Re: Basic interface for key management in reiser4 (DRAFT)

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Gregory Maxwell <gmaxwell@gmail.com>
To: Hans Reiser <reiser@namesys.com>
Cc: Edward Shishkin <edward@namesys.com>,
	Reiserfs developers mail-list <Reiserfs-Dev@namesys.com>,
	Reiserfs List <reiserfs-list@namesys.com>,
	Nate Diller <ndiller@namesys.com>
Subject: Re: Basic interface for key management in reiser4 (DRAFT)
Date: Fri, 19 Aug 2005 03:16:09 -0400	[thread overview]
Message-ID: <e692861c05081900162985adbc@mail.gmail.com> (raw)
In-Reply-To: <43056B7E.6030500@namesys.com>

On 8/19/05, Hans Reiser <reiser@namesys.com> wrote:
> I think it would make sense to put the keys as files in /proc:
> e.g.
> touch  /proc/1/keys/private/"0893410984328098094321"
> would give init (aka process with id of 1) a new key that its children
> would not inherit
> touch  /proc/1/keys/inheritable/"1893410984328098094321"
> would give init a new key that is children WOULD inherit.
> 
> Not sure what the permissions on that keys directory would be, I guess 700.

Eh, that would make leaks of key information easy..  Since most
applications don't assume that something visable in a file name could
be highly confidential information. :)

Better to have the file in proc be an abbriviated keyid (some kind of
smaller lossy hash of the key). To add you might echo "label:real key
data" > /proc/1/keys/private/keys, and a file would appear named
/proc/1/keys/private/label-123abcd which is a user defined label and
the hash.

Under no condition should a process be able to actually read the key
data.. they can get the ID.. delete keys based on IDs.. etc. But they
can't get the data.. otherwise a process could steal keys. If I take
away a processes key from proc, there should be no way for it to get
any further access to those files.. no chance that it could have
hidden away a copy of that key.

On 8/19/05, Hans Reiser <reiser@namesys.com> wrote:
> I think it would make sense to put the keys as files in /proc:
> 
> e.g.
> touch  /proc/1/keys/private/"0893410984328098094321"
> would give init (aka process with id of 1) a new key that its children
> would not inherit
> 
> touch  /proc/1/keys/inheritable/"1893410984328098094321"
> would give init a new key that is children WOULD inherit.
> 
> Not sure what the permissions on that keys directory would be, I guess 700.
> 
> Hans
> 
> Gregory Maxwell wrote:
> 
> >On 8/18/05, Hans Reiser <reiser@namesys.com> wrote:
> >
> >
> >>but the idea is to use keys instead of standard unix permissions....
> >>
> >>I think you need to store keys in a per process place, and allow
> >>specifying whether children of a process inherit the keys somehow.
> >>
> >>
> >
> >Oh, slick!
> >
> >I did not previously catch what the advantage would be to using crypto
> >in the FS rather than just a crypted block device... minus some non
> >critical niceties (like being able to use a random & per file IV is
> >good from a security perspective.).
> >
> >Now I see what is possible, and I'm really excited.
> >
> >It will be interesting to see how a system with many keys performs..
> >most fast implementations of most crypto algs need a computationally
> >expensive key setup which produces a fairly large working set of
> >constants for encryption/decryption.
> >
> >With a per process structure there should be a way to revoke all
> >instances of a key from all the other running processes that carry
> >it.. or at least all processes of a specific user. Otherwise it will
> >be too easy to accidental leave keys laying around.
> >
> >This per process crypto in the FS fits very nicely with a lot of the
> >other recent security advances in the Linux world.
> >
> >Thanks for something new and exciting to talk about with my Linux
> >using friends! :)
> >
> >
> >
> >
> 
>

next prev parent reply	other threads:[~2005-08-19  7:16 UTC|newest]

Thread overview: 13+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2005-08-17 14:50 Basic interface for key management in reiser4 (DRAFT) Edward Shishkin
2005-08-17 19:52 ` Hans Reiser
2005-08-18 18:33   ` Edward Shishkin
2005-08-19  0:30     ` Hans Reiser
2005-08-19  4:18       ` Gregory Maxwell
2005-08-19  5:17         ` Hans Reiser
2005-08-19  7:16           ` Gregory Maxwell [this message]
2005-08-19 14:56             ` Edward Shishkin
2005-08-19 11:43         ` Edward Shishkin
2005-08-19 14:48           ` Gregory Maxwell
2005-08-19 10:45       ` Edward Shishkin
2005-08-23 15:48       ` Edward Shishkin
2005-08-24  0:52         ` Hans Reiser

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=e692861c05081900162985adbc@mail.gmail.com \
    --to=gmaxwell@gmail.com \
    --cc=Reiserfs-Dev@namesys.com \
    --cc=edward@namesys.com \
    --cc=ndiller@namesys.com \
    --cc=reiser@namesys.com \
    --cc=reiserfs-list@namesys.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.