Re: Decryption problems using php

2012-06-05 Thread Philipp Schafft
reflum,

On Tue, 2012-06-05 at 10:20 +0530, Amol Patil wrote:
> Currently I am having a problem with the decryption of the file. My code
> is like this:
>
> echo shell_exec("echo $passphrase | $gpg --passphrase-fd 0 -o
> $unencrypted_file -d $encrypted_file");

If you do this the passphrase can be shown by any user on the system
(for example using the ps(1) command). The window for this is small, yet
this adds an attack vector. This attack becomes easier as you may
trigger it via your web application (don't know what kind of
web application this is, so just guessing here).

Also if you store the passphrase in your scripts it is plain on your FS.
Anyone with FS access can read it. This also includes exploits in your
and other software running on your webserver. Even worse: if your
webserver's config is broken at some point it may handle your files as
plain text or something, allowing remote users to just read your
passphrase with a web browser.

I suggest you drop the passphrase from the key as it does not add any
security in this case but makes stuff like this more complex.

You can actually improve the security by only storing the needed
subkey(s) on your server and having the primary key protected off-site
(for example on your work/devel system). If you need only decrypting
on-site this will perfectly protect you from attacks doing signatures or
certificates (sigs on other keys) or changing the key's crypto material
or options. So if there was a successful attack somewhere in the future
you can just revoke this subkey and add a new one so your clients can
update using normal keyservers/... without needing to pass fingerprints
around again.

Hope I was of at least some help :)


PS: another attack which is fully off-topic to this list is injecting
something in $unencrypted_file or $encrypted_file. You need to fully
trust the content of those vars.

-- 
Philipp.
 (Rah of PH2)


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
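
An added example, not part of either message in this thread: one way to run the decryption from PHP so that the passphrase never appears in a process command line (the ps(1) exposure described in the reply) and the file names never pass through a shell (the injection noted in the PS). It assumes PHP 7.4 or later for the array form of proc_open; the function name, the sample paths and the GPG_PASSPHRASE environment variable are hypothetical.

```php
<?php
// Added example, not code from the thread. Names and paths are assumptions.
function gpg_decrypt(string $gpg, string $in, string $out,
                     string $passphrase, bool $gnupg2 = true): int
{
    if (!is_file($in) || !is_readable($in)) {
        throw new InvalidArgumentException('encrypted file is not readable');
    }
    // Array form: PHP executes gpg directly, without /bin/sh. File names are
    // passed as single arguments and are never parsed as shell syntax.
    $cmd = [$gpg, '--batch', '--yes'];
    if ($gnupg2) {
        // GnuPG 2.1+ only honours --passphrase-fd in loopback mode;
        // GnuPG 1.4 does not know this option, so pass false there.
        array_push($cmd, '--pinentry-mode', 'loopback');
    }
    // "--" ends option parsing, so a file name starting with "-" stays a file.
    array_push($cmd, '--passphrase-fd', '3', '--output', $out,
               '--decrypt', '--', $in);

    $spec = [
        0 => ['file', '/dev/null', 'r'],
        1 => ['file', '/dev/null', 'w'],
        2 => ['pipe', 'w'],              // gpg diagnostics
        3 => ['pipe', 'r'],              // gpg reads the passphrase from here
    ];
    $proc = proc_open($cmd, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start gpg');
    }
    // The secret travels over a private pipe, not through argv or a shell.
    fwrite($pipes[3], $passphrase . "\n");
    fclose($pipes[3]);
    $stderr = stream_get_contents($pipes[2]);
    fclose($pipes[2]);
    $status = proc_close($proc);
    if ($status !== 0) {
        error_log("gpg exited with status $status: " . trim($stderr));
    }
    return $status;
}

// Constructed usage: the passphrase comes from the environment, not the script.
$status = gpg_decrypt('/usr/bin/gpg', '/srv/receive/sample.pgp',
                      '/srv/receive/sample.xml', (string) getenv('GPG_PASSPHRASE'));
echo $status === 0 ? "decrypted\n" : "decryption failed\n";
```

With a key that has no passphrase, as suggested in the reply, the `--passphrase-fd` option and descriptor 3 can be dropped entirely.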


Decryption problems using php

2012-06-04 Thread Amol Patil

Hello,

Currently I am having a problem with the decryption of the file. My code is
like this:


echo shell_exec("echo $passphrase | $gpg --passphrase-fd 0 -o $unencrypted_file -d $encrypted_file");


When I checked using echo before executing, it is shown as below:

passphrase|gpg --output 
/var/www/directory/directory/directory/Receive/BOEOD840053012142257187.xml 
--passphrase-fd 0 --decrypt 
/var/www/directory/directory/directory/Receive/BOEOD840053012142257187.pgp


The above command is executed correctly using putty, but when I tried to use
this command using php it is not working.

I have set permissions on the directory, but it seems it is not working.

$gpg = '/usr/bin/gpg';
$passphrase = 'passphrase';
//$encrypted_file = 'foo.gpg';
//$unencrypted_file = 'foo.txt';
echo shell_exec("echo $passphrase | $gpg --passphrase-fd 0 $unencrypted_file -d $encrypted_file");



Please assist me to get it working correctly. I have been facing such problems for the last 2
weeks. We are using ubuntu 12.04 LTS (GNU/Linux 3.2.0-24-generic i686).



--
Thanks & regards,
Amol Patil
CustomSoft
+ 91 -- 020 - 3251 7794
am...@custom-soft.com | www.custom-soft.com

