Re: Are there any API's available for performing cryptographic functions in a kext?
- Subject: Re: Are there any API's available for performing cryptographic functions in a kext?
- From: "Tom Fortmann" <email@hidden>
- Date: Sun, 22 Feb 2009 20:09:55 -0600
I'm working on a security product that adds additional browser security when
a user surfs to specific sites. It is a client-server application with
components that run on the web server, on the client, and on a back-end
administration server. We are using a combination of daemons, a kext and
Safari components to secure the browser session. I'm trying to secure the
client agent in a couple of ways. First, I want to sign everything so we know
no one has tampered with any of the pieces. Second, we want to secure the
configuration data as it flows through the pieces. For this I'm looking at
using something like Diffie-Hellman to set up session keys and either hashing
or encrypting the data as it passes to/from the kext. The keys would have
some lifetime associated with them to avoid the overhead of a key exchange on
every open/close. Most of the data can be stored in the clear, so something
like an SHA hash will suffice and avoid the added overhead of encrypting and
decrypting.
From all of the responses I've received, it sounds like the DH, SHA and AES
routines will have to be included directly in my kext. I realize some of
this may be overkill, and ultimately if someone gets root authority they can
circumvent almost anything we do to protect ourselves.
Tom
___________________________________
Thomas Fortmann
Director of Development
Xcape Solutions, Inc.
207 Crystal Grove Blvd.
Lutz, FL 33548
TEL 847 228 9831
www.xcapesolutions.net
email@hidden
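The channel design sketched in the post above (a session key from a key exchange, a bounded key lifetime, and an integrity check on the configuration data crossing the daemon/kext boundary) can be shown in a few dozen lines. The following is an added example, not the product's code or anything from the list; it is written in Python for the daemon side of the channel, since the kext side would be C against whatever hash routines get linked into it. SESSION_KEY is a constructed constant standing in for the shared secret a Diffie-Hellman exchange would produce, KEY_LIFETIME_SECONDS is an assumed value (the post names none), and the config blob is made up. The integrity check is an HMAC keyed with the session key rather than a bare digest: the last function in the block shows why, by letting an attacker rewrite a payload and recompute an unkeyed SHA-256 beside it, which a verifier then accepts.

```python
# Keyed integrity framing for config data crossing the daemon <-> kext
# boundary, with a session key that has a bounded lifetime.
# Added example; SESSION_KEY and KEY_LIFETIME_SECONDS are constructed/assumed.
import hashlib
import hmac
import struct

SESSION_KEY = bytes(range(32))        # constructed stand-in for the DH output
KEY_LIFETIME_SECONDS = 300            # assumed; renegotiate after this
TAG_LEN = hashlib.sha256().digest_size
HEADER = struct.Struct("<II")         # sequence number, payload length


class SessionExpired(Exception):
    """The key lifetime has elapsed; a fresh key exchange is required."""


class BadFrame(Exception):
    """Frame rejected: malformed, tag mismatch, or replayed."""


class Session:
    """One endpoint's view of the channel (daemon or kext side)."""

    def __init__(self, key, established_at, lifetime=KEY_LIFETIME_SECONDS):
        self.key = key
        self.established_at = established_at
        self.lifetime = lifetime
        self.next_seq = 1     # next number we will send
        self.last_seq = 0     # highest number we have accepted

    def expired(self, now):
        return now - self.established_at >= self.lifetime

    def _tag(self, header, payload):
        # HMAC over header and payload: the key, not just the data, goes into
        # the tag, so whoever rewrites the buffer cannot recompute it.
        return hmac.new(self.key, header + payload, hashlib.sha256).digest()

    def seal(self, payload, now):
        """Wrap payload as header || payload || tag."""
        if self.expired(now):
            raise SessionExpired("key lifetime exceeded, renegotiate first")
        header = HEADER.pack(self.next_seq, len(payload))
        self.next_seq += 1
        return header + payload + self._tag(header, payload)

    def open(self, frame, now):
        """Verify a frame and return its payload, or raise."""
        if self.expired(now):
            raise SessionExpired("key lifetime exceeded, renegotiate first")
        if len(frame) < HEADER.size + TAG_LEN:
            raise BadFrame("short frame")
        header = frame[:HEADER.size]
        seq, plen = HEADER.unpack(header)
        if len(frame) != HEADER.size + plen + TAG_LEN:
            raise BadFrame("length field does not match frame size")
        payload = frame[HEADER.size:HEADER.size + plen]
        tag = frame[HEADER.size + plen:]
        # Constant-time comparison so tag checking does not leak timing.
        if not hmac.compare_digest(tag, self._tag(header, payload)):
            raise BadFrame("integrity tag mismatch")
        if seq <= self.last_seq:
            raise BadFrame("replayed or out-of-order frame")
        self.last_seq = seq
        return payload


def unkeyed_frame(payload):
    """Payload || SHA-256(payload): no key involved."""
    return payload + hashlib.sha256(payload).digest()


def unkeyed_verify(frame):
    payload, digest = frame[:-TAG_LEN], frame[-TAG_LEN:]
    return hmac.compare_digest(hashlib.sha256(payload).digest(), digest)


def run_demo():
    """Exercise the channel; returns which checks fired."""
    daemon = Session(SESSION_KEY, established_at=1000)
    kext = Session(SESSION_KEY, established_at=1000)
    config = b"policy=strict;sites=bank.example"   # constructed config blob
    results = {}
    frame = daemon.seal(config, now=1001)
    results["accepted"] = kext.open(frame, now=1002) == config
    try:                                   # same frame again: replay
        kext.open(frame, now=1003)
        results["replay_rejected"] = False
    except BadFrame:
        results["replay_rejected"] = True
    tampered = bytearray(frame)            # flip one payload bit
    tampered[HEADER.size] ^= 0x01
    try:
        kext.open(bytes(tampered), now=1004)
        results["tamper_rejected"] = False
    except BadFrame:
        results["tamper_rejected"] = True
    try:                                   # key lifetime reached
        daemon.seal(config, now=1000 + KEY_LIFETIME_SECONDS)
        results["expiry_enforced"] = False
    except SessionExpired:
        results["expiry_enforced"] = True
    # With an unkeyed digest the same tampering goes unnoticed: whoever can
    # rewrite the payload can recompute the hash beside it.
    evil = config.replace(b"strict", b"off")
    results["unkeyed_digest_fooled"] = unkeyed_verify(unkeyed_frame(evil))
    return results
```

Running `run_demo()` returns a dict in which every check is True: the good frame is accepted, the replay and the bit-flipped frame are rejected, sealing fails once the assumed lifetime is reached, and the unkeyed variant accepts the rewritten config. The example deliberately leaves the key exchange out; as the replies in the thread point out, whatever produces the session key on the kext side lives in the same address space as the code it is meant to protect from, so the framing buys integrity against other user-space parties, not against root.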
Message: 1
Date: Fri, 20 Feb 2009 22:10:30 -0800
From: Michael Smith <email@hidden>
Subject: Re: Are there any API's available for performing cryptographic functions in a kext?
To: Tom Fortmann <email@hidden>
Cc: email@hidden
Message-ID: <email@hidden>
Content-Type: text/plain; charset="windows-1252"
On Feb 20, 2009, at 6:35 AM, Tom Fortmann wrote:
> Can anyone point me to any documentation on available (Leopard)
> APIs to perform encryption and possibly Diffie-Hellman calculations
> within a kernel extension? We want to secure our kernel interface
> and are looking to encrypt the data exchanged between a user-space
> daemon and our kext. I know there is open-source available we could
> link this directly in to our kext, but I would prefer to live within
> any existing security framework that may exist within the OSX kernel
> space.
Tom,
Why would you trust any such service any more than you trust the
services that provide the communications channel between the user
process and your extension?
Perhaps you could explain what you mean by "secure our kernel
interface" a little more and that might clarify the matter, but as a
general rule if you are looking to keep something secret, you need
private hardware; the kernel address space is not protected in that
fashion.
= Mike
------------------------------
Message: 2
Date: Fri, 20 Feb 2009 22:44:00 -0800
From: mm w <email@hidden>
Subject: cryptographic
To: email@hidden
Message-ID: <email@hidden>
Content-Type: text/plain; charset=UTF-8
Hi Tom,
there is crypto(4), or the same as the Linux kernel crypto; the only way
(if you want to use such algos)
should be to include the code in your kext. Anyway, even if you encrypt...
can you tell more about your project?
as Mike said, you need something behind it (hardware-accelerated
cryptographic operations).
anyway, imagine you have it:
it depends what you are doing, but if you plan to encrypt every
transaction it will burn fat; anyway, what's your software design?
you want to avoid public transactions between one client and his own
host; from what do you want to hide it? other users?
those APIs have not been implemented exactly for doing what you wrote,
or maybe I didn't understand well what you put here
-mmw
------------------------------
_______________________________________________
Darwin-kernel mailing list
email@hidden
http://lists.apple.com/mailman/listinfo/darwin-kernel
End of Darwin-kernel Digest, Vol 6, Issue 31
********************************************