Re: PGP scripting...

From: Brian Hatch (secprogat_private)
Date: Tue Jan 07 2003 - 16:53:26 PST

  • Next message: Stefan Schildt: "Re: Standards for developing secure software"

    > Also, it doesn't do too much to help with the fact
    > that the private key/passphrase will still be stored locally.
    
    I don't remember which OS you were using, but you may have
    other alternatives.
    
    As meantioned, if you have some daemon that performs the
    encrypt/decrypt, you can have the passphrase stored
    there only[1].  However you still need some secure
    method to make sure only 'authorized' processes can
    communicate with it.  However the method needed to
    authorize itself (some form of password or pub/private
    key challenge) is the new point of attack, and is no
    better protected.  You've just moved the vulnerability
    a bit.
    
    
    However you may be able to set up your machine to have
    the keys and/or pgp keyrings available only to the
    authorized processes themselves at the kernel level.
    If this were a Linux machine, I'd suggest something like
    LIDS[2].  You'd be able to declair the pgp keyring to be 
    invisible to all processes, and grant read access only
    to the process that needs it.
    
    Or if you don't like blank passphrases (and you shouldn't)
    make a second file that is also invisible that has the
    passphrase.[3]  Thus your encryptor/decryptor can use the
    pgp keyring and read the passphrase, but any cracker that
    exploits something else in your system can't get access.
    
    You must protect this program from modification, else an
    attacker can change it to let him use these files, but
    LIDS forces this on you anyway.  Any bug in this program
    can still be used to circumvent security, but that's not
    new.
    
    
    
    [1] With the downside that you need to supply it on bootup
    
    [2] Grsecurity should be able to do this as well, but I'm
    	not as up on my grsecurity terminology.
    
    [3] By 'invisible' I mean that it has CAP_HIDDEN which means
    	it is unavailable entirely.  Unauthorized processes
    	are told it doesn't exist when they try to open it.
    	This isn't just hiding it from 'ls' output, any access
    	to it is blocked, unless you are allowed specifically
    	allowed access to it.
    	not as up on the terminology.  RSBAC or SELinux
    	would too, but perhaps are more than you need
    	for this one application.
    
    
    --
    Brian Hatch                  Something about
       Systems and                that idea stirs
       Security Engineer          deep terror within me.
    www.hackinglinuxexposed.com   --Nick
    
    Every message PGP signed
    
    
    



    This archive was generated by hypermail 2b30 : Tue Jan 07 2003 - 19:49:33 PST