GC and security

Les Schaffer schaffer at optonline.net
Thu Aug 31 17:35:05 EDT 2006


Paul Rubin wrote:

> gpg is fairly careful about passphrases.  Why are you collecting the
> passphrase in the Python app instead of letting gpg handle it?

as i recall we did that because we needed the passphrase more than once,
and didn't want to have to make the users type in something that long
that many times within a minute or so.

i forget whether gpg can be given a list of files to decrypt. but cuz of
what we are doing, i still believe we would need to call gpg more than
once.

Fred Lundh's scheme for blanking the passphrase looks good enough for now.


> 
> Yes, I mean get rid of the need for a passphrase, though since the
> encrypted key is accessible on the USB drive, there's no way around
> it.  With smart cards it's generally considered ok to use a short PIN
> instead of a passphrase; the card itself enforces a maximum # of
> incorrect guesses.

by any chance, do you have any experience with these USB/fingerprint
things?

i think the PI on this project will consider smart cards overkill, but
we will suggest these as alternatives before we get out into the field.


> Does using an encrypted FS not take care of that?  

yea but ...

we are being asked to back up the MySQL tables onto the USBKey, so they
need to be encrypted there as well. which means we need some kind of EFS
on there as well. i wouldn't want to use more than one kind of encryption
in this app, or better said, i don't want more than one set of
keys/passes in this app. so we'd need an EFS on the Windows machines and
on the USB keys that can utilize the same encryption keys.


> Also, I think there
> are some FS's that use the Windows Crypto API (CAPI) either for bulk
> encryption or for key management, so you can use secure passphrases,
> hardware tokens, or whatever.

FS's other than Microsoft's EFS? i'll take a look at their capabilities.
and there is still MySQL's comment about dealing with encrypted file
systems. we were advised by one of their people to test to make sure the
writes are not interfered with on an EFS.


> This is better than nothing but it's very easy to duplicate a USB key,
> either intentionally or by spilling the contents through a routine
> backup procedure, etc.  

but they still need the passphrase, hence keeping our eye on that silly
string.

not worried about accidents at the moment. if the USB keys had drive
serial numbers we could validate on that. but i just checked mine and it
has none. WMI reports that physical drives have a "Signature", not sure
what that is.



> A crypto token (USB dongle or smart card) is
> way preferable for this type of thing.  GPG has smart card support
> that you might be able to use:
> 
>   http://www.g10code.com/p-card.html
>   http://www.gnupg.org/(en)/howtos/card-howto/en/smartcard-howto-single.html



would definitely consider this for Gen II.

> 
> You might want to discuss this on sci.crypt, where specialists hang
> out.  As is fairly typical in these situations, it would help a lot if
> you could describe the application in more detail.

need to get permission from PI on the project.

thanks for the comments, they validate my concerns. if you know, or are,
a pro in python and security, we might be able to manage a small
consulting gig. but if it's not python-relevant, let's talk offlist. in
any case, many thanks.

Les Schaffer
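
The pattern discussed in this message (collect the passphrase once, call gpg several times, then blank it), as an added example that is not part of the original post and is not Fredrik Lundh's scheme, which this message does not show. It assumes the passphrase is already held in a mutable `bytearray`; `wipe`, `gpg_decrypt_cmd`, `decrypt_all`, the injectable `run` parameter and the file names are hypothetical.

```python
import subprocess

def wipe(buf: bytearray) -> None:
    """Overwrite the buffer in place so the passphrase bytes do not linger."""
    for i in range(len(buf)):
        buf[i] = 0

def gpg_decrypt_cmd(src: str, dst: str) -> list:
    """gpg reads the passphrase from fd 0, so it never appears in argv."""
    # GnuPG 2.1+ also needs "--pinentry-mode loopback" for --passphrase-fd.
    return ["gpg", "--batch", "--yes", "--passphrase-fd", "0",
            "--output", dst, "--decrypt", src]

def decrypt_all(pairs, passphrase: bytearray, run=subprocess.run) -> list:
    """Run gpg once per (src, dst) pair with one passphrase, then blank it.

    `run` is injectable (an assumption of this example) so the flow can be
    exercised without gpg installed.
    """
    line = bytearray(passphrase)  # the only copy made here; wiped below
    line += b"\n"
    codes = []
    try:
        for src, dst in pairs:
            proc = run(gpg_decrypt_cmd(src, dst), input=line,
                       stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
            codes.append(proc.returncode)
    finally:
        # Blank both buffers even if a gpg call raised.
        wipe(line)
        wipe(passphrase)
    return codes

if __name__ == "__main__":
    # Constructed sample input. A real app would fill the bytearray from its
    # own prompt rather than from an immutable str, which cannot be erased.
    secret = bytearray(b"constructed example passphrase")
    try:
        print(decrypt_all([("backup1.sql.gpg", "backup1.sql")], secret))
    except FileNotFoundError:
        print("gpg not found on PATH")
    print("blanked:", secret == bytearray(len(secret)))
```

Blanking only covers buffers the application controls; any immutable `str` or `bytes` copy made earlier (for example by a prompt function) stays in memory until the interpreter reuses it.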


