Support FIDO2/CTAP2 security tokens as keystore
Derrick Lyndon Pallas
derrick at pallas.us
Sun Aug 25 21:30:09 CEST 2019
The private key is in kernel memory and is available via netlink and cli.
~Derrick • iPhone
> On Aug 24, 2019, at 12:01 PM, Andreas Karlsson <andreas at proxel.se> wrote:
>
>> On 8/24/19 4:08 PM, Matthias Urlichs wrote:
>> Anyone with *root* access to the running machine can do that. They also
>> can trivially read the kernel memory (if nothing else, by installing a
>> module) and walk the kernel data structures to find the private and/or
>> shared key.
>
> No, anyone with root access can only get the shared key used for encrypting data, not the actual private key. The private key does never leave the device.
>
> Does this add enough extra security to be worth it? No idea. I haven't worked much with systems like this, only a little bit with SSL and SmartCards.
>
> Andreas
> _______________________________________________
> WireGuard mailing list
> WireGuard at lists.zx2c4.com
> https://lists.zx2c4.com/mailman/listinfo/wireguard
More information about the WireGuard
mailing list