Securing Passphrase
A passphrase can be secured in the following three ways:
Obfuscated Passphrase
To obfuscate the passphrase and store the obfuscated value in the Passphrase parameter:
Enable passphrase obfuscation (that is, set Passphrase_Encrypted=yes).
Run the PassPhraseSecure command line utility, as shown below:
<Installation_Directory>\utilities>PassPhraseSecure.exe
Usage :
Passphrase -help -- To print this help
Passphrase -txt <TextToBeObfuscated> -- Obfuscates the provided text
Passphrase -file <FileName> -- Obfuscates first line of the file provided in file name
The parameters of the PassPhraseSecure utility allow the user to provide different inputs to the utility. The parameters are:
PassPhraseSecure -txt <TextToBeObfuscated>: This parameter allows the user to provide the input as text and displays the obfuscated value.
Note
If the text to be obfuscated contains whitespace, it must be enclosed in double quotes (" ").
For example:
<Installation_Directory>\utilities>PassPhraseSecure.exe -txt "hello, input to passpharase"
41058116C2572937869274FC1BD81EDB75AF95182F62870815220A3890B3BD6C
Note
The length of the text to be obfuscated must be <=1023 characters, excluding leading and trailing whitespaces. Any leading and trailing whitespaces are removed from the text before obfuscation.
PassPhraseSecure -file <FileName>: This parameter allows the user to provide the input from a file and displays the obfuscated value. FileName is the name and path of the file whose text is to be obfuscated. For example:
<Installation_Directory>\utilities>PassPhraseSecure.exe -file test.txt
66A09CF4974DB15B1E3C22F89912338E
Note
There is no restriction on the length of the file. However, only the first line of the file is obfuscated, irrespective of the file length.
PassPhraseSecure -help: This parameter displays the help for this utility on the console. For example:
<Installation_Directory>\utilities>PassPhraseSecure.exe -help
Usage :
Passphrase -help -- To print this help
Passphrase -txt <TextToBeObfuscated> -- Obfuscates the provided text
Passphrase -file <FileName> -- Obfuscates first line of the file provided in file name
If no parameter is provided to the utility, the same -help output is displayed.
Secured Passphrase
You can use the I_C_SetPassPhraseCallback() function to secure the passphrase. This function obtains the passphrase through a user-specified callback function.
The I_C_SetPassPhraseCallback() function can only be used when Passphrase_Encrypted=no. When the I_C_SetPassPhraseCallback() function is called, it sets the callback function that is used to obtain the passphrase. In this case, the plaintext passphrase stored in the Passphrase parameter is ignored.
For example, the following code uses the secured passphrase functionality:
#include <stdio.h>

char str[100] = {0,};

char *getstring(void *arg)
{
    printf("\nPlease enter password for private key [%s] : ", (char *)arg);
    scanf("%99s", str); /* The width limit keeps the input inside str; some other way can be used to read the password securely from the user interface */
    return str;
}

/* Before calling I_C_OpenSession, the following function should be called to set a callback for the passphrase. */
rc = I_C_SetPassPhraseCallback(getstring);
if (rc != I_E_OK)
{
    fprintf(stderr, "I_C_SetPassPhraseCallback error: %s\n", I_C_GetErrorString(rc));
    return rc;
}
This causes the password to be collected dynamically when Key_File is read while the SSL connection with the server is being established. Here, getstring is the user-specified function that gives the user a customized way to secure and obtain the passphrase.
Plaintext Passphrase
When Passphrase_Encrypted is set to no and the callback function is not used, the Passphrase parameter stores the private key's password in plaintext. Storing the password in plaintext on the system is poor security practice, as it might compromise the security of the private key.
Note
It is strongly recommended to use a secured or obfuscated passphrase.