Re: FileVault on other than home directories on MacOS?

2009-09-28 Thread james hughes


On Sep 22, 2009, at 5:57 AM, Darren J Moffat wrote:


Ivan Krstić wrote:
TrueCrypt is a fine solution and indeed very helpful if you need  
cross-platform encrypted volumes; it lets you trivially make an  
encrypted USB key you can use on Linux, Windows and OS X. If you're  
*just* talking about OS X, I don't believe TrueCrypt offers any  
advantages over encrypted disk images unless you're big on  
conspiracy theories.


Note my information may be out of date.  I believe that MacOS native  
encrypted disk images (and thus FileVault) uses AES in CBC mode  
without any integrity protection, the Wikipedia article seems to  
confirm that is  (or at least was) the case http://en.wikipedia.org/wiki/FileVault


Unauthenticated CBC is indeed a problem
http://tinyurl.com/ycoaruo


There is also a sleep mode issue identified by the NSA:
http://crypto.nsa.org/vilefault/23C3-VileFault.pdf


I don't think that Jacob Appelbaum or Ralf-Philipp Weinmann work for  
the NSA (but having crypto.nsa.org is cool :-)


TrueCrypt on the other hand uses AES in XTS mode so you get  
confidentiality and integrity.


Technically, you do not get integrity. With XTS (P1619, narrow block  
tweaked cipher) you are not notified of data integrity failures, but  
these data integrity failures have a much reduced usability than CBC.  
With XTS:


1) You can return 16 byte chunks to previous values (ciphertext  
replay) as long as it is to the same place (offset) as it was before.


2) If you change a bit, you will randomize a 16 byte chunk of  
information.


With the P1619.2 mode, which I believe is called TET (IEEE 1619.2, wide
block tweaked cipher), there are different characteristics. Usually the
wide block is a sector so it can be 512 or some other value. In this
case, you do not get complete integrity either. In this case:


1) You can return a sector to a previous value (sector replay) as long
as it is to the same place (offset) as it was before.


2) If you change a bit, you will randomize a complete sector of  
information.


If you change this to ZFS Crypto
http://opensolaris.org/os/project/zfs-crypto/
You get complete integrity detection with the only remaining  
vulnerability that


1) you can return the entire disk to a previous state.

While I may have put you all asleep, the basic premise holds... XTS is  
better than unauthenticated CBC.

http://www.cpni.gov.uk/docs/re-20050509-00385.pdf
http://jvn.jp/niscc/NISCC-004033/index.html
http://www.kb.cert.org/vuls/id/302220




--
Darren J Moffat

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com




Re: FileVault on other than home directories on MacOS?

2009-09-28 Thread Jacob Appelbaum
Ivan Krstić wrote:
 On Sep 22, 2009, at 5:57 AM, Darren J Moffat wrote:
 There is also a sleep mode issue identified by the NSA
 
 Unlike FileVault whose keys (have to) persist in memory for the duration
 of the login session, individual encrypted disk images are mounted on
 demand and their keys destroyed from memory on unmount.

The devil is in the details. If you use your default keychain to unlock
a disk, I believe the _passphrase_ is still stored by LoginWindow.app in
plain text... So even if they destroyed keying material properly (do
they? Is there source we can review for how FV works?) when the disk
isn't in use, I somehow doubt that it's really safe to use FileVault in
some circumstances against some attackers. Especially if you have a
laptop and especially if you didn't turn on encrypted swap. Also
especially if you happened to use the encrypted swap feature when it
wasn't working. The list of hilarious bugs goes on and on.

(The LoginWindow.app bug is as old as the hills and I'm one of a dozen
people to have reported it, I bet. Apple still hasn't fixed it because
they rely on a user's password being in memory to escalate privileges
without interacting with the user! I hear they're working on a fix but
that it's difficult because many systems rely on this feature.)

I haven't been working on or thinking about VileFault much but I suppose
that we probably could add support for sparse bundles if someone wanted.
I've been bugging Apple for some specifications and so far, it's been
years without a real response.

Most of what we know is in VileFault:
http://code.google.com/p/vilefault/

It would be really awesome if Apple would open up all of this code or at
least publish a specification for how it works. With either we could
have a Fuse file system module to support these disk images on other
platforms...

Best,
Jacob





Re: FileVault on other than home directories on MacOS?

2009-09-28 Thread Darren J Moffat

james hughes wrote:
TrueCrypt on the other hand uses AES in XTS mode so you get 
confidentiality and integrity.


Technically, you do not get integrity. With XTS (P1619, narrow block 
tweaked cipher) you are not notified of data integrity failures, but 
these data integrity failures have a much reduced usability than CBC. 
With XTS:


[snip]


If you change this to ZFS Crypto
http://opensolaris.org/os/project/zfs-crypto/
You get complete integrity detection with the only remaining 
vulnerability that


For those not familiar this is because Jim and I choose to use CCM/GCM 
with AES.  ZFS is already using a copy-on-write validated merkle tree. 
The 16 byte tag/MAC from CCM/GCM is stored in the block pointer above 
forming a merkle tree.  Each encrypted block in ZFS has its own IV.  ZFS 
disk blocks are variable size from 512 bytes to (currently) 128k.



1) you can return the entire disk to a previous state.

While I may have put you all asleep, the basic premise holds... XTS is 
better than unauthenticated CBC.


Which is really what I was trying to say and overstated that XTS 
provides integrity. When really what it does is as you said, provides a 
better protection for certain classes of ciphertext modification than 
just using CBC.


--
Darren J Moffat
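
The layout described in this message (each block's 16-byte tag kept in the block pointer above it) and the rollback cases listed earlier in the thread, as an added example that is not code from ZFS or from the posters. It is a two-level model with no encryption and no per-block IV; truncated HMAC-SHA256 stands in for the CCM/GCM tag, and all names and sample blocks are constructed.

```python
import hashlib
import hmac

TAG = 16

def tag(key, data):
    # 16-byte MAC standing in for the CCM/GCM tag (assumption: truncated HMAC-SHA256).
    return hmac.new(key, data, hashlib.sha256).digest()[:TAG]

def write_disk(key, blocks):
    # The parent block holds one tag per child; the root tag covers the parent.
    pointers = b"".join(tag(key, b) for b in blocks)
    return {"blocks": list(blocks), "pointers": pointers, "root": tag(key, pointers)}

def first_bad(key, disk):
    # Walk from the root down; return "root", a block index, or None if all verify.
    if not hmac.compare_digest(tag(key, disk["pointers"]), disk["root"]):
        return "root"
    for i, blk in enumerate(disk["blocks"]):
        if not hmac.compare_digest(tag(key, blk), disk["pointers"][TAG * i:TAG * (i + 1)]):
            return i
    return None

def scenarios():
    key = b"constructed-demo-key"
    old = write_disk(key, [b"balance=100", b"owner=alice"])   # earlier disk state
    new = write_disk(key, [b"balance=0", b"owner=alice"])     # current disk state
    # Roll back one data block only: its tag no longer matches the parent pointer.
    one_block = dict(new, blocks=[old["blocks"][0], new["blocks"][1]])
    # Roll back the block and the parent pointers: the root tag no longer matches.
    block_and_pointer = dict(one_block, pointers=old["pointers"])
    # Roll back everything, root included: internally consistent, so it verifies.
    whole_disk = dict(old)
    return {"current": first_bad(key, new),
            "one_block": first_bad(key, one_block),
            "block_and_pointer": first_bad(key, block_and_pointer),
            "whole_disk": first_bad(key, whole_disk)}
```

Only the whole-disk case comes back as `None`, which is the remaining rollback case named in the quoted text.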



Re: FileVault on other than home directories on MacOS?

2009-09-23 Thread Darren J Moffat

Ivan Krstić wrote:
TrueCrypt is a fine solution and indeed very helpful if you need 
cross-platform encrypted volumes; it lets you trivially make an 
encrypted USB key you can use on Linux, Windows and OS X. If you're 
*just* talking about OS X, I don't believe TrueCrypt offers any 
advantages over encrypted disk images unless you're big on conspiracy 
theories.


Note my information may be out of date.  I believe that MacOS native 
encrypted disk images (and thus FileVault) uses AES in CBC mode without 
any integrity protection, the Wikipedia article seems to confirm that is 
 (or at least was) the case http://en.wikipedia.org/wiki/FileVault


There is also a sleep mode issue identified by the NSA:

http://crypto.nsa.org/vilefault/23C3-VileFault.pdf

TrueCrypt on the other hand uses AES in XTS mode so you get 
confidentiality and integrity.


--
Darren J Moffat



Re: FileVault on other than home directories on MacOS?

2009-09-23 Thread Alec Muffett



In Disk Utility - New Image, select size, properties and encryption
type (AES 128 or 256) and Create.

Then mount and use your encrypted disks as needed.


Just as an aside: on 10.5 and upwards I have taken to using encrypted  
sparse bundles rather than simple images; the advantage of doing this  
is that if you are creating an encrypted filesystem on (say) a 16Gb  
FAT-32 USB stick, then:


a) you are not constrained to a 4Gb encrypted image (otherwise to FAT32)
b) when using the sparse image, your files can be 4Gb
c) you do not eat the entire stick all at once
d) there can be (is?) a degree of garbage collection
e) the stick is still usable as FAT32

- alec

--
alec.muff...@gmail.com
http://www.crypticide.com/dropsafe/





Re: FileVault on other than home directories on MacOS?

2009-09-23 Thread Matt Crawford


On Sep 21, 2009, at 3:57 PM, Steven Bellovin wrote:

Is there any way to use FileVault on MacOS except on home  
directories?  I don't much want to use it on my home directory; it  
doesn't play well with Time Machine (remember that availability is  
also a security property); besides, different directories of mine  
have different sensitivity levels.


According to an Apple security person who spoke here about a year ago,  
you can use the underlying CLI to do everything FileVault does, but at  
some other point(s) in the directory tree than home directories.




Re: FileVault on other than home directories on MacOS?

2009-09-23 Thread Ian G

On 22/09/2009 14:57, Darren J Moffat wrote:


There is also a sleep mode issue identified by the NSA:


An extremely minor point, that looks like Jacob and Ralf-Philipp perhaps 
aka nsa.org, rather than the NSA.gov.


Still useful.

iang



Re: FileVault on other than home directories on MacOS?

2009-09-23 Thread Ivan Krstić

On Sep 22, 2009, at 5:57 AM, Darren J Moffat wrote:

There is also a sleep mode issue identified by the NSA


Unlike FileVault whose keys (have to) persist in memory for the  
duration of the login session, individual encrypted disk images are  
mounted on demand and their keys destroyed from memory on unmount.


TrueCrypt on the other hand uses AES in XTS mode so you get  
confidentiality and integrity.


XTS certainly doesn't provide cryptographic integrity. It provides  
different ciphertext malleability characteristics than CBC, in that  
you can only randomize an arbitrary 16-byte block of plaintext instead  
of being able to flip an arbitrary bit (and screw up the previous  
block). However, this comes with other costs inherent to seekable  
narrow-block encryption, so I think it's hard to argue XTS provides  
more integrity than CBC. Or were you referring to something else?


--
Ivan Krstić krs...@solarsail.hcs.harvard.edu | http://radian.org
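
The malleability differences argued over in this thread (a ciphertext bit flip under CBC versus a narrow-block tweaked mode, and ciphertext replay at the same offset), as an added example that is not from any of the posters. It assumes a toy SHA-256 Feistel cipher in place of AES and a hash-derived tweak in place of the real XTS tweak schedule; every name and sample value is constructed.

```python
import hashlib

BLOCK = 16
KEY, IV = b"k" * 16, bytes(16)                            # constructed sample key and IV
PT = b"".join(bytes([65 + i]) * BLOCK for i in range(4))  # constructed sector: A.., B.., C.., D..

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def block(blk, decrypt=False):
    # Toy 16-byte block cipher (4-round Feistel over SHA-256), a stand-in for AES.
    def f(rnd, half):
        return hashlib.sha256(KEY + bytes([rnd]) + half).digest()[:8]
    l, r = blk[:8], blk[8:]
    for rnd in (reversed(range(4)) if decrypt else range(4)):
        l, r = (_xor(r, f(rnd, l)), l) if decrypt else (r, _xor(l, f(rnd, r)))
    return l + r

def cbc(data, decrypt=False):
    out, prev = b"", IV
    for i in range(0, len(data), BLOCK):
        cur = data[i:i + BLOCK]
        nxt = _xor(block(cur, True), prev) if decrypt else block(_xor(cur, prev))
        out, prev = out + nxt, (cur if decrypt else nxt)
    return out

def tweaked(data, sector=7, decrypt=False):
    # XEX-style narrow-block mode: C_j = E(P_j ^ T_j) ^ T_j with T_j bound to
    # (sector, j). Real XTS derives T_j with AES and GF(2^128) doubling instead.
    out = b""
    for j in range(len(data) // BLOCK):
        t = hashlib.sha256(b"tweak" + KEY + bytes([sector, j])).digest()[:BLOCK]
        out += _xor(block(_xor(data[j * BLOCK:(j + 1) * BLOCK], t), decrypt), t)
    return out

def tamper(mode):
    # Flip one ciphertext bit in block 1, then decrypt what the reader would see.
    ct = bytearray(mode(PT))
    ct[BLOCK] ^= 1
    return mode(bytes(ct), decrypt=True)

def replay(dst):
    # Put the old ciphertext of block 1 into block `dst` of the rewritten sector.
    old, new = tweaked(PT), bytearray(tweaked(b"Z" * 64))
    new[dst * BLOCK:(dst + 1) * BLOCK] = old[BLOCK:2 * BLOCK]
    return tweaked(bytes(new), decrypt=True)

def changed_blocks(a, b):
    return [i // BLOCK for i in range(0, len(a), BLOCK) if a[i:i + BLOCK] != b[i:i + BLOCK]]
```

`changed_blocks(PT, tamper(cbc))` shows the garbled block plus the chosen bit flip in the next block, while `tamper(tweaked)` damages one 16-byte block only; neither mode reports the change, and `replay(1)` restores the old plaintext at its original offset.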



Re: FileVault on other than home directories on MacOS?

2009-09-22 Thread Adam Fields
On Mon, Sep 21, 2009 at 04:57:56PM -0400, Steven Bellovin wrote:
 Is there any way to use FileVault on MacOS except on home  
 directories?  I don't much want to use it on my home directory; it  
 doesn't play well with Time Machine (remember that availability is  
 also a security property); besides, different directories of mine have  
 different sensitivity levels.
 
 I suppose I could install TrueCrypt (other suggestions or comments on  
 TrueVault?), but I prefer to minimize the amount of extra software I  
 have to maintain.

You can just create a regular encrypted disk image using Disk Utility
(and set it to auto-mount using Finder if you want).

- Adam

--
** I design intricate-yet-elegant processes for user and machine problems.
** Custom development project broken? Contact me, I can help.
** Some of what I do: http://workstuff.tumblr.com/post/70505118/aboutworkstuff

[ http://workstuff.tumblr.com ] ... Technology Blog
[ http://www.aquick.org/blog ]  Personal Blog
[ http://www.adamfields.com/resume.html ].. Experience
[ http://www.flickr.com/photos/fields ] ... Photos
[ http://www.twitter.com/fields ].. Twitter
[ http://www.morningside-analytics.com ] .. Latest Venture
[ http://www.confabb.com ]  Founder



Re: FileVault on other than home directories on MacOS?

2009-09-22 Thread Ivan Krstić

Steve,

On Sep 21, 2009, at 1:57 PM, Steven Bellovin wrote:

Is there any way to use FileVault on MacOS except on home directories?


FileVault is essentially just the name for a plain encrypted disk  
image which happens to have some voodoo associated with it to get  
pivoted in as your homedir at login. This is to say, you can make  
arbitrarily many encrypted disk images with Disk Utility and use them  
as individual encrypted (non-homedir) folders. If you're asking  
whether you can turn on encryption for existing system folders, the  
answer is no; HFS+ itself offers no encryption facilities.


I suppose I could install TrueCrypt (other suggestions or comments  
on TrueVault?), but I prefer to minimize the amount of extra  
software I have to maintain.


TrueCrypt is a fine solution and indeed very helpful if you need
cross-platform encrypted volumes; it lets you trivially make an encrypted  
USB key you can use on Linux, Windows and OS X. If you're *just*  
talking about OS X, I don't believe TrueCrypt offers any advantages  
over encrypted disk images unless you're big on conspiracy theories.


Cheers,

--
Ivan Krstić krs...@solarsail.hcs.harvard.edu | http://radian.org



FileVault on other than home directories on MacOS?

2009-09-21 Thread Steven Bellovin
Is there any way to use FileVault on MacOS except on home  
directories?  I don't much want to use it on my home directory; it  
doesn't play well with Time Machine (remember that availability is  
also a security property); besides, different directories of mine have  
different sensitivity levels.


I suppose I could install TrueCrypt (other suggestions or comments on  
TrueVault?), but I prefer to minimize the amount of extra software I  
have to maintain.



--Steve Bellovin, http://www.cs.columbia.edu/~smb




