Confirmation for cached passphrases useful?

Daniel Kahn Gillmor dkg at fifthhorseman.net
Wed Oct 13 17:51:57 CEST 2010


On 10/12/2010 02:46 PM, Werner Koch wrote:
> Anyway, if you already have these permissions you can attack the
> keys with all kinds of simple tricks.  Thus it is moot.

i'm not convinced it's moot, especially if i understand the model you're
advancing for the agent for 2.1 correctly.

If i run the agent locally, and forward access to it to a constrained
account, then the constrained account (which is talking to the agent)
*does not* have the ability to simulate such X11 events.

From a different perspective, i could run the agent itself in a
constrained account, and replace the prompting tool with a tool that
requires, say, an ACPI event, or a special keypress (not an X11 event)
from a designated hardware button.  in that case, malicious code with
access to the X11 session could detect that a prompt had been made, and
possibly dismiss it or hide it from the user, but could not force
acceptance of the keypress without superuser access (at which point,
game over anyway).  To take a vulnerability from a malicious use of
secret key material to a simpler denial of service attack strikes me as
a move in the right direction.

	--dkg
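The out-of-band confirmation tool dkg sketches above, as an added illustration (not code from this thread or from GnuPG): a confirm-only pinentry speaking the small subset of the Assuan pinentry protocol that gpg-agent uses for CONFIRM, where the approval decision comes solely from a hypothetical `button_pressed` callback standing in for a hardware button or ACPI event, never from anything the X11 session can deliver. The command set, the greeting text and the unknown-command error code are assumptions made for this example.

```python
from typing import Callable, Iterable, List

# GPG_ERR_CANCELED (99) tagged with error source "pinentry" (5 << 24).
ERR_CANCELED = "ERR 83886179 Operation cancelled <Pinentry>"
# Assumed Assuan code for an unrecognised command (GPG_ERR_ASS_UNKNOWN_CMD).
ERR_UNKNOWN = "ERR 275 Unknown command <Pinentry>"

class OutOfBandPinentry:
    """Confirm-only pinentry. The only input that can approve a request is
    `button_pressed`, a stand-in for a designated hardware button. Desktop
    code that can see the prompt can at most hide or dismiss it (denial of
    service), but cannot synthesise an approval."""

    def __init__(self, button_pressed: Callable[[], bool]):
        self.button_pressed = button_pressed
        self.desc = ""

    def handle(self, line: str) -> List[str]:
        cmd, _, arg = line.strip().partition(" ")
        cmd = cmd.upper()
        if cmd in ("OPTION", "SETPROMPT", "SETTITLE", "SETOK", "SETCANCEL"):
            return ["OK"]                       # accepted, nothing to do
        if cmd == "SETDESC":
            self.desc = arg                     # shown to the user, not trusted
            return ["OK"]
        if cmd == "CONFIRM":
            # The decision is taken only from the out-of-band source.
            return ["OK"] if self.button_pressed() else [ERR_CANCELED]
        if cmd == "GETPIN":
            # Passphrase entry is refused: this tool only confirms use of an
            # already-cached key, it never collects secrets via the display.
            return [ERR_CANCELED]
        if cmd == "BYE":
            return ["OK closing connection"]
        return [ERR_UNKNOWN]

def serve(lines: Iterable[str], button_pressed: Callable[[], bool]) -> List[str]:
    """Run one constructed agent session and return every response line."""
    pe = OutOfBandPinentry(button_pressed)
    out = ["OK Pleased to meet you"]             # Assuan greeting on start
    for line in lines:
        out.extend(pe.handle(line))
    return out

# Constructed session as gpg-agent would drive it for a cached key.
SESSION = ["SETDESC Use key 0xDEADBEEF to sign?", "SETPROMPT Confirm:", "CONFIRM", "BYE"]
```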
