Re: Security of Mac Keychain, Filevault
Jerry Leichter wrote: NFC? Near Field Communications - the wireless equivalent of whispering in someone's ear. Ideally, a NFC chip should only be able to talk to something that is an inch or so away, and it should be impossible to eavesdrop from more than a foot or so away. Lots of people plan that smart phones shall do financial transactions through NFC. http://www.intomobile.com/2009/04/10/visa-launches-nfc- service-in-Malaysia.html : : Malaysians can now use their Nokia (NYSE: : : NOK) 6212 to make near-field Visa payments : : just wave your phone in front of a sensor and : : bam, instant buy in over 1,800 shops. These transactions are reversible and made through authorized retailers, hence, like the widely shared secret on a credit card, really need very little security. Anyone to anyone irreversible transactions would need considerably higher security, but there appear to be considerable legal and regulatory obstacles to that. - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com
Re: Security of Mac Keychain, Filevault
On Mon, Nov 2, 2009 at 5:41 PM, Jerry Leichter leich...@lrw.com wrote: The trend is for this to get worse, with network-wide shared authentication via OpenID or whatever other standard catches on. Not to derail this, but OpenID is flexible enough to permit fine-grained authentication as well as non-password-based authentication (e.g. smart card) and multi-factor authentication. -- Taral tar...@gmail.com Please let me know if there's any further trouble I can give you. -- Unknown - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com
Re: Security of Mac Keychain, Filevault
On Nov 1, 2009, at 10:32 PM, Steven Bellovin wrote: On Oct 29, 2009, at 11:25 PM, Jerry Leichter wrote: A couple of days ago, I pointed to an article claiming that these were easy to break, and asked if anyone knew of security analyses of these facilities. I must say, I'm very disappointed with the responses. Almost everyone attacked the person quoted in the article. The attacks they assumed he had in mind were unproven or unimportant or insignificant. Gee ... sounds *exactly* like the response you get from companies when someone finds a vulnerability in their products: It's not proven; who is this person anyway; even if there is an attack, it isn't of any practical importance. Unfortunately, there's no better response here. At time T, someone will assert that X is insecure, and that products exist -- commercial and freeware -- to crack it. This person supplies no evidence except for an incomplete list of products to support the assertion. What do I now know that I didn't know before?... A couple of others wrote to me privately with the same general thought. I see I'm still not managing to make my point. Suppose the world were as in the following diagram: People who say they've looked People who claim Keychain can be Keychain and believe it's good broken easily - Apple Some unknown guy who sells Adi Shamir products for analyzing Macs Neils Ferguson Bruce Schneier Steven Bellovin John Gilmore Perry Metzger Then I'd agree that there's not much to talk about. But that doesn't happen to be the world we live in. Instead, the world we live in is described by the following diagram: People who say they've looked People who claim Keychain can be Keychain and believe it's good broken easily - Apple Some unknown guy who sells products for analyzing Macs Now, this isn't all that different from the following world: People who say they've looked People who claim Keychain can be Keychain and believe it's good broken easily - Apple - though to assert it's *identical* when we have *no* information about the person making the claim is a bit much. Having *no* reputation isn't the same as having a reputation for being a shill or an incompetent. But even in *this* last world ... doesn't it bother people that all we have is a trust us from Apple? Yes, as I acknowledged, Apple's track record is pretty good here - but it's *not* unblemished. I've actually tried to look at Keychain, but most of the guts are built on the Apple crypto provider framework, which is quite a large collection of code to digest with no previous knowledge. So I didn't get anywhere interesting in the time I was in a position to invest. I've been referring specifically to Keychain, about which there appears to be nothing at all published. But the situation is only slightly better - a single 2+ year old paper - for encrypted disk images in general an Filevault in particular. And it's also the same for iPhone's and iPod Touches, which are regularly used to hold passwords (for mail, at the least). -- Jerry - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com
Re: Security of Mac Keychain, Filevault
On Nov 2, 2009, at 5:36 PM, Jeffrey I. Schiller wrote: - Jerry Leichter leich...@lrw.com wrote: for iPhone's and iPod Touches, which are regularly used to hold passwords (for mail, at the least). I would not (do not) trust the iPhone (or iPod Touch) to protect a high value password. There are two problems with this: So many of the things you'd really like to be able to do with your iPhone/Touch/other smart phone require a key whose value is very difficult to calculate (e.g., just what would you lose if someone could read all your mail?); and services increasing bundle all kinds of things together under one password. For example, all your Google services use the same password; and your Apple Mobile Me mail password is also the key to such things as you contact list (if you sync it) and Back To My Mac (which I now disable, useful as it might be, for just this reason) and your iTunes store account. You can dissociate some of these, directly or indirectly, but the services assume they are tied together and don't work nearly as well if you do that. The trend is for this to get worse, with network-wide shared authentication via OpenID or whatever other standard catches on. Or more to the point I would change any such password if my iPhone went unaccounted for. Oh, absolutely. In the case of the Mac Keychain and Filevault, if implemented correctly, the security hinges on a secret that you know. And you know this ... how? Have you, or anyone you know, vetted the design? Sure, *if* it's all implemented correctly, it maintains *some* set of security properties. Do you even know what those are? I know I don't Pick a good secret (high entropy) and you are good. Pick a poor one, well... However the iPhone’s keychain is not encrypted in a password. Instead it is encrypted in a key derived from the hardware. The iPhone Dev-Team, the folks who regularly jail break the iPhone, seem to have little problem deriving keys from the phone! Note: Setting a phone lock password doesn’t prevent me from accessing the phone using the various jail breaking tools. Presumably once I have control of the phone, I have access to any of the keys on it. That would be my assumption, too. As the value of the information in smartphones grows daily, their vulnerabilities will be more and more of a problem. Remote wipe - assuming it really destroys the data - helps against loss, but does nothing against a deliberate, targeted attack, which can probably copy all the data within minutes. We need some new thinking here. One possible approach, based on an idea IBM played with a couple of years back but that as far as I know never made it into a product: Build a Bluetooth-connected ring or key fob that must be physically quite close to the device to keep it unlocked. IBM did this for laptops, and just locked the screen. For a smartphone, you'd want the phone and the fob to mutually authenticate, and then the fob would transfer a key that could be used to unlock critical data on the phone. When the fob goes out of range, the phone wipes the key and all decrypted data. One can certainly come up with attacks on this - even so simple as the smart mugger scenario: Give me your phone and your fob - but it raises the bar, with minimal inconvenience in normal use. -- Jerry - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com
re: Security of Mac Keychain, Filevault
A couple of days ago, I pointed to an article claiming that these were easy to break, and asked if anyone knew of security analyses of these facilities. I must say, I'm very disappointed with the responses. Almost everyone attacked the person quoted in the article. The attacks they assumed he had in mind were unproven or unimportant or insignificant. Gee ... sounds *exactly* like the response you get from companies when someone finds a vulnerability in their products: It's not proven; who is this person anyway; even if there is an attack, it isn't of any practical importance. Meanwhile, I know many of us on this list use Macs, and many of us rely on keychain and Filevault, or at least on encrypted disk images. On what rational basis do we rely these? The only analysis of Filevault that I know of is Applebaum and Weinmann's http://crypto.nsa.org/vilefault/23C3-VileFault.pdf , which dates back to 2006, two releases of Mac OS ago. (It found the basic mechanisms sound, with some problems around the edges.) I'm not aware of any analyses of Keychain, although key chains can be extremely high-value. If no one on this list is aware of any analyses, I'd guess they just don't exist. Over all, Apple's designs and implementations of security code have been good, but hardly perfect. (Witness the recent questionable implementation of encryption on the iPhone 3GS.) So these are legitimate issues. Meanwhile, I'm sure many of us have potentially high-value passwords - like our Mobile Me password - stored in our iPhones and iPod Touches. How safe is that? I have yet to see any analysis of that question either (though I suspect the answer is not very). -- Jerry - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com