On 1 October 2012 19:42, Josh More <[email protected]> wrote: > On Sat, Sep 29, 2012 at 3:27 PM, Robin Wood <[email protected]> wrote: >> On 28 September 2012 00:34, Josh More <[email protected]> wrote: >>> I do not disagree, but I am in a somewhat contrarian mood tonight. >>> >>> Might it be possible, in a ridiculously small number of circumstances, >>> to use the inode number to begin building a map of the disk and >>> thereby reduce the complexity of finding an encryption key after the >>> server has been stolen? (You know, for all those times when someone >>> breaks into a data center to steal a LAMP box ;) >> >> Can you explain more? >> >> The other way out things we came up with over a beer was monitoring it >> to work out how often files were changing and maybe using it to work >> out if other files were being changed due to the inode changing as >> files were rearranged due to optimisation. >> >> Robin > > I know that certain disk encryption technologies store the key in > predictable locations on the hard disk. I don't do much work reversing > crypto, so I can't speak in great detail about it, it's just something > I ran across when comparing systems. But, if this is true on the > system that's leaking inodes data, and you can determine a rate of > change (as you noted in your beer meeting), you may be able to > identify regions of the disk in which the key is unlikely to be > stored. > > It's still a needle in a haystack problem, just a slightly smaller haystack. > > I don't think of it as a realistic attack in most scenarios, but it's > theoretically interesting. Crypto attacks are often based on stacking > mathematical weaknesses, of which this would be one. >
So on a severity level it could possibly be high but the technical effort required in exploiting it would be so high to make it almost impractical. Doesn't really justify much more than a low info disclosure mention in a report then. Robin _______________________________________________ Pauldotcom mailing list [email protected] http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
