Re: Confirmation for cached passphrases useful?

2010-10-12 Thread Daniel Kahn Gillmor
On 10/12/2010 02:26 AM, Werner Koch wrote:
> On Tue, 12 Oct 2010 04:44, d...@fifthhorseman.net said:
> 
>> (e.g. one process can send a simulated mouseclick to another process
>> pretty easily) but that doesn't mean no one is running with a
> 
> The standard pinentry grabs mouse and keyboard and thus we should be
> protected against this kind of attack.

I think that grabbing mouse and kbd prevents other tools from *reading*
the kbd and mouse events.  It doesn't prevent synthesized events from
triggering those inputs (e.g. clicking "OK" on a button).

As a simple example, try:

  sleep 3 && xdotool key Return & echo GETPIN xxx | pinentry

The backgrounded process hits the enter key on a foregrounded (grabbed)
pinentry-gtk.

So while it's useful to protect passphrase entry from other snooping X11
applications, i don't think that the kbd/mouse grab approach is
sufficient protection for a simple confirmation prompt dialog box.

I'd be happy to be corrected on this if i'm wrong, of course.

Regards,

--dkg



___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: Confirmation for cached passphrases useful?

2010-10-12 Thread Hauke Laging
On Tuesday 12 October 2010 06:34:48, Robert J. Hansen wrote:


> If my attack gives me unprivileged access I'm going to escalate it to root.

"going to", yes.


> This is straight out of the malware
> playbook, and malware authors have a great many ways to achieve it.

I think that it is not useful to equate unprivileged and root access. This 
seems to me a bit ignorant of people trying to get their systems secure. :-)


> Heck, this doesn't even defend against an *unprivileged* attack.  Give
> me unprivileged access to your user account I'll edit your .profile to
> put a .malware/ subdirectory on your PATH and drop my trojaned GnuPG in
> there.

There are ways to prevent this. E.g. I protect important and hardly ever 
changed files like ~/.gnupg/options with root privilege (chattr immutable on 
ext3). My most threatened processes (browser, IM) are covered by AppArmor 
profiles which heavily restrict access to $HOME but not to /tmp. These cannot 
access the secret keys, of course. But due to the new design of GnuPG 2.1 this 
may change.


> This seems like an niche solution to a problem which, as of right now,
> is nonexistent.

As Daniel already pointed out: Few people do but there are possibilities to 
harden your system. It would seem strange if of all things a security software 
put a limit to such efforts. Thus gpg should offer improvements even if these 
do not make much sense ALONE (which should be mentioned in the documentation).


Hauke
-- 
PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814




Re: Confirmation for cached passphrases useful?

2010-10-12 Thread Hauke Laging
On Tuesday 12 October 2010 09:05:56, Daniel Kahn Gillmor wrote:

> I think that grabbing mouse and kbd prevents other tools from *reading*
> the kbd and mouse events.  It doesn't prevent synthesized events from
> triggering those inputs (e.g. clicking "OK" on a button).

But this may change in the future. On the one hand you are free to have X 
clients running untrustedly (which should make that impossible); on the other 
hand I read rumours about the SELinux people heading at changes to their LSM 
in order to address the (more than obvious...) X problem.


Hauke
-- 
PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814




Re: Encrytped email attachments

2010-10-12 Thread Faramir
On 11-10-2010 12:04, Ben McGinnes wrote:
...
> Most email clients which support OpenPGP/GPG either natively or via a
> plug-in do the former automatically.  I use Thunderbird with Enigmail
> and it will encrypt an attachment to an encrypted email without any
> additional configuration or installation of libraries.

  Well, Enigmail could be seen as an additional library. Programmers
have one definition of libraries; the rest of the world may have another.

  But yes, Thunderbird with Enigmail is an awesome combo.

  Best Regards


Re: Problem with Gemalto USB Shell Token V2

2010-10-12 Thread Mukund Sivaraman
Hi Tiago

I just purchased OpenPGP cards and Gemalto USB Shell Token V2 readers
(see ).  They work perfectly for me.

I'll explain what I use to access them. Maybe you can adapt it to your
own use.

1) Start the pcscd service on your distro. This is a daemon that is
distributed in the PCSC-Lite package.  On Fedora, as root you can run:

service pcscd start && chkconfig pcscd on

2) Add the "disable-ccid" option to gpg.conf. This will make GnuPG use
PCSC-Lite to access the card, instead of the built-in CCID driver.

This in itself should be enough to get the card working properly. You
can do gpg --card-status to see the card, gpg --card-edit to edit the
card.

I have all this working on my stock Fedora 13 install with the
following versions of packages:

gnupg-1.4.10-2.fc13.x86_64
pcsc-lite-1.5.5-4.fc13.x86_64
ccid-1.3.11-1.fc13.x86_64

To configure other things such as SSH authentication keys, etc., you
will have to configure gpg-agent to start during desktop session
startup, make environment variables available to the shell (man
gpg-agent), and also perhaps disable some things if you are using
GNOME.

Good luck.

Mukund




OpenPGP card questions

2010-10-12 Thread Mukund Sivaraman
Hi all

I just purchased 4 OpenPGP cards and am configuring one of them.
Everything is working perfectly so far.  I am using the Gemalto USB
Shell Token V2 as the reader device with PCSC-Lite.  You can see
pictures of it here: 

1. There is a typo on the printed sheet supplied with the OpenPGP card.

2. When running gpg --armor --export-secret-key , it
actually generates ---PGP PRIVATE KEY BLOCK--- output instead of an
error.  I had chosen not to make any backups when generating the key on
the card.  I asked about this on IRC and was told it might be a stub
containing the card ID, etc., but am looking for a more authoritative
answer (i.e., without the word `maybe') just to be sure.  :)

pgpdump says "Sym alg - Plaintext or unencrypted data(sym 0)", but this
cannot be an unencrypted key, right?  Is it a stub?  Is there any
method using which the private key can be recovered from the card?

Mukund


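Added example for the question above, not code from the thread or from GnuPG: a small parser that reads the S2K usage field of a v4 secret-key packet and reports whether the secret material is stored unprotected, passphrase-protected, or as one of GnuPG's documented stub forms. It assumes the GNU S2K extension described in GnuPG's doc/DETAILS (S2K mode 101, the marker "GNU", then a protection-mode byte: 1 for gnu-dummy with nothing stored, 2 for gnu-divert-to-card followed by the card serial number). The packet built by build_sample_packet() is constructed with toy 16-bit MPIs and a made-up serial number and is not a usable key; a real binary export (gpg --export-secret-key without --armor, written to a file) can be passed to classify_first_secret_key() the same way.

```python
"""Classify how the secret part of an OpenPGP v4 secret-key packet is stored.

Added example; not GnuPG code.  Relies on GnuPG's documented S2K extension
(doc/DETAILS): S2K mode 101, then "GNU", then a protection-mode byte
(1 = gnu-dummy, 2 = gnu-divert-to-card + serial number).
"""
import struct

TAG_SECRET_KEY = 5
TAG_SECRET_SUBKEY = 7

# Number of public-key MPIs per algorithm id (RFC 4880, section 5.5.2).
PUBLIC_MPI_COUNT = {1: 2, 2: 2, 3: 2, 16: 3, 17: 4}


def read_packet(data, offset=0):
    """Parse one packet header at `offset`; return (tag, body, next_offset)."""
    first = data[offset]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet header")
    if first & 0x40:                                  # new-format header
        tag = first & 0x3F
        l1 = data[offset + 1]
        if l1 < 192:
            length, hdr = l1, 2
        elif l1 < 224:
            length, hdr = ((l1 - 192) << 8) + data[offset + 2] + 192, 3
        elif l1 == 255:
            length, hdr = struct.unpack(">I", data[offset + 2:offset + 6])[0], 6
        else:
            raise ValueError("partial body lengths not handled")
    else:                                             # old-format header
        tag = (first >> 2) & 0x0F
        ltype = first & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not handled")
        hdr = 1 + (1 << ltype)                        # 1, 2 or 4 length octets
        length = int.from_bytes(data[offset + 1:offset + hdr], "big")
    start = offset + hdr
    return tag, data[start:start + length], start + length


def skip_mpi(body, pos):
    """Return the offset just past the MPI (2-byte bit count + value) at `pos`."""
    bits = struct.unpack(">H", body[pos:pos + 2])[0]
    return pos + 2 + (bits + 7) // 8


def classify_secret_key(body):
    """Describe the S2K protection of a v4 secret-key packet body."""
    if body[0] != 4:
        raise ValueError("only v4 key packets handled")
    pos = 6                                           # version, 4-byte time, algo
    for _ in range(PUBLIC_MPI_COUNT[body[5]]):
        pos = skip_mpi(body, pos)
    usage = body[pos]
    pos += 1
    if usage == 0:
        return {"kind": "unprotected"}
    if usage not in (254, 255):
        # Legacy layout: the usage byte is itself the symmetric algorithm id.
        return {"kind": "passphrase-protected", "sym_algo": usage, "s2k_mode": None}
    sym_algo, s2k_mode = body[pos], body[pos + 1]     # followed by the hash id
    pos += 3
    if s2k_mode != 101:
        return {"kind": "passphrase-protected", "sym_algo": sym_algo, "s2k_mode": s2k_mode}
    if body[pos:pos + 3] != b"GNU":
        raise ValueError("S2K mode 101 without GNU marker")
    pos += 3
    gnu_mode = 1000 + body[pos]
    pos += 1
    if gnu_mode == 1001:
        return {"kind": "gnu-dummy", "sym_algo": sym_algo}
    if gnu_mode == 1002:
        n = body[pos]
        serial = body[pos + 1:pos + 1 + n].hex().upper()
        return {"kind": "gnu-divert-to-card", "sym_algo": sym_algo, "serial": serial}
    raise ValueError("unknown GNU protection mode %d" % gnu_mode)


def classify_first_secret_key(data):
    """Walk the packets in `data` and classify the first secret (sub)key packet."""
    offset = 0
    while offset < len(data):
        tag, body, offset = read_packet(data, offset)
        if tag in (TAG_SECRET_KEY, TAG_SECRET_SUBKEY):
            return classify_secret_key(body)
    raise ValueError("no secret key packet found")


# CONSTRUCTED sample: toy 16-bit "RSA" MPIs and a made-up serial; not a usable key.
SAMPLE_SERIAL = bytes.fromhex("D2760001240102000005000012340000")


def build_sample_packet(protection, serial=SAMPLE_SERIAL):
    """Build an old-format tag-5 packet whose secret part uses `protection`."""
    public = (b"\x04" + struct.pack(">I", 1286800000) + b"\x01"
              + b"\x00\x10\xb5\xa3"                   # n: 16-bit toy value
              + b"\x00\x11\x01\x00\x01")              # e = 65537
    if protection == "unprotected":
        secret = b"\x00" + b"\x00\x08\x7f" + b"\x00\x87"   # usage 0, toy d, checksum
    elif protection == "divert-to-card":
        secret = (b"\xff\x00"                         # usage 255, sym algo 0 ("sym 0")
                  + b"\x65\x02" + b"GNU"              # S2K mode 101, SHA-1, marker
                  + b"\x02" + bytes([len(serial)]) + serial)
    else:
        raise ValueError(protection)
    body = public + secret
    return bytes([0x80 | (TAG_SECRET_KEY << 2), len(body)]) + body


if __name__ == "__main__":
    print(classify_first_secret_key(build_sample_packet("divert-to-card")))
```

For the stub form the symmetric algorithm byte is 0, which is what a "sym 0 / plaintext" line from a packet dumper reflects: nothing is encrypted because no secret MPIs are present at all, only the pointer to the card.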


Scripting

2010-10-12 Thread Lee Elcocks

Hello all.

This is my last resort. I know that this is not really the correct place to 
pose such a question.

I have now successfully set up a fully automated GPG solution, with the help of 
all of you on this list.

However my next task is to integrate the scripts with GPG with WINSCP.

Basically I want to do this.

Auto encrypted files end up in a folder called C:\encryptedfiles

then the WINSCP script will run and look at the files in the above folder, 
collect the file names into a temporary text file, and SFTP them over to a 
remote server.

My question is does anybody on this list have any knowledge of WINSCP scripting?

I've had a look at the help pages on the website and cannot for the life of me 
figure them out! PS

I'm willing to pay!


Re: Encrytped email attachments

2010-10-12 Thread Ben McGinnes
On 12/10/10 8:44 PM, Faramir wrote:
> 
>   Well, Enigmail could be seen as an additional library. Programmers
> have one definition of libraries; the rest of the world may have another.

Good point, it has been a while since I've thought of things that way.

>   But yes, Thunderbird with Enigmail is an awesome combo.

It most certainly is, especially with platform independence.  It's
particularly nice to be able to copy profile directories between systems
which will preserve plugins (I primarily use Enigmail and External
Editor) across those platforms.


Regards,
Ben

-- 
Ben McGinnes  http://www.adversary.org/  Twitter: benmcginnes
Systems Administrator, Writer, ICT Consultant
Encrypted email preferred - primary OpenPGP/GPG key: 0xA04AE313
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x371AC5BFA04AE313





Re: Confirmation for cached passphrases useful?

2010-10-12 Thread Robert J. Hansen
On 10/12/2010 1:54 AM, Daniel Kahn Gillmor wrote:
> yes, of course this isn't going to be able to protect the user from
> someone with full access to their user account or their current session.

These two attack modes (root and user access) cover the overwhelming
majority of instances today, so already this hypothetical attack is an
exotic.  On top of that, your imagined situation seems to involve a
compromised machine communicating with a trusted server over a socket.
If the trusted server sends back a confirmation request, what's to keep
the malware from simply saying, "OK," in response to these requests?

> Conversely, people won't run well-isolated subsystems if the tools we
> provide don't support reasonable separation and control in the first
> place.

Please do not mistake this for snark.  It's not.  I'm using an absurd
position here to try and make my objections clear, not because I'm
trying to denigrate your views.

That said: "People will also not use GnuPG as a personal flotation
device in the event of a water landing if GnuPG does not float."

GnuPG is not a personal flotation device and, unsurprisingly, doesn't
have any features related to that.  This said, if users want GnuPG to
offer pontoon functionality in 2.2 they are certainly welcome to make
their opinions known.  If more than a dozen people say, "yes, I need
GnuPG to serve as a personal flotation device," I will happily get out
of the way and encourage it to be added.

But to talk about how the people need personal flotation support in
GnuPG, without actually hearing from users who genuinely need it... I
might have great respect for the speakers and might even agree with
their opinions: but in the absence of user demand, I wouldn't think we
should do it.






RE: Scripting

2010-10-12 Thread Lee Elcocks

I'm really sorry, I need this in simple terms. The PuTTY command line looks a lot 
better though!

 

This is the script I intend to use:

SETLOCAL
SET "PUTTYDIR=C:\Program Files\putty"
REM Write the names of the files to send into a temporary list file
>"%TMP%\~ftplist.txt" DIR /B "C:\encryptedfiles"
PUSHD "C:\encryptedfiles"
FOR /F "delims=" %%F IN ('MORE ^< "%TMP%\~ftplist.txt"') DO (
IF EXIST "%%F" (

REM The transfer command for "%%F" replaces the next line
MY PUTTY COMMAND GOES HERE 
REM Delete the local copy only if the transfer command returned exit code 0
IF NOT ERRORLEVEL 1 DEL "%%F"
)
)
POPD
DEL "%TMP%\~ftplist.txt"
ENDLOCAL

 

I suppose what I'm asking is: please could you give the command? By the way, does 
PuTTY support SFTP with TLS authentication?

 
> Subject: Re: Scripting
> From: reid.thomp...@ateb.com
> To: l_elco...@hotmail.co.uk
> CC: reid.thomp...@ateb.com
> Date: Tue, 12 Oct 2010 08:45:46 -0400
> 
> On Tue, 2010-10-12 at 11:46 +0100, Lee Elcocks wrote:
> > Hello all.
> > 
> > This is my last resort. I know that this is not really the correct
> > place to pose such a question.
> > 
> > I have now successfully set up a fully automated GPG solution, with the
> > help of all of you on this list.
> > 
> > However my next task is to integrate the scripts with GPG with
> > WINSCP.
> > 
> > Basically I want to do this.
> > 
> > Auto encrypted files end up in a folder called C:\encryptedfiles
> > 
> > then the WINSCP script will run and look at the files in the above
> > folder, collect the file names into a temporary text file, and SFTP
> > them over to a remote server.
> > My question is does anybody on this list have any knowledge of WINSCP
> > scripting?
> > I've had a look at the help pages on the website and cannot for the
> > life of me figure them out! PS
> > I'm willing to pay!
> 
> use the putty tools... pscp.exe ... with an ssh passwordless keypair
> schedule a task to call a bat file with something like this
> 
> \path\to\pscp.exe -q -i \path\to\private-key.ppk 
> \path\to\pattern_match_for_files 
> remote_host_use...@remote_host.domain.com:/path/to/folder/to/put/files/in


Re: Encrytped email attachments

2010-10-12 Thread vedaal
There is a workaround to encrypt any e-mail attachment and send it 
inline as part of the encrypted email message:

gpg --enarmor 'attachment file'

or

gpg -e -a 'attachment file'

and then paste the ascii armored text inline, and then encrypt the 
message.

It has the minor advantage of getting through some e-mail clients 
and systems that don't allow attachments.

vedaal




Re: Confirmation for cached passphrases useful?

2010-10-12 Thread Werner Koch
On Tue, 12 Oct 2010 09:05, d...@fifthhorseman.net said:

> the kbd and mouse events.  It doesn't prevent synthesized events from
> triggering those inputs (e.g. clicking "OK" on a button).

You are right.  However it is the only protection we can use on X; it
might be helpful in some cases, but as you showed not in this one.
Anyway, if you already have these permissions you can attack the
keys with all kinds of simple tricks.  Thus it is moot.


Salam-Shalom,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.




Re: Confirmation for cached passphrases useful?

2010-10-12 Thread Werner Koch
On Tue, 12 Oct 2010 11:10, mailinglis...@hauke-laging.de said:

> There are ways to prevent this. E.g. I protect important and hardly ever 
> changed files like ~/.gnupg/options with root privilege (chattr immutable on 

It doesn't help - you need to protect gpg.conf and gpg.conf-2 and
gpg.conf-2.0 and so on.  BTW, ~/.gnupg/options has been deprecated for ages.


Shalom-Salam,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.


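Added example for the point about gpg.conf-2 and gpg.conf-2.0, not GnuPG's own code: it enumerates the configuration file names gpg of that era consults and flags any version-specific file sitting next to a protected gpg.conf, since such a file would be read instead of it and making only gpg.conf immutable would not cover it. The lookup order assumed is gpg.conf-<full version>, then gpg.conf-<major.minor>, gpg.conf-<major>, then gpg.conf, with the first existing file winning; the version string 2.0.16 and the home directory built by demo() (in a temporary directory) are constructed for the example.

```python
"""Enumerate the config files GnuPG would consult and flag version-specific overrides.

Added example, not GnuPG code.  Assumes the lookup order of GnuPG 1.4/2.0:
gpg.conf-<full version>, gpg.conf-<major.minor>, gpg.conf-<major>, gpg.conf,
using the first file that exists.
"""
import os
import tempfile


def candidate_config_names(version, base="gpg.conf"):
    """Names gpg tries, most specific first, ending with the plain `base`."""
    parts = version.split(".")
    names = ["%s-%s" % (base, ".".join(parts[:i])) for i in range(len(parts), 0, -1)]
    names.append(base)
    return names


def effective_config(homedir, version, base="gpg.conf"):
    """Name of the file gpg would actually read, or None if none exists."""
    for name in candidate_config_names(version, base):
        if os.path.isfile(os.path.join(homedir, name)):
            return name
    return None


def find_overrides(homedir, version, base="gpg.conf"):
    """Version-specific files present in `homedir`; each of them shadows `base`.

    A hardening check that only protects `base` should treat any entry returned
    here as a finding: the plain file is not what gpg will load.
    """
    return [name for name in candidate_config_names(version, base)[:-1]
            if os.path.isfile(os.path.join(homedir, name))]


def demo(version="2.0.16"):
    """CONSTRUCTED home directory: a protected gpg.conf plus an unprotected sibling."""
    with tempfile.TemporaryDirectory(prefix="gnupg-demo-") as homedir:
        with open(os.path.join(homedir, "gpg.conf"), "w") as f:
            f.write("# the file the owner made immutable\n")
        with open(os.path.join(homedir, "gpg.conf-2.0"), "w") as f:
            f.write("# a writable sibling that gpg prefers over gpg.conf\n")
        return {
            "tried": candidate_config_names(version),
            "effective": effective_config(homedir, version),
            "overrides": find_overrides(homedir, version),
        }


if __name__ == "__main__":
    print(demo())
```

The practical consequence matches Werner's remark: an immutability bit on gpg.conf alone is not a complete control, because every name ahead of it in the list has to be either absent, or protected just as strongly.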


RE: Problem with Gemalto USB Shell Token V2

2010-10-12 Thread Smith, Cathy
Does anyone have the Gemalto USB working with Red Hat 5.5?



Cathy

---
Cathy L. Smith
IT Engineer
Pacific Northwest National Laboratory

Phone:  509.375.2687
Fax:    509.375.2330
Email: cathy.sm...@pnl.gov



-Original Message-
From: gnupg-users-boun...@gnupg.org [mailto:gnupg-users-boun...@gnupg.org] On 
Behalf Of Mukund Sivaraman
Sent: Monday, October 11, 2010 5:48 AM
To: ti...@forked.de
Cc: gnupg-users@gnupg.org
Subject: Re: Problem with Gemalto USB Shell Token V2

Hi Tiago

I just purchased OpenPGP cards and Gemalto USB Shell Token V2 readers (see 
).  They work perfectly for me.

I'll explain what I use to access them. Maybe you can adapt it to your own use.

1) Start the pcscd service on your distro. This is a daemon that is distributed 
in the PCSC-Lite package.  On Fedora, as root you can run:

service pcscd start && chkconfig pcscd on

2) Add the "disable-ccid" option to gpg.conf. This will make GnuPG use 
PCSC-Lite to access the card, instead of the built-in CCID driver.

This in itself should be enough to get the card working properly. You can do 
gpg --card-status to see the card, gpg --card-edit to edit the card.

I have all this working on my stock Fedora 13 install with the following 
versions of packages:

gnupg-1.4.10-2.fc13.x86_64
pcsc-lite-1.5.5-4.fc13.x86_64
ccid-1.3.11-1.fc13.x86_64

To configure other things such as SSH authentication keys, etc., you will have 
to configure gpg-agent to start during desktop session startup, make 
environment variables available to the shell (man gpg-agent), and also perhaps 
disable some things if you are using GNOME.

Good luck.

Mukund



RE: Problem with Gemalto USB Shell Token V2

2010-10-12 Thread Smith, Cathy
I'm running RHEL5.5:
php-5.1.6-27
pcsc-lite-1.4.4-4

These are Red Hat's version numbers.


Cathy

---
Cathy L. Smith
IT Engineer
Pacific Northwest National Laboratory

Phone:  509.375.2687
Fax:    509.375.2330
Email: cathy.sm...@pnl.gov



-Original Message-
From: Mukund Sivaraman [mailto:m...@banu.com] 
Sent: Tuesday, October 12, 2010 10:25 PM
To: Smith, Cathy
Cc: gnupg-users@gnupg.org
Subject: Re: Problem with Gemalto USB Shell Token V2

On Tue, Oct 12, 2010 at 01:03:42PM -0700, Smith, Cathy wrote:
> Does anyone have the Gemalto USB working with Red Hat 5.5?

I don't know about the versions of GnuPG and PCSC-Lite on RHEL 5.5 to answer 
this question.  Maybe you can try it, and if it do
