Date: Mon, 17 May 1999 09:31:43 -0400 From: Adam Shostack <adam@homeport.org> To: Kris Kennaway <kkennawa@physics.adelaide.edu.au> Cc: Adam Shostack <adam@breakwater.homeport.org>, nr1@ihug.co.nz, freebsd-security@FreeBSD.ORG Subject: Re: secure backup Message-ID: <19990517093143.B2322@weathership.homeport.org> In-Reply-To: <Pine.OSF.4.10.9905171213420.28148-100000@bragg>; from Kris Kennaway on Mon, May 17, 1999 at 12:45:09PM %2B0930 References: <19990516223322.B1851@weathership.homeport.org> <Pine.OSF.4.10.9905171213420.28148-100000@bragg>
next in thread | previous in thread | raw e-mail | index | archive | help
On Mon, May 17, 1999 at 12:45:09PM +0930, Kris Kennaway wrote: | On Sun, 16 May 1999, Adam Shostack wrote: | | > You're worried about errors on the tape, I presume? You could | > pipe the output of pgp through something that does redundant encoding, | > such that errors on the tape are recoverable outside the tape. There | > are some direct tradeoffs that you can find between bloat and | > recoverability; as you add bits, your odds of being able to | > reconstruct increase. | | Pipe the output of dump or tar or whatever you're using through bdes(1). You | don't need the overhead of PGP unless you want a trusted third party to read | the backup without knowing the encryption key. Pass the data through three | rounds of bdes doing an encrypt, decrypt, followed by encrypt (with different | keys, of course) and you've got yourself 3DES, which bdes doesn't seem to do | natively. Make the keys random, and stick those in a PGP file if you like. | | Hmm, there seems to be a void of any general-purpose tools which provide | error-correcting data encoding - but in this case do you really need it? | It'll only multiply the size of your backup, and if you're using a reliable | transport protocol between client and server (i.e. TCP) then this shouldn't be | an issue. If your tape is dropping bits, then it would be a big problem if you | were using it in the normal way (attached to local computer). I suppose the | untrusted server could cause your data stream to be corrupted, but they could | also cause it to never make the tape in the first place. If the tape is unreliable, and you lose a few bits of a plaintext file, you've lost a few bits. If its a few bits of an encrypted and compressed file, you may lose the whole file. | ther server and modify it to nullify ANY authentication measures (easy if this | is a shell script) - so you can't really be sure that no-one else is writing | data onto the tape, only that the data you do write which ends up on the tape | is secure from decryption. No, if you use pgp, you can sign the data on your local (trusted) machine, and only be vulnerable to a DOS attack, not authentication attacks. | In summary, there's only so much you can do if you don't trust the server - | you still have to trust them to provide basic functions like actually writing | your data to the tape. This is correct. Adam -- "It is seldom that liberty of any kind is lost all at once." -Hume To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?19990517093143.B2322>