[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: DSA GnuPG signatures

From: Vladimir 'φ-coder/phcoder' Serbinenko
Subject: Re: DSA GnuPG signatures
Date: Wed, 03 Apr 2013 16:34:42 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:10.0.12) Gecko/20130116 Icedove/10.0.12

On 31.01.2013 13:49, Andrey Borzenkov wrote:

> В Fri, 11 Jan 2013 21:54:22 +0100
> Vladimir 'φ-coder/phcoder' Serbinenko <address@hidden> пишет:
>> Hello, all. I've just committed import of libgcrypt and implementation
>> of related code to check signatures. Short usage:
>> verify_detached FILE FILE.sig [pubkey.gpg]
>> trust KEY.gpg
>> distruct KEYID
>> check_signatures=[enforce|no]
>> grub-mkimage -k KEY gcry_dsa verify [...]
>> When check_signatures=enforce every time anthing tries to open a file
>> its signature (file.sig) is looked for and the open fails if signature
>> is absent or invalid.
> There is no protection against file modification after signature was
> verified. Is it intentional (i.e. it is not considered as viable
> threat)?

That is indeed a problem.

> One possibility is to cache file in memory on first open,
> which ensures it cannot be modified externally.

Possible but works only on relatively small files. For bigger files we
need to make a chunk hash list. I'll add the easy part now and if ever
needed we can add more difficult part as well.

>> Some limitations:
>> 1) DSA keys only. RSA is more tricky since it needs padding and RSA
>> should be progressively phased out, not put into new places due to some
>> vulnerabilities (large classes of semiprimes are factorisable up to the
>> point when a lot of care has to be taken to avoid them).
>> 2) Not efficient. Checking every file is slow. Some hashlists should be
>> implemented.
>> 3) Not efficient. File is read twice though it's avoidable in many cases.
> _______________________________________________
> Grub-devel mailing list
> address@hidden

Attachment: signature.asc
Description: OpenPGP digital signature

reply via email to

[Prev in Thread] Current Thread [Next in Thread]