Remote signing

Stuart A Yeates stuart.yeates at computing-services.oxford.ac.uk
Tue Apr 20 11:56:04 CEST 2004


Samuel Åslund wrote:
> On Tue, Apr 20, 2004 at 08:55:10AM +0100, Stuart A Yeates wrote:
> 
>>Dave Symonds wrote:
>>
>>>I have a slightly unusual setup that I would like to use GnuPG in, and wanted
>>>to ask for some guidance. At my Uni we have a Sun machine that runs all the
>>>mail stuff, and where I mostly prefer to do all my mail reading/composing from.
>>>However, I don't want to entrust my GPG private key(s) to that system, and
>>>would prefer to keep them on my laptop (or a USB key). What my ideal setup
>>>would be is for my mailer (mutt) running on the mail server to call out to
>>>a little script that would connect securely (via ssh) to my laptop, on which
>>>would pop up a window showing the message and prompting for the passphrase to
>>>sign that message (encryption isn't so important at the moment). The signed
>>>message would be sent back, and then emailed out.
>>
>>If the Sun is hacked, an attacker can (potentially) see every password 
>>you type.
> 
> 
> I do not see this, could you elaborate?
> Any password/secret for the ssh connection is of course lost but how
> would a locally running script that only has two text streams as
> connection to the compromised machine be threatened?
> Assuming the signing is done locally and the receiving ssh session only
> takes the message and no commands as input from the mail server.
> 
> I would worry a little about the possibility of missing a change in the
> text shown before signing. Since you wrote the text you "know" what is
> written in it and might not read it carefully enough to catch a change.
> If the mail server is compromised such a change is possible.

Let me see if I've understood you correctly:

You have a Sun which does all your normal mail handling, and at 
whose console you do your computing. You have another laptop 
connected to the Sun via a public network which has your secret key. 
When you wish to use your public keys you use ssh to start a bash shell 
(or similar) on the laptop, transfer your data, perform your operation 
and transfer your data back. Possibly you have a script to automate some 
of these connection/transfer/operation/transfer steps.

If the Sun is compromised, then your ssh connection and password are 
compromised. If your ssh password is compromised then an attacker can 
use it to connect to the laptop and get your secret key. If the secret 
key has no passphrase, then the attacker has all they need.

If you have a passphrase on your secret key, then to perform the 
operation the passphrase must come from somewhere. If it comes across 
the ssh connection and the ssh connection has been compromised then your 
passphrase can be known to the attacker. If it comes off a disk local to 
the laptop and the attacker has your ssh password, then the attacker can 
connect to the laptop and collect the passphrase.

If the attacker has access to the Sun to install a keylogger (physical 
or software) they can access any passwords and phrases you type at the 
keyboard.

Another approach is to have a restricted account whose login shell isn't 
bash but a script which allows only certain operations to be performed. 
If you're very good at writing secure code this might be an option. I'm 
not sure you could use any out-of-the-box security scripting solutions 
because most of them prioritise the integrity of the system over the 
protection of some secret which the script has access to anyway.

cheers
stuart
-- 
Stuart Yeates            stuart.yeates at computing-services.oxford.ac.uk
OSS Watch                                  http://www.oss-watch.ac.uk/
Oxford Text Archive                             http://ota.ahds.ac.uk/
Humbul Humanities Hub                         http://www.humbul.ac.uk/
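
The restricted-account idea from the message above, as an added example that is not part of the original thread or of GnuPG: a laptop-side gateway that accepts only a message on stdin and hands it to `gpg --clearsign`. The install path, `MAX_BYTES`, the function names and the use of an ssh forced command are assumptions, and the passphrase prompt is assumed to come from a pinentry running locally on the laptop, never over the ssh session.

```python
# Added example: sign-only gateway for the laptop side (hypothetical script).
# Assumed install: in the laptop account's ~/.ssh/authorized_keys, the mail
# server's key is prefixed with
#   command="/usr/local/bin/sign-gateway",no-pty,no-port-forwarding,no-agent-forwarding
# so sshd runs this script whatever the remote side asks for.
import os
import subprocess
import sys

MAX_BYTES = 64 * 1024  # assumed upper bound for one mail body


class Rejected(Exception):
    """The request is not a plain message to sign."""


def check_request(original_command, data):
    """Return the text to sign (str) or raise Rejected; data is raw stdin bytes."""
    if original_command:
        raise Rejected("remote side supplied a command; only stdin is accepted")
    if not data or len(data) > MAX_BYTES:
        raise Rejected("message is empty or larger than MAX_BYTES")
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        raise Rejected("message is not valid UTF-8")
    for ch in text:
        code = ord(ch)
        # Escape sequences and a bare CR can hide or rewrite text when the
        # message is later displayed for review, so only LF and TAB pass.
        if (code < 0x20 and ch not in "\n\t") or 0x7F <= code <= 0x9F:
            raise Rejected("control character U+%04X in message" % code)
    return text


def main():
    try:
        text = check_request(os.environ.get("SSH_ORIGINAL_COMMAND"),
                             sys.stdin.buffer.read(MAX_BYTES + 1))
    except Rejected as err:
        sys.stderr.write("refused: %s\n" % err)
        return 1
    # Argument list, no shell: nothing from the message reaches a command line.
    return subprocess.run(["gpg", "--clearsign"], input=text.encode("utf-8")).returncode


if __name__ == "__main__":
    sys.exit(main())
```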
