Re: Security of Mac Keychain, Filevault

2009-11-08 Thread James A. Donald

Jerry Leichter wrote:
 NFC?

Near Field Communications - the wireless equivalent of
whispering in someone's ear.  Ideally, a NFC chip should
only be able to talk to something that is an inch or so
away, and it should be impossible to eavesdrop from more
than a foot or so away.

Lots of people plan that smart phones shall do financial
transactions through NFC.

http://www.intomobile.com/2009/04/10/visa-launches-nfc-
service-in-Malaysia.html
: : Malaysians can now use their Nokia (NYSE:
: :	NOK) 6212 to make near-field Visa payments  
: :	just wave your phone in front of a sensor and

: : bam, instant buy in over 1,800 shops.

These transactions are reversible and made through
authorized retailers, hence, like the widely shared
secret on a credit card, really need very little
security.  Anyone to anyone irreversible transactions
would need considerably higher security, but there
appear to be considerable legal and regulatory obstacles
to that.

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com


Re: Security of Mac Keychain, Filevault

2009-11-03 Thread Taral
On Mon, Nov 2, 2009 at 5:41 PM, Jerry Leichter leich...@lrw.com wrote:
 The trend is for this to get worse, with
 network-wide shared authentication via OpenID or whatever other standard
 catches on.

Not to derail this, but OpenID is flexible enough to permit
fine-grained authentication as well as non-password-based
authentication (e.g. smart card) and multi-factor authentication.

-- 
Taral tar...@gmail.com
Please let me know if there's any further trouble I can give you.
-- Unknown

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com


Re: Security of Mac Keychain, Filevault

2009-11-02 Thread Steven Bellovin


On Oct 29, 2009, at 11:25 PM, Jerry Leichter wrote:

A couple of days ago, I pointed to an article claiming that these  
were easy to break, and asked if anyone knew of security analyses of  
these facilities.


I must say, I'm very disappointed with the responses.  Almost  
everyone attacked the person quoted in the article.  The attacks  
they assumed he had in mind were unproven or unimportant or  
insignificant.  Gee ... sounds *exactly* like the response you get  
from companies when someone finds a vulnerability in their  
products:  It's not proven; who is this person anyway; even if there  
is an attack, it isn't of any practical importance.


Unfortunately, there's no better response here.

At time T, someone will assert that X is insecure, and that products  
exist -- commercial and freeware -- to crack it.  This person supplies  
no evidence except for an incomplete list of products to support the  
assertion.  What do I now know that I didn't know before?


One way to judge is by reputation.  If, say, Adi Shamir says it, I'm  
very inclined to believe it, even without wading through the technical  
details.  If the posting comes from a notorious crank, I'll likely  
discard the message unread because cranks tend to misread technical  
papers.  If it's someone I've never heard of, I have to make the  
decision based on the evidence presented and what I already know.   
What was the evidence here?


The article made no verifiable or falsifiable technical statements, so  
there's nothing to evaluate in that respect.  I've never heard of any  
freeeware to crack Filevault; given the familiarity of the readership  
of this list in the aggregate with the free software world, it seems  
unlikely that such software exists.  He did point to some commercial  
software to attack Filevault, but it works by password guessing.  For  
his business -- forensic analysis -- I suspect that that technique is  
extremely useful; I doubt that anyone on this list would disagree.   
But that's not the same as a flaw in MacOS.


Beyond that, we're left with *no* new information.  What basis does  
this article give us to conclude that Filevault is -- or is not --  
insecure?  I have no more reason to trust it or distrust it than I had  
before reading that article.


A proper evaluation of Filevault would, of course, be a good idea.   
But that statement is equally true after the article as before.



--Steve Bellovin, http://www.cs.columbia.edu/~smb





-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com


Re: Security of Mac Keychain, Filevault

2009-11-02 Thread Jerry Leichter

On Nov 1, 2009, at 10:32 PM, Steven Bellovin wrote:



On Oct 29, 2009, at 11:25 PM, Jerry Leichter wrote:

A couple of days ago, I pointed to an article claiming that these  
were easy to break, and asked if anyone knew of security analyses  
of these facilities.


I must say, I'm very disappointed with the responses.  Almost  
everyone attacked the person quoted in the article.  The attacks  
they assumed he had in mind were unproven or unimportant or  
insignificant.  Gee ... sounds *exactly* like the response you get  
from companies when someone finds a vulnerability in their  
products:  It's not proven; who is this person anyway; even if  
there is an attack, it isn't of any practical importance.


Unfortunately, there's no better response here.

At time T, someone will assert that X is insecure, and that  
products exist -- commercial and freeware -- to crack it.  This  
person supplies no evidence except for an incomplete list of  
products to support the assertion.  What do I now know that I didn't  
know before?...

A couple of others wrote to me privately with the same general thought.

I see I'm still not managing to make my point.  Suppose the world were  
as in the following diagram:


People who say they've looked   People who claim 
Keychain can be
Keychain and believe it's good  broken easily
-
Apple   
Some unknown guy who sells
Adi Shamir  
products for analyzing Macs
Neils Ferguson
Bruce Schneier
Steven Bellovin
John Gilmore
Perry Metzger

Then I'd agree that there's not much to talk about.  But that doesn't  
happen to be the world we live in.  Instead, the world we live in is  
described by the following diagram:


People who say they've looked   People who claim 
Keychain can be
Keychain and believe it's good  broken easily
-
Apple   
Some unknown guy who sells

products for analyzing Macs

Now, this isn't all that different from the following world:

People who say they've looked   People who claim 
Keychain can be
Keychain and believe it's good  broken easily
-
Apple   

 - though to assert it's *identical* when we have *no* information  
about the person making the claim is a bit much.  Having *no*  
reputation isn't the same as having a reputation for being a shill or  
an incompetent.


But even in *this* last world ... doesn't it bother people that all we  
have is a trust us from Apple?  Yes, as I acknowledged, Apple's  
track record is pretty good here - but it's *not* unblemished.


I've actually tried to look at Keychain, but most of the guts are  
built on the Apple crypto provider framework, which is quite a large  
collection of code to digest with no previous knowledge.  So I didn't  
get anywhere interesting in the time I was in a position to invest.


I've been referring specifically to Keychain, about which there  
appears to be nothing at all published.  But the situation is only  
slightly better - a single 2+ year old paper - for encrypted disk  
images in general an Filevault in particular.  And it's also the same  
for iPhone's and iPod Touches, which are regularly used to hold  
passwords (for mail, at the least).


-- Jerry

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com


Re: Security of Mac Keychain, Filevault

2009-11-02 Thread Jerry Leichter

On Nov 2, 2009, at 5:36 PM, Jeffrey I. Schiller wrote:


- Jerry Leichter leich...@lrw.com wrote:

for iPhone's and iPod Touches, which are regularly used to hold
passwords (for mail, at the least).


I would not (do not) trust the iPhone (or iPod Touch) to protect a
high value password.
There are two problems with this:  So many of the things you'd really  
like to be able to do with your iPhone/Touch/other smart phone require  
a key whose value is very difficult to calculate (e.g., just what  
would you lose if someone could read all your mail?); and services  
increasing bundle all kinds of things together under one password.   
For example, all your Google services use the same password; and your  
Apple Mobile Me mail password is also the key to such things as you  
contact list (if you sync it) and Back To My Mac (which I now disable,  
useful as it might be, for just this reason) and your iTunes store  
account.  You can dissociate some of these, directly or indirectly,  
but the services assume they are tied together and don't work nearly  
as well if you do that.  The trend is for this to get worse, with  
network-wide shared authentication via OpenID or whatever other  
standard catches on.



Or more to the point I would change any such
password if my iPhone went unaccounted for.

Oh, absolutely.


In the case of the Mac Keychain and Filevault, if implemented
correctly, the security hinges on a secret that you know.
And you know this ... how?  Have you, or anyone you know, vetted the  
design?  Sure, *if* it's all implemented correctly, it maintains  
*some* set of security properties.  Do you even know what those are?   
I know I don't



Pick a good
secret (high entropy) and you are good. Pick a poor one, well...

However the iPhone’s keychain is not encrypted in a password. Instead
it is encrypted in a key derived from the hardware. The iPhone
Dev-Team, the folks who regularly jail break the iPhone, seem to have
little problem deriving keys from the phone! Note: Setting a phone
lock password doesn’t prevent me from accessing the phone using the
various jail breaking tools. Presumably once I have control of the
phone, I have access to any of the keys on it.

That would be my assumption, too.

As the value of the information in smartphones grows daily, their  
vulnerabilities will be more and more of a problem.  Remote wipe -  
assuming it really destroys the data - helps against loss, but does  
nothing against a deliberate, targeted attack, which can probably copy  
all the data within minutes.  We need some new thinking here.  One  
possible approach, based on an idea IBM played with a couple of years  
back but that as far as I know never made it into a product:  Build a  
Bluetooth-connected ring or key fob that must be physically quite  
close to the device to keep it unlocked.  IBM did this for laptops,  
and just locked the screen.  For a smartphone, you'd want the phone  
and the fob to mutually authenticate, and then the fob would transfer  
a key that could be used to unlock critical data on the phone.  When  
the fob goes out of range, the phone wipes the key and all decrypted  
data.  One can certainly come up with attacks on this - even so simple  
as the smart mugger scenario:  Give me your phone and your fob - but  
it raises the bar, with minimal inconvenience in normal use.

-- Jerry

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com


re: Security of Mac Keychain, Filevault

2009-11-01 Thread Jerry Leichter
A couple of days ago, I pointed to an article claiming that these were  
easy to break, and asked if anyone knew of security analyses of these  
facilities.


I must say, I'm very disappointed with the responses.  Almost everyone  
attacked the person quoted in the article.  The attacks they assumed  
he had in mind were unproven or unimportant or insignificant.  Gee ...  
sounds *exactly* like the response you get from companies when someone  
finds a vulnerability in their products:  It's not proven; who is this  
person anyway; even if there is an attack, it isn't of any practical  
importance.


Meanwhile, I know many of us on this list use Macs, and many of us  
rely on keychain and Filevault, or at least on encrypted disk images.   
On what rational basis do we rely these?  The only analysis of  
Filevault that I know of is Applebaum and Weinmann's http://crypto.nsa.org/vilefault/23C3-VileFault.pdf 
, which dates back to 2006, two releases of Mac OS ago.  (It found the  
basic mechanisms sound, with some problems around the edges.)  I'm not  
aware of any analyses of Keychain, although key chains can be  
extremely high-value.  If no one on this list is aware of any  
analyses, I'd guess they just don't exist.


Over all, Apple's designs and implementations of security code have  
been good, but hardly perfect.  (Witness the recent questionable  
implementation of encryption on the iPhone 3GS.)  So these are  
legitimate issues.  Meanwhile, I'm sure many of us have potentially  
high-value passwords - like our Mobile Me password - stored in our  
iPhones and iPod Touches.  How safe is that?  I have yet to see any  
analysis of that question either (though I suspect the answer is not  
very).

-- Jerry

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com