GC and security

Thu Aug 31 18:37:33 EDT 2006

Les Schaffer <schaffer at optonline.net> writes:
> i forget whether gpg can be given a list of files to decrypt. but cuz of
> what we are doing, i still believe we would need to call gpg more than
> once.

Yes, gpg --batch if I remember correctly.

> Fred Lundh's scheme for blanking the passphrase looks good enough for now.

Again, think hard about why you even want to blank the passphrase in
ram.  If you sense that there's a reason for it, then maybe there is
one; but in that case, try to identify exactly what problem blanking
the passphrase is supposed to solve, and determine if blanking
actually does solve it.  The issue I'm thinking of is swap space.
Leaking key or passphrase material there where it might be recovered
from a repurposed disk sometime in the indefinite future seems like a
more serious threat than the likelihood of some hostile process
scanning user ram while the application runs and knowing what to look
for.

> by any chance, do you have any experience with these USB/fingerprint
> things?

Unfortunately not; I've been interested in looking into them, though
fingerprint readers are generally not considered that great an idea
among the security crowd.

> we are being asked to backup the MySQL tables onto the USBKey, so they
> need to be encrypted there as well. which means we need some kind of EFS
> on there as well. i wouldnt want to use more than one kind of encryption
> in this app, or better said, i dont want more than one set of
> keys/passes in this app. so we'd need an EFS on the Windows machines and
> on the USB keys that can utilize the same encryption keys.

The idea of EFS is to keep the keys and encryption out of the app.  If
you have EFS's on both the main drive and the USB key, there's no
problem with using separate keys for them.  They can be controlled by
the same user PIN or password.

> > Also, I think there
> > are some FS's that use the Windows Crypto API (CAPI)
> 
> FS's other than Microsoft's EFS? i'll take a look at their capabilities.

Unfortunately I'm not that familiar with Windows EFS's; I'm mainly a
Unix developer.  I guess I can check into this.

> and there is still MySQls comment about dealing with encrypted file
> systems. we were advised by one of their people to test to make sure the
> writes are not interfered with on an EFS.

Well, EFS's are supposed to be transparent, but if they say to test it
then you better test it ;-).  I'd hope there's be nothing worse than a
tolerable performance hit.

> but they still need the passphrase, hence keeping our eye on that silly
> string.

Right, secure passphrases (i.e. with enough entropy to protect an
encryption key) are a big usability problem--users forget them, or
write them down on the token, etc.  If you're doing some early test
with just a few users who are security-conscious, maybe it's ok to
rely on passphrases, but for a wide deployment with non-technical
users, I think it's worth looking for alternatives.

> thanks for the comments, they validate my concerns. if you know, or are,
> a pro in python and security, we might be able to manage a small
> consulting gig. but if its not python-relevant, lets talk offlist. in
> any case, many thanks.

I do a lot of Python security stuff, though not much Windows stuff.
In any case, I'd be happy to talk offlist (email being sent).

Paul