AW: Extraction of decryption session key without copying complete encrypted file
Fiedler Roman
Roman.Fiedler at ait.ac.at
Fri Aug 4 16:22:20 CEST 2017
> Von: Gnupg-users [mailto:gnupg-users-bounces at gnupg.org] Im Auftrag von
>
> On 04/08/17 14:39, Matthias Apitz wrote:
> > But this implies that everyone with priv access on the remote host
> could
> > abuse your secret key on your localhost, especially when a GnuPG-card
> is
> > used and you entered the PIN to unlock the secret key. I'm wrong?
>
> Yes, someone with root on the remote machine can do whatever they want
> on that machine. The solution is not to perform *any* crypto on a
> machine whose admins you do not trust. There's nothing that software can
> do to protect you from rogue sysadmins.
>
> If you don't want the sysadmins on the remote machine to abuse your
> private key, then you have to download the data, perform your crypto
> locally and ...
CAVEAT here!
> ... then upload the data again. Once you allow any software on
> the remote machine to access your local resources, the remote sysadmins
> can access them too.
>
> This applies to all sorts of other things BTW, such as client drives and
> printers shared over RDP.
So true, except for one minor thing: from risk perspective, the damage is the
same if you download and upload again: if the attacker/sysadmin has replaced
the file with something, you did not want to decrypt, you will decrypt the
wrong thing and upload it again. The only way to prevent that is to review the
unencrypted data before uploading it again.
The initial workflow in [1] does not include the review either, thus should be
of same security/risk level as the procedure you described. Currently I
believe, that in our workflow this additional protection would not be worth
it: if an attack can both replace an encrypted backup file on the main backup
storage with something more valuable, encrypted with the same key, and then
fetch the decrypted data from the system receiving the backup dump for
restore, then we are completely done anyway.
I just want to avoid to have an additional point of failure (except the
keystore itself), where compromise of a single machine will compromise
arbitrary backup data.
LG Roman
[1] https://lists.gnupg.org/pipermail/gnupg-users/2017-August/058821.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4814 bytes
Desc: not available
URL: </pipermail/attachments/20170804/37cb8707/attachment-0001.bin>
More information about the Gnupg-users
mailing list