Passing sensitive data over D-Bus

Passing sensitive data over D-Bus

by Milan Bouchet-Valat

Hi all!

In the system-tools-backends/gnome-system-tools, we have long been
encrypting user passwords before sending them over the bus from the GUI
to the privileged backends. But this raises several problems since we're
forced to reimplement in the GUI a password-encryption mechanism that is
not distribution-dependent, which can severely break things. So we'd
like to send the clear-text password to the backends, letting the
standard system tools or PAM itself do what should be done.

Is D-Bus considered secure for this kind of highly sensitive data, when
sender and receiver are on the same host? If not, since SSL encryption
is not supported AFAIK, that would leave us with opening a pipe to pass
the secrets between the GUI and the backend. What do you think of this
solution? Is there a general model for this kind of use case?


Regards

_______________________________________________
dbus mailing list
dbus@...
http://lists.freedesktop.org/mailman/listinfo/dbus

Re: Passing sensitive data over D-Bus

by Thiago Macieira

On Saturday, 7 November 2009, at 15:03:54, Milan Bouchet-Valat wrote:

> Hi all!
>
> In the system-tools-backends/gnome-system-tools, we have long been
> encrypting user passwords before sending them over the bus from the GUI
> to the privileged backends. But this raises several problems since we're
> forced to reimplement in the GUI a password-encryption mechanism that is
> not distribution-dependent, which can severely break things. So we'd
> like to send the clear-text password to the backends, letting the
> standard system tools or PAM itself do what should be done.
>
> Is D-Bus considered secure for this kind of highly sensitive data, when
> sender and receiver are on the same host? If not, since SSL encryption
> is not supported AFAIK, that would leave us with opening a pipe to pass
> the secrets between the GUI and the backend. What do you think of this
> solution? Is there a general model for this kind of use case?
If you're on the system bus (not the user's session bus), then it should be
safe to pass sensitive data over method calls and method replies. Signals are
broadcast, so anyone could listen to them, though.

--
Thiago Macieira - thiago (AT) macieira.info - thiago (AT) kde.org
  Senior Product Manager - Nokia, Qt Development Frameworks
      PGP/GPG: 0x6EF45358; fingerprint:
      E067 918B B660 DBD1 105C  966C 33F5 F005 6EF4 5358


Re: Passing sensitive data over D-Bus

by Milan Bouchet-Valat

On Saturday, 07 November 2009 at 18:22 +0100, Thiago Macieira wrote:
> If you're on the system bus (not the user's session bus), then it should be
> safe to pass sensitive data over method calls and method replies. Signals are
> broadcast, so anyone could listen to them, though.
Thanks for your quick (and positive!) answer. So we'll go this way, our
interfaces will be much clearer. We don't need to send passwords in
signals, obviously, only in method calls.


Regards

Re: Passing sensitive data over D-Bus

by Roberto -MadBob- Guido

On Sat, 2009-11-07 at 18:22 +0100, Thiago Macieira wrote:
> If you're on the system bus (not the user's session bus), then it
> should be
> safe to pass sensitive data over method calls and method replies.
>
Is this due to the system bus being encrypted in some way (which one?) or due
to confidence in the fact that processes need particular privileges to
communicate over this bus?

--
Roberto -MadBob- Guido
http://claimid.com/madbob


Re: Passing sensitive data over D-Bus

by Lennart Poettering-2

On Mon, 09.11.09 23:17, Roberto -MadBob- Guido (bob4mail@...) wrote:

>
> On Sat, 2009-11-07 at 18:22 +0100, Thiago Macieira wrote:
> > If you're on the system bus (not the user's session bus), then it
> > should be
> > safe to pass sensitive data over method calls and method replies.
> >
> Is this due to the system bus being encrypted in some way (which one?) or due
> to confidence in the fact that processes need particular privileges to
> communicate over this bus?

That is simply due to the fact that on Unix systems the user can always
(or actually must) trust the system services.

User code may always trust other code that is run by the same user and
all system services. That means that as long as you exchange your
secrets only via local same-user-owned processes (such as a local session
dbus daemon owned by the same user) or system services (such as a
system dbus daemon) you should be safe.

Or the other way round: it is not a good idea to send secrets across
the network with dbus (since it does not encrypt anything), nor to
pass them on to other (non-system) users.

Lennart

--
Lennart Poettering                        Red Hat, Inc.
lennart [at] poettering [dot] net
http://0pointer.net/lennart/           GnuPG 0x1A015CC4

Re: Passing sensitive data over D-Bus

by Milan Bouchet-Valat

On Monday, 09 November 2009 at 17:50 -0600, Stef Walter wrote:
> In gnome-keyring one of our goals is to keep passwords out of pageable
> memory [1]. Not that this matters for all passwords, but it does matter
> for some.
It does matter for Unix users' passwords, obviously. Though I don't think
anything has ever been done in this direction in the GNOME System Tools.
That's less of a problem than in the keyring, since typically we're only
run once in a while. But that should ideally be done that way, yes.

> In the new Secret Service DBus API, we'll be using DH key agreement for
> encrypting passwords as they pass through DBus, or between processes.
>
> Thought you might be interested. Just one option...
How do you implement that? It would be good to have if we want to allow
the messages to go over the network. That's not a critical feature
because AFAIK that does not really work currently, but it could be good
to have. I'm wondering how complex this is to implement, given that we
have C on one side of the bus, and perl on the other side.


Regards

Re: Passing sensitive data over D-Bus

by Stef Walter

Milan Bouchet-Valat wrote:
> In the system-tools-backends/gnome-system-tools, we have long been
> encrypting user passwords before sending them over the bus from the GUI
> to the privileged backends. But this raises several problems since we're
> forced to reimplement in the GUI a password-encryption mechanism that is
> not distribution-dependent, which can severely break things. So we'd
> like to send the clear-text password to the backends, letting the
> standard system tools or PAM itself do what should be done.

In gnome-keyring one of our goals is to keep passwords out of pageable
memory [1]. Not that this matters for all passwords, but it does matter
for some.

In the new Secret Service DBus API, we'll be using DH key agreement for
encrypting passwords as they pass through DBus, or between processes.

Thought you might be interested. Just one option...

Cheers,

Stef

[1] http://live.gnome.org/GnomeKeyring/SecurityPhilosophy

Re: Passing sensitive data over D-Bus

by Stef Walter

Milan Bouchet-Valat wrote:

> On Monday, 09 November 2009 at 17:50 -0600, Stef Walter wrote:
>> In the new Secret Service DBus API, we'll be using DH key agreement for
>> encrypting passwords as they pass through DBus, or between processes.
>>
>> Thought you might be interested. Just one option...
> How do you implement that? It would be good to have if we want to allow
> the messages to go over the network. That's not a critical feature
> because AFAIK that does not really work currently, but it could be good
> to have. I'm wondering how complex this is to implement, given that we
> have C on one side of the bus, and perl on the other side.

It's somewhat complex, but being that we already link to crypto
libraries, it is relatively easy for gnome-keyring to implement.

It wouldn't work between machines, due to MITM attacks. Essentially
you'd need SSL and certificates when talking over a network.

The reason it works for us (on a single machine) is that we're not
trying to protect against 'active' attacks like MITM [1].

Cheers,

Stef

[1] http://live.gnome.org/GnomeKeyring/SecurityPhilosophy
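
The distinction drawn in the message above, between a passive observer and an active intermediary facing an unauthenticated DH exchange, shown as an added example; it is not part of the original thread and not gnome-keyring's code. The group (1024 bits, kept only for brevity), the SHA-256 key derivation, the fingerprint pinning and all function names are assumptions of the example.

```python
import hashlib
import secrets

# RFC 2409 Second Oakley Group (1024-bit MODP, generator 2); assumed here.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2

def keypair():
    """Return (private, public) for one side of the exchange."""
    priv = secrets.randbelow(P - 3) + 2          # 2 <= priv <= P - 2
    return priv, pow(G, priv, P)

def derive_key(priv, peer_pub):
    """Hash the shared DH value into a 32-byte session key (SHA-256 assumed)."""
    if not 1 < peer_pub < P - 1:                 # reject degenerate values
        raise ValueError("invalid peer public value")
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(128, "big")).digest()

def fingerprint(pub):
    """Digest of a public value that the client learned over a trusted path."""
    return hashlib.sha256(pub.to_bytes(128, "big")).hexdigest()

def derive_key_pinned(priv, peer_pub, pinned_fp):
    """Derive a key only if the peer's value matches the pinned fingerprint."""
    if fingerprint(peer_pub) != pinned_fp:
        raise ValueError("peer public value does not match pinned fingerprint")
    return derive_key(priv, peer_pub)

def passive_case():
    """Public values arrive unmodified, so both ends derive the same key."""
    (c_priv, c_pub), (s_priv, s_pub) = keypair(), keypair()
    return derive_key(c_priv, s_pub) == derive_key(s_priv, c_pub)

def substituted_case():
    """An intermediary replaces both public values with its own m_pub."""
    (c_priv, c_pub), (s_priv, s_pub), (m_priv, m_pub) = keypair(), keypair(), keypair()
    client_key = derive_key(c_priv, m_pub)       # client thinks m_pub is the service
    ends_agree = client_key == derive_key(s_priv, m_pub)
    relay_shares_key = derive_key(m_priv, c_pub) == client_key
    try:                                         # same swap against a pinning client
        derive_key_pinned(c_priv, m_pub, fingerprint(s_pub))
        pinned_rejects = False
    except ValueError:
        pinned_rejects = True
    return ends_agree, relay_shares_key, pinned_rejects
```

Pinning stands in for the certificate check mentioned in the message: the exchange only resists substitution once the client has some independent way to recognise the service's public value.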

Re: Passing sensitive data over D-Bus

by Milan Bouchet-Valat

On Tuesday, 10 November 2009 at 11:48 -0600, Stef Walter wrote:
> It's somewhat complex, but being that we already link to crypto
> libraries, it is relatively easy for gnome-keyring to implement.
>
> It wouldn't work between machines, due to MITM attacks. Essentially
> you'd need SSL and certificates when talking over a network.
>
> The reason it works for us (on a single machine) is that we're not
> trying to protect against 'active' attacks like MITM [1].
Right. So that's not really of interest in my case, because network bus
would have been the only situation where we need it. And I don't think
we want to add another layer of complexity in two different languages to
encrypt our passwords - we've already enough problems to solve.

Thanks anyways for the idea.
