[Interest] how to secure ssl key on symbian platform

4 views
Skip to first unread message

franki

unread,
Apr 2, 2012, 8:25:36 AM4/2/12
to inte...@qt-project.org
Hi,

I have app which uses SSL cert to log in to server. Server is verifying client
certificate and checking it against custom CA (located on server). On the other
hand client is also veryfing server certificate and checks it with certificate
from custom CA, so there is full verification, and no errors during handshake.

But the problem is, that on client side cert and key are stored in application
private dir, which is inaccessible during normal phone usage, but when I
connect this phone to PC with USB in mass storage mode, private application
dir is accessible (at least I can see it) and probably someone would be able
to copy ssl key from phone, that in turn would compromise secure transmision,
right?

So finally the question: Is there some way to store this ssl key (file) in a
safer way on symbian device ? Has someone some idea/expierience with that ?

best regards
Marek
_______________________________________________
Interest mailing list
Inte...@qt-project.org
http://lists.qt-project.org/mailman/listinfo/interest

Roopesh Chander

unread,
Apr 2, 2012, 9:10:35 AM4/2/12
to franki, inte...@qt-project.org
Per my understanding of public-private-key crypto, secure transmission is not compromised (ie. a third party cannot listen in) by someone getting hold of the client private key. Nevertheless, with the client key, the 'someone' could later pretend he's the real client and get probably sensitive data from the server, which could be a security issue by itself.

To prevent that, all I can think of is to store the client key on disk with encryption.

roop.

Thiago Macieira

unread,
Apr 2, 2012, 9:26:11 AM4/2/12
to inte...@qt-project.org
On segunda-feira, 2 de abril de 2012 18.40.35, Roopesh Chander wrote:
> Per my understanding of public-private-key crypto, secure transmission is
> not compromised (ie. a third party cannot listen in) by someone getting
> hold of the client private key. Nevertheless, with the client key, the
> 'someone' could later pretend he's the real client and get probably
> sensitive data from the server, which could be a security issue by itself.
>
> To prevent that, all I can think of is to store the client key on disk with
> encryption.

But that would require that you store the encryption key somewhere, possibly
in the application code. For an Open Source application, this makes no sense
of course. If it's closed, then you may be able to hide it, but not from a
skilled hacker.

I actually recommend storing the key in the platform's secure storage service.

--
Thiago Macieira - thiago.macieira (AT) intel.com
Software Architect - Intel Open Source Technology Center
Intel Sweden AB - Registration Number: 556189-6027
Knarrarnäsgatan 15, 164 40 Kista, Stockholm, Sweden

signature.asc
Reply all
Reply to author
Forward
0 new messages