Bugtraq mailing list archives

Re: Xwindows security?


From: kinch () julian uwo ca (Dave Kinchlea)
Date: Wed, 11 Jan 1995 14:10:15 -0500 (EST)


On Wed, 11 Jan 1995, Rens Troost wrote:
> Jon> encrypted system (like say krb5) could be much better if done
>
> Yeah, clearly. kerberos is so heavyweight, though that few sites end
> up installing it. Perhaps a pgp-based thing would catch on more. No
> gnarly key distribution architecture needed.

I have been thinking hard along these lines and I *think* it can be done but I
can't think of any way of ensuring that some human being (system
administrator or not) will be able to read the pass-phrase and/or secret
key via delving into /dev/[k]mem. The only possible way that I can think
of is to have the pgp `device' be completely external but physically
connected to the machine (presumably chained into the ethernet
connection). What you then `trust' is the pgp device which will encrypt
all outgoing traffic appropriately and decrypt all incoming traffic (that
it can). The host cannot be involved, if Unix is in charge anyway. 

It is *essential* that the theoretical pgp device be able to detect any 
physical and virtual snooping -- that pass phrase/secret key must not ever 
be known to anyone, including the manufacturer and the system 
admins/owners of the machine it is connected to. Once a physical snoop is 
detected, the pass phrase/secret key is wiped from existence. It must be  
guaranteed that a virtual snoop is not possible (ie: there is 
no way to communicate with the device, it is a simple function. Of 
course, that begs the question of how to obtain verification of keys -- I 
said I was thinking hard, I didn't say I have come up with the answer 
;-() else denial of service attacks would run rampant.

The device is part of the *machine*, not IP number, thus you continue to 
use existing protocols for `trusted hosts' but rather than ethernet 
numbers as listed in DNS tables, `trusted pgp public keys' would be used 
to verify the information. Packets could then be encrypted and signed for 
privacy or simply signed for authentication. As long as the device stays 
physically connected to that machine, it verifies that machine, remove it 
and you must generate a new key for that device (it doesn't necessarily 
have to stop working, it is just necessary to purge all traces of the 
pass phrase/secret key once compromised).

Can such a device be built? Does this make any sense at all?

kinch

ps: this is probably not appropriate for bugtraq, sorry.
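
The trust model proposed in the message above, as an added example that is not part of the original post: a trusted-hosts table keyed on device public keys instead of addresses, with the key wiped when tampering is detected. Ed25519 from Go's standard library stands in for PGP, and the names Device, TrustedHosts, Tamper and "hostA" are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Device stands in for the external box: the private key lives only here.
type Device struct{ priv ed25519.PrivateKey }

// NewDevice generates a key pair inside the device and exports only the public half.
func NewDevice() (*Device, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	return &Device{priv: priv}, pub
}

// Sign authenticates an outgoing packet; it fails once the key has been purged.
func (d *Device) Sign(packet []byte) ([]byte, error) {
	if d.priv == nil {
		return nil, fmt.Errorf("key purged: device must be re-keyed")
	}
	return ed25519.Sign(d.priv, packet), nil
}

// Tamper models a detected physical snoop: overwrite the key, then drop it.
func (d *Device) Tamper() {
	for i := range d.priv {
		d.priv[i] = 0
	}
	d.priv = nil
}

// TrustedHosts maps a machine name to its device's public key (not an address).
type TrustedHosts map[string]ed25519.PublicKey

// Verify accepts a packet only if the claimed machine's listed key signed it.
func (t TrustedHosts) Verify(claimed string, packet, sig []byte) bool {
	pub, ok := t[claimed]
	return ok && ed25519.Verify(pub, packet, sig)
}

func main() {
	dev, pub := NewDevice() // "hostA" and the packet below are constructed samples
	sig, _ := dev.Sign([]byte("constructed packet"))
	fmt.Println(TrustedHosts{"hostA": pub}.Verify("hostA", []byte("constructed packet"), sig))
}
```

A packet signed by any other device, or altered after signing, fails Verify even when it claims to come from a listed machine.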


