Public
The problem that the heartbleed attack demonstrates is that people's private keys are available to a server that is also available (via heartbleed) to the attackers.
Ideally you'd want your TLS keys to be stored in an HSM(hardware security module), where if your machine is compromised they cannot be extracted. Usually this can be done via PKCS#11, an standard API for asking something else to do the crypto operations for you. This is plausible for client applications on devices with TPMs (eg Thinkpads), but the builtin TPMs are extremely slow, and are not usually available on servers. For example for storing things like client SSH keys, this is ideal. (You don't need to use the Platform Configuration Registers which is the bit that most people object to, and ideally you'd get a "real" HSM, not just reuse the TPM as a HSM.).
Ideally what you want to do for a web farm is to have a software daemon that pretends to be a HSM, which runs as a separate user than your webserver. When your webserver needs a crypto operation done that involves your private keys, it asks the software HSM to do the operation for it. Thus, even if an attacker gains access to the user the webserver is running as (eg remote code execution), they cannot just read out the TLS keys, and probably also the password used to encrypt them from the config file! If the softHSM running as a separate daemon in a second user account, they need to be able to access that second user (eg by exploiting bugs in the kernel etc) to get the keys, which is a much higher bar (and is not provided for by things like heartbleed). The attacker, if they did get full access to the webserver account could ask the softHSM to do the operations for it, but when combined with Perfect Foward Security, this doesn't really buy the attacker much that they didn't get just by sniffing the unencrypted streams they already have access to. If you wanted to later upgrade the security of your machine (eg, you have a TPM added to your server), you could swap out the software HSM's PKCS#11 driver library for your "real" HSM PKCS#11 driver, which is a small configuration change.
Unfortunately, at the moment all the softHSM's I've looked at operate as a shared library, and thus still have problems with key leakage. I have also not been able to figure out how to get any of the webserver SSL configurations to actually use PKCS#11. So far they only seem to allow you to say "I want to use PKCS#11" but then don't let you configure anything that you need to such as ... which PKCS#11 module to use, or what the User PIN for the HSM is, or which slot, token or certificate to use within the HSM. The current state of the art appears to recompiling to configure much of this. Hopefully I'm wrong here.
Heartbleed is bad, but it's not going to be the last bug that we ever see that gives access to the webserver account. There's going to be bugs in protocol handling (either TLS, or perhaps in new HTTP/2.0 implementations) and there's going to be bugs in websites that mean that file contents are leaked, or allow for varying degrees of remote code execution.
The best fix here is to not expose your keys to the same process that is exposed to the Internet. The best standard we have today for this is PKCS#11. To do this we need a software daemon based PKCS#11 that can run as a separate user and a driver PKCS#11 module for it (communicating over, say, a unix domain socket, perhaps dbus or something), and we need to have webserver vendors support PKCS#11 as a first class citizen in their configuration.
Ideally you'd want your TLS keys to be stored in an HSM(hardware security module), where if your machine is compromised they cannot be extracted. Usually this can be done via PKCS#11, an standard API for asking something else to do the crypto operations for you. This is plausible for client applications on devices with TPMs (eg Thinkpads), but the builtin TPMs are extremely slow, and are not usually available on servers. For example for storing things like client SSH keys, this is ideal. (You don't need to use the Platform Configuration Registers which is the bit that most people object to, and ideally you'd get a "real" HSM, not just reuse the TPM as a HSM.).
Ideally what you want to do for a web farm is to have a software daemon that pretends to be a HSM, which runs as a separate user than your webserver. When your webserver needs a crypto operation done that involves your private keys, it asks the software HSM to do the operation for it. Thus, even if an attacker gains access to the user the webserver is running as (eg remote code execution), they cannot just read out the TLS keys, and probably also the password used to encrypt them from the config file! If the softHSM running as a separate daemon in a second user account, they need to be able to access that second user (eg by exploiting bugs in the kernel etc) to get the keys, which is a much higher bar (and is not provided for by things like heartbleed). The attacker, if they did get full access to the webserver account could ask the softHSM to do the operations for it, but when combined with Perfect Foward Security, this doesn't really buy the attacker much that they didn't get just by sniffing the unencrypted streams they already have access to. If you wanted to later upgrade the security of your machine (eg, you have a TPM added to your server), you could swap out the software HSM's PKCS#11 driver library for your "real" HSM PKCS#11 driver, which is a small configuration change.
Unfortunately, at the moment all the softHSM's I've looked at operate as a shared library, and thus still have problems with key leakage. I have also not been able to figure out how to get any of the webserver SSL configurations to actually use PKCS#11. So far they only seem to allow you to say "I want to use PKCS#11" but then don't let you configure anything that you need to such as ... which PKCS#11 module to use, or what the User PIN for the HSM is, or which slot, token or certificate to use within the HSM. The current state of the art appears to recompiling to configure much of this. Hopefully I'm wrong here.
Heartbleed is bad, but it's not going to be the last bug that we ever see that gives access to the webserver account. There's going to be bugs in protocol handling (either TLS, or perhaps in new HTTP/2.0 implementations) and there's going to be bugs in websites that mean that file contents are leaked, or allow for varying degrees of remote code execution.
The best fix here is to not expose your keys to the same process that is exposed to the Internet. The best standard we have today for this is PKCS#11. To do this we need a software daemon based PKCS#11 that can run as a separate user and a driver PKCS#11 module for it (communicating over, say, a unix domain socket, perhaps dbus or something), and we need to have webserver vendors support PKCS#11 as a first class citizen in their configuration.
View 13 previous comments
PKCS#11 is a pain to deal with, but it's a thing that saves most of the security conscious organisations' butts.
The issue with HSMs and PKCS#11 is that it precludes from effective integration testing, leaving more bugs and more vulnerabilities undiscovered longer. Therefore for all it's benefits it would be a net negative to force that kind of crypto API onto people, while being perfectly fine for system libraries...
By the way, you can make OpenSSL use an HSM to store keys. It's just not appropriate for most scenarios. Also - integration with HSMs is flaky at best and HSM developers are security specialists, not good software developers(personal experience with several HSM vendors and their "consultants")Apr 14, 2014
+Jeff Schroeder Hrm, that's interesting. I'd not come across sigul. At the moment it doesn't look like it's designed to be integrated into anything else (like webservers etc), but perhaps it could be extended... Hm.Apr 14, 2014- +Charles Forsyth PKCS#11 isn't designed to do the same thing as Factotum. It covers a much smaller range of operations ("sign this data", "encrypt this data" "decrypt this data" "verify this signature") which you then build into higher order operations like the operations factotum would use ("authenticate this user"). So no, the HSM's aren't as powerful as Factotum. On the other hand the simpler the hardware interface the less likely that someone along the way will screw it up. (Which is not to say that this likelihood is anywhere close to 0...) Factotum, as I understand it, needs to be upgraded to implement a new authentication protocol, but PKCS#11 shouldn't need to be upgraded unless it involves a new crypto primitive (eg SHA-2, or AES-2 or something).Apr 14, 2014
- +Aleksandr Panzin Yes, you can make openssl use PKCS#11, but it is extremely irritating to do so. PKCS#11's complexities seem to rotate around really bad out of date documentation, closed source binary blob drivers that haven't been updated in three thousand years (probably was old when the documentation was written...), and poor support for distros.
Things like p11-kit and gnutls make using PKCS#11 fairly straightfoward, but these are two rare things for anyone to support (adding support for p11-kit is just dropping a textfile in /etc/pkcs11/modules/ so it's easy to do yourself, but I shouldn't have to...)Apr 14, 2014 
And this is precisely what I am doing as a side project right now. Though the HSM I am working on is targeted at a different market (client side website account authentication via SQRL). There is no reason why a variant of the software could not manage the TLS crypto.
I would say though, designing your own HSM is not for the faint hearted. Especially if an attacker can gain access to the live data connection or even measure physical aspects of it operation (current drain etc).
The hardware I am using initially is the Teensy-3.1, a 90MHz Arm M4 with a configurable USB interface.Apr 14, 2014
You might find this interesting - AcceSSL: a "soft HSM" for OpenSSL to secure private keys - https://github.com/gozdal/accessl/Jun 6, 2014
Add a comment...