Safe decryption with GnuPG?

Krzysztof Żelechowski program.spe at home.pl
Wed Feb 6 09:14:58 CET 2008 

Thanks a lot for the keywords, the hints and the missing parts.  

Indeed, I hoped that such an application 
did not need a custom implementation 
because IMHO encrypting information is useless 
if you cannot view the information 
without exposure to eavesdropping or tracing.
I have to review what is available and what is needed 
before I can come up with a budget.

Specific comments below.
Thx, Chris


Dnia 06-02-2008, Śr o godzinie 02:22 +0100, Philipp Gühring pisze:
> Hi,
> 
> > 1.
> > The decrypted information must not make it to any persistent medium
> > (I understand gpg '-d' already guarantees it
> > as long as it manages the decrypted text,
> >  but what happens after it leaves gpg?)
> 
> Use a full-disc encryption system for all your persistent media.

That is overkill if it only can be avoided.

> 
> > 2.
> > The decrypted text must not be stored in volatile memory
> > any longer than it is needed.
> 
> You can use TaintedBochs or TaintedQemu to investigate that.
> 
> > In particular, it should be converted to a human-viewable bitmap
> > and the computer-readable representation must be immediately erased.
> 
> Doesn´t help much to try that, I would say. But feel free to try ...
> 
> > 3. Only the information I need should be displayed.
> 
> You need a Do-What-I-Mean system for that.

In this particular case, Do-What-I-Mean 
means displaying only matching information à la fgrep.  
The keywords are not secret.

> > 7.
> > If more information is requested,
> > it should be displayed in small chunks.
> > The program should be fully unaware
> > of the content of the chunks that are not being displayed.
> 
> > (That probably means a garbage-collected language cannot be used).
> 
> I don´t understand why you need that. 
> I would suggest that you seperate the small chunks into seperated encrypted 
> files, to ensure that the reader only gets those chunks that you actually 
> decrypted.

I shall consider that but I do not like this idea at the first glance; 
I am afraid there would be some maintenance overhead.

> 
> > 8.
> > The application should be as lightweight as possible
> > (for source code audit).
> 
> Agreed.
> 
> > Can you direct me to some implementation meeting these requirements?
> 
> I think your specification isn´t complete yet. You forgot about half of the 
> requirements.
> 
> I guess that:
> 
> * You want a machine that seperates code from data (to be secure against  
> trojans, virii and other malware)
> 
> * You want secure documents, that can´t change dynamically, or otherwise 
> contain invisible contents

I thought GnuPG-encrypted files are immutable, aren't they?

> 
> * You want a secure path to the user
> 
> (and some more requirements that I forgot at the moment)
> 
> What´s your budget for this small project?
> 
> Best regards,
> Philipp Gühring
>

More information about the Gnupg-users mailing list