Rich Freeman on 10 Feb 2018 13:32:00 -0800



Re: [PLUG] encrypting files with expiration


On Sat, Feb 10, 2018 at 4:14 PM, brent timothy saner
<brent.saner@gmail.com> wrote:
> On 02/10/2018 03:45 PM, Rich Freeman wrote:
>
>> I don't think view-once was actually part of the requirements, but
>> again using the trusted viewer software this might be achievable.
>
> per OP:
>
> "... i would like to store the documents so you can't copy and paste --
> *just view once* unlocked. ..." (emphasis added)

Or you could read it as just view *once unlocked*.  That is you can
view it as many times as you want to, but only after you've unlocked
it each time.

I'll leave it up to OP to clarify.

> further, a TPM cannot ensure the unlocked version of this (assuming one
> did implement an encryption policy for said data using something
> hardware-locked like TPM) is not copied elsewhere - not only by email,
> but by other methods.

The TPM ensures that the viewer used to display the file is the one
that was enrolled with the TPM.  You would only enroll a viewer that
is capable of displaying the file without being able to copy it
anywhere/etc.  Creating a PDF viewer that has no save/copy/email
functionality would not be very difficult, and you'd need to ensure
that whatever mechanism is used to display the image on the screen is
not interceptable.

Of course none of this stops you from taking a photo of the screen.  :)

Ultimately the entity responsible for ensuring that stuff isn't copied
isn't the TPM or the software, but the person engineering the
solution.  The TPM is just part of the solution.  However, preventing
the person at the keyboard from doing things undesirable to the
hardware owner is actually the main reason TPMs were invented.
(Obviously with the whole Treacherous Computing thing the "hardware
owner" is a touchy matter...)

> in order to implement half of what you proposed, you're talking about a
> significant rewrite of certain parts of the kernel - not to mention all
> the other supporting userland code.

I'm not sure that much would actually have to be done to the kernel.
Surely protecting a process from other processes is something SELinux
must support?  There might need to be some additions to the kernel - I
wouldn't be surprised if Linus would accept them into mainline if they
were done in a general manner, as he already has accepted much of the
necessary TPM support.

Userland is the main area where support for this stuff is missing.
You'd want an OS that generally supports signature verification
top-down, relying on the TPM module/etc.  That is something I believe
RedHat has already expressed some interest in though I don't think
they're there yet.

My main point is that this is possible, not that it was something the
OP was likely to actually undertake.

> and, as acknowledged, still does not address other key parts of the
> original requirements.

Which parts?

Even if view-once was a requirement I did provide a solution for it.

-- 
Rich
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug