From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: Roberto Sassu <roberto.sassu@polito.it>
Cc: linux-security-module@vger.kernel.org, keyrings@linux-nfs.org,
linux-crypto@vger.kernel.org, David Howells <dhowells@redhat.com>,
David Safford <safford@watson.ibm.com>,
Rajiv Andrade <srajiv@linux.vnet.ibm.com>,
Mimi Zohar <zohar@us.ibm.com>
Subject: Re: [RFC][PATCH 4/4] keys: add new key-type encrypted
Date: Wed, 29 Sep 2010 09:43:38 -0400 [thread overview]
Message-ID: <1285767818.3213.46.camel@localhost.localdomain> (raw)
In-Reply-To: <201009291440.59445.roberto.sassu@polito.it>
On Wed, 2010-09-29 at 14:40 +0200, Roberto Sassu wrote:
> On Wednesday, September 29, 2010 01:57:36 pm Mimi Zohar wrote:
> > On Wed, 2010-09-29 at 12:00 +0200, Roberto Sassu wrote:
> > > When a new encrypted key is created through the keyctl utility, the master
> > > key specified is not searched in the keyring and the operation is performed even
> > > if it is missing.
> >
> > Yes, and why is this a problem? After creating a new key, the first
> > thing done should be to save it. At that point, you'd find out the
> > master-key doesn't exist, requiring you to either load it or change the
> > master-key name using 'keyctl update'.
> >
>
> I think the master key verification is important at least for one reason:
> i suppose to have one encrypted key which depends on a trusted key unsealed
> during the boot process.
Yes, this would be the normal scenario - decrypting the encrypted key
with a trusted key.
> If the former key is present in the keyring, this does not mean
> that the platform is in a good status (condition required for the unsealing),
> since an attacker can generate another encryption key with the same name that
> may be used by users to encrypt their personal data.
True, the existence of an encrypted key with the expected name does not
imply anything about the key. However, using this 'fake' key will fail
to decrypt anything already encrypted with the real key. I'm not clear
how requiring the existence of the master-key prevents creating a 'fake'
key.
> The create check is probably wrong, what i mean is that key generation is an
> administrative task and trusted and encrypted keys should be usable only after
> decryption with the key they depend to.
I understand your concern, but checking the existence of the master-key
at creation doesn't imply that it will exist later, when needed to save
the new key. So immediately after creating a new key, it's important to
save both the master-key and the encrypted key.
Mimi
prev parent reply other threads:[~2010-09-29 13:43 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-09-28 18:36 [RFC][PATCH 0/4] keys: trusted and encrypted keys Mimi Zohar
2010-09-28 18:36 ` [RFC][PATCH 1/4] lib: hex2bin converts ascii hexadecimal string to binary Mimi Zohar
2010-09-29 12:11 ` David Howells
2010-09-29 13:51 ` Mimi Zohar
2010-09-28 18:36 ` [RFC][PATCH 2/4] key: add tpm_send command Mimi Zohar
2010-09-28 18:36 ` [RFC][PATCH 3/4] keys: add new trusted key-type Mimi Zohar
2010-09-28 18:36 ` [RFC][PATCH 4/4] keys: add new key-type encrypted Mimi Zohar
2010-09-29 10:00 ` Roberto Sassu
2010-09-29 11:57 ` Mimi Zohar
2010-09-29 12:40 ` Roberto Sassu
2010-09-29 13:43 ` Mimi Zohar [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1285767818.3213.46.camel@localhost.localdomain \
--to=zohar@linux.vnet.ibm.com \
--cc=dhowells@redhat.com \
--cc=keyrings@linux-nfs.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=roberto.sassu@polito.it \
--cc=safford@watson.ibm.com \
--cc=srajiv@linux.vnet.ibm.com \
--cc=zohar@us.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.