Re: PGP scripting...

From: Marcin Owsiany (marcin@owsiany.pl)
Date: 01/08/03

  • Next message: lsi: "Re: PGP scripting..." 
    Date: Wed, 8 Jan 2003 00:00:58 +0100
From: Marcin Owsiany <marcin@owsiany.pl>
To: secprog@securityfocus.com

    On Tue, Jan 07, 2003 at 03:19:24PM -0500, Valdis.Kletnieks@vt.edu wrote:
    > On Tue, 07 Jan 2003 12:02:13 EST, Andrew MacKenzie <andy@edespot.com> said:
    >
    > > My question therefore is: is all this worth the trouble? In order to use
    > > PGP with scripts (or even Java code), the scripts need access to both the
    > > private key and pass phrase (which are stored locally in files). If the
    > > system were compromised would any of this help?
    >
    > Simple answer: "GAME OVER".
    >
    > Detailed answer: If the system is compromised, they have all the data they
    > need to get all the data. The only way to "fix" this is to have a "pgp daemon"
    > that needs to be started by hand so you can give it the passphrase.

    I think that to make it nontrivial to crack, the application itself
    would have to be that daemon. Otherwise (i.e. if the application and the
    daemon were separate processes) they could intercept the communication
    between those two components and just ask the daemon do decrypt the
    files they need.

    That, in turn, might be possible by ptracing or modifying the kernel
    code, for example using modules.

    regards

    Marcin 

    -- 
Marcin Owsiany <marcin@owsiany.pl>              http://marcin.owsiany.pl/
GnuPG: 1024D/60F41216  FE67 DA2D 0ACA FC5E 3F75  D6F6 3A0D 8AA0 60F4 1216
 
"Every program in development at MIT expands until it can read mail."
                                                              -- Unknown

    Relevant Pages

    • Re: Trojan injected in my Freebsd 4.1-RELEASE
      ... M> Using chkproc programm from Nelson Murilo found at pangeia.com.br I found one stealth process. ... Running clean ps command i found ssh daemon sshd daemon named 'swapper' in process list. ... Wtmp was cleared 5 hours back from time of created hackers scripts. ...
      (FreeBSD-Security)
    • Re: sendmail startup scripts
      ... > To start everything running you need the listener to start all in the ... It's best not to edit the standard startup scripts because your edits ... to start up the daemon that listens for incoming mail. ... You can use a modified version of the standard sendmail initscript to ...
      (Fedora)
    • 5.1 on a production box with some small problems (su, linux emu 7)
      ... only 2 small points witch are a pain and i found no solution. ... the scripts runs since 3.x, at least 4.x and was working up to 4.8. ... the pervasive sql server has a daemon ... option there is no listener ...
      (freebsd-questions)
    • 5.1 on a production box with some small problems (su, linux emu 7)
      ... only 2 small points witch are a pain and i found no solution. ... the scripts runs since 3.x, at least 4.x and was working up to 4.8. ... the pervasive sql server has a daemon ... option there is no listener ...
      (freebsd-current)
    • Re: PGP scripting...
      ... On Tue, 7 Jan 2003, Andrew MacKenzie wrote: ... > I would have prefered to use a PGP library (Java code), ... > PGP with scripts, the scripts need access to both the ... > private key and pass phrase. ...
      (SecProg)