Re: Automate GPG or PGP to make an .exe

"TC" <aatcbbtccctc@yahoo.com> writes:
> The OP might give the file to the recipient directly, on a USB key. Or
> he might send it through a trusted friend. Or he might post the file to
> a website that he created for that purpose, 5 minutes ago. Or he might
> put it on a free image site. Or send it through the mail, on diskette.
> Or post it to sendyourfiles.com. Or leave it on a disk inside the
> second book to the left of the right-hand shelf. Or use any of 50
> thousand ways of pasing files to people.

Yes, and the OP has decided that the file needs encryption, because of
a concern about attackers intercepting it and reading its contents.
Why on EARTH should anyone assume that an attacker willing to go to
the trouble of intercepting the file and reading it, won't also be
willing to tamper with it? Especially since this sounds like some
kind of production setup, where the operation will be repeated many
times using some kind of regular procedure, so the attacker can plan
ahead and gets many opportunities.

Here are two ways to move sensitive data around:

1) without encryption, for example normal email and phone calls. This
relies on the transport security to prevent interception and
tampering. It's good enough for most purposes, but the OP has already
decided that this particular application needs encryption.

2) With encryption and authentication, to safeguard against
interception and tampering without having to rely on the transport layer.

You seem to think the OP's data is in some kind of middle ground
between 1 and 2, like maybe 1.5, so it needs to be safeguarded against
interception but not against tampering. Such a middle ground might
exist sometimes, but it's pretty narrow.

One of the biggest and most common mistakes newbies around here make
is encrypting stuff without authenticating it. You're no different.
If your suggested methods of moving the file were so secure against
tampering, they'd also remove the need for encryption.
Received on Mon May 1 01:53:18 2006