[5] in The Cryptographic File System users list
Welcome, and new CFS 1.4.0 features
daemon@ATHENA.MIT.EDU (Matt Blaze)
Tue Dec 16 11:56:26 1997
From owner-cfs-users@research.att.com Tue Dec 16 11:56:24 1997
Received: from rumor.research.att.com (rumor.research.att.com [192.20.225.9]) by bloom-picayune.MIT.EDU (8.7.6/2.3JIK) with SMTP id LAA24288 for <cfs-mtg@bloom-picayune.mit.edu>; Tue, 16 Dec 1997 11:56:23 -0500
Received: from research.att.com ([135.207.30.100]) by rumor; Tue Dec 16 11:51:30 EST 1997
Received: from amontillado.research.att.com ([135.207.24.32]) by research-clone; Tue Dec 16 11:52:07 EST 1997
Received: from nsa.research.att.com (majordomo@nsa.research.att.com [135.207.24.155])
by amontillado.research.att.com (8.8.7/8.8.7) with ESMTP id LAA05423;
Tue, 16 Dec 1997 11:51:54 -0500 (EST)
Received: (from majordomo@localhost) by nsa.research.att.com (8.7.3/8.7.3) id LAA25323 for cfs-users-list; Tue, 16 Dec 1997 11:52:07 -0500 (EST)
X-Authentication-Warning: nsa.research.att.com: majordomo set sender to owner-cfs-users@nsa.research.att.com using -f
Received: from amontillado.research.att.com (amontillado.research.att.com [135.207.24.32]) by nsa.research.att.com (8.7.3/8.7.3) with ESMTP id LAA25318 for <cfs-users@nsa.research.att.com>; Tue, 16 Dec 1997 11:52:05 -0500 (EST)
Received: from nsa.research.att.com (root@nsa.research.att.com [135.207.24.155])
by amontillado.research.att.com (8.8.7/8.8.7) with ESMTP id LAA05414
for <cfs-users@research.att.com>; Tue, 16 Dec 1997 11:51:36 -0500 (EST)
Received: from nsa.research.att.com (mab@localhost.research.att.com [127.0.0.1]) by nsa.research.att.com (8.7.3/8.7.3) with ESMTP id LAA25311 for <cfs-users@research.att.com>; Tue, 16 Dec 1997 11:52:02 -0500 (EST)
Message-Id: <199712161652.LAA25311@nsa.research.att.com>
To: cfs-users@research.att.com
Subject: Welcome, and new CFS 1.4.0 features
Date: Tue, 16 Dec 1997 11:52:02 -0500
From: Matt Blaze <mab@research.att.com>
Sender: owner-cfs-users@research.att.com
Precedence: bulk
First of all, sorry the list was down for so long. Thanks for
re-subscribing.
CFS 1.4.0 is now available for beta testing (just in time for your holiday
gift-giving needs). It is available in gnuziped tar format as
cfs.1.4.0.beta1.tar.gz at Michael P. Johnson's export controlled web site
<http://www.cryptography.org> . Answer the export questions and look
in the "raw http archive" under the "disk" directory. I can send the
code by email for those who can't get it via the web. (But you'll need
to tell me you're in the US and have read the license, etc.).
1.4.0 reads all 1.3.x formats. The main new features are support for
Schneier's Blowfish cipher (cmkdir -b) and for individual user
passphrases on shared directories. The latter feature entails a new
tool, called "cmkkey" (a shell script), and some changes to cpasswd
and cattach. (I also fixed a few annoying problems, and renamed "ssh"
to "cfssh" to avoid clobbering another popular tool).
I added cmkkey because several people have been asking for the ability
to have more than one passphrase on shared directories. The manual
may not make how to use this entirely clear, so I'll give an example.
The cmkkey script basically makes a link to an encrypted directory
with a private copy of the passphrase-encrypted key file. The "link
directory" then works just like the original directory, but changes to
the passphrase won't affect the original.
For example, "the boss" might create a shared directory "big_secrets" in
the normal way, with passphrase "the employees are empowered"
boss$ umask 022 # everyone else can read but not write
boss$ cmkdir /shared/public/directory/secrets
boss$ Key: [the employees are empowered]
boss$ Again: [the employees are empowered]
boss$
Later, the boss can make a secondary passphrase that's easier to
remember, using cmkkey and cpasswd:
boss$ cmkkey /shared/public/directory/secrets /home/boss/secrets
boss$ cpasswd /home/boss/secrets
boss$ Old key: [the employees are empowered]
boss$ New key: [my employees are ungrateful]
boss$ Again: [my employees are ungrateful]
Doing cattach on /home/boss/secrets uses the new boss key:
boss$ cattach /home/boss/secrets boss_secrets
boss$ Key: [my employees are ungrateful
boss$ cd /crypt/boss_secrets
boss$ ...
By telling authorized users the master passphrase, they can do the
same thing. They need only read access to the shared encrypted
directory:
dilbert$ cmkkey /shared/public/directory/secrets /home/dilbert/secrets
dilbert$ cpasswd /home/dilbert/secrets
dilbert$ Old key: [the employees are empowered]
dilbert$ New key: [my boss is a dangerous moron]
dilbert$ Again: [my boss is a dangerous moron]
Doing cattach on /home/dilbert/secrets uses dilbert's new key:
dilbert$ cattach /home/dilbert/secrets dilbert_secrets
dilbert$ Key: [my boss is a dangerous moron]
dilbert$ cd /crypt/dilbert_secrets
dilbert$ ...
Anyway, please let me know if there are any problems.
-matt
