Patches for SpeakFreely 7.5/Linux for handling of encryption keys

R. A. Hettinga rah at shipwright.com
Tue Apr 22 07:20:32 EDT 2003


--- begin forwarded text


Date: Tue, 22 Apr 2003 00:16:48 +0200 (CEST)
From: Thomas Shaddack <shaddack at ns.arachne.cz>
To: cypherpunks <cypherpunks at lne.com>
Subject: Patches for SpeakFreely 7.5/Linux for handling of encryption
  keys
Sender: owner-cypherpunks at lne.com

In the Linux version, the encryption keys are supplied to the sfspeaker and
sfmike processes as command-line parameters.

This is fundamentally insecure, as the keys are then available for
every user and process that can do "ps -ef" or has /proc access.

Also, it would be beneficial for many settings if the program could read
the keys from an external file. Then the key can be protected on the level
of the filesystem, or even by complete hardware removal when not used (e.g.,
storing the keys on a smartcard, removable USB drive, or a floppy). They
can also be more easily distributed automatically, e.g. by scp.

I wrote some modifications for version 7.5, which solve both problems.
If the key value begins with @, it's interpreted as a file name. After
reading the key value, the parameters accessible via /proc and ps are
overwritten in memory and destroyed. The patches are tested for only the
IDEA encryption, but the code is identical for the other options.

The patches for sfmike and sfspeaker are available from
<http://213.246.91.154/patches/speakfreely/>.

Enjoy. :)

    Shaddack, the Mad Scientist

--- end forwarded text


-- 
-----------------
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
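
The key handling described in the message above, as an added example in C (not the SpeakFreely patch and not code from the original post): an argument beginning with @ is read as a key file, and the argv string is overwritten once the key has been copied. The names load_key and scrub_arg and the 256-byte buffer are assumptions.

```c
/* Added example; load_key() and scrub_arg() are hypothetical names,
 * not functions from the SpeakFreely source. */
#include <stdio.h>
#include <string.h>
/* Zero a string in place; volatile keeps the stores from being elided. */
static void scrub_arg(char *s)
{
    volatile char *p = s;
    while (*p) *p++ = '\0';
}
/* Copy the key named by arg into out, then scrub arg so ps and
 * /proc/<pid>/cmdline stop showing it. "@path" reads the first line
 * of that file. Returns the key length, or -1 on error. */
static int load_key(char *arg, char *out, size_t outlen)
{
    size_t n = 0;
    int ok = 0;
    if (arg == NULL || out == NULL || outlen < 2)
        return -1;
    out[0] = '\0';
    if (arg[0] == '@') {                       /* key file named after '@' */
        FILE *fp = fopen(arg + 1, "r");
        if (fp != NULL && fgets(out, (int)outlen, fp) != NULL) {
            n = strcspn(out, "\r\n");
            /* buffer full with no line end: treat as oversized */
            ok = !(out[n] == '\0' && n == outlen - 1);
            out[n] = '\0';
        }
        if (fp != NULL) fclose(fp);
    } else if ((n = strlen(arg)) < outlen) {   /* key given literally */
        memcpy(out, arg, n + 1);
        ok = 1;
    }
    scrub_arg(arg);                            /* hide key or file name */
    if (!ok || n == 0) {
        scrub_arg(out);                        /* drop any partial key */
        return -1;
    }
    return (int)n;
}

int main(int argc, char **argv)
{
    char key[256];
    int len = (argc > 1) ? load_key(argv[1], key, sizeof key) : -1;
    puts(len < 0 ? "no usable key" : "key loaded, argv[1] scrubbed");
    if (len > 0) scrub_arg(key);               /* wipe the copy after use */
    return len < 0;
}
```

Overwriting argv only shortens the exposure: a literal key is visible to ps and /proc from exec until the scrub runs, whereas with the @file form only the file name is ever on the command line.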


