Re: GnuPG front-end to safely en/de-crypt files using symmetric cipher
phn_at_icke-reklam.ipsec.nu
Date: 05/27/03
Date: Tue, 27 May 2003 16:33:27 +0000 (UTC)
In comp.security.misc Dusan Chromy <dusan.chromy@tiscali.cz> wrote:
> Hi,
> I am using Steganos Security Suite v4 to encrypt some files on my
> computer. However, every time I open them using Steganos, they get
> saved decrypted on the disk.
> I was thinking about writing a Java application to avoid that. The
> idea is to use GnuPG as the encryption engine for symmetrical
> encryption. The Java application would invoke gpg (--decrypt) via
> Runtime.exec, capture its output (the decrypted file) and let the
> user modify it. When done, it would again invoke gpg (--symmetric)
> to encrypt the file.
> Now I have several questions about this approach:
> 1) How secure is it at all? Runtime.exec probably uses the pipe
> mechanism of the underlying OS to communicate with the process, so the
> encrypted data would definitely get written somewhere in memory. How
> vulnerable is it?
Could be a problem.
> 2) The passphrase is needed for both encryption and decryption. For
> convenience, the Java application should ask the password from user
> and send it to gpg (run gpg with --passphrase-fd 0). I guess it's
> equally bad as item 1), but then again it's not nice to have user type
> the passphrase in console window...
The passphrase is needed at decryption time, not encryption time
(you encrypt with the recipient's public key). Signing a message,
however, needs the passphrase.
> 3) Is there a freeware product doing this or alike? I don't care so
> much about commercial products because I'd like to make mine freeware.
> However I wouldn't mind a little inspiration from the commercial arena
> too :-)
PGP
> 4) Given all the drawbacks of items 1)-2) and compared to the
> improvement over a scenario with temporary files, does it make sense
> to create such an application?
You could create a "secure" application. The risk, however, is that
something that slipped your mind will sneak through and the end result
will be an insecure application.
> Thanks,
> Dusan
--
Peter Håkanson
IPSec Sverige ( At Gothenburg Riverside )
Sorry about my e-mail address, but I'm trying to keep spam out,
remove "icke-reklam" if you feel for mailing me. Thanx.
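
The decrypt step described in the question (gpg run with --passphrase-fd 0, plaintext captured from the pipe instead of a temporary file), as an added example that is not part of the original thread. The class name GpgPipeDecrypt is hypothetical, and the code assumes a gpg binary on the PATH and a file produced with gpg --symmetric.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

public class GpgPipeDecrypt {  // hypothetical name, not from the thread
    // Returns the plaintext in memory; nothing is written to disk by this code.
    static byte[] decrypt(String path, char[] passphrase) throws IOException, InterruptedException {
        // The passphrase goes over stdin, never on the command line (visible in ps).
        // --pinentry-mode loopback is required by GnuPG 2.1+; drop it for GnuPG 1.x.
        ProcessBuilder pb = new ProcessBuilder("gpg", "--batch", "--pinentry-mode", "loopback",
                "--passphrase-fd", "0", "--decrypt", path);
        pb.redirectError(ProcessBuilder.Redirect.INHERIT);
        Process gpg = pb.start();

        // Encode char[] -> bytes without creating an immutable String.
        ByteBuffer encoded = StandardCharsets.UTF_8.encode(CharBuffer.wrap(passphrase));
        byte[] pass = new byte[encoded.remaining()];
        encoded.get(pass);
        try (OutputStream stdin = gpg.getOutputStream()) {
            stdin.write(pass);
            stdin.write('\n');  // gpg reads the passphrase up to the newline
        } finally {
            Arrays.fill(pass, (byte) 0);
            if (encoded.hasArray()) Arrays.fill(encoded.array(), (byte) 0);
        }
        // The growing buffer below leaves copies the JVM may keep or swap out;
        // this narrows the exposure compared with temp files, it does not remove it.
        ByteArrayOutputStream plain = new ByteArrayOutputStream();
        try (InputStream stdout = gpg.getInputStream()) {
            byte[] buf = new byte[8192];
            for (int n; (n = stdout.read(buf)) != -1; ) plain.write(buf, 0, n);
            Arrays.fill(buf, (byte) 0);
        }
        if (gpg.waitFor() != 0) throw new IOException("gpg exited with an error");
        return plain.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        char[] passphrase = System.console().readPassword("Passphrase: ");
        try {
            byte[] plaintext = decrypt(args[0], passphrase);
            System.out.println("Decrypted " + plaintext.length + " bytes into memory");
            Arrays.fill(plaintext, (byte) 0);
        } finally {
            Arrays.fill(passphrase, '\0');
        }
    }
}
```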