View Issue Details

IDProjectCategoryView StatusLast Update
0006175Talerexchangepublic2021-08-24 16:23
ReporterChristian Grothoff Assigned ToChristian Grothoff  
Status closedResolutionfixed 
Platformi7OSDebian GNU/LinuxOS Versionsqueeze
Product Versiongit (master) 
Target Version0.8Fixed in Version0.8 
Summary0006175: implement privilege separation for access to online signing keys
DescriptionWe should not allow the main exchange HTTP process direct access to the exchange's signing keys (RSA or EdDSA).
Instead, those keys should be kept internal to another process running under a different UID. The HTTPD should then
use IPC (per-thread UNIX DGRAM connection is the preferred right now) to send signing requests to the helper process.
The helper process setup must ensure that the UNIX socket is ONLY accessible to the HTTPD.

This will prevent the private keys from being fully disclosed to an adversary if they were able to gain RCE in the HTTPD process. Naturally, they can still use the helper as a signing oracle, but the damage will still be a bit more limited.

Also, this should facilitate transitioning to an HSM in the future.
TagsNo tags attached.


Christian Grothoff

2020-11-22 22:33

manager   ~0017149 is the new process for the privilege separation of the RSA keys, with
crypto_helper_denom.c being the library to access the new signing service. Feedback welcome.

Christian Grothoff

2020-12-14 15:44

manager   ~0017198

Implemented in

Note that the 'old' key management logic was NOT removed with this patch. This, and more documentation, is still needed before this bug is finished.

Christian Grothoff

2020-12-19 15:16

manager   ~0017217

Should be complete.

Issue History

Date Modified Username Field Change
2020-04-11 22:07 Christian Grothoff New Issue
2020-04-11 22:07 Christian Grothoff Status new => assigned
2020-04-11 22:07 Christian Grothoff Assigned To => Christian Grothoff
2020-04-11 22:09 Christian Grothoff Assigned To Christian Grothoff =>
2020-04-11 22:09 Christian Grothoff Status assigned => confirmed
2020-04-13 02:40 Christian Grothoff Target Version => 0.9
2020-07-16 15:19 Christian Grothoff Assigned To => Christian Grothoff
2020-07-16 15:19 Christian Grothoff Status confirmed => assigned
2020-11-22 22:33 Christian Grothoff Note Added: 0017149
2020-12-14 15:44 Christian Grothoff Note Added: 0017198
2020-12-19 15:16 Christian Grothoff Status assigned => resolved
2020-12-19 15:16 Christian Grothoff Resolution open => fixed
2020-12-19 15:16 Christian Grothoff Fixed in Version => 0.9
2020-12-19 15:16 Christian Grothoff Note Added: 0017217
2021-07-30 13:57 Christian Grothoff Fixed in Version 0.9 => 0.8.1
2021-07-30 13:59 Christian Grothoff Target Version 0.9 => 0.8.1
2021-07-30 14:02 Christian Grothoff Fixed in Version 0.8.1 => 0.8
2021-07-30 14:02 Christian Grothoff Target Version 0.8.1 => 0.8
2021-08-24 16:23 Christian Grothoff Status resolved => closed