auto sign files

Neil Williams linux at codehelp.co.uk
Tue Jan 18 13:33:18 CET 2005


On Tuesday 18 January 2005 9:08 am, Adam Cripps wrote:
> As a newbie in this area, I understand that there are at least two
> types of security - the most desirable security and more secure than
> now. This scenario fits in to the latter.

Wrong - it falls into the security trap of being LESS secure than current.

> Sure, automated signing is not desirable as it still has flaws within
> it if someone cracks your machine. But the alternative may be sending
> out unsigned files, which is even less secure

No, it's to send signed files that are copied into place from a private 
machine.

Keep private keys on private machines.

> (assuming that they have 
> still broken into your machine). Done properly, the automated signing
> can add another layer of security that needs to be cracked. Does this
> sound reasonable?

No, because to use automated signing, the passphrase must be kept somewhere on 
the automated (public) system in a clear-text form or the key set to not ask 
for a passphrase at all. Just reading the script will be enough to identify 
the passphrase. Therefore automated signatures give a FALSE sense of 
security. As soon as the machine is compromised, the script is readable, the 
key identifiable, the passphrase known. oops.

Automated signing removes any protection from the secret key itself. It's 
worse than non-signing because any compromise of the box is automatically a 
compromise of the key. Once an attacker can read the script, the passphrase 
(if any) becomes obvious, the secret key is easily located (because the 
script has to be able to find it) and the attacker can use the key as his/her 
own. Worse, the script would continue operating and issuing signatures AFTER 
the attack - no-one would have to know - including on files that are put onto 
the now compromised machine and dutifully SIGNED with YOUR key by your 
script! 

The extra layer of security doesn't exist because if the script knows the 
passphrase, anyone who can break into the machine and read the script ALSO 
has the passphrase. What you've introduced is a single point of failure for 
key AND machine.

Signing only provides an extra layer of security to the files IF the secret 
key is NOT on that machine. (Having a secret key with a passphrase that the 
script does not know is pointless.)

Automated signing INCREASES the security burden of the machine, it requires 
all sorts of extra precautions and intrusion detection systems to protect the 
(now) vulnerable key.

-- 

Neil Williams
=============
http://www.dcglug.org.uk/
http://www.nosoftwarepatents.com/
http://sourceforge.net/projects/isbnsearch/
http://www.williamsleesmill.me.uk/
http://www.biglumber.com/x/web?qs=0x8801094A28BCB3E3

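As an added illustration of the workflow Neil describes (this script is not part of the original post and is not GnuPG project code): it assumes a recent GnuPG 2.x and stands up two isolated GNUPGHOME directories, one playing the private machine (holds the secret key, signs) and one the public machine (holds only the public key plus a pinned fingerprint, verifies). A constructed release file is signed on the first; the file, its detached signature and the public key are copied to the second, which verifies before publishing. The user ID, file names and the passphrase-less throwaway key are assumptions made for the demo; on a real private machine the key carries a passphrase that a person types at signing time, which is exactly what a script on the public box cannot do without storing it. The check worth copying is that the public side requires a VALIDSIG status line naming the pinned fingerprint instead of trusting gpg's exit status alone, since gpg also exits 0 for a good signature from any other key that happens to be in its keyring.

```shell
#!/bin/sh
# Added example (not from the original post). Two GNUPGHOME directories
# stand in for two machines; the secret key only ever exists in the first.
set -eu

command -v gpg >/dev/null 2>&1 || { echo 'gpg not installed' >&2; exit 1; }

WORK=$(mktemp -d)
PRIVATE_HOME="$WORK/private-machine"   # secret key lives here, nowhere else
PUBLIC_HOME="$WORK/public-machine"     # public key + pinned fingerprint only
mkdir -m 700 "$PRIVATE_HOME" "$PUBLIC_HOME"
SIGNER_UID='Release Signer (demo) <release@example.invalid>'   # assumed UID

cleanup() {
    gpgconf --homedir "$PRIVATE_HOME" --kill gpg-agent 2>/dev/null || true
    gpgconf --homedir "$PUBLIC_HOME"  --kill gpg-agent 2>/dev/null || true
    rm -rf "$WORK"
}
trap cleanup EXIT

# --- private machine ---------------------------------------------------
# Throwaway demo key without a passphrase; a real key on a private machine
# would have one, typed by a person when signing.
gpg --homedir "$PRIVATE_HOME" --batch --quiet --pinentry-mode loopback \
    --passphrase '' --quick-generate-key "$SIGNER_UID" ed25519 sign never

# The fingerprint is what the public machine pins (in practice: carried
# over out of band and baked into the deploy script).
PINNED_FPR=$(gpg --homedir "$PRIVATE_HOME" --batch --with-colons \
             --list-keys "$SIGNER_UID" | awk -F: '$1 == "fpr" { print $10; exit }')

# Constructed release file, signed with a detached armoured signature.
RELEASE="$WORK/release-1.0.tar.gz"
printf 'pretend this is a tarball\n' > "$RELEASE"
gpg --homedir "$PRIVATE_HOME" --batch --quiet --yes --armor \
    --detach-sign --output "$RELEASE.asc" "$RELEASE"

# Only the public key leaves this machine.
gpg --homedir "$PRIVATE_HOME" --batch --armor --export "$SIGNER_UID" \
    > "$WORK/signer-pubkey.asc"

# --- public machine ----------------------------------------------------
# What gets copied in: the release, the .asc, and the public key.
gpg --homedir "$PUBLIC_HOME" --batch --quiet --import "$WORK/signer-pubkey.asc"

# verify_release FILE SIG: succeed only if SIG is a good signature over
# FILE made by the pinned primary key. Exit status alone is not enough,
# because gpg returns 0 for a good signature from any imported key, so the
# VALIDSIG status line (last field = primary key fingerprint) is checked.
verify_release() {
    gpg --homedir "$PUBLIC_HOME" --batch --status-fd 1 --verify "$2" "$1" \
        2>/dev/null \
      | awk -v fpr="$PINNED_FPR" \
            '$1 == "[GNUPG:]" && $2 == "VALIDSIG" && $NF == fpr { ok = 1 }
             END { exit ok ? 0 : 1 }'
}

# Number of secret keys on the public machine; the whole point is that
# this stays 0, so a compromise of the box is not a compromise of the key.
secret_keys_on_public_host() {
    gpg --homedir "$PUBLIC_HOME" --batch --with-colons --list-secret-keys \
        2>/dev/null | grep -c '^sec:' || true
}

# A modified copy must be rejected even though the signature file is real.
TAMPERED="$WORK/release-1.0-tampered.tar.gz"
cp "$RELEASE" "$TAMPERED"
printf 'one extra line\n' >> "$TAMPERED"

if verify_release "$RELEASE" "$RELEASE.asc"; then
    echo "good signature from pinned key $PINNED_FPR; safe to publish"
fi
if ! verify_release "$TAMPERED" "$RELEASE.asc"; then
    echo "tampered copy rejected"
fi
echo "secret keys on public machine: $(secret_keys_on_public_host)"
```

On the real public machine only the part after the "public machine" marker would run, as the publish step; the private-machine part runs where the key and the person with its passphrase are, and the .asc files travel with the releases.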

More information about the Gnupg-users mailing list