On Fri, 23 Apr 1999 17:06:33 EDT, Jefferson Ogata <jogataat_private> said: > What if the OS itself maintains a database of randomized encryption keys, > and allows access to a key only to a binary whose inode and filesystem > matches the one under which the key was stored. I'm being needlessly > specific here, but I lack the vocabulary to describe this in more general > terms. 1) This data must, itself, be stored someplace. Where, and how? Obviously, this needs encrypting too. What do you use for a key for THAT? (Remember, the key has to survive a reboot). 2) Mapping it to inode/filesystem is a Bad Idea. 2A) You upgrade the product, you lose. 2B) You restore the filesystem from tape, you lose. 2C) An attacker finds a way to grab that inode number for himself, you lose. I won't even get into possible hassles here with symlink confusion, NFS issues (remember, dickless clients DO exist), and other warts that we have to deal with in the real world. Valdis Kletnieks Computer Systems Senior Engineer Virginia Tech
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:43:53 PDT