From owner-freebsd-questions@freebsd.org Tue Mar 8 09:15:40 2016 Return-Path: Delivered-To: freebsd-questions@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 9701CAC2DA0 for ; Tue, 8 Mar 2016 09:15:40 +0000 (UTC) (envelope-from freebsd@edvax.de) Received: from mx02.qsc.de (mx02.qsc.de [213.148.130.14]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 36945DDF for ; Tue, 8 Mar 2016 09:15:39 +0000 (UTC) (envelope-from freebsd@edvax.de) Received: from r56.edvax.de (port-92-195-185-40.dynamic.qsc.de [92.195.185.40]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mx02.qsc.de (Postfix) with ESMTPS id B764B2769F; Tue, 8 Mar 2016 10:15:36 +0100 (CET) Received: from r56.edvax.de (localhost [127.0.0.1]) by r56.edvax.de (8.14.5/8.14.5) with SMTP id u289FZ89003041; Tue, 8 Mar 2016 10:15:35 +0100 (CET) (envelope-from freebsd@edvax.de) Date: Tue, 8 Mar 2016 10:15:35 +0100 From: Polytropon To: Sergei G Cc: FreeBSD Questions Subject: Re: is there a secure store associated with user? Message-Id: <20160308101535.d191de76.freebsd@edvax.de> In-Reply-To: References: <20160302215421.53c9a7be.freebsd@edvax.de> Reply-To: Polytropon Organization: EDVAX X-Mailer: Sylpheed 3.1.1 (GTK+ 2.24.5; i386-portbld-freebsd8.2) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 08 Mar 2016 09:15:40 -0000 First of all, thanks for describing your requirements more precisely. As it seems, using standard permissions or ACLs is not going to work for you. But allow me to throw in some further thoughts. On Tue, 8 Mar 2016 00:23:21 -0800, Sergei G wrote: > MS DPAPI is secure, because it relies on user's password to encrypt user's > data store. However, when windows services are involved, windows service > control manager (SCM) needs to store user's password, so it can unlock > DPAPI store when it starts the service. This somehow invalidates your first sentence. Is the password known to the service in plain text? Is it _stored_ in plain text? Or does the service store something like a hash or somehow encrypted password, and just checks "crypted vs. crypted" instead of "plain vs. plain" after decrypt? I won't go into detail about my feelings considering the idea that a closed source product licensed from an NSA strategic partner can be regarded "secure" - forgive my tinfoilhatness. ;-) > Thus, Windows OS has to store a > form of user's password somewhere... Exactly - this is one entity knowing the "keys to the kingdom" you cannot trust. There are good and bad ways how to deal with passwords. The best way is to not store them at all, the worst way is to store them in plaintext. > Our goal is to apply defense in depth and in this case it is a protection > of CONTENT of a file in case it was downloaded by an attacker. Standard > ACL solution does not work, because www user by definition has access to a > file's content to be able to work with (load it into application memory). > The file is not meant to be served, but it may be serviced due to a > vulnerability or misconfiguration. That's the scenario that we are > defending against. Now I understand. You'd still encounter the problem that an attacker will retrieve the data at a stage where it is _not_ encrypted, and there definitely is such a stage, i.e., when the data is going to be used (read or written). I have something in mind which might not be a solution for you, but could help develop further ideas: Imagine the data is stored in a disk image. This image is encrypted, so if the attacker gets the image, it's of no value. This image is being mounted (read only or read/write, as needed) and decrypted "through" a trusted "access layer". Modifications can only happen at that time. After use, the image is unmounted and therefore encrypted again. I'm obviously talking about a file system image plus some kind of PGP layer. I think it is possible to implement this with "SSH + NFS", or somehow "mount + PGP"... > One solution could be the deployment of a "security service" providing data > over a Unix file socket. The "security service" simply returns password to > the application and application decrypts sensitive data on the fly or uses > this password to establish DB connection. A direct download of file's > content would not result in sensitive data exposure. That would be possible, but again involves the knowledge of the password (plain?) to possibly untrusted instances. > The compromise is only possible if attacker gains ability to execute > arbitrary code as www user and instructs system to connect to "security > service". The same is true to DPAPI protection. If attacker can execute > arbitrary code as a service user, then he or she can return originally > protected data in plain text form. Being able to execute untrusted code basically is GAME OVER, especially when running with non-trivial system privilege. It would require that the associated user (corresponding to the service) is only allowed to execute _one_ verified binary image. > In some way this is similar to WSC-DPAPI at the conceptual level. WSC > knows the user's password, unlocks user's store and starts application with > user's context. This "security service" plays a similar 3rd party role of > knowing the password and returning it. Unfortunately, some form of > application ACL is necessary in this case. Again, too much "know the password" is involved here. But maybe this is inevitable for the setting you're describing. In that case, it would sound possible to implement something like this in Linux or UNIX. I don't know of a particular program which does this, but I'd say it's more or less trivial: When access to a file is requested which is under "user password control", the service decrypts the file (knowing the required password), and upon close(), re-encrypts it again. > Does it make any sense? Is it too much protection for the payoff? It's an additional means of security, but no "one size cures all" approach. Just given the password is "password", "12345", or "correcthorsebatterystaple", a quick dictionary-based attack on an extracted encrypted file will reveal the content - and will confirm that this password is valid for _other_ files associated with that user... > Does something like this exist today? Not that I'm aware of, but still possible. -- Polytropon Magdeburg, Germany Happy FreeBSD user since 4.0 Andra moi ennepe, Mousa, ...