dj3vande@csclub.uwaterloo.ca.invalid 2007-11-28, 7:34 pm

In article <1e4fef27-ef0f-41a7-85dc-6bd345a11fdf@p69g2000hsa.googlegroups.com>,
Benoit Lefebvre <benoit.lefebvre@gmail.com> wrote:
>On Nov 28, 4:17 pm, dj3va...@csclub.uwaterloo.ca.invalid wrote:
>
>It's an RSA ssh key.
>
>My script is calling ssh to do some check on a list of remote systems
>and I don't want the rsa key available on the filesystem or to any
>user.

Who are you trying to hide it from?

If it's just a casual snooper, do some simple reversible transformation
to it (like XORing each character with the result of a known function
like a PRNG with a specified seed), and whatever shows up in the output
of the binary won't be the key you're using.

If you're trying to defend against anything more than a casual snooper,
you need to re-think how you're doing the whole process, because:

>So my program creates a temporary file

as soon as you do this, you've lost if the attacker has bothered to
take a close look at what the program is doing.

Against a determined and intelligent attacker, you have even more to
worry about. Your program has to convert the data into a form it
recognizes somehow (without requiring human intervention, if I'm not
mistaken?), and somebody who's interested enough to run the code under
a debugger will be able to track what it's doing and follow the same
steps to get the information.

dave
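
Added example, not part of the original post: a minimal C sketch of the "XOR with a seeded PRNG" transformation described above, showing that it hides the key marker from a plain string scan while the same routine and seed, both shipped in the binary, restore it. The LCG constants, the function names and the placeholder secret are assumptions chosen for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed placeholder, not a real key. A real build would embed only
   the obfuscated bytes; the plaintext is kept here to check the round trip. */
static const char SAMPLE_SECRET[] =
    "-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n";

/* Fixed LCG so the keystream is the same on every platform
   (rand() sequences differ between C libraries). */
static uint32_t lcg_next(uint32_t *state)
{
    *state = *state * 1664525u + 1013904223u;
    return *state >> 24;                /* use the top byte */
}

/* XOR buf in place with the keystream derived from seed.
   Applying it twice with the same seed gives back the input. */
void xor_stream(unsigned char *buf, size_t len, uint32_t seed)
{
    uint32_t state = seed;
    for (size_t i = 0; i < len; i++)
        buf[i] ^= (unsigned char)lcg_next(&state);
}

/* Binary-safe substring search: 1 if needle occurs in buf, else 0. */
int contains(const unsigned char *buf, size_t len, const char *needle)
{
    size_t n = strlen(needle);
    if (n == 0 || n > len)
        return 0;
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(buf + i, needle, n) == 0)
            return 1;
    return 0;
}

/* Returns 1 when the obfuscated form no longer shows the marker AND a
   second pass with the same seed restores the original bytes. */
int demo_round_trip(uint32_t seed)
{
    unsigned char buf[sizeof SAMPLE_SECRET];
    size_t len = sizeof SAMPLE_SECRET - 1;
    memcpy(buf, SAMPLE_SECRET, sizeof SAMPLE_SECRET);
    xor_stream(buf, len, seed);
    int hidden = !contains(buf, len, "BEGIN RSA");
    xor_stream(buf, len, seed);         /* anyone with the binary can do this */
    return hidden && memcmp(buf, SAMPLE_SECRET, len) == 0;
}
```

Because the seed and the routine live next to the data, this only changes what a string scan of the binary shows; it does nothing about the temporary file or a debugger.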