I am in discussions with a vendor regarding the storing of encryption
keys on systems that exchange information through an application. The
vendor is advising against storing the keys in the registry and
suggests hiding them somewhere in the filesystem. They suggest that
the registry is the first place an attacker would look.
The systems are open to the public internet and web traffic. If the
keys need to be accessible to the system somewhere locally, which would
be a better place to store the keys and why? I would think the
registry would be safer than the file system. Thanks in advance.
>I am in discussions with a vendor regarding the storing of encryption
>keys on systems that exchange information through an application. The
>vendor is advising against storing the keys in the registry and
>suggests hiding them somewhere in the filesystem. They suggest that
>the registry is the first place an attacker would look.
>The systems are open to the public internet and web traffic. If the
>keys need to be accessible to the system somewhere locally, which would
>be a better place to store the keys and why? I would think the
>registry would be safer than the file system. Thanks in advance.
Yee gads. Is it better if I have my leg chopped off or is it better if I
chop off my hand. I think that this system needs rethinking. The registry
or a file are almost equally bad as you have to assume that the attacker
will know where the keys are kept. It is not a secret which you should have
any confidence that you can keep (especially as you are running a Windows
machine, whose ability to keep secrets is not very great)
(For all you know one of the employees of the vendor's
company is a spy for the Mafia).
Why do the keys need to be on that system at all? Why cannot the critical
information be kept on a machine which is not connected to the net, except
perhaps by a very very very restricted or even one way pipe?
<phillipkim1@yahoo.com> wrote in message
news:1123885941.728141.322420@g49g2000cwa.googlegroups.com...
> Hello,
>
> I am in discussions with a vendor regarding the storing of encryption
> keys on systems that exchange information through an application. The
> vendor is advising against storing the keys in the registry and
> suggests hiding them somewhere in the filesystem. They suggest that
> the registry is the first place an attacker would look.
>
> The systems are open to the public internet and web traffic. If the
> keys need to be accessible to the system somewhere locally, which would
> be a better place to store the keys and why? I would think the
> registry would be safer than the file system. Thanks in advance.
I'll agree with Unruh that the situation is not at its best.
IIRC correctly it is easier to protect something in the windows registry by
using the encrypted interfaces, but IIRC these are broken so the extra
security is minimal at best. The typical way of creating a system that has
the potential to be secure is to store Encrypt(User_key, encryption_keys)
(i.e. encryption_keys encrypted with the User_key), then require that the
user enter the User_key, this is a very simplified (e.g. has holes) version
of what PGP does, where the storage occurs actually becomes generally
irrelevant.
To have something secure requires secure storage of some kind, whether that
is hardware or the human brain is a potentially very complex design
decision.
Joe
All registry and filesystem access can be easily detected using free
tools from various sources. So you have to assume that whatever you put
in either place, is actually open for all to see.
In comp.security.misc phillipkim1@yahoo.com wrote:
> I am in discussions with a vendor regarding the storing of encryption
> keys on systems that exchange information through an application. The
> vendor is advising against storing the keys in the registry and
> suggests hiding them somewhere in the filesystem. They suggest that
> the registry is the first place an attacker would look.
> The systems are open to the public internet and web traffic. If the
> keys need to be accessible to the system somewhere locally, which would
> be a better place to store the keys and why? I would think the
> registry would be safer than the file system. Thanks in advance.
Don't store unencrypted keys anywhere, where other users theoretically
can read them.
Better use a passphrase and store them encrypted, or store them in
a crypto-container.
It does not matter whether you store them in the registry or in a file
system. "Hiding" them by obscuring the place they're stored, will not
work at all.
Posting has nothing to do with the science of cryptography, so F'up
corrected.
Yours,
VB.
--
"Almighty Father, who wilt hear the prayer of those that love Thee, we pray
Thee to be with those who brave heights of Thy heaven and who carry the
battle to our enemies. Guard and protect them, we pray Thee, as they fly
the appointed rounds." - Chaplain William Downey, prayer for the Enola Gay.
In comp.security.misc TC <aatcbbtccctc@yahoo.com> wrote:
> All registry and filesystem access can be easily detected using free
> tools from various sources. So you have to assume that whatever you put
> in either place, is actually open for all to see.
That's wrong. It is open to see only for Administrators.
F'up corrected.
Yours,
VB.
He has not said what OS he is on, how it has been set up, whether his
app will have permission to write to restricted areas of the registry
(or whether it will only write to less-protected areas), or what
security would be applied to the relevant keys. (Eg. you can have
completely unprotected keys in protected areas of the registry, just so
that a badly-written app which uses that key can continue to run. MS
themselves have fixes of this kind, in the knowledgebase.)
So in the absence of /any/ of that information, the prudent advice is
to assume that everyone will be able to see what he puts in there.
TC <aatcbbtccctc@yahoo.com> wrote:
> He has not said what OS he is on
He told us, there is a "Registry". How many OSes are there, which
have one?
> how it has been set up
That does not matter. He told us, that he wants to use obscurity to
store keys, not encryption.
Yours,
VB.
> <phillipkim1@yahoo.com> wrote in message
> news:1123885941.728141.322420@g49g2000cwa.googlegroups.com...
>
>>Hello,
>>
>>I am in discussions with a vendor regarding the storing of encryption
>>keys on systems that exchange information through an application. The
>>vendor is advising against storing the keys in the registry and
>>suggests hiding them somewhere in the filesystem. They suggest that
>>the registry is the first place an attacker would look.
>>
>>The systems are open to the public internet and web traffic. If the
>>keys need to be accessible to the system somewhere locally, which would
>>be a better place to store the keys and why? I would think the
>>registry would be safer than the file system. Thanks in advance.
>
>
> I'll agree with Unruh that the situation is not at its best.
>
> IIRC correctly it is easier to protect something in the windows registry by
> using the encrypted interfaces, but IIRC these are broken so the extra
> security is minimal at best. The typical way of creating a system that has
> the potential to be secure is to store Encrypt(User_key, encryption_keys)
> (i.e. encryption_keys encrypted with the User_key), then require that the
> user enter the User_key, this is a very simplified (e.g. has holes) version
> of what PGP does, where the storage occurs actually becomes generally
> irrelevant.
>
> To have something secure requires secure storage of some kind, whether that
> is hardware or the human brain is a potentially very complex design
> decision.
> Joe
>
>
Didn't you say that people can not remember pass phrases?
And now you refer to the human brain as secure storage?
Volker Birk wrote:
> In comp.security.misc TC <aatcbbtccctc@yahoo.com> wrote:
>> All registry and filesystem access can be easily detected using free
>> tools from various sources. So you have to assume that whatever you
>> put in either place, is actually open for all to see.
>
> That's wrong. It is open to see only for Administrators.
Using kernel-level tools, yes. However, if it is an application that the
user runs (as opposed to, say, monitoring the accesses of an already-running
service) then file and registry access through DLL calls can easily be
hooked using code injection unless the application goes to a lot of trouble
to avoid detection by doing the relevant kernel calls itself.
--
Michael Brown
Add michael@ to emboss.co.nz ---+--- My inbox is always open
"Volker Birk" <bumens@dingens.org> wrote in message
news:42fd9d50@news.uni-ulm.de...
> In comp.security.misc TC <aatcbbtccctc@yahoo.com> wrote:
>> All registry and filesystem access can be easily detected using
>> free
>> tools from various sources. So you have to assume that whatever
>> you put
>> in either place, is actually open for all to see.
>
> That's wrong. It is open to see only for Administrators.
>
> F'up corrected.
Which at least 90% of non business users run in all the time anyway.
And . . the number is probably quite high in business environments
as well.
--
"When you have to choose between a first-rate company with a
second-rate product and a second-rate company with a first-rate
product, it's never an ideal choice. " -Ed (www.overclockers.com)
Michael Brown <see@signature.below> wrote:
> Volker Birk wrote:
> > In comp.security.misc TC <aatcbbtccctc@yahoo.com> wrote:
> >> All registry and filesystem access can be easily detected using free
> >> tools from various sources. So you have to assume that whatever you
> >> put in either place, is actually open for all to see.
> > That's wrong. It is open to see only for Administrators.
> Using kernel-level tools, yes. However, if it is an application that the
> user runs (as opposed to, say, monitoring the accesses of an already-running
> service) then file and registry access through DLL calls can easily be
> hooked using code injection unless the application goes to a lot of trouble
> to avoid detection by doing the relevant kernel calls itself.
For that, you need Debug privileges, which a regular user does not have.
Yours,
VB.
Luc The Perverse <sll_noSpamlicious_z_XXX_m@cc.usu.edu> wrote:
> "Volker Birk" <bumens@dingens.org> wrote in message
> news:42fd9d50@news.uni-ulm.de...
> > In comp.security.misc TC <aatcbbtccctc@yahoo.com> wrote:
> >> All registry and filesystem access can be easily detected using
> >> free
> >> tools from various sources. So you have to assume that whatever
> >> you put
> >> in either place, is actually open for all to see.
> > That's wrong. It is open to see only for Administrators.
> Which at least 90% of non business users run in all the time anyway.
Yes. This is the reason, why usually you lose, if you have code running
on your system, which should not run.
Unfortunately.
> And . . the number is probably quite high in business environments
> as well.
I hope, you're wrong. I suppose, you're right.
Yours,
VB.
Volker Birk wrote:
> Michael Brown <see@signature.below> wrote:
>> Volker Birk wrote:
>>> In comp.security.misc TC <aatcbbtccctc@yahoo.com> wrote:
>>>> All registry and filesystem access can be easily detected using
>>>> free tools from various sources. So you have to assume that
>>>> whatever you put in either place, is actually open for all to see.
>>>
>>> That's wrong. It is open to see only for Administrators.
>>
>> Using kernel-level tools, yes. However, if it is an application that
>> the user runs (as opposed to, say, monitoring the accesses of an
>> already-running service) then file and registry access through DLL
>> calls can easily be hooked using code injection unless the
>> application goes to a lot of trouble to avoid detection by doing the
>> relevant kernel calls itself.
>
> For that, you need Debug privileges, which a regular user does not
> have.
No, not at all. Two methods which don't involve seDebugPrivilege are import
table modification and SetWindowsHookEx. Additionally, you only require
seDebugPrivilege to open a process (with sufficient rights to do injection
through CreateRemoteThread and friends) that is not owned by you. So you can
do code injection into any process that you start.
--
Michael Brown
Add michael@ to emboss.co.nz ---+--- My inbox is always open
<Crypto@S.M.S> wrote in message news:11frklv17n77a7a@news.supernews.com...
> Joseph Ashwood wrote:
>
>> <phillipkim1@yahoo.com> wrote in message
>> news:1123885941.728141.322420@g49g2000cwa.googlegroups.com...
>>
>>>Hello,
>>>
>>>I am in discussions with a vendor regarding the storing of encryption
>>>keys on systems that exchange information through an application. The
>>>vendor is advising against storing the keys in the registry and
>>>suggests hiding them somewhere in the filesystem. They suggest that
>>>the registry is the first place an attacker would look.
>>>
>>>The systems are open to the public internet and web traffic. If the
>>>keys need to be accessible to the system somewhere locally, which would
>>>be a better place to store the keys and why? I would think the
>>>registry would be safer than the file system. Thanks in advance.
>>
>>
>> I'll agree with Unruh that the situation is not at its best.
>>
>> IIRC correctly it is easier to protect something in the windows registry
>> by using the encrypted interfaces, but IIRC these are broken so the extra
>> security is minimal at best. The typical way of creating a system that
>> has the potential to be secure is to store Encrypt(User_key,
>> encryption_keys) (i.e. encryption_keys encrypted with the User_key), then
>> require that the user enter the User_key, this is a very simplified (e.g.
>> has holes) version of what PGP does, where the storage occurs actually
>> becomes generally irrelevant.
>>
>> To have something secure requires secure storage of some kind, whether
>> that is hardware or the human brain is a potentially very complex design
>> decision.
>> Joe
>
> Didn't you say that people can not remember pass phrases?
> And now you refer to the human brain as secure storage?
What I said was that people make bad storage devices for large quantities of
entropy. Each individual has a limit to the amount of entropy they can
memorize, if each individual can memorize say 120-bits, then each passphrase
they memorize can only have 120/n bits of entropy (on average) where n is
the number of passphrases. For a single passphrase this would deliver
120-bits of entropy, more than enough to be secure, with 3 passphrases it
would mean a strength of only 40-bits far below what is needed for security.
Joe
Joseph Ashwood wrote:
> <Crypto@S.M.S> wrote in message news:11frklv17n77a7a@news.supernews.com...
>
>>Joseph Ashwood wrote:
>>
>>
>>><phillipkim1@yahoo.com> wrote in message
>>>news:1123885941.728141.322420@g49g2000cwa.googlegroups.com...
>>>
>>>
>>>>Hello,
>>>>
>>>>I am in discussions with a vendor regarding the storing of encryption
>>>>keys on systems that exchange information through an application. The
>>>>vendor is advising against storing the keys in the registry and
>>>>suggests hiding them somewhere in the filesystem. They suggest that
>>>>the registry is the first place an attacker would look.
>>>>
>>>>The systems are open to the public internet and web traffic. If the
>>>>keys need to be accessible to the system somewhere locally, which would
>>>>be a better place to store the keys and why? I would think the
>>>>registry would be safer than the file system. Thanks in advance.
>>>
>>>
>>>I'll agree with Unruh that the situation is not at its best.
>>>
>>>IIRC correctly it is easier to protect something in the windows registry
>>>by using the encrypted interfaces, but IIRC these are broken so the extra
>>>security is minimal at best. The typical way of creating a system that
>>>has the potential to be secure is to store Encrypt(User_key,
>>>encryption_keys) (i.e. encryption_keys encrypted with the User_key), then
>>>require that the user enter the User_key, this is a very simplified (e.g.
>>>has holes) version of what PGP does, where the storage occurs actually
>>>becomes generally irrelevant.
>>>
>>>To have something secure requires secure storage of some kind, whether
>>>that is hardware or the human brain is a potentially very complex design
>>>decision.
>>> Joe
>>
>>Didn't you say that people can not remember pass phrases?
>>And now you refer to the human brain as secure storage?
>
>
> What I said was the people make bad storage devices for large quantities of
> entropy. Each individual has a limit to the amount of entropy they can
> memorize, if each individual can memorize say 120-bits, then each passphrase
> they memorize can only have 120/n bits of entropy (on average) where n is
> the number of passphrases. For a single passphrase this would deliver
> 120-bits of entropy, more than enough to be secure, with 3 passphrase it
> would mean a strength of only 40-bits far below what is needed for security.
> Joe
> Joe
>
>
120 bits seems like a very low limit.
How are you defining this "amount of entropy they can memorize"?
It seems we disagree on memorisation skills.
In article <_swLe.3501$DV3.2648@newssvr17.news.prodigy.com>,
Joseph Ashwood <ashwood@msn.com> wrote:
:What I said was the people make bad storage devices for large quantities of
:entropy. Each individual has a limit to the amount of entropy they can
:memorize, if each individual can memorize say 120-bits, then each passphrase
:they memorize can only have 120/n bits of entropy (on average) where n is
:the number of passphrases.
People routinely remember a fair number of phone numbers and names.
Consider too Jeopardy, Trivial Pursuit, and the large numbers of
fan-memorized baseball and hockey statistics: many people have a -lot- of
memory capacity when they have motivation.
I do not know it to be "fact", but I have read a number of times
that in many pre-literary cultures and cultures with substantial
oral traditions, memorizing large amounts of material "word perfect"
was a routine expectation -- and apparently we have largely lost
that skill through lack of practice.
Still, every year at Fringe Festival time, a hundred troupes come
through my city, with people who have memorized 3/4 hours to 2 hours of
material -- and some of those longer 90 minute to 2 hour shows are solo
performances. Does the School Play tradition still continue, with
children who have a hard time remembering to take out the garbage
turning out to be able to give fine memorized performances?
--
"I will speculate that [...] applications [...] could actually see a
performance boost for most users by going dual-core [...] because it
is running the adware and spyware that [...] are otherwise slowing
down the single CPU that user has today" -- Herb Sutter
> In article <_swLe.3501$DV3.2648@newssvr17.news.prodigy.com>,
> Joseph Ashwood <ashwood@msn.com> wrote:
> :What I said was the people make bad storage devices for large quantities of
> :entropy. Each individual has a limit to the amount of entropy they can
> :memorize, if each individual can memorize say 120-bits, then each passphrase
> :they memorize can only have 120/n bits of entropy (on average) where n is
> :the number of passphrases.
>
> People routinely remember a fair number of phone numbers and names.
> Consider too Jeopardy, Trivial Pursuit, and the large numbers of
> fan-memorized baseball and hockey statistics: many people have a -lot- of
> memory capacity when they have motivation.
>
Let's not overlook religious tracts & prayers, literary masterpieces,
or even languages themselves (with their many overlapping yet disjunct
dialects, spelling rules, etc).
People have an enormous memory capacity. And it can be very exact.
>
> I do not know it to be "fact", but I have read a number of times
> that in many pre-literary cultures and cultures with substantial
> oral traditions, memorizing large amounts of material "word perfect"
> was a routine expectation -- and apparently we have largely lost
> that skill through lack of practice.
>
We are not called upon to remember the "stories" of things, because
we can easily look them up, should we need access to the information.
In days gone by, only those who knew the local oral traditions (and
their related tall tales) had access to the knowledge of "how things
were".
>
> Still, every year at Fringe Festival time, a hundred troupes come
> through my city, with people who have memorized 3/4 hours to 2 hours of
> material -- and some of those longer 90 minute to 2 hour shows are solo
> performances. Does the School Play tradition still continue, with
> children who have a hard time remembering to take out the garbage
> turning out to be able to give fine memorized performances?
>
Children still often outshine their elders in memory skills.
Who remembers the American vice president having his misspellings
corrected by a child? What was his name?
> In article <_swLe.3501$DV3.2648@newssvr17.news.prodigy.com>,
> Joseph Ashwood <ashwood@msn.com> wrote:
>:What I said was the people make bad storage devices for large
>:quantities of entropy. Each individual has a limit to the amount of
>:entropy they can memorize, if each individual can memorize say
>:120-bits, then each passphrase they memorize can only have 120/n bits
>:of entropy (on average) where n is the number of passphrases.
>
> People routinely remember a fair number of phone numbers and names.
> Consider too Jeopardy, Trivial Pursuit, and the large numbers of
> fan-memorized baseball and hockey statistics: many people have a -lot-
> of memory capacity when they have motivation.
>
> I do not know it to be "fact", but I have read a number of times
> that in many pre-literary cultures and cultures with substantial
> oral traditions, memorizing large amounts of material "word perfect"
> was a routine expectation -- and apparently we have largely lost
> that skill through lack of practice.
>
> Still, every year at Fringe Festival time, a hundred troupes come
> through my city, with people who have memorized 3/4 hours to 2 hours
> of material -- and some of those longer 90 minute to 2 hour shows are
> solo performances. Does the School Play tradition still continue, with
> children who have a hard time remembering to take out the garbage
> turning out to be able to give fine memorized performances?
Here is some indication of the upper range of the possible for
memorization. Whether the long-term memory of these folks is as good as
their short-term memory is not clear.
"Walter Roberson" <roberson@ibd.nrc-cnrc.gc.ca> wrote in message
news:ddm7ri$a5q$1@canopus.cc.umanitoba.ca...
> Joseph Ashwood <ashwood@msn.com> wrote:
> :What I said was the people make bad storage devices for large quantities
> of
> :entropy.
> I do not know it to be "fact", but I have read a number of times
> that in many pre-literary cultures and cultures with substantial
> oral traditions, memorizing large amounts of material "word perfect"
> was a routine expectation -- and apparently we have largely lost
> that skill through lack of practice.
I will certainly agree that through practice gains can be made, but I am
skeptical about the ability to remember multiple passphrases with sufficient
entropy for protection, yes 120-bits is probably low, but so is the 3. I
doubt humans have the ability to remember 1000 bits of entropy for long
periods of time, this would be actually more difficult to the average person
than remembering the 17th word spoken by their teacher on the 47th day of
their 3rd year of primary school (although statistically guessing "the"
would have higher probability than most). A more accurate representation
would be to take a look at the average recollection of a person working in a
large office building of their coworker's names. There will be a relatively
small group that is remembered completely, others will simply be "that guy
that always wears green," I believe this is a more accurate reference
because with strong passphrases the user has little to no control over the
actual passphrase and is responsible for memorization only.
> Still, every year at Fringe Festival time, a hundred troupes come
> through my city, with people who have memorized 3/4 hours to 2 hours of
> material -- and some of those longer 90 minute to 2 hour shows are solo
> performances. Does the School Play tradition still continue, with
> children who have a hard time remembering to take out the garbage
> turning out to be able to give fine memorized performances?
Actually I can tell you how that is done, having been a musical performer.
Performers memorize the feel of the piece, certain key sections, and cues
from others; in a solo no one knows if you screw up, working with others
there are a number of other brains that keep a significant portion of the
information. Also if you look there are cheat sheets all over the place on
stage, I was actually known to place the sheet music inside the timpani
where only I would be able to see it, horns (except French Horn) have a
surprising amount of viewable space that only the performer sees, saxophones
often have sheet mounts built into them, etc. There are some that will
memorize everything, but most will semi-improvise, something that will not
exactly reproduce the piece in the sense of the entropy requirement for this
kind of memorization.
Joe
The OP has not said what OS he is on; he has not said whether his
program has permission to use the more-secured areas of the registry
(or only less-secured ones); and he has not said what permissions he
plans to give to his registry keys (so they might be open to everyone).
In the absence of any pertinent information, such as that above, the
prudent advice is to say that anyone might be able to see whatever he
puts in there.
In article <Q0BLe.1132$UA1.93@newssvr30.news.prodigy.com>,
Joseph Ashwood <ashwood@msn.com> wrote:
:I doubt humans have the ability to remember 1000 bits of entropy for long
:periods of time, this would be actually more difficult to the average person
:than remembering the 17th word spoken by their teacher on the 47th day of
:their 3rd year of primary school (although statistically guessing "the"
:would have higher probability than most)
1000 bits of entropy: considering the results of Shannon's
experiments, that would be 500 to 750 characters. Put the
characters in word form using the old "initial letter" rule,
allow injection of some null words for better flow, and the
task is no worse than memorizing 1000 word speech or poem.
Or if one converts the bits into decimal digits, that's about 334
digits to remember, which is not extraordinarily difficult for
anyone who cares to work on it a bit. (I once memorized 1000 digits
of Pi over the course of about 3 days; it wasn't difficult once
I developed a rhythm.)
I don't think 1000 bits is particularly difficult for humans
who [unlike me] exercise their memory skills. Many people memorize lots
of popular songs, or can tell you exactly who starred in a
particular movie. And I'm astonished at the number of people who
refuse to re-read any book they've read before, because they
clearly remember how books go.
--
"I want to make sure [a user] can't get through ... an online
experience without hitting a Microsoft ad"
-- Steve Ballmer [Microsoft Chief Executive]
Michael Brown <see@signature.below> wrote:
> Two methods which don't involve seDebugPrivilege are import
> table modification and SetWindowsHookEx.
If a program opens windows, then it is unsecure. That's nothing new.
> So you can
> do code injection into any process that you start.
Why should one do that? If I create the process myself, I can do anything
inside this or in another process, what this process can do anyway.
Yours,
VB.
Volker Birk wrote:
> Michael Brown <see@signature.below> wrote:
>> Two methods which don't involve seDebugPrivilege are import
>> table modification and SetWindowsHookEx.
>
> If a program opens windows, then it is unsecure. That's nothing new.
Your original claim was that only administrators could monitor file and
registry accesses. I pointed out that this was not the case for ***user-run
processes*** as you could use code injection to achieve these aims. You
replied that code injection required seDebugPrivilege, hence my reply above.
Note that in my reply I deliberately left in the part where I mentioned that
I was talking about user-run processes to avoid losing context.
Note also that you can have an interactive application that is secure from
the interactive user as long as the process is owned by a different user
(and, of course, the attacker does not have admin or seDebugPrivilege
rights, in which case your whole security setup is hosed anyhow).
>> So you can
>> do code injection into any process that you start.
>
> Why should one do that?
If you wanted to, say, log file and registry accesses by that process :)
[...]
--
Michael Brown
Add michael@ to emboss.co.nz ---+--- My inbox is always open
Michael Brown <see@signature.below> wrote:
> > If a program opens windows, then it is unsecure. That's nothing new.
> Your original claim was that only administrators could monitor file and
> registry accesses. I pointed out that this was not the case for ***user-run
> processes*** as you could use code injection to achieve these aims.
You're right here. But what will that tell us?
If I start a program as a user, I can do anything with that program.
So what?
This is not a security related topic, because a user program can do
exactly what all the other user programs can do, say: that, what the
user is allowed to do.
What are you trying to tell?
> You
> replied that code injection required seDebugPrivilege, hence my reply above.
I cannot see any sense in code injection in a non privileged program.
Code injection does make sense into programs, which lead i.e. to
privilege elevation.
> Note that in my reply I deliberately left in the part where I mentioned that
> I was talking about user-run processes to avoid losing context.
I was talking about the postings before also.
> Note also that you can have an interactive application that is secure from
> the interactive user as long as the process is owned by a different user
That's not enough. To prevent message based attacks like i.e. shatter
attacks, it has to run on another desktop, too.
> >> So you can
> >> do code injection into any process that you start.
> > Why should one do that?
> If you wanted to, say, log file and registry accesses by that process :)
And what does that have to do with security?
Yours,
VB.
--
"Almighty Father, who wilt hear the prayer of those that love Thee, we pray
Thee to be with those who brave heights of Thy heaven and who carry the
battle to our enemies. Guard and protect them, we pray Thee, as they fly
the appointed rounds." - Chaplain William Downey, prayer for the Enola Gay.
A well known study of human long term memory can be found in ISBN:
0750917164, 1066 & All That: A Memorable History of England
Jony
urvhqqhmCtvp/fr/lo
"Joseph Ashwood" <ashwood@msn.com> wrote in message
news:Q0BLe.1132$UA1.93@newssvr30.news.prodigy.com...
> "Walter Roberson" <roberson@ibd.nrc-cnrc.gc.ca> wrote in message
> news:ddm7ri$a5q$1@canopus.cc.umanitoba.ca...
>> Joseph Ashwood <ashwood@msn.com> wrote:
>> :What I said was the people make bad storage devices for large quantities of
>> :entropy.
>
>> I do not know it to be "fact", but I have read a number of times
>> that in many pre-literary cultures and cultures with substantial
>> oral traditions, memorizing large amounts of material "word perfect"
>> was a routine expectation -- and apparently we have largely lost
>> that skill through lack of practice.
>
> I will certainly agree that through practice gains can be made, but I am
> skeptical about the ability to remember multiple passphrases with
> sufficient entropy for protection, yes 120-bits is probably low, but so is
> the 3. I doubt humans have the ability to remember 1000 bits of entropy
> for long periods of time, this would be actually more difficult to the
> average person than remembering the 17th word spoken by their teacher on
> the 47th day of their 3rd year of primary school (although statistically
> guessing "the" would have higher probability than most). A more accurate
> representation would be to take a look at the average recollection of a
> person working in a large office building of their coworker's names. There
> will be a relatively small group that is remembered completely, others
> will simply be "that guy that always wears green," I believe this is a
> more accurate reference because with strong passphrases the user has
> little to no control over the actual passphrase and is responsible for
> memorization only.
>
>> Still, every year at Fringe Festival time, a hundred troupes come
>> through my city, with people who have memorized 3/4 hours to 2 hours of
>> material -- and some of those longer 90 minute to 2 hour shows are solo
>> performances. Does the School Play tradition still continue, with
>> children who have a hard time remembering to take out the garbage
>> turning out to be able to give fine memorized performances?
>
> Actually I can tell you how that is done, having been a musical performer.
> Performers memorize the feel of the piece, certain key sections, and cues
> from others; in a solo no one knows if you screw up, working with others
> there are a number of other brains that keep a significant portion of the
> information. Also if you look there are cheat sheets all over the place on
> stage, I was actually known to place the sheet music inside the timpani
> where only I would be able to see it, horns (except French Horn) have a
> surprising amount of viewable space that only the performer sees,
> saxophones often have sheet mounts built into them, etc. There are some
> that will memorize everything, but most will semi-improvise, something
> that will not exactly reproduce the piece in the sense of the entropy
> requirement for this kind of memorization.
> Joe
>
phillipkim1@yahoo.com wrote:
> Hello,
>
> I am in discussions with a vendor regarding the storing of encryption
> keys on systems that exchange information through an application. The
> vendor is advising against storing the keys in the registry and
> suggests hiding them somewhere in the filesystem. They suggest that
> the registry is the first place an attacker would look.
>
> The systems are open to the public internet and web traffic. If the
> keys need to be accessible to the system somewhere locally, which would
> be a better place to store the keys and why? I would think the
> registry would be safer than the file system. Thanks in advance.
This is a problem that has been solved by thousands of web sites that
support SSL connections.
Note: I don't know what the solution is, just that it exists.
Mike Amling <nospam@nospam.com> writes:
> This is a problem that has been solved by thousands of web sites
> that support SSL connections.
> Note: I don't know what the solution is, just that it exists.
Usually on SSL servers, the keys are stored in disk files encrypted by
passphrases. When you start the server, the key file gets loaded into
memory and you type the passphrase. Fancier servers use hardware
modules to hold the keys. It sounds like the OP wants to store secret
keys on desktop Windows machines where the user can't get at them,
which sounds like some kind of DRM application. That's a totally
different set of problems than an SSL server.
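Added example, not part of the thread: a check a server administrator could run over PEM key files to see which private keys are passphrase-encrypted on disk, as the post above describes for SSL servers, and which are stored in the clear. The function names and the sample bundle are constructed for illustration; the base64 bodies are placeholders, not real key material.

```python
import re

# One PEM block: BEGIN line, body, matching END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def classify_pem_keys(text):
    """Return [(label, status)] for each private-key block in text."""
    results = []
    for label, body in PEM_BLOCK.findall(text):
        if not label.endswith("PRIVATE KEY"):
            continue                      # certificate, public key, params
        if label == "ENCRYPTED PRIVATE KEY":
            status = "encrypted"          # PKCS#8 EncryptedPrivateKeyInfo
        elif label == "OPENSSH PRIVATE KEY":
            status = "unchecked"          # cipher name is inside the body
        elif re.match(r"Proc-Type:\s*4,\s*ENCRYPTED", body):
            status = "encrypted"          # legacy OpenSSL PEM encryption
        else:
            status = "plaintext"          # loadable with no passphrase
        results.append((label, status))
    return results

def plaintext_key_count(text):
    """Number of private keys that need no passphrase to load."""
    return sum(1 for _, s in classify_pem_keys(text) if s == "plaintext")

# Constructed sample bundle (placeholder bodies, not real keys).
SAMPLE = """\
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQ=
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Q09OU1RSVUNURUQ=
-----END RSA PRIVATE KEY-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF

Q09OU1RSVUNURUQ=
-----END RSA PRIVATE KEY-----
-----BEGIN ENCRYPTED PRIVATE KEY-----
Q09OU1RSVUNURUQ=
-----END ENCRYPTED PRIVATE KEY-----
"""

if __name__ == "__main__":
    for label, status in classify_pem_keys(SAMPLE):
        print(f"{status:10} {label}")
```

A key reported as "plaintext" is protected only by file permissions, which is the situation the original question is asking about.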
aatcbbtccctc@yahoo.com wrote:
> > > He has not said what OS he is on
> > He told us, there is a "Registry". How many OSes are there, which
> > have one?
> OS's as in win whatever. Eg. win98 (which lots of people still use) has
> no security on the registry. The win98 registry is mainly open for all
> to see.
OK. I will not talk about Win9x and security. This is an Oxymoron.
Yours,
VB.