On Tue, Jan 16, 2007 at 11:33:46AM -0500, Steven M. Bellovin wrote:
> On Tue, 16 Jan 2007 08:19:41 -0800
> "Saqib Ali" <[EMAIL PROTECTED]> wrote:
>
> > Dr. Bellovin,
> >
> > > In most situations, disk encryption is useless and probably harmful.
> > > It's useless because you're still relying on the OS to prevent
> > > access to the cleartext through the file system, and if the OS can
> > > do that it can do that with an unencrypted disk.
> >
> > I am not sure I understand this. With FDE, the HDD is unlocked by a
> > pre-boot kernel (linux). It is not the function of the resident OS to
> > unlock the drive.
>
> Not necessarily -- many of my systems have multiple disk drives and
> file systems, some of which are on removable media. Apart from that,
> though, this is reinforcing my point -- what is the threat model?
Seems to me the threat model is real and obvious - physical access to the disk hardware - either by theft or (worse) by stealth (e.g. black bag jobs, or insider access at night or on weekends). Think of someone either image copying or stealing a drive that contains valuable data... most of the time this necessarily involves either powering it down or disconnecting it in a way that can be readily detected by drive and host interface firmware. If this results in zeroization of the working key in the drive, requiring some kind of re-authentication of host to drive and drive to host and then reload of the key before the data can be read, it at least becomes significantly harder to steal data by just unplugging the drive and either walking out the door with it in your briefcase or plugging it into another system for an image copy before returning it to its normal home. Needless to say, if the drive and its contained file systems aren't encrypted this is pretty low hanging fruit. Relatively unskilled attackers can easily capture very valuable material if they can gain physical access for only a few minutes. And further, unusual events - disasters such as floods, fires, tornadoes, building collapses and the like - can result in massive exposure of confidential data amidst the ruins, whereas if the disks in desktops and servers were encrypted, capture of - or covert access to - the drives in the chaos surrounding a crisis is much less useful to an adversary.
Obviously it may be possible for really sophisticated attackers to somehow unplug drives from live machines without the key zeroization happening and presumably without the host noticing and raising an alarm and logging the event, but given the mechanical design of modern high end desktop and server boxes, with a common connector for power and signals for the current generation of SATA drives, this is at the very least significantly more challenging to do without getting noticed or caught than just causing a fake power fail and removing the disks. And it can be made harder by appropriate modest hardware, firmware and system tweaks too.

Obviously too, a disk whose surface is encrypted with a key it forgets when the power is off can be quite safely shipped or stored or even decommissioned and destroyed without much danger of disclosure of confidential data contained therein. This is far more useful in practice than it might at first seem, as it reduces costs and risks a lot in many common situations where drives and even entire machines need to be moved, stored, sold, scrapped and shipped around in untrusted hands.

And a server or desktop that is depowered (if it is truly depowered, not always the case with modern hardware) can be assumed to be in a fairly secure state (presuming the key reload on power up requires some external intervention), whereas a traditional in-the-clear-disk server or desktop that contains highly sensitive information is in fact MORE vulnerable when powered down, in that its disks can be removed, image copied, and returned to the system without much of anything being the wiser. A powered up machine is much more likely to at least log anomalous events that can be detected, if not suspiciously crash altogether, when its disks are removed or disconnected. This paradoxically makes the systems in a typical office more vulnerable exactly when they are least well monitored and protected - nights and weekends and other off hours.
So I do think the classic FDE with AES in the drive ASICs does gain something meaningful against this kind of threat, though obviously the most sophisticated and careful attacks can defeat it. But defeating the less elaborate attacks at least removes an AWFUL lot of low hanging fruit and in doing so materially increases overall security. There are far fewer really sophisticated attackers than common (and often pretty stupid) petty criminals near computers, after all.

Back under my rock...

-- 
Dave Emery N1PRE, [EMAIL PROTECTED] DIE Consulting, Weston, Mass 02493
"An empty zombie mind with a forlorn barely readable weatherbeaten 'For Rent' sign still vainly flapping outside on the weed encrusted pole - in celebration of what could have been, but wasn't and is not to be now either."
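The key lifecycle the post argues for (media key wrapped by a host credential, working key held only in volatile state and zeroized on power loss, re-authentication required before the data is readable again, an offline image of the platter yielding only ciphertext) as an added toy model; this is not code from the thread or from any real self-encrypting drive, and the HMAC-SHA256 keystream stands in for the drive ASIC's AES so the model runs on the standard library alone.

```python
import hashlib
import hmac
import secrets


def _ctr_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for the drive ASIC's AES: HMAC-SHA256 keystream XOR (constructed for this model)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + (i // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


class SelfEncryptingDrive:
    """Toy model (assumed design, not a real product): the media key is stored wrapped
    by a host credential; the unwrapped working key exists only in volatile state."""

    def __init__(self, credential: bytes):
        mek = secrets.token_bytes(32)                       # media encryption key, never stored in clear
        kek = hashlib.sha256(credential).digest()
        self._wrapped_mek = _ctr_xor(kek, b"wrap-nonce", mek)               # persistent on the platter
        self._check = hmac.new(mek, b"mek-check", hashlib.sha256).digest()  # persistent, for unlock verification
        self._media = {}                                    # LBA -> ciphertext (persistent)
        self._working_key = None                            # volatile: lost on power loss
        self.log = []

    def unlock(self, credential: bytes) -> bool:
        """Host authenticates to the drive; the working key is reloaded only if the check value matches."""
        kek = hashlib.sha256(credential).digest()
        candidate = _ctr_xor(kek, b"wrap-nonce", self._wrapped_mek)
        tag = hmac.new(candidate, b"mek-check", hashlib.sha256).digest()
        ok = hmac.compare_digest(tag, self._check)
        self._working_key = candidate if ok else None
        self.log.append("unlock ok" if ok else "unlock rejected")
        return ok

    def is_locked(self) -> bool:
        return self._working_key is None

    def power_loss(self) -> None:
        """Detected power or signal loss: zeroize the working key; re-authentication is now required."""
        self._working_key = None
        self.log.append("power loss: working key zeroized")

    def write(self, lba: int, plaintext: bytes) -> None:
        if self.is_locked():
            raise PermissionError("drive is locked")
        self._media[lba] = _ctr_xor(self._working_key, lba.to_bytes(8, "big"), plaintext)

    def read(self, lba: int) -> bytes:
        if self.is_locked():
            raise PermissionError("drive is locked")
        return _ctr_xor(self._working_key, lba.to_bytes(8, "big"), self._media[lba])

    def image_platter(self) -> dict:
        """What an offline image copy of the removed drive yields: ciphertext only, no key."""
        return dict(self._media)
```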