Passing sensitive data over D-Bus

Stef Walter stef-list at memberwebs.com
Tue Nov 10 09:48:04 PST 2009


Milan Bouchet-Valat wrote:
> On Monday, 09 November 2009 at 17:50 -0600, Stef Walter wrote:
>> In the new Secret Service DBus API, we'll be using DH key agreement for
>> encrypting passwords as they pass through DBus, or between processes.
>>
>> Thought you might be interested. Just one option...
> How do you implement that? It would be good to have if we want to allow
> the messages to go over the network. That's not a critical feature
> because AFAIK that does not really work currently, but it could be good
> to have. I'm wondering how complex this is to implement, given that we
> have C on one side of the bus, and Perl on the other side.

It's somewhat complex, but being that we already link to crypto
libraries, it is relatively easy for gnome-keyring to implement.

It wouldn't work between machines, due to MITM attacks. Essentially
you'd need SSL and certificates when talking over a network.

The reason it works for us (on a single machine) is that we're not
trying to protect against 'active' attacks like MITM [1].

Cheers,

Stef

[1] http://live.gnome.org/GnomeKeyring/SecurityPhilosophy
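
The distinction drawn in the message above between passive observation and active MITM, as an added example that is not part of the original post and is not gnome-keyring or Secret Service code. The group, the SHA-256 key derivation and all function names are assumptions made for the illustration.

```python
import hashlib
import secrets

# Demo-sized group (assumption): 2**127 - 1 is prime but far too small for
# real use. A real deployment uses a much larger standardised group.
P = 2**127 - 1
G = 3

def keypair():
    """Return (private, public) for one DH participant."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def session_key(priv, peer_pub):
    """Derive a 16-byte key from the shared secret (SHA-256 is an assumption)."""
    if not 1 < peer_pub < P - 1:
        raise ValueError("peer public value out of range")
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()[:16]

def exchange(rewrite=None):
    """Run one client/service key agreement.

    rewrite=None models the single-machine case: an observer may read the
    public values but cannot change them. A callable models a network path
    on which public values can be replaced in transit.
    """
    c_priv, c_pub = keypair()
    s_priv, s_pub = keypair()
    seen_by_client = rewrite(s_pub) if rewrite else s_pub
    seen_by_service = rewrite(c_pub) if rewrite else c_pub
    return {
        "client_key": session_key(c_priv, seen_by_client),
        "service_key": session_key(s_priv, seen_by_service),
        "service_pub": s_pub,
        "seen_by_client": seen_by_client,
    }

def peer_is_authentic(result):
    """What a certificate adds: compare the received public value with the
    service's real one, learned over a channel the path cannot alter."""
    return result["seen_by_client"] == result["service_pub"]

if __name__ == "__main__":
    r = exchange()
    print("unmodified path, keys agree:", r["client_key"] == r["service_key"])
```

Plain DH has no step equivalent to `peer_is_authentic`, which is the gap SSL and certificates fill on a network.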

