Posted by David T. Ashley on 05/01/07 14:44

Thanks for the helpful replies on the other thread. Essentially it was
pointed out that a process with the same UID as the ones writing/reading the
pipes would be able to examine the memory of the pipe writers/readers and
figure out what data had flowed.

Here is my application (and I'd be grateful for any other advice).

I'm incorporating cryptographic FOBs into my PHP-based database application
to enhance login security.

A cryptographic FOB is an electronic device about the size of a keychain
that either displays sequential numbers to be used as one-time passwords or
else can allow you to enter a long number (the challenge) and will generate
a number in response (the reply) to be used as a password.

Here is a page with some photos of similar devices:

http://en.wikipedia.org/wiki/Security_token

The FOB contains a key (typically a 192-bit AES key) that is used for both
sequential one-time password generation and for challenge-reply.

Compromise of the FOB key is equivalent to breaking security (because with
the key one can emulate the FOB). The theory of operation of the FOB is
that one can observe a great many sequential numbers or challenge-response
cycles and the mathematical framework does not exist to use this information
to guess what the FOB will display next or how it will respond to a
different challenge, or to reverse-engineer the key.

The manufacturer of the FOB provides a Linux shared library to use in
authenticating the FOB. The library is essentially a cryptographic math
library. To determine, for example, what the FOB's response to a certain
challenge should be, one would make a call into the library with the FOB key
and the challenge, and the function will return what the FOB should answer.

I am not able to call a shared library directly from PHP. Instead, I have
to write a C program that is called (i.e. exec'd or similar) from PHP and
which uses the shared library.

Because the FOB key is one of the parameters that must be used with the
shared library, it must also be passed from PHP to the compiled C program.
Because the FOB key is so sensitive, the question is how to pass it from PHP
to the compiled program securely.

Passing the information on the command line is clearly not secure, because
program names and command-line parameters are world-visible on a Unix
system.

However, I was thinking that I could use the PHP proc_open() function:

http://us.php.net/manual/en/function.proc-open.php

to pass the information to the compiled C program's stdin and get
information back from stdout securely (without others being able to
eavesdrop).

If I've read everyone's posts correctly, the only security hole is if a
potential attacker could launch another process with the same UID.

I guess also I'd need to wipe memory before the compiled C program
terminates to get rid of any trace of the sensitive information (otherwise
the memory might be discovered by other processes later).

Any other suggestions or thoughts?

Thanks
--
David T. Ashley (dta@e3ft.com)
http://www.e3ft.com (Consulting Home Page)
http://www.dtashley.com (Personal Home Page)
http://gpl.e3ft.com (GPL Publications and Projects)

[Back to original message]