Storing keys under a different user...

David Shaw dshaw at jabberwocky.com
Wed Feb 11 16:58:01 CET 2004


On Wed, Feb 11, 2004 at 04:30:22PM -0500, Nicholas Paul Johnson wrote:
> Hello,
> 
> This post is meant as an informal feature request; I want to hear people's 
> feedback before I make it a formal request.
> 
> It seems to me that a big weakness in GnuPG or any PGP implementation is
> that the user who owns a private key can read the key in circumstances
> other than encrypting/decrypting/signing/&c. Because of this, it is
> possible to write trojan horses which search for and steal private keys
> (this has already happened, I believe).

On Windows, yes.
  http://www.geocities.com/SiliconValley/Heights/3652/caligula.html

However, note that a stolen private key doesn't really help the
attacker.  The private keys are stored encrypted, using the same
ciphers that GnuPG or PGP uses to protect messages.

If your passphrase is good, the attacker can't get to the actual
secret key data even if he manages to steal the secret key file on
disk.

Even so, your basic suggestion of storing keyrings in a non-stealable
way is not a bad one (extra protection doesn't hurt here), but there
are stronger ways to accomplish the goal.  The SELinux people have the
notion of a file that cannot be read except by certain processes.  In
this case, it doesn't matter if the attacker can become root - they
still can't read the file.

> I would write this, but as I am in the USA, you probably wouldn't want my 
> code in GnuPG.

No harm being in the US (I am).  You just have to jump through the
appropriate hoops.

David
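David's point that the secret key file is itself encrypted can be checked against an exported key. The script below is an added example, not code from this thread or from GnuPG: it walks an OpenPGP packet stream using the RFC 4880 packet framing, finds the secret-key and secret-subkey packets (tags 5 and 7), and reports the string-to-key (S2K) usage octet, which is 0 when the secret MPIs are stored in the clear and 254 or 255 when they are wrapped under a passphrase-derived key. The two sample packets at the bottom are constructed placeholders with toy RSA numbers and dummy ciphertext, not real keys; the function names and the command-line argument are assumptions of this example.

```python
"""Report how the secret material in an OpenPGP secret-key export is protected."""
import struct
import sys

# Registry names (RFC 4880 sections 9.2 and 9.4); only the common entries.
SYM_ALGOS = {2: "3DES", 3: "CAST5", 7: "AES-128", 8: "AES-192", 9: "AES-256"}
HASH_ALGOS = {1: "MD5", 2: "SHA-1", 8: "SHA-256", 10: "SHA-512"}
SECRET_KEY_TAGS = {5: "secret key", 7: "secret subkey"}
PUBLIC_MPI_COUNT = {1: 2, 2: 2, 3: 2, 16: 3, 17: 4}  # RSA(n,e) ElGamal(p,g,y) DSA(p,q,g,y)


def parse_packets(data):
    """Yield (tag, body) for each packet; old- and new-format headers, no partial bodies."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        pos += 1
        if not ctb & 0x80:
            raise ValueError("byte %d is not a packet header" % (pos - 1))
        if ctb & 0x40:                      # new-format header (section 4.2.2)
            tag = ctb & 0x3F
            first = data[pos]
            pos += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[pos] + 192
                pos += 1
            elif first == 255:
                length = struct.unpack(">I", data[pos:pos + 4])[0]
                pos += 4
            else:
                raise ValueError("partial body lengths not supported")
        else:                               # old-format header (section 4.2.1)
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            size = (1, 2, 4)[ltype]
            length = int.from_bytes(data[pos:pos + size], "big")
            pos += size
        yield tag, data[pos:pos + length]
        pos += length


def skip_mpi(body, pos):
    """Return the offset just past the MPI (2-octet bit count + octets) starting at pos."""
    bits = struct.unpack(">H", body[pos:pos + 2])[0]
    return pos + 2 + (bits + 7) // 8


def inspect_secret_key(body):
    """Describe how the secret MPIs in a v4 secret-key packet body are protected."""
    if body[0] != 4:
        raise ValueError("only version 4 keys are handled")
    created, pk_algo = struct.unpack(">IB", body[1:6])
    pos = 6
    for _ in range(PUBLIC_MPI_COUNT[pk_algo]):  # the public MPIs are always in the clear
        pos = skip_mpi(body, pos)
    usage = body[pos]                       # the S2K usage octet (section 5.5.3)
    pos += 1
    info = {"created": created, "pubkey_algo": pk_algo, "s2k_usage": usage}
    if usage == 0:                          # secret MPIs follow unencrypted
        info["protected"] = False
        return info
    info["protected"] = True
    if usage in (254, 255):                 # cipher id and S2K specifier follow
        cipher, s2k_type, hash_id = body[pos], body[pos + 1], body[pos + 2]
        pos += 3
        if s2k_type in (1, 3):              # salted / iterated+salted carry an 8-octet salt
            info["salt"] = body[pos:pos + 8].hex()
            pos += 8
        if s2k_type == 3:
            c = body[pos]                   # coded iteration count (section 3.7.1.3)
            info["iterations"] = (16 + (c & 15)) << ((c >> 4) + 6)
        info["checksum"] = "SHA-1" if usage == 254 else "16-bit sum"
    else:                                   # legacy form: usage octet is the cipher, simple MD5 S2K
        cipher, s2k_type, hash_id = usage, 0, 1
        info["checksum"] = "16-bit sum"
    info["s2k_type"] = s2k_type
    info["cipher"] = SYM_ALGOS.get(cipher, "algo %d" % cipher)
    info["hash"] = HASH_ALGOS.get(hash_id, "algo %d" % hash_id)
    return info


def report(data):
    """Inspect every secret-key and secret-subkey packet in a binary OpenPGP stream."""
    out = []
    for tag, body in parse_packets(data):
        if tag in SECRET_KEY_TAGS:
            entry = inspect_secret_key(body)
            entry["kind"] = SECRET_KEY_TAGS[tag]
            out.append(entry)
    return out


# --- Constructed sample packets: toy numbers and dummy ciphertext, not real keys ---
def _mpi(n):
    return n.bit_length().to_bytes(2, "big") + n.to_bytes((n.bit_length() + 7) // 8, "big")

def _packet(tag, body):                     # old-format header with a two-octet length
    return bytes([0x80 | (tag << 2) | 1]) + len(body).to_bytes(2, "big") + body

_PUBLIC = b"\x04" + (0x40000000).to_bytes(4, "big") + b"\x01" + _mpi(0xC0FFEE1234567) + _mpi(65537)
_SECRET = _mpi(0x0BADF00D) + _mpi(0x1234) + _mpi(0x5678) + _mpi(0x9ABC)          # d, p, q, u
SAMPLE_UNPROTECTED = _packet(5, _PUBLIC + b"\x00" + _SECRET
                             + (sum(_SECRET) & 0xFFFF).to_bytes(2, "big"))         # usage 0
SAMPLE_PROTECTED = _packet(5, _PUBLIC + b"\xfe\x09\x03\x08" + b"salt1234" + b"\x60"  # 254, AES-256, iterated SHA-256
                           + b"\x00" * 16                                          # IV placeholder
                           + b"\xaa" * 40)                                         # stand-in for encrypted MPIs + SHA-1

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_UNPROTECTED + SAMPLE_PROTECTED
    for entry in report(blob):
        print(entry)
```

Run it against a binary export (`gpg --export-secret-keys KEYID > sec.bin`, without `--armor`). A key whose passphrase has been removed shows `s2k_usage: 0, protected: False`, which is exactly the case where a stolen file hands over the key outright. The check only describes what is on disk in OpenPGP format; it says nothing about the strength of the passphrase, which is what the argument above rests on.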
