[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: PGP Shell Integrity
At 10:13 PM 1/29/96 -0800, you wrote:
>Firstly, if this is viewed as "Noise" rather than "Signal", please accept
my apologies.
Looks like a real technical discussion instead of a flame - obviously the
wrong list :-)
>The matter at hand concerns my concern over my inability to check the
> "integrity" of a PGP windoze shell written by Michael R. Lyman at Aegis
Research Corp.
>
>I worry that since the shell has access to my secret ring that it might
> be sending it somewhere without my knowledge.
I don't know that package, but most of them act as wrappers around
DOS PGP rather than filtering keystrokes or doing PGP internals.
There are several risks - getting your secret ring, getting your passphrase,
getting the RSA parameters without the passphrase itself.
Obviously, having your secret key ring file leak is not good,
but the fun parts _are_ IDEA-encrypted using your passphrases,
so it's not too much of a risk. Having the passphrase or the
raw keys stolen would obviously be worse.
DOS/Windows is _not_ a secure operating system, if you believe
that there's more than one person in the universe. (DOS doesn't
believe that, so in some sense it's perfectly secure. :-)
Nathaniel Borenstein's recent postings are a good reminder that
keystrokes can be stolen, easily, in that environment.
>The freeware was, according
> to Mr.Lyman, developed "Project Manager, Forward Air Missile Defense,
> United States Army Missile Command". That gvt. affiliation gives me
> considerable pause as regards back doors and other ways my secret ring
> and pass phrase could be compromised.
>
>Does anyone have any familiarity with this freeware? I do not think
> I am being paranoid.. just careful. Lastly, if I am not a programmer,
> what sort of inspection can I perform on the software to make sure it is
not "bugged"?
Without source code, if you're not a programmer, the things to look for are
circumstantial evidence - is the copy of the program you got off the server
PGP-signed by the purported author? Or by any programmers you trust?
That doesn't tell you the program is trustable, but it does tell you if
it's a fake replacing the real thing. Is the real thing trustable?
(Well, probably...)
There's also the problem of leaking your key back to the Bad Guys,
but that's easy - the program could leak it out in your PGP messages
(either obviously, as a second recipient, or in subtle nasty ways
like playing with the system clock on timestamps.)
#--
# Thanks; Bill
# Bill Stewart, [email protected], Pager/Voicemail 1-408-787-1281
# http://www.idiom.com/~wcs