Experimental Physics and
Industrial Control System

Tony Cox - (415)926-3105 <[email protected]> · Mon, 13 Feb 1995 10:23:32 PST

Alan writes:-

>Bob:
>
>I suggest we use pgp encryption for releases.  Pass phrases can be handled
>over the landline or some other reasonably secure medium.  We can select
>one pass-phrase per release or one per year to make it easier.  Only the
>1-2 people per site who actually get and install releases need to know
>this access key.

I think this is too lax. With all the EPICS sites, this pass phrase will
become an open secret.

Better to encrypt the distributions with the public keys of people who have
signed the EPICS collaborators agreements. The corresponding private keys
for decryption are far less likely to be given away, and even if the
private keys are stolen the `keyrings' are useless without a private
passphrase.

Note that this doesn't mean that a separate encrypted versions need be
generated for each user. PGP uses a two-step encryption algorithm. The data 
is encoded with IDEA, and it is the IDEA session key which is then further
encrypted with the intended recipients public keys. For each intended
recipient, this adds only around 1000 bytes to the total size of the
distribution. Encrypting for 50 intended recipients would seem quite practical.

>
>Pgp is available from MIT free of charge for all US based sites.

PGP is also available (in various international flavours) from sites outside
the US, so that ITAR regulations need not be violated. A list of international
distributions sites is posted regularly to alt.security.pgp.  

Tony Cox

--------------------------------------------------------------------------------
Dr Anthony D Cox
Computer Systems Specialist
Stanford Synchrotron Radiation Laboratory
Stanford Linear Accelerator Center
MS 69, Box 4349
Stanford CA 94305
[email protected]
--------------------------------------------------------------------------------

Experimental Physics and Industrial Control System

Experimental Physics and
Industrial Control System