Unix security additions

Clifford C. Skolnick cliffs at gaffa.East.Sun.COM
Fri Apr 19 04:12:41 AEST 1991 

In article <1991Apr18.042212.11738 at Think.COM> barmar at think.com (Barry Margolin) writes:
>In article <6783 at awdprime.UUCP> Tony Sanders <sanders at cactus.org> writes:
>>What if the backup/restore utilities on the "secure" system used an
>>encryption scheme before writting to tape (like dump|crypt|dd of=/dev/mt,
>
>If the people you're trying to protect against are the operators, this
>isn't much of a solution, since they have to know the password in order to
>do the backups and restores.
>--
>Barry Margolin, Thinking Machines Corp.
>
>barmar at think.com
>{uunet,harvard}!think!barmar

If you wrote your own crypt "like" program this would not be true.
Basically you could have a "mycrypt" and "myuncrypt" function.  You
would just have to protect the "myuncrypt" program and you will be all
set.

Optionally you could put the encryption in the device driver so
that only that driver could read the tapes again.  This is a bit
overboard unless you are really paranoid.

Either of these schemes would also help the problem of keeping backups
both off-site and secure.  Even if the "ememy" gets the tapes, he
will need to decrypt them first.  I guess this is not such a bad
idea.

Hmm, psuedo tape device driver with encyption.  Set the password via and
ioctl().  Encrypt all data in or out.  It would not even be that hard.

Of course the real enemy is reading all packets of the ethernet and
saving the good stuff.  Some idiot left a set of OS tapes which
he booted from and got root access to his workstation.  He also knew
enought to build himself a new kernel and add in NIT or whatever
support he needed to create his own version of a sniffer.

If it ain't one thing it's another.  UNIX and security is a
fine art, of which few people have a true understanding.


Cliff
--
Cliff Skolnick | "When routine life's hard, and inhibitions are low, and
cliffs at sun.com | resentment lies hide, but emotions run through, and we're
(716) 385-5049 | changing our ways, taking different roads.  Love, love
I think. I am. | will tear us apart, again." -- Joy Division

More information about the Comp.unix.internals mailing list