Re: Automate GPG or PGP to make an .exe

"TC" <aatcbbtccctc@xxxxxxxxx> writes:
The OP might give the file to the recipient directly, on a USB key. Or
he might send it through a trusted friend. Or he might post the file to
a website that he created for that purpose, 5 minutes ago. Or he might
put it on a free image site. Or send it through the mail, on diskette.
Or post it to sendyourfiles.com. Or leave it on a disk inside the
second book to the left of the right-hand shelf. Or use any of 50
thousand ways of pasing files to people.

Yes, and the OP has decided that the file needs encryption, because of
a concern about attackers intercepting it and reading its contents.
Why on EARTH should anyone assume that an attacker willing to go to
the trouble of intercepting the file and reading it, won't also be
willing to tamper with it? Especially since this sounds like some
kind of production setup, where the operation will be repeated many
times using some kind of regular procedure, so the attacker can plan
ahead and gets many opportunities.

Here are two ways to move sensitive data around:

1) without encryption, for example normal email and phone calls. This
relies on the transport security to prevent interception and
tampering. It's good enough for most purposes, but the OP has already
decided that this particular application needs encryption.

2) With encryption and authentication, to safeguard against
interception and tampering without having to rely on the transport layer.

You seem to think the OP's data is in some kind of middle ground
between 1 and 2, like maybe 1.5, so it needs to be safeguarded against
interception but not against tampering. Such a middle ground might
exist sometimes, but it's pretty narrow.

One of the biggest and most common mistakes newbies around here make
is encrypting stuff without authenticating it. You're no different.
If your suggested methods of moving the file were so secure against
tampering, they'd also remove the need for encryption.
.

Relevant Pages

  • My response to a message by Dorothy Denning in 1995 - Australia and Encryption Policy
    ... Subject: Australia and Encryption Policy ... interception, which includes the issue of the use of cryptography as: ... keys but may be required to provide them in response to a court order. ...
    (sci.crypt)
  • Re: COM Interface Security
    ... you can set the call authentication level ... then I don't think you need to worry about interception very much - I'd ... your encryption DLL and offer it up to the client making the call. ... > How easy or difficult is it to intercept data values passing between a> client and server via a public COM interface? ...
    (microsoft.public.vb.com)
  • Re: COM Interface Security
    ... you can set the call authentication level ... then I don't think you need to worry about interception very much - I'd ... your encryption DLL and offer it up to the client making the call. ... > How easy or difficult is it to intercept data values passing between a> client and server via a public COM interface? ...
    (microsoft.public.vb.winapi)
  • Re: Encrypted logger?
    ... events in an encrypted log (to prevent tampering with the logs). ... especially not public key encryption like you outline. ... To add a log entry, add a MAC to the entry using the key and record ... If all tags check out, everything is ok, otherwise ...
    (sci.crypt)
  • Re: Encrypted logger?
    ... events in an encrypted log (to prevent tampering with the logs). ... especially not public key encryption like you outline. ... To add a log entry, add a MAC to the entry using the key and record ... If all tags check out, everything is ok, otherwise ...
    (sci.crypt)