auto sign files
linux at codehelp.co.uk
Tue Jan 18 13:33:18 CET 2005
On Tuesday 18 January 2005 9:08 am, Adam Cripps wrote:
> As a newbie in this area, I understand that there are at least two
> types of security - the most desirable security and more secure than
> now. This scenario fits in to the latter.
Wrong - it falls into the security trap of being LESS secure than current.
> Sure, automated signing is not desirable as it still has flaws within
> it if someone cracks your machine. But the alternative may be sending
> out unsigned files, which is even less secure
No, it's to send signed files that are copied in to place from a private
Keep private keys on private machines.
> (assuming that they have
> still broken in to your machine). Done properly, the automated signing
> can add another layer of security that needs to be cracked. Does this
> sound reasonable?
No, because to use automated signing, the passphrase must be kept somewhere on
the automated (public) system in a clear-text form or the key set to not ask
for a passphrase at all. Just reading the script will be enough to identify
the passphrase. Therefore automated signatures give a FALSE sense of
security. As soon as the machine is compromised, the script is readable, the
key identifiable, the passphrase known. oops.
Automated signing removes any protection from the secret key itself. It's
worse than non-signing because any compromise of the box is automatically a
compromise of the key. Once an attacker can read the script, the passphrase
(if any) becomes obvious, the secret key is easily located (because the
script has to be able to find it) and the attacker can use the key as his/her
own. Worse, the script would continue operating and issuing signatures AFTER
the attack - no-one would have to know - including on files that are put onto
the now compromised machine and dutifully SIGNED with YOUR key by your
The extra layer of security doesn't exist because if the script knows the
passphrase, anyone who can break into the machine and read the script ALSO
has the passphrase. What you've introduced is a single point of failure for
key AND machine.
Signing only provides an extra layer of security to the files IF the secret
key is NOT on that machine. (Having a secret key with a passphrase that the
script does not know is pointless.)
Automated signing INCREASES the security burden of the machine, it requires
all sorts of extra precautions and intrusion detection systems to protect the
(now) vulnerable key.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 189 bytes
Desc: not available
Url : /pipermail/attachments/20050118/74f1b176/attachment-0001.pgp
More information about the Gnupg-users