Win32 internals

Werner Koch wk@gnupg.org
Fri May 10 10:35:02 2002 

On Wed, 8 May 2002 21:34:19 -0400, Steve Kinney said:

> Linux.  (Although of course Microsoft network /application/ 
> software is horribly insecure, as demonstrated by numerous 
> IIS holes, swarming Outlook worms, root exploits in every 

Right.  And when I talk about Windows I am thinking of the
applications.  I agree that the kernel (represented by the so called
Win32 API) is not a security problem, it has actually a lot of good
ideas which are OTOH to complicate to be used the right way.

There is a long debate going on whether the IE can be removed from
Windows or not, so for discussing security things of Windows it is
IMHO valid to assume that the IE is part of Windows.

> less secure than any Windows OS, out of the box.  Linux can be
> /made/ highly secure, but it takes an informed and pro-active
> operator to do it.  Even then, Bad Things can happen.  

Agreed.  And with all the new GNOME and KDE applications we will soon
seen a lot of vulnerabilities

> Back to the point:  As far as I can tell, an entropy gathering
> daemon similar to dev/random would offer a major improvement
> over the RNG now used in Win32 GPG.  I can't write one, but I am

You can't do that because this neds to go into the kernel; well a
devide driver can be written but to do this one needs a lot of details
of internal kernel working - noithing which is public.  The CSPRNG
used in GnuPG for W32 is not that bad.

> hoping that someone will sometime soon.  As for memory locking,
> that's mostly a public relations issue-- maybe .001% of users
> could be affected by swap file leakage, and besides, the text

The memory locking does not want to protect the plaintext but the
secret key.  The session key is also protected but this is just
because we have this facility.  Protecting the secret key is not a PR
issue - a compromise would reveal any encrypted messages ever done for
this key and the key can be used to get access to resource which are
protected by a digital signature.  By making it harder to reveal the
unprotected content of the secret keyring and assuming that a good
passphrase was used, the poor guy with the stolen laptop might get
enough time to revoke the key or do other counter measurements.

  Werner