PREVIEW: bsign embeds hash and/or digital signature in ELF files

Stainless Steel Rat ratinox at peorth.gweep.net
Tue Dec 15 12:19:41 CET 1998


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

"OL" == Oscar Levi <elf at buici.com> writes:

OL> There is no expectation that bsign will work for generic text files.
OL> I have another idea for them.

Thus two different mechanisms where one would suffice, IMO.

[...]

OL> This is true of any algorithm.  If the tripwire database were writable
OL> on the harddrive, it would be vulnerable the same way.

The critical difference is that the Tripwire database (or a signature
thereof) can be made physically read-only, whereas embedded signatures
generally cannot.

[...]

OL> Mr. Rat,

No honorific; just "Rat" is fine.

OL> I think I understand your point of view on this.  I have received
OL> similar comments from several people.  Given that bsign will never sign
OL> any file type, no one has been able to explain why they are so upset.

I am not upset; I just have a strong opinion.

System security is only as strong as the weakest link in the chain, and
from where I sit, bsign might have weaknesses that have not been thoroughly
considered.

OL> Tripwire is more complex than bsign and, therefore, has more failure
OL> modes.

The one does not necessarily follow from the other.  A well-designed
complex system can be more fault-tolerant than a poorly-designed simple
system.

OL> It adds a step to normal SA, updating the database on its
OL> read-only medium, that I feel is undesirable and unnecessary.

I feel that it is an absolute requirement to ensure system security.  As I
said, anything that could possibly be tampered with cannot be trusted.

I guess I'm just not-paranoid (because "they" really are out to get me, or
at least my systems) in a different way than you are.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v0.4.5 (GNU/Linux)
Comment: For info finger gcrypt at ftp.guug.de

iD8DBQE2dposgl+vIlSVSNkRAhJYAKC04+Xdn3Ag75ZkUMix/sf6Ap7jRQCgv4X5
D5yq+iK8RJYVX43uYwOp4Q4=
=H69H
-----END PGP SIGNATURE-----

-- 
Rat <ratinox at peorth.gweep.net>    \ Warning: pregnant women, the elderly, and
PGP Key: at a key server near you! \ children under 10 should avoid prolonged
GPG Key: same as my PGP 5 (DH) key  \ exposure to Happy Fun Ball.




More information about the Gnupg-devel mailing list