Re: GnuPG front-end to safely en/de-crypt files using symmetic cipher
From: Dusan Chromy (dusan.chromy_at_tiscali.cz)
Date: 05/28/03
- Previous message: sponge: "Re: spybot and adware"
- In reply to: phn_at_icke-reklam.ipsec.nu: "Re: GnuPG front-end to safely en/de-crypt files using symmetic cipher"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 28 May 2003 01:29:52 -0700
phn@icke-reklam.ipsec.nu wrote in message news:<bb040n$2qe2$3@nyheter.crt.se>...
> In comp.security.misc Dusan Chromy <dusan.chromy@tiscali.cz> wrote:
> > Hi,
>
> > I am using Steganos Security Suite v4 to encrypt some files on my
> > computer. However, every time I open them using Steganos, they got
> > saved decrypted on the disk.
>
> > I was thinking about writing a Java application to avoid that. The
> > idea is to
> > use GnuPG as the encryption engine for symmetrical encryption. The
> > Java application would invoke gpg (--decrypt) via Runtime.exec,
> > capture it's output (the decrypted file) and let the user modify it.
> > When done, it would again invoke gpg (--symmetric) to encrypt the
> > file.
>
> > Now I have several questions about this approach:
>
> > 1) How secure is it at all? Runtime.exec uses probably the pipe
> > mechanism of the underlying OS to communicate with the process, so the
> > encrypted data would definitely get written somewhere in memory. How
> > vulnerable it is?
>
> could be a problem.
Sure it could. But how big? I guess using secure memory is something
very OS-dependant. Now can you even do that in Java? Keep in mind I
want a better solution to storing temporary files, which I think it
is. The question is: is it better enough to invest effort to it?
>
> > 2) The passphrase is needed for both encryption and decryption. For
> > convenience, the Java application should ask the password from user
> > and send it to gpg (run gpg with --passphrase-fd 0). I guess it's
> > equally bad as item 1), but then again it's not nice to have user type
> > the passphrase in console window...
> the passphrase is needed at decryption time, not encryption time
> ( you encrypt with the recipients public key). Signing a message
> however needs the passphrase.
No, you don't get me right. It's symmetric encryption, hence
passphrase needed both for encryption and decryption. It has nothing
to do with public/private keys.
>
> > 3) Is there a freeware product doing this or alike? I don't care so
> > much about commercial products because I'd like to make mine freeware.
> > However I wouldn't mind a little inspiration from the commercial arena
> > too :-)
>
> PGP
>
> > 4) Given all the drawbacks of items 1)-2) and compared to the
> > improvement over a scenario with temporary files, does it make sense
> > to create such application?
>
> You could create a "secure" application. Risks are however that something
> that slipped your mind will sneak through and the end result will
> be an unsecure application.
>
Well I guess that's why it's good when it's open source - everyone can
point out the security holes.
>
> > Thanks,
>
> > Dusan
- Previous message: sponge: "Re: spybot and adware"
- In reply to: phn_at_icke-reklam.ipsec.nu: "Re: GnuPG front-end to safely en/de-crypt files using symmetic cipher"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
