable, but the design that left private keys in the user space of the application. Nine years later, key management systems still do this, and worse: they copy keys around in the clear, leaving them in environment variables and in largely un-ACLed files stored in user space. Essentially, we are just one bug away from another Heartbleed-like exposure, because the way we manage keys has not fundamentally changed.
  • Most Key Management schemes involve storing some recovery mechanism in the cloud. That is similar to what LastPass did for cryptocurrency wallets. As should be expected, they were hacked.[1] "A breach in which hackers stole password vaults containing both encrypted and plaintext data for more than 25 million users. Since then, a steady trickle of six-figure cryptocurrency heists targeting security-conscious people throughout the tech industry has led some security experts to conclude that crooks likely have succeeded at cracking open some of the stolen LastPass vaults."
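
The first problem above describes keys copied in the clear into environment variables and un-ACLed files. As an added example (not part of this wiki page), the following Python audit looks for exactly that on a host: PEM private keys in files readable by group or others, and PEM private keys sitting in environment variables. The file and variable names in `run_demo` are constructed samples, and the key body is a placeholder, not a real key.

```python
import re
import stat
import tempfile
from pathlib import Path

# PEM header that marks a private key stored in the clear.
PRIVATE_KEY_MARKER = re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----")

# Any read/write/execute bit for group or others means the file is not owner-only.
GROUP_OTHER_BITS = stat.S_IRWXG | stat.S_IRWXO


def find_exposed_key_files(root):
    """Return paths under `root` that contain a PEM private key and whose
    permission bits grant any access to group or others."""
    exposed = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        try:
            head = path.read_bytes()[:4096].decode("utf-8", errors="ignore")
        except OSError:
            continue  # unreadable to us; cannot be a cleartext key we can audit
        if PRIVATE_KEY_MARKER.search(head) and path.stat().st_mode & GROUP_OTHER_BITS:
            exposed.append(str(path))
    return sorted(exposed)


def find_keys_in_environment(environ):
    """Return names of variables in `environ` (any mapping, e.g. os.environ)
    whose value carries a PEM private key."""
    return sorted(name for name, value in environ.items()
                  if PRIVATE_KEY_MARKER.search(value))


def run_demo():
    """Build a constructed sample tree and environment (placeholder key, not a
    real one), run both checks, and return (exposed file names, variable names)."""
    root = Path(tempfile.mkdtemp())
    fake_key = "-----BEGIN PRIVATE KEY-----\nQUJDREVG\n-----END PRIVATE KEY-----\n"
    samples = {"id_locked": (fake_key, 0o600),   # owner-only: not flagged
               "id_open": (fake_key, 0o644),     # group/other readable: flagged
               "notes.txt": ("no key here", 0o644)}  # world-readable but no key
    for name, (body, mode) in samples.items():
        (root / name).write_text(body)
        (root / name).chmod(mode)
    env = {"HOME": "/home/user", "TLS_KEY": fake_key}  # constructed environment
    exposed = [Path(p).name for p in find_exposed_key_files(root)]
    return exposed, find_keys_in_environment(env)
```

Run `find_exposed_key_files` against a real key directory and `find_keys_in_environment(os.environ)` to audit a live host; a hit on either is a key that one bug away from the process would expose.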

References

  1. Brian Krebs, Experts Fear Crooks are Cracking Keys Stolen in LastPass Breach (2023-09-05) https://krebsonsecurity.com/2023/09/experts-fear-crooks-are-cracking-keys-stolen-in-lastpass-breach/