Re: PGP scripting...

From: Brian Hatch (secprogat_private)
Date: Tue Jan 07 2003 - 16:53:26 PST

Next message: Stefan Schildt: "Re: Standards for developing secure software"

Previous message: Frank Knobbe: "Re: PGP scripting..."
In reply to: Andrew MacKenzie: "Re: PGP scripting..."
Next in thread: Andrew Steingruebl: "Re: PGP scripting..."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> Also, it doesn't do too much to help with the fact
> that the private key/passphrase will still be stored locally.

I don't remember which OS you were using, but you may have
other alternatives.

As meantioned, if you have some daemon that performs the
encrypt/decrypt, you can have the passphrase stored
there only[1].  However you still need some secure
method to make sure only 'authorized' processes can
communicate with it.  However the method needed to
authorize itself (some form of password or pub/private
key challenge) is the new point of attack, and is no
better protected.  You've just moved the vulnerability
a bit.


However you may be able to set up your machine to have
the keys and/or pgp keyrings available only to the
authorized processes themselves at the kernel level.
If this were a Linux machine, I'd suggest something like
LIDS[2].  You'd be able to declair the pgp keyring to be 
invisible to all processes, and grant read access only
to the process that needs it.

Or if you don't like blank passphrases (and you shouldn't)
make a second file that is also invisible that has the
passphrase.[3]  Thus your encryptor/decryptor can use the
pgp keyring and read the passphrase, but any cracker that
exploits something else in your system can't get access.

You must protect this program from modification, else an
attacker can change it to let him use these files, but
LIDS forces this on you anyway.  Any bug in this program
can still be used to circumvent security, but that's not
new.



[1] With the downside that you need to supply it on bootup

[2] Grsecurity should be able to do this as well, but I'm
	not as up on my grsecurity terminology.

[3] By 'invisible' I mean that it has CAP_HIDDEN which means
	it is unavailable entirely.  Unauthorized processes
	are told it doesn't exist when they try to open it.
	This isn't just hiding it from 'ls' output, any access
	to it is blocked, unless you are allowed specifically
	allowed access to it.
	not as up on the terminology.  RSBAC or SELinux
	would too, but perhaps are more than you need
	for this one application.


--
Brian Hatch                  Something about
   Systems and                that idea stirs
   Security Engineer          deep terror within me.
www.hackinglinuxexposed.com   --Nick

Every message PGP signed

application/pgp-signature attachment: stored

Next message: Stefan Schildt: "Re: Standards for developing secure software"
Previous message: Frank Knobbe: "Re: PGP scripting..."
In reply to: Andrew MacKenzie: "Re: PGP scripting..."
Next in thread: Andrew Steingruebl: "Re: PGP scripting..."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Jan 07 2003 - 19:49:33 PST