Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > Bugtraq> 1999_2

Bugtraq archives for 2nd quarter (Apr-Jun) 1999: Re: stored credentials was: Netscape 4.5 vulnerability

Re: stored credentials was: Netscape 4.5 vulnerability

Valdis.KletnieksVT.EDU
Sun, 25 Apr 1999 04:00:02 -0400

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Peter van Dijk: "Re: Outlook 98 allows spoofing internal users"
Previous message: Bo Elkjaer: "Re: Shopping Carts exposing CC data"
In reply to: Jefferson Ogata: "Re: stored credentials was: Netscape 4.5 vulnerability"

On Fri, 23 Apr 1999 17:06:33 EDT, Jefferson Ogata <jogataNODC.NOAA.GOV>  said:
> What if the OS itself maintains a database of randomized encryption keys,
> and allows access to a key only to a binary whose inode and filesystem
> matches the one under which the key was stored. I'm being needlessly
> specific here, but I lack the vocabulary to describe this in more general
> terms.

1) This data must, itself, be stored someplace.  Where, and how?
Obviously, this needs encrypting too. What do you use for a key for THAT?
(Remember, the key has to survive a reboot).

2) Mapping it to inode/filesystem is a Bad Idea.
   2A) You upgrade the product, you lose.
   2B) You restore the filesystem from tape, you lose.
   2C) An attacker finds a way to grab that inode number for himself, you lose.

I won't even get into possible hassles here with symlink confusion,
NFS issues (remember, dickless clients DO exist), and other warts
that we have to deal with in the real world.

				Valdis Kletnieks
				Computer Systems Senior Engineer
				Virginia Tech

Next message: Peter van Dijk: "Re: Outlook 98 allows spoofing internal users"
Previous message: Bo Elkjaer: "Re: Shopping Carts exposing CC data"
In reply to: Jefferson Ogata: "Re: stored credentials was: Netscape 4.5 vulnerability"