Re: Why I have a 512 bit PGP key
From: Jeff Barber <[email protected]>
>Let's face it, creating the compiler-to-recognize-MD5 is quite a difficult
>problem, and if I were your system administrator and wanted to obtain
>access to your files, creating a special compiler version or otherwise
>attempting to cause your integrity check to fail would be one of the last
>forms of attack I'd try.
Perhaps, then, we need to discuss exactly what attacks your average sysadmin
would be expected to make.
I would think that you'd need to guard against two kinds of sysadmins:
1. The "gentleperson" sysadmin. Though this person might have reason to
want to do nasty things to you, (s)he is restricted, either by personal
morals or company policy, to doing things that are "proper". Hacking the
kernel or the compiler would be out; rather, this person would be more apt
to be liberal in his/her use of root privileges, possibly installing
user-space keypress monitors (like ttysnoop or some X keygrabber). Schemes
like a "personal tripwire", MD5 hashes of various important programs, and so
on would be effective against this kind of attacker.
2. "Sysadmin Hatfield." You're McCoy; you get the picture. Nothing is
below him/her. Your best protection: never log in.
The problem lies in distinguishing the two, and specifically detecting the
latter at any point (in case the former becomes the latter by, say, a policy
change), as Eric pointed out.
>The bottom line is that, as an ordinary user, you are relying completely
>on your trust in the system administrator.
...or your computer policy department. Remember, not even sysadmins are
God. While it's likely that a sysadmin could hack the kernel to substitute
bogus MD5 hashes, doing so in certain environments could earn the sysadmin a
quick exit from employment. If your sysadmin just didn't like you, it's
possible to get the upper hand; if the sysadmin has the added advantage of
little to no oversight, you're screwed.
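The "personal tripwire" mentioned above (a stored table of hashes of important programs, re-checked at login), as an added example that is not part of the original post. It uses SHA-256 by default rather than the MD5 the post names, since MD5 is collision-weak; the sample files and their contents are constructed, and the baseline only helps against the first kind of sysadmin if it is kept where root on that machine cannot rewrite it.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def file_digest(path, algo="sha256"):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths, algo="sha256"):
    """Record path -> digest for the programs you care about (store it off-host)."""
    return {str(p): file_digest(p, algo) for p in paths}


def check_baseline(baseline, algo="sha256"):
    """Compare the current files to the baseline: 'ok', 'modified' or 'missing'."""
    status = {}
    for path, expected in baseline.items():
        if not os.path.exists(path):
            status[path] = "missing"
        elif file_digest(path, algo) != expected:
            status[path] = "modified"
        else:
            status[path] = "ok"
    return status


def demo():
    # Constructed sample: three stand-ins for "important programs" in a temp dir.
    d = Path(tempfile.mkdtemp())
    sample = {"ls": b"#!/bin/sh\nexec /bin/ls \"$@\"\n",
              "pgp": b"pgp-binary-v1", "login": b"login-binary-v1"}
    paths = []
    for name, body in sample.items():
        p = d / name
        p.write_bytes(body)
        paths.append(p)
    baseline = build_baseline(paths)
    # Simulate what the check is meant to catch: one file replaced, one removed.
    (d / "pgp").write_bytes(b"pgp-binary-v1-replaced")
    (d / "login").unlink()
    status = check_baseline(baseline)
    return {p.name: status[str(p)] for p in paths}
```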