On Oct 24, 2009, at 5:31 PM, Jerry Leichter wrote:
The article at http://www.net-security.org/article.php?id=1322
claims that both are easily broken. I haven't been able to find any
public analyses of Keychain, even though the software is open-source
so it's relatively easy to check. I ran across an analysis of File
Vault not long ago which pointed out some fairly minor nits, but
basically claimed it did what it set out to do.
The white paper for Mac Marshal (http://macmarshal.atc-nycorp.com/mac/MacMarshal_WhitePaper_102.pdf
) leads me to believe that the so-called vulnerability in File Vault
is that the encryption is based on the user's chosen login password:
"So, FileVault is not as secure as simple 128-bit AES. Any means of
obtaining the user’s login password or the FileVault Master recovery
keychain will allow access to the FileVault image."
Does this surprise anyone?
-Greg
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com
