Re: session-key proposal
Noll Janos wrote:
> On 01-Apr-2002 Jari Ruusu wrote:
> > This can be done in user space using GnuPG. A long and random session
> > key is encrypted using each user's public key. Users just need to type
> > their personal GnuPG key to unlock the session key that is then piped
> > to "losetup -p 0".
>
> Yes, I already do this, but there are some problems:
>
> 1. The session key traverses userspace, and thus, can be captured more
> easily. And once someone knows the session key, he cannot be locked
> out. Though this is only needed in very rare cases and setups.

Non-root users don't have access to the session key if the GnuPG-encrypted
file is made root-only-readable and the program that pipes that file's
contents to gpg and losetup/mount is made setuid-root.

> 2. It's not really solid, I mean, it needs a "second" (etc.) file.
> If you encrypt a partition, you need to have the "second" file on a
> separate partition. Although you could use the "offset=" switch and
> embed the data into the beginning of the partition.

Using additional files should not be a major problem to someone who really
needs that kind of feature.

> 3. It needs some scripting, hacking, external programs (like GPG)
> -- which is fine, if you're a programmer, but might be too much for
> "Average Joe"

Writing such a script or program should not be a major problem to anyone who
knows what they are doing.

> I was also thinking of implementing this in user-space, only then you'd
> lose the ability to really "revoke" users' access to the encrypted space.
> But then again, maybe a kernel level thing won't make this that much harder.

Revoking someone's access is just creating a new GnuPG-encrypted session key
without that user's public key.

> The top two scenarios I'd need session keys for are:
> 1. if I'd have to change the password of the encrypted partition

Users can change their GnuPG password any time they want.

> 2. if there needs to be a very secretly kept "rescue" password for the
> partition (think companies, or even, cautious individuals)

The original root-only-access session key is such a "rescue" password. Root
uses this "rescue" password to create the GnuPG-encrypted version for the
setuid-root program to read.

> But, thinking of it, maybe a userspace tool would be totally
> appropriate.

Exactly.

Regards,
Jari Ruusu <jari.ruusu@pp.inet.fi>
-
Linux-crypto: cryptography in and on the Linux system
Archive: http://mail.nl.linux.org/linux-crypto/
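
The scheme discussed in this message (one random session key encrypted to each user's GnuPG public key, with revocation done by re-encrypting without that user's key), written out as an added example that is not part of the original message or of any project's code. The function names are made up for illustration, and it assumes GnuPG 2.x with every recipient's public key already present and trusted in the keyring of the account that runs it.

```shell
#!/bin/sh
# Added example, not from the original message. Function names are made up here.
# Assumes GnuPG 2.x and that every recipient's public key is already in the
# keyring of the account running this (root, in the setup described above).

# One long random session key: 45 random bytes -> a single 60-character line.
new_session_key() {
    head -c 45 /dev/urandom | base64
}

# wrap_key OUTFILE RECIPIENT...
# Reads the session key on stdin and encrypts it to each recipient's public
# key. The result is written root-only-readable and replaced atomically.
# Revoking a user is the same call with that user left out of the list.
wrap_key() {
    wk_out=$1; shift
    [ "$#" -gt 0 ] || { echo "wrap_key: need at least one recipient" >&2; return 1; }
    for wk_r in "$@"; do          # turn "a b" into "-r a -r b"
        set -- "$@" -r "$wk_r"; shift
    done
    ( umask 077; gpg --batch --yes --output "$wk_out.new" "$@" --encrypt ) &&
        mv "$wk_out.new" "$wk_out"
}

# unwrap_key FILE
# Decrypts with the caller's private key and writes the session key to stdout,
# ready to be piped to "losetup -p 0" as in the message.
unwrap_key() {
    gpg --batch --quiet --decrypt "$1"
}

# recipient_count FILE
# Number of public keys the file is encrypted to; no private key is needed,
# so this can be used to audit a wrapped key file after a revocation.
recipient_count() {
    gpg --batch --list-only --list-packets "$1" 2>/dev/null |
        grep -c '^:pubkey enc packet:'
}
```

Re-wrapping only changes who can decrypt the new file: any retained copy of the old file still opens with a removed user's key, which is why the file is kept root-only-readable in the setup described above.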