
passing information via network via gpg

Hi people,

I'm not really sure if I should be posting this to this list - please
don't flame me *too* much if you think I shouldn't... ;-)

I had this idea a while back about setting up a program that listens
on one port and then when a connection comes in, negotiates for another
and listens on that, and then negotiates for another, passing everything
through gpg with pre-defined keys. Eventually, enough 'trust' is built
so that the 'charge' is passed to the client.

IMO, the advantages of this are based on the fact that i) as there are
lots of Syn,Syn/Ack,Acks going on, a traffic sniffer will get more
confused (plus all the packets will look the same as they're all gpg
encrypted); ii) attacking the initial port will reveal nothing;
iii) the port used to send sensitive information is only open briefly;
iv) no public keys are passed - they have to be pre-setup.

Anyway, it's now coded and available at namkas.com/ncgpg/

As the people on this list seem to know a damn sight more about security
than me, I was kinda hoping that some of you might be able to take a
look and tell me your opinion on it - I'm not really sure who else to
turn to. It works currently, and I think is fairly secure, but I'm not
sure about i) the security of nc and ii) how to avoid putting the gpg
passphrase in the process list when encrypting text (see the code).

Hope this isn't too out of place on this list...

Thank you,



Matthew Sackman

The contents of this email are intended for the indicated recipient(s)
only. This may or may not be indicated in the above email as it is
enormously easy to fake email addresses (see the relevant RFCs).

For security reasons this email is likely to be gnupg signed. On the
other hand it may not be if I forgot to do so. In any case, if you
are reading this on a Windows based computer then there was no point
in me doing so (provided that I remembered) as your computer is most
likely being used by yourself and 2.8 other people at the same time
(normally without your consent).

No responsibility will be accepted by anyone for any of the contents
of this email. So tough. If in doubt, go compile Mozilla.

Attachment: pgpjjxK8KbZ5Q.pgp
Description: PGP signature
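
The process-list concern raised in the message above, shown as an added example that is not part of the original post or of the ncgpg code: a secret passed as a command-line argument is readable from the process list, while one handed over on a file descriptor (the mechanism behind gpg's `--passphrase-fd`) is not. The passphrase, the stand-in child process and the function names are constructed for illustration; the check assumes a readable `/proc` or a working `ps`.

```shell
#!/bin/sh
# Added example: constructed passphrase, stand-in child process. Not ncgpg code.

# show_argv PID: print the command line any local user can read for PID.
show_argv() {
    if [ -r "/proc/$1/cmdline" ]; then tr '\0' ' ' < "/proc/$1/cmdline"
    else ps -o args= -p "$1"; fi
}

# leaks_secret MODE SECRET: start a stand-in child that is handed SECRET as an
# argument (MODE=argv, like gpg --passphrase) or on file descriptor 3
# (MODE=fd, like gpg --passphrase-fd 3). Returns 0 if SECRET shows up in the
# child's command line, 1 if it does not.
leaks_secret() {
    mode=$1 secret=$2
    if [ "$mode" = argv ]; then
        sh -c 'sleep 3; :' standin --passphrase "$secret" >/dev/null 2>&1 &
    else
        # The here-document is written by the shell itself, so the secret
        # never appears in any process's argument vector.
        sh -c 'read -r p <&3; sleep 3; :' standin --passphrase-fd 3 \
            >/dev/null 2>&1 3<<EOF &
$secret
EOF
    fi
    pid=$!
    sleep 1    # let the child exec before inspecting it
    if show_argv "$pid" | grep -qF -- "$secret"; then rc=0; else rc=1; fi
    kill "$pid" 2>/dev/null || :
    wait "$pid" 2>/dev/null || :
    return "$rc"
}

# The same pattern with gpg: the passphrase file (mode 0600) is opened by the
# shell on fd 3. GnuPG 2.1 and later also need --pinentry-mode loopback.
# usage: gpg_sign_encrypt RECIPIENT PASSFILE < plaintext > ciphertext
gpg_sign_encrypt() {
    gpg --batch --pinentry-mode loopback --passphrase-fd 3 \
        --sign --encrypt --recipient "$1" 3< "$2"
}

for m in argv fd; do
    if leaks_secret "$m" 'constructed-passphrase'; then
        echo "$m: passphrase visible in the process list"
    else
        echo "$m: passphrase not visible in the process list"
    fi
done
```

Piping the passphrase from an external command such as `/bin/echo` would move the leak into that command's arguments, which is why the example feeds the descriptor from a here-document or a file.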
