Re: [PLUG] encrypting files with expiration

[Fred Stluka <fred@bristle.com>]

Rita,

I don't think you're going to get the security you want.

Once the data is displayed on the screen, all bets are off.

It can be copied by any screen-capture program, or at least by an
external camera taking a picture of the screen.  Can then also use
OCR to convert the image back to text, if leaking the image is not
bad enough.

--Fred
------------------------------------------------------------------------
Fred Stluka -- Bristle Software, Inc. -- http://bristle.com
Don't be a Trump! -- Make America Honorable Again!
------------------------------------------------------------------------

On 2/10/18 3:39 PM, Rich Freeman wrote:
> On Sat, Feb 10, 2018 at 3:24 PM, Rita <rmorgan466@gmail.com> wrote:
> > i would like to archive sensitive tax documents. i would like to store the
> > documents so you can't copy and paste -- just view once unlocked. set an
> > expiration time once unlocked. are there any tools like that?
> Have people written software that purportedly does this stuff?  Yes.
>
> Is it relatively easy to bypass?  Yes.
>
> With hardware support you can actually get close to something like
> this, assuming you want to only run it on your own hardware, and that
> you don't mind the files becoming inaccessible if the hardware fails.
> I don't think anybody has fully implemented anything like this in FOSS
> (and perhaps not even in non-FOSS).  It is theoretically possible
> though.
>
> The way you would go about it is to use hardware that includes a TPM,
> with TPM support in linux (and your bootloader as well if you don't
> directly boot linux from UEFI).  Together these will populate the PCR
> registers in the TPM during boot.  Then you would run your software
> and the software would request the encryption key for your file from
> the TPM, and once the file is accessed the software would start the
> expiration timer and enforce it.  If any of the software in the chain
> from firmware to your reader software (including the
> bootloader+kernel) were modified in any way the TPM would refuse to
> deliver the key, and the file would be unreadable.  You could use a
> kernel that includes special protections for the process displaying
> the file so that there isn't any way to access its memory.
>
> Again, none of this is implemented, nor would it be terribly easy to
> implement.  My understanding is that windows, android, and chromeos
> include some of the groundwork to allow for remote attestation, though
> it isn't commonly used (and the linux kernel portions are in the
> vanilla kernels).  Most passwordless full-disk encryption software
> uses an approach like this, though they operate a bit lower-level just
> to decrypt the disk and don't enforce timers/etc.
>
> There are some vulnerabilities here:
>
> 1.  If the hardware TPM is defeated your data will be compromised.
> This is not easy to do.
> 2.  If the hardware is damaged, your data will be lost.  You'll need
> some secure backup of your data, and this backup wouldn't have these
> protections.
> 3.  If the trusted version of any of the software
> (firmware/bootloader/kernel/viewer - and any other userspace involved
> like an X server/etc) contains a vulnerability, then that could be
> exploitable.  The scheme above ensures that none of this software is
> modified, but it can't protect against vulnerabilities in the
> unmodified software.
>
> For personal use like you suggest this would be quite an undertaking.
> However, it is certainly possible with the right hardware.

___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug