[Cryptography] SEPTIX A proposal for a Secure Electronic Password Tank for *nIX

Ralf Senderek crypto at senderek.ie
Sun Oct 23 08:32:49 EDT 2022



On Sun, 23 Oct 2022, David Kane-Parry wrote:

> On Sun, Oct 23, 2022 at 1:15 AM Ralf Senderek <crypto at senderek.ie> wrote:
> > I'd like to present my proposal for SEPTIX The Secure Electronic Password Tank for *nIX
> ...
> > So, if you have any comments on my proposal I'd be glad to receive criticism.
> 
> You've clearly put a lot of thought into this, but alas I could not discern your threat model. So that the comments
> to be shared would be most relevant, it'd help to define the specifics of the scenario(s) in which you believe your
> proposal is a sufficient defense. Just as one example, what privileges if any, unauthorized or otherwise, do you
> assume the attacker has?
> 
> - d.

Here is the threat model:

I assume that an attacker is able to run processes on the
computer under the user's UID. This could be achieved by some
malware the user has unintentionally downloaded or accessed.

The privilege separation built into the project shields all
encryption processes and the stored files from these processes.

If the attacker has also compromised the separate user septix
and has access to encrypted key files, the use of the Yubikey
is not under the attacker's control, so that an RSA decryption
is out of reach for the attacker.

This would not be true if there was only the conventional
AES encryption.

I assume that an attacker can access the computer over a network
connection only, so that physical manipulations of the computer
are not considered within this threat model.

The benefits of my proposal, as I see it, are mainly the result of
using the Yubikey for additional entropy and a second layer of
RSA encryption that requires the user's activation of the Yubikey.
This cannot be done remotely over the network connection.

I have already pointed out that a loss (or theft) of the Yubikey
is a fatal risk for availability, if the RSA private key had been
generated in the Yubikey so that no backup is available.
Loading an existing private RSA key onto the Yubikey helps to
ensure a backup.

In short, my proposal aims at being a better way to store secrets
than the usual encrypted file with a bunch of secrets in it, stored
in the user's home directory.

     --ralf

