Re: Passphrase and swapfile (David Picón Álvarez)

Leigh S. Jones, KR6X kr6x@kr6x.com
Thu Jun 6 22:11:02 2002 

Actually, I think that most dangers come from attacks that can be
performed mindlessly.  If it takes an engineer thinking to perform the
attack then another attack will be used.  Unless, of course, the
engineer publishes thought processes in the form of a program
that can mindlessly perform the attack.  This has been done for
a number of attacks, and the results can be found on the Internet.

It's easier to "bug" a computer than might be expected.  Programs
for trapping keystrokes and sending them to a server are easier than
any of the swap file approaches.  And they can be written with
"removal" features for a clean get-away, and using innocent
intermediates to relay the data to make the task of tracing the
outbound data utterly impossible.  Much easier than seizing the
computer or swapfile for analysis.

----- Original Message -----
From: "Ryan Malayter" <rmalayter@bai.org>
To: <gnupg-users@gnupg.org>
Sent: Thursday, June 06, 2002 12:25
Subject: RE: Passphrase and swapfile (David Picón Álvarez)


From: Leigh S. Jones, KR6X [mailto:kr6x@kr6x.com]
>...We are talking 1Gb of swap file here.  If you find
>a 20 character long sequence enclosed by NULL characters,
>will you only try to use all 20 characters?  Or must you
>try many permutations?  Perhaps the last 11 characters?
>Perhaps the last 9? ...

I don't think things would be nearly as difficult for the attacker as you
imagine. If you know something about what the binary program code of the
encryption application looks like, you'll be able to find that code easily.
Typically, memory would be allocated in a similar fashion,
virutal-address-space wise, on every run of the encryption program. The
passphrase (or a pointer to it) will probably appear very near to, if not
exactly on, the same set of swap pages as the encryption program code. Even
if it wasn't nearyby, all you would need to do is discover something about
the virtual-to-physical address space mapping at run-time figure it out.

It wouldn't be easy, of course, and you'd need a lot of expertise in the
OS's memory-management, but it would be a heck of a lot easier than a
brute-force search.

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users