[pmwiki-devel] encrypted pagestore?

Martin Fick mogulguy at yahoo.com
Sun Jan 6 01:13:16 CST 2008


--- Ben Stallings <ben at interdependentweb.com> wrote:
...
> However... my question is, has anyone looked into
> writing an encrypted 
> pagestore, so that if wiki page files were
> downloaded or intercepted it 
> would not be immediately obvious what they were or
> how to decrypt them? 

Let me try to understand your threat model a little
better.  This model will help suggest a solution.

Are you concerned with an attacker:

1) who can sniff your ftp transfer of these files
(sounds like yes?)

2) who can sniff your ftp password and therefore even
access the files once they are on the server (sounds
like yes also?)

3) who has root access on the server (i.e. godaddy
sysadmins?)

-If you are only concerned with #1 there are ways of
encrypting the files before transferring them and
decrypting them afterwards allowing you to use
unencrypted ftp.

-If you are only concerned with #1 and #2, an
encrypted pagestore which is decrypted on the fly with
the browsing user's password would be helpful to you. 
There is a PITS for this here:

  http://pmwiki.org/wiki/PITS/00545

This is conceivably possible; the hard part, as
mentioned in the PITS, is managing the keys.

I actually began work on such a project last summer 
and got to the point of being able to encrypt and
decrypt the pagestore.  I did not get very far in the
key management area though; I was planning on
implementing the key management scheme that I proposed
at the bottom of the PITS page.  I could provide my
code if you are interested in finishing the project,
or hiring me or someone else to finish it. :)

-If you are concerned with all three of these threats
then you are probably SOL since a root user can always
access memory to view the decrypted content of the
files when they are being decrypted for on the fly
viewing.

Good luck,

-Martin
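
Added example, not part of the message above, not PmWiki code and not the key management scheme proposed on the PITS page: one way a pagestore could be decrypted on the fly with the browsing user's password. It assumes a single random page key that is wrapped separately under each user's password; the function names, user names and passphrases are hypothetical.

```php
<?php
// Added illustration. Assumption: one random page key encrypts page files;
// each user's password wraps its own copy of that key, so neither passwords
// nor the bare page key are ever written to the server's disk.
const CIPHER = 'aes-256-gcm';

function seal(string $key, string $plain): string {
    $iv = random_bytes(12);
    $ct = openssl_encrypt($plain, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) throw new RuntimeException('encryption failed');
    return $iv . $tag . $ct;            // 12-byte IV | 16-byte tag | ciphertext
}

function unseal(string $key, string $blob): string {
    if (strlen($blob) < 28) throw new RuntimeException('blob too short');
    $plain = openssl_decrypt(substr($blob, 28), CIPHER, $key, OPENSSL_RAW_DATA,
                             substr($blob, 0, 12), substr($blob, 12, 16));
    if ($plain === false) throw new RuntimeException('wrong key or tampered data');
    return $plain;
}

// Derive a key-encryption key from the password, then wrap the page key with it.
function wrapPageKey(string $pageKey, string $password): string {
    $salt = random_bytes(16);
    $kek  = hash_pbkdf2('sha256', $password, $salt, 600000, 32, true);
    return $salt . seal($kek, $pageKey);
}

function unwrapPageKey(string $wrapped, string $password): string {
    $kek = hash_pbkdf2('sha256', $password, substr($wrapped, 0, 16), 600000, 32, true);
    return unseal($kek, substr($wrapped, 16));
}

// Constructed sample data: two users sharing one encrypted page.
$pageKey = random_bytes(32);
$keyring = [
    'alice' => wrapPageKey($pageKey, 'alice-passphrase'),
    'bob'   => wrapPageKey($pageKey, 'bob-passphrase'),
];
$stored = seal($pageKey, "text=Private wiki page body\n");   // what lands on disk

// On a page view, the logged-in user's password unlocks the page key in memory.
echo unseal(unwrapPageKey($keyring['bob'], 'bob-passphrase'), $stored);

// A wrong password fails the GCM tag check instead of yielding garbage.
try { unwrapPageKey($keyring['alice'], 'wrong-guess'); }
catch (RuntimeException $e) { echo "alice: ", $e->getMessage(), "\n"; }
```

Files copied over ftp or read with a sniffed ftp password are ciphertext under this layout (threats #1 and #2); the page key and plaintext still exist in server memory during a request, which is the exposure described for threat #3.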






