GnuPG in universities

Kjetil Kjernsmo kjetil.kjernsmo@astro.uio.no
Mon Jun 11 22:54:01 2001


On 11 Jun 2001, Werner Koch wrote:


> || On Mon, 11 Jun 2001 00:06:58 +0000
> || Pedro Diaz Jimenez <pdiaz88@terra.es> wrote:
>
> pdj> anyway?. And for the sniffing stuff, I never use something less secure than
> pdj> ssh (more secure, for me, is typing at the machine keyboard)
>
>This is the most important thing to consider when you use a random
>box located somewhere on the campus. Expect that everything you type
>on this box is logged. Even an unexperienced cracker can insert a
>keystroke recorder into the keyboard cable - you won't notice that and
>it is a matter of seconds to install it. The most common method
>however is to trojan the login program and then later log everything
>you type. This is an everydays attack and not some esoteric hack.
Being a newbie, this of course, makes me concerned. I have no option but to have my stuff on a shared box. So, how vulnerable am I? I'm sitting on the console of this box, and there are about 70 people with login rights to the box itself. The number of people having access to the disk is _much_ higher, that's the whole university. The box is physically located in a room with five desks and three other computers, and there are seldom anybody but me logging onto the console. When we installed GnuPG, I did the compilation, but the sysadmin did make install, to make available for all the machines on the Institute. Of course, I read about using a floppy rather than storing the keyring on my home disk. I really can't see why this offers any additional security. If anybody wants to copy my keyring, its easy enough to send me an encrypted e-mail and see when I'm putting the disk into the machine to decrypt it. Or some similar strategy. Also, my .gnupg/ directory has set permission so that it is only accessible to me, the floppy could be stolen. So, from what I can see, the passphrase is the only thing that really protects my secret key, either way. I really can't see any way I can be reasonably certain of preventing an attacker from copying the contents of the .gnupg/ directory. Setting appropriate permissions, I think of as a small speed bump. But I have a hell of a passphrase, takes 20 seconds to type... :-) I think they would have a hard time cracking it with a dictionary attack, but of course, if someone is monitoring my keystrokes... This box is not that accessible, so what are the real risks? Best, Kjetil -- Kjetil Kjernsmo Graduate astronomy-student Problems worthy of attack University of Oslo, Norway Prove their worth by hitting back E-mail: kjetikj@astro.uio.no - Piet Hein Homepage <URL:http://www.astro.uio.no/~kjetikj/> Webmaster@skepsis.no