On Tue, Jan 16, 2007 at 11:33:46AM -0500, Steven M. Bellovin wrote:
> On Tue, 16 Jan 2007 08:19:41 -0800
> "Saqib Ali" <[EMAIL PROTECTED]> wrote:
> > Dr. Bellovin,
> > 
> > > In most situations, disk encryption is useless and probably harmful.
> > > It's useless because you're still relying on the OS to prevent
> > > access to the cleartext through the file system, and if the OS can
> > > do that it can do that with an unencrypted disk.
> > 
> > I am not sure I understand this. With FDE, the HDD is unlocked by a
> > pre-boot kernel (linux). It is not the function of the resident OS to
> > unlock the drive.
> Not necessarily -- many of my systems have multiple disk drives and
> file systems, some of which are on removable media.  Apart from that,
> though, this is reinforcing my point -- what is the threat model?

        Seems to me the threat model is real and obvious - physical 
access to the disk hardware - either by theft or (worse) by stealth (eg
black bag jobs, or insider access at night or on weekends).

        Think of someone either image copying or stealing a drive that
contains valuable data... most of the time this necessarily involves
either powering it down or disconnecting it in a way that can be readily
detected by drive and host interface firmware.   If this results in
zeroization of the working key in the drive requiring some kind of
re-authentication of host to drive and drive to host and then reload of
key before the data can be read it at least becomes significantly harder
to steal data by just unplugging the drive  and either walking out the
door with it in your briefcase or plugging it into another system for an
image copy before returning it to its normal home.

        Needless to say if the drive and its contained file systems
aren't encrypted this is pretty low hanging fruit.  Relatively unskilled
attackers can easily capture very valuable material if they can gain
physical access for only a few minutes.

        And further, unusual events - disasters such as floods, fires,
tornadoes, building collapses and the like - can result in massive
exposure of confidential data amidst the ruins whereas if the disks in
desktops and servers were encrypted capture of - or covert access to - the
drives in the chaos surrounding a crisis is much less useful to an

        Obviously it may be possible for really sophisticated attackers
to somehow unplug drives from live machines without the key zeroization
happening and presumably without the host noticing and raising an alarm
and logging the event, but given the mechanical design of modern high
end desktop and server boxes with a common connector for power and
signals for the current generation of SATA drives this is at the very
least significantly more challenging to do without getting noticed or
caught than just causing a fake power fail and removing the disks.   And
it can be made harder by appropriate modest hardware, firmware and system
tweaks too.

        Obviously too, a disk whose surface is encrypted with a key it
forgets when the power is off can be quite safely shipped or stored or
even decommissioned and destroyed without much danger of disclosure of
confidential data contained therein.   This is far more useful in
practice than it might at first seem as it reduces costs and risks a lot
in many common situations where drives and even entire machines need to
be moved, stored, sold, scrapped and shipped around in untrusted hands.

        And a server or desktop that is depowered (if it is truly
depowered, not always the case with modern hardware) can be assumed to
be in a fairly secure state (presuming the key reload on power up
requires some external intervention) whereas a traditional in-the-clear
disk server or desktop that contains highly sensitive information is in
fact MORE vulnerable when powered down in that its disks can be
removed, image copied, and returned to the system without much of
anything being the wiser.   A powered up machine is much more likely to
at least log anomalous events that can be detected if not suspiciously
crash altogether when its disks are removed or disconnected.   This
paradoxically makes the systems in a typical office more vulnerable
exactly when they are least well monitored and protected - nights and
weekends and other off hours.

        So I do think the classic FDE with AES in the drive ASICs does gain
something meaningful against this kind of threat, though obviously the most
sophisticated and careful attacks can defeat it.   But defeating the less
elaborate attacks at least removes an AWFUL lot of low hanging fruit and
in doing so materially increases overall security.   There are far fewer
really sophisticated attackers than common (and often pretty stupid) petty
criminals near computers, after all.

        Back under my rock...

   Dave Emery N1PRE,  [EMAIL PROTECTED]  DIE Consulting, Weston, Mass 02493
"An empty zombie mind with a forlorn barely readable weatherbeaten
'For Rent' sign still vainly flapping outside on the weed encrusted pole - in 
celebration of what could have been, but wasn't and is not to be now either."
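The unplug-and-image threat and the drive behaviour described above (working key held only in the drive, zeroized on power loss, reloaded only after host-to-drive authentication) as an added example that is not part of the original message or of any real drive's firmware. It is a constructed Python model: a keyed-hash keystream stands in for the AES in the drive ASIC, a password-derived wrapping key stands in for the host-to-drive authentication protocol, and the 32-byte sector size is an assumption. What it shows is the defender's point of the message: an image taken from a depowered drive contains only ciphertext, and the same drive serves its data again once the host re-authenticates.

```python
"""Constructed model of a self-encrypting drive whose working key lives only
in volatile memory. Not real firmware: HMAC-SHA256 keystream replaces the
drive's AES, and PBKDF2 replaces the real host authentication (assumptions)."""
import hashlib
import hmac
import os
import secrets

SECTOR = 32  # toy sector size (assumption; real drives use 512 or 4096 bytes)


class DriveLocked(Exception):
    """Raised when sectors are accessed while no working key is loaded."""


def _keystream(key: bytes, sector: int, length: int) -> bytes:
    """Stand-in for AES: per-sector keystream derived from the working key."""
    out, counter = b"", 0
    while len(out) < length:
        msg = sector.to_bytes(8, "big") + counter.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class SelfEncryptingDrive:
    def __init__(self, host_credential: bytes, sectors: int = 8):
        # Non-volatile state: ciphertext sectors plus the wrapped data key.
        self.media = [bytes(SECTOR)] * sectors
        self.salt = os.urandom(16)
        dek = secrets.token_bytes(32)
        kek = self._kek(host_credential)
        wrapped = _xor(dek, hmac.new(kek, b"wrap", hashlib.sha256).digest())
        tag = hmac.new(kek, wrapped, hashlib.sha256).digest()
        self.wrapped_dek = (wrapped, tag)
        # Volatile state: the working key exists only while powered and unlocked.
        self._working_key = None
        self.log = []

    def _kek(self, credential: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", credential, self.salt, 50_000)

    def power_on(self) -> None:
        self._working_key = None  # the drive always boots locked
        self.log.append("power_on: locked, awaiting host authentication")

    def authenticate(self, credential: bytes) -> bool:
        """Host-to-drive authentication; on success the working key is reloaded."""
        kek = self._kek(credential)
        wrapped, tag = self.wrapped_dek
        expected = hmac.new(kek, wrapped, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            self.log.append("auth_fail: credential rejected")
            return False
        self._working_key = _xor(wrapped, hmac.new(kek, b"wrap", hashlib.sha256).digest())
        self.log.append("auth_ok: working key loaded into volatile RAM")
        return True

    def power_loss(self) -> None:
        """Power or combined power/signal connector removed: zeroize the key first."""
        self._working_key = None
        self.log.append("power_loss: working key zeroized, drive locked")

    def write(self, sector: int, data: bytes) -> None:
        if self._working_key is None:
            raise DriveLocked("no working key loaded")
        padded = data.ljust(SECTOR, b"\x00")[:SECTOR]
        self.media[sector] = _xor(padded, _keystream(self._working_key, sector, SECTOR))

    def read(self, sector: int) -> bytes:
        if self._working_key is None:
            raise DriveLocked("no working key loaded")
        plain = _xor(self.media[sector], _keystream(self._working_key, sector, SECTOR))
        return plain.rstrip(b"\x00")

    def image_copy(self) -> bytes:
        """What imaging the platters of a depowered drive yields: the raw media."""
        return b"".join(self.media)


def demo() -> dict:
    """Unlock, write, lose power, image the drive, then re-authenticate."""
    drive = SelfEncryptingDrive(b"host-boot-secret")
    drive.power_on()
    drive.authenticate(b"host-boot-secret")
    drive.write(0, b"payroll: alice 123456")  # constructed sample record
    before = drive.read(0)
    drive.power_loss()                        # drive pulled from the chassis
    image = drive.image_copy()                # imaged on another machine
    locked = False
    try:
        drive.read(0)
    except DriveLocked:
        locked = True
    drive.power_on()
    wrong_rejected = not drive.authenticate(b"guess")
    drive.authenticate(b"host-boot-secret")
    return {"before": before, "after": drive.read(0), "leaked": b"payroll" in image,
            "locked_after_power_loss": locked,
            "wrong_credential_rejected": wrong_rejected, "log": drive.log}
```

Running `demo()` returns the plaintext written before the power loss, the same plaintext read back after re-authentication, `leaked` False (the image holds no recognizable data), and a log in which the zeroization event is recorded; the log is the part a host would want to collect, since the message's point is that a powered machine can at least notice and record the disconnect.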

The Cryptography Mailing List