Skip site navigation (1)Skip section navigation (2) 
Date:      Tue, 8 Mar 2016 10:15:35 +0100
From:      Polytropon <freebsd@edvax.de>
To:        Sergei G <sergeig.public@gmail.com>
Cc:        FreeBSD Questions <freebsd-questions@freebsd.org>
Subject:   Re: is there a secure store associated with user?
Message-ID:  <20160308101535.d191de76.freebsd@edvax.de>
In-Reply-To: <CAFLLzCN%2BYhgCWTrafbPgG5HFY744tqcJeQgORnC6Ui83BDN9uA@mail.gmail.com>
References:  <CAFLLzCNNKZiXVJRYLD=URwhFRfkKo=NhR78cZBH8tOKZPow=kQ@mail.gmail.com> <20160302215421.53c9a7be.freebsd@edvax.de> <CAFLLzCN%2BYhgCWTrafbPgG5HFY744tqcJeQgORnC6Ui83BDN9uA@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help 
First of all, thanks for describing your requirements more precisely.
As it seems, using standard permissions or ACLs is not going to work
for you. But allow me to throw in some further thoughts.

On Tue, 8 Mar 2016 00:23:21 -0800, Sergei G wrote:
> MS DPAPI is secure, because it relies on user's password to encrypt user's
> data store.  However, when windows services are involved, windows service
> control manager (SCM) needs to store user's password, so it can unlock
> DPAPI store when it starts the service.

This somehow invalidates your first sentence. Is the password known
to the service in plain text? Is it _stored_ in plain text? Or does
the service store something like a hash or somehow encrypted password,
and just checks "crypted vs. crypted" instead of "plain vs. plain"
after decrypt?

I won't go into detail about my feelings considering the idea that
a closed source product licensed from an NSA strategic partner can
be regarded "secure" - forgive my tinfoilhatness. ;-)



> Thus, Windows OS has to store a
> form of user's password somewhere...

Exactly - this is one entity knowing the "keys to the kingdom" you
cannot trust. There are good and bad ways how to deal with passwords.
The best way is to not store them at all, the worst way is to store
them in plaintext.



> Our goal is to apply defense in depth and in this case it is a protection
> of CONTENT of a file in case it was downloaded by an attacker.  Standard
> ACL solution does not work, because www user by definition has access to a
> file's content to be able to work with (load it into application memory).
> The file is not meant to be served, but it may be serviced due to a
> vulnerability or misconfiguration.  That's the scenario that we are
> defending against.

Now I understand. You'd still encounter the problem that an attacker
will retrieve the data at a stage where it is _not_ encrypted, and
there definitely is such a stage, i.e., when the data is going to
be used (read or written).

I have something in mind which might not be a solution for you, but
could help develop further ideas:

Imagine the data is stored in a disk image. This image is encrypted,
so if the attacker gets the image, it's of no value. This image is
being mounted (read only or read/write, as needed) and decrypted
"through" a trusted "access layer". Modifications can only happen
at that time. After use, the image is unmounted and therefore
encrypted again. I'm obviously talking about a file system image
plus some kind of PGP layer. I think it is possible to implement
this with "SSH + NFS", or somehow "mount + PGP"...



> One solution could be the deployment of a "security service" providing data
> over a Unix file socket. The "security service" simply returns password to
> the application and application decrypts sensitive data on the fly or uses
> this password to establish DB connection. A direct download of file's
> content would not result in sensitive data exposure.

That would be possible, but again involves the knowledge of the
password (plain?) to possibly untrusted instances.



> The compromise is only possible if attacker gains ability to execute
> arbitrary code as www user and instructs system to connect to "security
> service".  The same is true to DPAPI protection.  If attacker can execute
> arbitrary code as a service user, then he or she can return originally
> protected data in plain text form.

Being able to execute untrusted code basically is GAME OVER,
especially when running with non-trivial system privilege.
It would require that the associated user (corresponding to
the service) is only allowed to execute _one_ verified binary
image.



> In some way this is similar to WSC-DPAPI at the conceptual level.  WSC
> knows the user's password, unlocks user's store and starts application with
> user's context.  This "security service" plays a similar 3rd party role of
> knowing the password and returning it.  Unfortunately, some form of
> application ACL is necessary in this case.

Again, too much "know the password" is involved here. But maybe
this is inevitable for the setting you're describing. In that
case, it would sound possible to implement something like this
in Linux or UNIX. I don't know of a particular program which
does this, but I'd say it's more or less trivial: When access
to a file is requested which is under "user password control",
the service decrypts the file (knowing the required password),
and upon close(), re-encrypts it again.



> Does it make any sense?  Is it too much protection for the payoff?

It's an additional means of security, but no "one size cures
all" approach. Just given the password is "password", "12345",
or "correcthorsebatterystaple", a quick dictionary-based attack
on an extracted encrypted file will reveal the content - and
will confirm that this password is valid for _other_ files
associated with that user...



> Does something like this exist today?

Not that I'm aware of, but still possible.




-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20160308101535.d191de76.freebsd>