Re: FileVault on other than home directories on MacOS?
james hughes wrote:

>> TrueCrypt on the other hand uses AES in XTS mode so you get confidentiality and integrity.
>
> Technically, you do not get integrity. With XTS (P1619, narrow block tweaked cipher) you are not notified of data integrity failures, but these data integrity failures have a much reduced usability than CBC. With XTS:

[snip]

> If you change this to ZFS Crypto http://opensolaris.org/os/project/zfs-crypto/ You get complete integrity detection with the only remaining vulnerability that

For those not familiar this is because Jim and I choose to use CCM/GCM with AES. ZFS is already using a copy-on-write validated merkle tree. The 16 byte tag/MAC from CCM/GCM is stored in the block pointer above forming a merkle tree. Each encrypted block in ZFS has its own IV. ZFS "disk" blocks are variable size from 512 bytes to (currently) 128k.

> 1) you can return the entire disk to a previous state.
>
> While I may have put you all asleep, the basic premise holds... XTS is better than unauthenticated CBC.

Which is really what I was trying to say and overstated that XTS provides integrity. When really what it does is as you said, provides a better protection for certain classes of ciphertext modification than just using CBC.

--
Darren J Moffat

- The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com
Re: FileVault on other than home directories on MacOS?
Ivan Krstić wrote:

> On Sep 22, 2009, at 5:57 AM, Darren J Moffat wrote:
>> There is also a sleep mode issue identified by the NSA
>
> Unlike FileVault whose keys (have to) persist in memory for the duration of the login session, individual encrypted disk images are mounted on demand and their keys destroyed from memory on unmount.

The devil is in the details. If you use your default keychain to unlock a disk, I believe the _passphrase_ is still stored by LoginWindow.app in plain text...

So even if they destroyed keying material properly (do they? Is there source we can review for how FV works?) when the disk isn't in use, I somehow doubt that it's really safe to use FileVault in some circumstances against some attackers. Especially if you have a laptop and especially if you didn't turn on encrypted swap. Also especially if you happened to use the encrypted swap feature when it wasn't working. The list of hilarious bugs goes on and on.

(The LoginWindow.app bug is as old as the hills and I'm one of a dozen people to have reported it, I bet. Apple still hasn't fixed it because they rely on a user's password being in memory to escalate privileges without interacting with the user! I hear they're working on a fix but that it's difficult because many systems rely on this "feature.")

I haven't been working on or thinking about VileFault much but I suppose that we probably could add support for sparse bundles if someone wanted. I've been bugging Apple for some specifications and so far, it's been years without a real response. Most of what we know is in VileFault: http://code.google.com/p/vilefault/

It would be really awesome if Apple would open up all of this code or at least publish a specification for how it works. With either we could have a Fuse file system module to support these disk images on other platforms...

Best,
Jacob
Re: FileVault on other than home directories on MacOS?
On Sep 22, 2009, at 5:57 AM, Darren J Moffat wrote:

> Ivan Krstić wrote:
>> TrueCrypt is a fine solution and indeed very helpful if you need cross-platform encrypted volumes; it lets you trivially make an encrypted USB key you can use on Linux, Windows and OS X. If you're *just* talking about OS X, I don't believe TrueCrypt offers any advantages over encrypted disk images unless you're big on conspiracy theories.
>
> Note my information may be out of date. I believe that MacOS native encrypted disk images (and thus FileVault) uses AES in CBC mode without any integrity protection, the Wikipedia article seems to confirm that is (or at least was) the case http://en.wikipedia.org/wiki/FileVault

Unauthenticated CBC is indeed a problem http://tinyurl.com/ycoaruo

> There is also a sleep mode issue identified by the NSA: http://crypto.nsa.org/vilefault/23C3-VileFault.pdf

I don't think that Jacob Appelbaum or Ralf-Philipp Weinmann work for the NSA (but having "crypto.nsa.org" is cool :-)

> TrueCrypt on the other hand uses AES in XTS mode so you get confidentiality and integrity.

Technically, you do not get integrity. With XTS (P1619, narrow block tweaked cipher) you are not notified of data integrity failures, but these data integrity failures have a much reduced usability than CBC. With XTS:

1) You can return 16 byte chunks to previous values (ciphertext replay) as long as it is to the same place (offset) as it was before.
2) If you change a bit, you will randomize a 16 byte chunk of information.

With the P1619.2 mode, I believe, is called TET (IEEE 1619.2, wide block tweaked cipher) there are different characteristics. Usually the wide block is a sector so it can be 512 or some other value. In this case, you do not get complete integrity either. In this case

1) You can return a sector to a previous value (sector replay) as long as it is to the same place (offset) as it was before.
2) If you change a bit, you will randomize a complete sector of information.

If you change this to ZFS Crypto http://opensolaris.org/os/project/zfs-crypto/ You get complete integrity detection with the only remaining vulnerability that

1) you can return the entire disk to a previous state.

While I may have put you all asleep, the basic premise holds... XTS is better than unauthenticated CBC.

http://www.cpni.gov.uk/docs/re-20050509-00385.pdf
http://jvn.jp/niscc/NISCC-004033/index.html
http://www.kb.cert.org/vuls/id/302220

> --
> Darren J Moffat
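An added example, not code from any poster in this thread: the two XTS properties listed in the message above (a changed ciphertext bit randomizes one 16-byte chunk, and an old 16-byte chunk can be replayed at the same offset), using XTS-AES built on Go's standard `crypto/aes`. The keys, the sector contents and the names `xts`, `flipBit` and `replay` are constructed for illustration; it assumes sector number 0 and a sector length that is a multiple of 16, so no ciphertext stealing is needed.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"fmt"
)

var k1, _ = aes.NewCipher([]byte("constructed-key1")) // constructed data key
var k2, _ = aes.NewCipher([]byte("constructed-key2")) // constructed tweak key
var oldPT = []byte("owner=alice;pad;counter=0000100;flags=rw;pad=xx;") // constructed: earlier sector
var newPT = []byte("owner=alice;pad;counter=0000005;flags=rw;pad=xx;") // constructed: current sector

// xts runs XTS-AES over sector number 0, block by block: C_j = E_k1(P_j ^ T_j) ^ T_j.
func xts(src []byte, crypt func(dst, src []byte)) []byte {
	out, t := append([]byte(nil), src...), make([]byte, 16)
	k2.Encrypt(t, t) // T_0 = E_k2(sector number), sector 0 here
	for b := out; len(b) > 0; b = b[16:] {
		for i := range t {
			b[i] ^= t[i]
		}
		crypt(b[:16], b[:16])
		for i := range t {
			b[i] ^= t[i]
		}
		lo, hi := binary.LittleEndian.Uint64(t), binary.LittleEndian.Uint64(t[8:])
		binary.LittleEndian.PutUint64(t, lo<<1^(hi>>63)*0x87) // T_{j+1} = T_j * x in GF(2^128)
		binary.LittleEndian.PutUint64(t[8:], hi<<1|lo>>63)
	}
	return out
}

// flipBit flips one ciphertext bit and decrypts: no error, one 16-byte block garbled.
func flipBit(pos int) []byte {
	ct := xts(newPT, k1.Encrypt)
	ct[pos] ^= 1
	return xts(ct, k1.Decrypt)
}

// replay copies an earlier ciphertext block back to the same offset and decrypts.
func replay(blk int) []byte {
	oldCT, ct := xts(oldPT, k1.Encrypt), xts(newPT, k1.Encrypt)
	copy(ct[blk*16:blk*16+16], oldCT[blk*16:])
	return xts(ct, k1.Decrypt)
}

func main() {
	fmt.Printf("bit flip: %q\nreplay:   %q\n", flipBit(16), replay(1))
}
```

Neither call has any way to signal that the sector was altered; with the per-block CCM/GCM tag described for ZFS earlier in the thread, both modified sectors would fail authentication on read.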
Re: FileVault on other than home directories on MacOS?
On Sep 22, 2009, at 5:57 AM, Darren J Moffat wrote:

> There is also a sleep mode issue identified by the NSA

Unlike FileVault whose keys (have to) persist in memory for the duration of the login session, individual encrypted disk images are mounted on demand and their keys destroyed from memory on unmount.

> TrueCrypt on the other hand uses AES in XTS mode so you get confidentiality and integrity.

XTS certainly doesn't provide cryptographic integrity. It provides different ciphertext malleability characteristics than CBC, in that you can only randomize an arbitrary 16-byte block of plaintext instead of being able to flip an arbitrary bit (and screw up the previous block). However, this comes with other costs inherent to seekable narrow-block encryption, so I think it's hard to argue XTS provides "more" integrity than CBC. Or were you referring to something else?

--
Ivan Krstić | http://radian.org
Re: FileVault on other than home directories on MacOS?
On 22/09/2009 14:57, Darren J Moffat wrote:

> There is also a sleep mode issue identified by the NSA:

An extremely minor point, that looks like Jacob and Ralf-Philipp perhaps "aka nsa.org", rather than the NSA.gov. Still useful.

iang
Re: FileVault on other than home directories on MacOS?
On Sep 21, 2009, at 3:57 PM, Steven Bellovin wrote:

> Is there any way to use FileVault on MacOS except on home directories? I don't much want to use it on my home directory; it doesn't play well with Time Machine (remember that availability is also a security property); besides, different directories of mine have different sensitivity levels.

According to an Apple security person who spoke here about a year ago, you can use the underlying CLI to do everything FileVault does, but at some other point(s) in the directory tree than home directories.
Re: FileVault on other than home directories on MacOS?
> In Disk Utility -> New Image, select size, properties and encryption type (AES 128 or 256) and Create. Then mount and use your encrypted disks as needed.

Just as an aside: on 10.5 and upwards I have taken to using encrypted sparse bundles rather than simple images; the advantage of doing this is that if you are creating an encrypted filesystem on (say) a 16Gb FAT-32 USB stick, then:

a) you are not constrained to a 4Gb encrypted image (otherwise to FAT32)
b) when using the sparse image, your files can be >4Gb
c) you do not eat the entire stick all at once
d) there can be (is?) a degree of garbage collection
e) the stick is still usable as FAT32

- alec

--
alec.muff...@gmail.com
http://www.crypticide.com/dropsafe/
Re: FileVault on other than home directories on MacOS?
Ivan Krstić wrote:

> TrueCrypt is a fine solution and indeed very helpful if you need cross-platform encrypted volumes; it lets you trivially make an encrypted USB key you can use on Linux, Windows and OS X. If you're *just* talking about OS X, I don't believe TrueCrypt offers any advantages over encrypted disk images unless you're big on conspiracy theories.

Note my information may be out of date. I believe that MacOS native encrypted disk images (and thus FileVault) uses AES in CBC mode without any integrity protection, the Wikipedia article seems to confirm that is (or at least was) the case http://en.wikipedia.org/wiki/FileVault

There is also a sleep mode issue identified by the NSA: http://crypto.nsa.org/vilefault/23C3-VileFault.pdf

TrueCrypt on the other hand uses AES in XTS mode so you get confidentiality and integrity.

--
Darren J Moffat
Re: FileVault on other than home directories on MacOS?
Steve,

On Sep 21, 2009, at 1:57 PM, Steven Bellovin wrote:

> Is there any way to use FileVault on MacOS except on home directories?

FileVault is essentially just the name for a plain encrypted disk image which happens to have some voodoo associated with it to get pivoted in as your homedir at login. This is to say, you can make arbitrarily many encrypted disk images with Disk Utility and use them as individual encrypted (non-homedir) folders. If you're asking whether you can turn on encryption for existing system folders, the answer is no; HFS+ itself offers no encryption facilities.

> I suppose I could install TrueCrypt (other suggestions or comments on TrueVault?), but I prefer to minimize the amount of extra software I have to maintain.

TrueCrypt is a fine solution and indeed very helpful if you need cross-platform encrypted volumes; it lets you trivially make an encrypted USB key you can use on Linux, Windows and OS X. If you're *just* talking about OS X, I don't believe TrueCrypt offers any advantages over encrypted disk images unless you're big on conspiracy theories.

Cheers,

--
Ivan Krstić | http://radian.org
Re: FileVault on other than home directories on MacOS?
On Mon, Sep 21, 2009 at 04:57:56PM -0400, Steven Bellovin wrote:

> Is there any way to use FileVault on MacOS except on home directories? I don't much want to use it on my home directory; it doesn't play well with Time Machine (remember that availability is also a security property); besides, different directories of mine have different sensitivity levels.
>
> I suppose I could install TrueCrypt (other suggestions or comments on TrueVault?), but I prefer to minimize the amount of extra software I have to maintain.

You can just create a regular encrypted disk image using Disk Utility (and set it to auto-mount using Finder if you want).

- Adam

--
** I design intricate-yet-elegant processes for user and machine problems.
** Custom development project broken? Contact me, I can help.
** Some of what I do: http://workstuff.tumblr.com/post/70505118/aboutworkstuff

[ http://workstuff.tumblr.com ] ... Technology Blog
[ http://www.aquick.org/blog ] Personal Blog
[ http://www.adamfields.com/resume.html ].. Experience
[ http://www.flickr.com/photos/fields ] ... Photos
[ http://www.twitter.com/fields ].. Twitter
[ http://www.morningside-analytics.com ] .. Latest Venture
[ http://www.confabb.com ] Founder
Re: FileVault on other than home directories on MacOS?
On Sep 22, 2009, at 6:57 AM, Steven Bellovin wrote:

> Is there any way to use FileVault on MacOS except on home directories? I don't much want to use it on my home directory; it doesn't play well with Time Machine (remember that availability is also a security property); besides, different directories of mine have different sensitivity levels.
>
> I suppose I could install TrueCrypt (other suggestions or comments on TrueVault?), but I prefer to minimize the amount of extra software I have to maintain.

Hi Steven

You can just use encrypted disk images, which is IIRC what FileVault uses.

In Disk Utility -> New Image, select size, properties and encryption type (AES 128 or 256) and Create. Then mount and use your encrypted disks as needed.

Cheers