[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Design proposal: crypto-capable generic interface
On Sat, 18 Nov 1995, Adam Shostack wrote:
> Raph Levien wrote:
>
> | I propose that the new interface lives as a sort of daemon, rather
[snip]
> |
>
> A daemon per user, or per machine? Either way, I think you
> run into problems on a big multi-user machine. (Either its an extra
> process or two per person, or its a great target for attack &
> subversion.
>
_anything_ that has open access on a piece of hardware is a point
of intrustion --sendmail for instance, or open password files, etc.
the issue is trading off risks to _maximize_ security and
impenatrable access.
even assuming we were to post 100% of the source code, a
translation daemon is a _translation_ model --even if it is capable
of translating pgp, garbage in equals nothing out...
one of the biggest problems with _any_ crypto system, and pgp is
no exception, is tmp files, followed closely by insecure memory.
insecure memory is a separate issue, but some of the temporary file
problems can be relegated to reduced risk by passing the daemon the
user's preferred location for tmp file --for instance, on any net
access machine, I globally specify TMP, TEMP, etc to a local tmp
directory which is at least somewhat safer than public tmp files.
obviously, you expect the daemon to wipe clean each memory block
before it free()s it --I's sure we all have routines handy for that.
presuming the daemon is constructed so it can only respond to its
current process owner, this leaves the security problem of swapping
in a daemon which also responds to an interloper --and this same risk
applies to a libppg or a .dll file (more so to a .dll file) to an
even greater degree. However, if a daemon is swapped, the system has
a more _serious_ problem with the system administrator, not the
daemon.
if the IPC strings are intercepted in the daemon initializtion,
again we have a basic hardware and system security problem.
Even If Ralph Levian believes daemons are serious risk problems
(which they can be if not properly implemented), I do not agree that
the libppg() or .dll offer anything additional. I dont presume to
believe that anything is safe anyway, just safer than the alter-
native.
NB: _nothing_ should ever be assumed secure!
assumption is fuckup's mother.
one must hope to have considered every possible line of attack,
and a few which have not been conceived, which goes back to our
cypherpunk "credo" which says that private standards are not safe
--let's all have at it --even if we break it, there probably is a way
to block the attack, we just did not block it or consider it the
first time,
I have been playing with all three approaches, and I keep going
back to the daemon despite the fact it is not portable to the brain
dead.
I don't know if W95 permits daemons as I have ignored MS
for a number of years --if I can not run as many processes
as I want without some MickeySoft program blowing away a
day's work.... I prsume NT will run 'em, and maybe the
next release of NT will be more useable, more secure, and
more stable.
Since pgp() has been pulled from crypto10, I need to modularize
pgp to a pgp() and include the relevant goodies such as MIME and its
variations. And, of course, we need all the "we do it here" types to
buy into a standard interface.
And, to add fuel: the module needs the ability to encode and
place clear text into a MIME format specified by the calling program.
> Its an interesting proposal, but let me ask you this--Why is
> it better than a libpgp (or pgp.dll) that offers a variety of services
> to programs at multiple levels (ie, offers full one call RSA/IDEA
> encryption and compression, as well as ascii armoring, or offers each
> of those as a seperate function.
>
not necessarily better. but a valid approach IMHO. I for one
think it would be easy enough to sell IAPs on a daemon.
>
>
>
> --
> "It is seldom that liberty of any kind is lost all at once."
> -Hume
>