RE: PGP scripting...

From: Michael McKay (mmckayat_private)
Date: Tue Jan 07 2003 - 11:16:13 PST

  • Next message: Chris Matthews: "RE: PGP scripting..."

    The easy answer is: it all depends.  Seriously, you have to take into account exactly what is being protected against.  Encrypting
    data is useful for tape back-ups, and provides an extra layer of security while operating.  How effective that extra layer is
    depends both upon the threats it is meant to counter, as well as the implementation.
    
    I do a lot of work in the financial world, and insider fraud is a serious threat.  For most of my clients, software encryption is
    considered to have minimal value because of the ease that a system administrator (or other authorized users) could bypass it vs. the
    value of what is being handled (banking PINs, keys, payment authorizations, etc.).  These types of systems use encryption in tamper
    resistant hardware (both because it better protects the keys and the integrity of the algorithms, but also because logical data
    oriented protocols can be enforced by the hardware security module).
    
    Given the application, so far as you have described it, it sounds like there may be some generic benefit.  If the system is
    compromised (perhaps using some generic attack methods like OS or application attacks), the encryption will probably deter
    unmotivated hackers.
    
    To an insider, or a determined hacker, the encryption of data will add some level of inconvenience.  The problem is that your
    application needs to have the ability to decrypt the data (see note below).  There are a lot of implications from this, which could
    lead to one of the following attacks:
    
    * Misuse the application to legitimately decrypt the data, and than hijack the data
    * Misuse subcomponents of the system to decrypt the data
    * Obtain the key from the application/memory-dump (occasionally even from disk, depending upon how the keys are stored)
    * Obtain the key from outside source (perhaps legitimately)
    * Substitute a known key (old data might be still protected, unless a translation utility is built-in)
    
    In summary, you are probably adding a layer of complexity to any attacks.  How effective that layer is depends upon both the threats
    and how well implemented the system is (not just application, but key management details, administration, etc.).
    
    Michael McKay
    Software Director, iS3
    
    Note: This gets into my area of specialty, how do you control any decryption (or encryption for that matter) in such a way that your
    security requirements are upheld.  I was going to refer you to the VISA CISP as an area that needs these techniques, but VISA has
    removed most of the interesting documents from their website (it concerns encryption of CC card data by e-merchants).
    
    -----Original Message-----
    From: Andrew MacKenzie [mailto:andyat_private]
    Sent: Tuesday, January 07, 2003 9:02 AM
    To: secprogat_private
    Subject: PGP scripting...
    
    
    I apologize if this is a bit off-topic, but I'd like to ask a question
    about practical use of PGP.  I am a software developer, and have a client
    who is making a great attempt at being security conscious (to the extent of
    hiring a security consultant).
    
    We (my client) have a system that loads orders into an Oracle DB, and
    processes billing (Java/Solaris based).  One of the 'decrees' from my
    client is that all files that store 'sensitive' data (customer info and the
    like) shall be PGP encrypted, and *never* be stored on a HDD in
    un-encrypted form (even while processing said file).
    
    I can understand the desire to archive these files in encrypted forms, and
    to encrypt these files while transporting out of the system.  But I think
    this idea goes a bit too far as to be more counter-productive than useful.
    After many days of fighting with 'pgp -f' and modifying processes to use
    stdin/stdout, I've gotten much of this working.
    
    I would have prefered to use a PGP library (Java code), but was unable to
    find any within the timeframe.
    
    My question therefore is: is all this worth the trouble?  In order to use
    PGP with scripts (or even Java code), the scripts need access to both the
    private key and pass phrase (which are stored locally in files).  If the
    system were compromised would any of this help?  Is there a better way I
    could do this than what I am already doing?  This is somewhat academic for
    me at this point, as my client is inflexible on this point and code has
    been written, but I'd be interested in hearing your opinions on this
    subject.
    
    Thanks.
    
    --
    // Andrew MacKenzie  |  http://www.edespot.com
    // "Those are my principles. If you don't like them I have others."
    //      -- Groucho Marx
    



    This archive was generated by hypermail 2b30 : Tue Jan 07 2003 - 14:06:51 PST