Storing keys under a different user...

Nicholas Paul Johnson nickjohnson at
Wed Feb 11 16:30:22 CET 2004



This post is meant as an informal feature request; I want to hear people's 
feedback before I make it a formal request.

It seems to me that a big weakness in GnuPG or any PGP implementation is
that the user who owns a private key can read the key in circumstances
other than encrypting/decrypting/signing/&c. Because of this, it is
possible to write trojan horses which search for and steal private keys
(this has already happened, I believe).

But, since some OSes (unices specifically, maybe others) can give files
different ownership, I think I see one possible solution.

This assumes that someone with proper privileges (root) is willing to set
this up, and assumes you are using a unix-like machine.  Under some 
circumstances, root may not even be needed to set this up, except to give 
the gpg program setuid() privileges.

For each user who wishes to use GnuPG, the system administrator creates
another user (with a different userid) who owns the keys, but is otherwise
not allowed to login.  

For example, if my username is nick and uid(nick)=501, then a user
nick_key would be created such that 

    uid(nick_key) = f( uid(nick) ) != uid(nick) 

where the function f(u) is some one-to-one function mapping a userid to
the userid of his key's owner.

This user nick_key would not be able to login. The public/private keypair
for user nick would be stored in the ~nick_key/.gnupg/ directory, with
permissions such that only user nick_key can read or write to it.

Then, when user nick wants to do any gnupg operation, he would
setuid(f(uid(nick))), read the key, restore user id, and proceed.  

I would generally cringe at adding a setuid() call, but under certain
configurations gpg will *already* do this in order to lock memory pages.  
This feature would, of course, also be an optional feature.

This way, the key is secure, because no trojan running as a user would be
able to read the key, unless it somehow had (A) compromised root, which is
a problem in itself, or (B) successfully logged in as nick_key, which is
(theoretically) not going to happen either.

I would write this, but as I am in the USA, you probably wouldn't want my 
code in GnuPG.

What does everyone think?

-- 
Nicholas Paul Johnson
nickjohnsonSPAM^H^H^H^H at
( ) ascii ribbon campaign - against html mail 
 X                        - against microsoft attachments
/ \
--
