Re: It's a Presidential Mandate, Feds use it. How come you are not using FDE?

2007-01-22 Thread james hughes


On Jan 18, 2007, at 6:57 PM, Saqib Ali wrote:



When is the last time you checked the code for the open source app
that you "use", to make sure that it is written properly?


30 seconds ago.

What mode is it using? How much information is encrypted under a  
single key. Was the implementation FIPS certified. And the list goes on.


These are important issues.




-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]


Re: It's a Presidential Mandate, Feds use it. How come you are not using FDE?

2007-01-22 Thread james hughes


On Jan 19, 2007, at 4:06 AM, Bill Stewart wrote:


[...] if you're trying to protect against KGB-skilled attacks [...]



On the other hand, if you're trying to protect against
lower-skilled attackers, [...]



I always find these arguments particularly frustrating.

By slowly raising the bar for the lower-skilled criminals, you get  
the effect in Steven's firewall book cover (I forget the version,  
where you must be a certain height to attack the castle.)


For me, the bottom line is that if you protect against the former,  
then you get the latter, and it is only a small matter of time when  
the lower-skilled people will get a script to do the higher quality  
attacks. Remember WEP?


I really have to question continuing a snail's pace information  
protection arms war when we have all the tools we need to properly  
defend ourselves.


-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]


Re: It's a Presidential Mandate, Feds use it. How come you are not using FDE?

2007-01-20 Thread Victor Duchovni
On Sat, Jan 20, 2007 at 10:10:47PM +1300, Peter Gutmann wrote:

> Victor Duchovni <[EMAIL PROTECTED]> writes:
> 
> >It took reading the code to determine the following:
> >
> >- ASN.1 Strings extracted from X.509v3 certs are not validated for
> >conformance with the declared character syntax. Strings of type
> >PrintableString or IA5String may hold non-printable or non-ASCII
> >data.
> 
> Just a word in OpenSSL's defence, see the X.509 Style Guide for the reasoning
> behind this.  I don't think any ASN.1-using security toolkit since TIPEM has
> done character-set checking, it would fail to verify a large chunk of the
> certs out there (I once had a TIPEM user complain to me that they had to stop
> using it specifically because it would reject invalid character strings, which
> encompassed a nontrivial portion of their user base).

I understand the motivation, and agree that this is the right thing to
do, indeed in the application (Postfix) I just map the content to UTF8
(using the identity mapping where appropriate) and then decide what
characters are acceptable, I don't need the original ASN.1 string type
after the string is in canonical form.

My point was that not all the fine details are always documented (even in
closed source libraries with funded documentation teams), and having the
source allows me to move beyond cargo-cult programming and to understand
how to use the library correctly. I guess this is RTFS to extract the
semantics out of the syntax documentation.

In addition, I think that the library should-provide idiot-friendly
interfaces for handling ASN.1 string data holding security sensitive
information (CommonName, subjectAltName, ...), because the code one
finds and copies from other projects is not sufficiently careful.

RFC 3820 suggests that it is OK to consider strings of different ASN.1
types as different content for comparison and then, by implication,
just compare the raw content when the types match, but what one finds
is that applications mostly IGNORE the ASN.1 string type and use the
raw octets for comparison, display, ... and they do that at their peril.

It is also almost universal practice (in C code anyway) to not check
for embedded NUL in the ASN.1 strings, and I wonder how may CAs would
issue "eve.biz" a cert for "alice.com\0..eve.biz"? (If the CA's code
handles NUL in octet strings as just another byte, this could happen.

But we digress again, the source is useful in any case, and not just
for full code reviews, used with care it is the ultimate documentation.

-- 

 /"\ ASCII RIBBON  NOTICE: If received in error,
 \ / CAMPAIGN Victor Duchovni  please destroy and notify
  X AGAINST   IT Security, sender. Sender does not waive
 / \ HTML MAILMorgan Stanley   confidentiality or privilege,
   and use is prohibited.

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]


Re: It's a Presidential Mandate, Feds use it. How come you are not using FDE?

2007-01-20 Thread Jonathan Thornburg
On Fri, 19 Jan 2007, Bill Stewart wrote:
> Obviously if you're trying to protect against KGB-skilled attacks
> on stolen/confiscated hardware, you'd like to have the swap partition
> encrypted as well as any user data partitions, though you may not care
> whether your read-only utility software was protected
> (e.g. your Knoppix disk or vanilla shared /usr/ or whatever.)
[[...]]
> 
> On the other hand, if you're trying to protect against
> lower-skilled attackers, e.g. laptop thieves who are reselling
> disks to the Nigerians and other hardware on eBay,
> you want to protect your file systems,
> but probably don't need to protect your swap.
> It's certainly nice to do that, of course, and might be a Good Thing
> for Linux and ***BSD to include in their standard swap drivers,

OpenBSD has had swap-space encryption for some years, and recent versions
turn it on in the default install.  I don't know what the other BSDs or
various Linuxen do by default.

OpenBSD's swap encryption uses Rajndael/AES implemented in software.
The performance hit is small on modern hardware, and still acceptable
even on slow hardware (I haven't seen any problems on an old 486/33
laptop I'm using as a home firewall/router).

For laptops (where physical theft is major concern), I think the
combination of an encrypting file system and swap encryption gives a
pretty good -- and readily configurable -- security/performance tradeoff.

ciao,

-- 
-- "Jonathan Thornburg -- remove -animal to reply" <[EMAIL PROTECTED]>
   Max-Planck-Institut fuer Gravitationsphysik (Albert-Einstein-Institut),
   Golm, Germany, "Old Europe" http://www.aei.mpg.de/~jthorn/home.html  
   "Washing one's hands of the conflict between the powerful and the
powerless means to side with the powerful, not to be neutral."
  -- quote by Freire / poster by Oxfam

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]


Re: It's a Presidential Mandate, Feds use it. How come you are not using FDE?

2007-01-20 Thread Peter Gutmann
Victor Duchovni <[EMAIL PROTECTED]> writes:

>It took reading the code to determine the following:
>
>- ASN.1 Strings extracted from X.509v3 certs are not validated for
>conformance with the declared character syntax. Strings of type
>PrintableString or IA5String may hold non-printable or non-ASCII
>data.

Just a word in OpenSSL's defence, see the X.509 Style Guide for the reasoning
behind this.  I don't think any ASN.1-using security toolkit since TIPEM has
done character-set checking, it would fail to verify a large chunk of the
certs out there (I once had a TIPEM user complain to me that they had to stop
using it specifically because it would reject invalid character strings, which
encompassed a nontrivial portion of their user base).

Peter.

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]


Re: It's a Presidential Mandate, Feds use it. How come you are not using FDE?

2007-01-19 Thread Bill Stewart


As far as "Full Disk Encryption"'s usefulness as a term goes,
I'd distinguish between several different kinds of applications
for encrypting the contents of a disk
1 - The disk drive or maybe disk controller card (RAID, SCSI, etc.)
encrypts all the bits written to the drive
and decrypts all the bits read from the drive,
usually with some keying input from the OS.
2 - The operating system's driver software
encrypts/decrypts all bits written to/from the drive
3 - The operating system's file system driver software
encrypts/decrypts all bits written to/from a file system
(which might or might not occupy a drive partition.)
4 - Utility software encrypts/decrypts bits written to/from directories.
5 - Application software encrypts/decrypts contents of files.

Obviously if you're trying to protect against KGB-skilled attacks
on stolen/confiscated hardware, you'd like to have the swap partition
encrypted as well as any user data partitions, though you may not care
whether your read-only utility software was protected
(e.g. your Knoppix disk or vanilla shared /usr/ or whatever.)
Whether you implement that in the disk controller or OS is really
a matter of convenience and user support economics -
if you're a small conspiracy you may want to roll your own,
but if you're a corporate IT shop, you've probably got economic issues
that affect whether you customize the OS (more) or the disks or both
and it's the operational processes that will trip you up.

On the other hand, if you're trying to protect against
lower-skilled attackers, e.g. laptop thieves who are reselling
disks to the Nigerians and other hardware on eBay,
you want to protect your file systems,
but probably don't need to protect your swap.
It's certainly nice to do that, of course, and might be a Good Thing
for Linux and ***BSD to include in their standard swap drivers,
but hopefully your file system drivers would keep their keys
in non-swappable memory, and most other things get overwritten
often enough that attackers not using electron microscopes
probably won't bother with them much.  In most OS's,
swap isn't persistent across system reboots,
so you can actually generate a new key on the fly every time
and not bother the user about entering it, unlike regular filesystems
or full-disk-encryption systems.

Of course, if the KGB *is* after you, they may black-bag your PC
before they confiscate it - if there's a key-logger chip
added to your keyboard or a camera mounted in your ceiling light,
it may not matter how cool your FDE is.

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]


Re: It's a Presidential Mandate, Feds use it. How come you are not using FDE?

2007-01-19 Thread Steve Schear

At 03:57 PM 1/18/2007, Saqib Ali wrote:

When is the last time you checked the code for the open source app
that you "use", to make sure that it is written properly?


When is the last time you carefully checked the code for a closed source 
app that you use? (Besides the one you mentioned  to start this thread)


Steve 


-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]


Re: It's a Presidential Mandate, Feds use it. How come you are not using FDE?

2007-01-19 Thread Victor Duchovni
On Thu, Jan 18, 2007 at 03:57:46PM -0800, Saqib Ali wrote:

> When is the last time you checked the code for the open source app
> that you "use", to make sure that it is written properly?
> 

Yesterday, in the case of OpenSSL, though I was only looking at how
ASN.1 strings that store the subject CN and subjectAltName deal with
the various possible supported encodings, embedded NUL octets, ...

It took reading the code to determine the following:

- ASN.1 Strings extracted from X.509v3 certs are not validated for
conformance with the declared character syntax. Strings of type
PrintableString or IA5String may hold non-printable or non-ASCII
data.

- Rather in OpenSSL all the ASN.1 string types are opaque TLV byte
arrays, with a manifest type and arbitrary content that may or
not be consisten with the type, and may hold embedded NUL bytes
which require some care in C applications, but at least it *is*
possible if is careful, to check that:

ASN_STRING_length(s) == strlen(ASN1_STRING_DATA(s))

- Conversion to UTF8 is implemented correctly, without prematurely
stopping on internal NUL octets. This also checks that BMPString and
UniversalStrings have encoded lengths that are even or divisible by
4 respectively, and that UTF8 input is valid and "minimal".

This means that as a user of the library, I must (and fortunately can):

- Convert the raw ASN.1 encoded data if BMPString or
UniversalString to UTF8.

- Check CommonNames and DNS subjectAltNames for internal NULs,
because I can't rely on no CA to ever mess up and sign a cert for
"alice.com\0.eve.com". This check is not found in most sample
applications that (cargo-cult programming rampant in other
problem spaces is also common with SSL).

- Check CommonNames and DNS subjectAltNames for unexpected
non-printable or non-printable characters as appropriate.

This is not the same as a full code review, but having access to the source
means that I can make sure that my code is a correct use of the interface,
that I am not making unfounded assumptions, and there are no obvious bugs
in the part of the library that I am reviewing.

-- 

 /"\ ASCII RIBBON  NOTICE: If received in error,
 \ / CAMPAIGN Victor Duchovni  please destroy and notify
  X AGAINST   IT Security, sender. Sender does not waive
 / \ HTML MAILMorgan Stanley   confidentiality or privilege,
   and use is prohibited.

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]


Re: It's a Presidential Mandate, Feds use it. How come you are not using FDE?

2007-01-18 Thread Saqib Ali

Algorithms can be perfect and implementation sloppy. If you can
review the code you might find the problem, but with proprietary
code, fergetit.


I think you guys are missing the point. The term "Snake-Oil Crypto"
refers to the algorithm and NOT the actual implementation. This is a
"important" distinction.

I am copying Matt Curtain (who maintains Snake-Oil Crypto FAQ) and
Bruce Schneier so that they can correct me if I am wrong.

We all know that many open crypto algorithms (like kerberos, AES) have
been implemented in sloppy manner in both open-source and close-source
world. Being open source doesn't necessarily mean that the
implementation is secure.

When is the last time you checked the code for the open source app
that you "use", to make sure that it is written properly?

saqib
http://www.full-disk-encryption.net




On 1/18/07, Allen <[EMAIL PROTECTED]> wrote:



Saqib Ali wrote:
> Since when did AES-128 become "snake-oil crypto"? How come I missed
> that? Compusec uses AES-128 . And as far as I know AES is NOT
> "snake-oil crypto"

Saqib,

I believe you are correct as to the algorithm, but the snake-oil
is in the implementation,

As I have often said, "A misplaced comma in an English sentence
will merely get you a bad reputation as a writer, however, a
misplaced comma in a nuclear weapons project may leave an
enduring mark on the world."

>
> Closed-source doesn't mean that it is "snake-oil". If that was the
> case, the Microsoft's EFS, and Kerberos implementation would be "snake
> oil" too.

As I recall there have been a few problems with Kerberos in the past.

Best,

Allen

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]




--
Saqib Ali, CISSP, ISSAP
http://www.full-disk-encryption.net

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]


Re: It's a Presidential Mandate, Feds use it. How come you are not using FDE?

2007-01-18 Thread Allen



Saqib Ali wrote:

Since when did AES-128 become "snake-oil crypto"? How come I missed
that? Compusec uses AES-128 . And as far as I know AES is NOT
"snake-oil crypto"


Saqib,

I believe you are correct as to the algorithm, but the snake-oil 
is in the implementation,


As I have often said, "A misplaced comma in an English sentence 
will merely get you a bad reputation as a writer, however, a 
misplaced comma in a nuclear weapons project may leave an 
enduring mark on the world."


Algorithms can be perfect and implementation sloppy. If you can 
review the code you might find the problem, but with proprietary 
code, fergetit.


Closed-source doesn't mean that it is "snake-oil". If that was the
case, the Microsoft's EFS, and Kerberos implementation would be "snake
oil" too.


As I recall there have been a few problems with Kerberos in the past.

Best,

Allen

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]


Re: It's a Presidential Mandate, Feds use it. How come you are not using FDE?

2007-01-18 Thread Damien Miller
On Thu, 18 Jan 2007, Saqib Ali wrote:

> Since when did AES-128 become "snake-oil crypto"? How come I missed
> that? Compusec uses AES-128 . And as far as I know AES is NOT
> "snake-oil crypto"

It is even easier to use a good cryptographic transform in a way that is
utterly insecure then it is to come up with a secure-looking-but-broken
transform. How does this company apply AES-128 to the task of encrypting
disk sectors? There are lots of ways to do it, many of them wrong.

-d

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]


Re: It's a Presidential Mandate, Feds use it. How come you are not using FDE?

2007-01-18 Thread Chris Kuethe

On 1/18/07, Saqib Ali <[EMAIL PROTECTED]> wrote:

Since when did AES-128 become "snake-oil crypto"? How come I missed
that? Compusec uses AES-128 . And as far as I know AES is NOT
"snake-oil crypto"


He didn't say that AES is snake oil. He says he wants assurance that
the tool operates correctly. Using AES to generate an XOR key is still
using AES, but it's using it poorly.


Closed-source doesn't mean that it is "snake-oil". If that was the
case, the Microsoft's EFS, and Kerberos implementation would be "snake
oil" too.


He didn't say that closed source is snake oil. He says he wants
assurance that the tool operates correctly. The kind of assurance you
get from having a completely open design and implementation.

This is right up there with Seagate's encrypting disk which Dave Korn
(rightfully) expressed dismay over...

"And the reason is that software vendors, particularity software
vendors in the security world need to have some place to hide their
secrets. And we provide the perfect place to hide secrets, because we
can cryptographically handle things in a way that makes very difficult
to snoop or sniff the secrets. We have hidden operation in the drive
as well as hidden storage place that normally can't be accessed via
ATA commands. So in a way we have a bit of a black box, in terms of a
security device, that no one knows what is going on in there, and it
is a perfect place to hide stuff."

That's just wrong on so many levels. I want to know exactly how my
data is being transformed and stored. I want to be absolutely sure
that the on-disk representation of my data is critically dependent on
my key, and not on some vendor-derived key based on my disk serial
number. I want to know for sure that reading sector -42 won't hand you
back my key. I want to know that my encryption software isn't somehow
leaking my key. etc.

Hand me a crypto tool so well designed, so carefully audited and so
rigourously proven that it's approved for storing the government
secrets until the end of time... I'll still say "that's nice, where's
my copy of the source code".

CK

--
GDB has a 'break' feature; why doesn't it have 'fix' too?

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]


Re: It's a Presidential Mandate, Feds use it. How come you are not using FDE?

2007-01-18 Thread Saqib Ali

Since when did AES-128 become "snake-oil crypto"? How come I missed
that? Compusec uses AES-128 . And as far as I know AES is NOT
"snake-oil crypto"

Closed-source doesn't mean that it is "snake-oil". If that was the
case, the Microsoft's EFS, and Kerberos implementation would be "snake
oil" too.

I think you are mistaken on the definition of "snake-oil crypto".

Snake-oil crypto refers to "New mathematics", "Proprietary
cryptography", and "Pseudo-mathematical gobbledygook"

Please see the following URL for more into on snake-oil crypto:
http://www.schneier.com/crypto-gram-9902.html#snakeoil

saqib
http://www.full-disk-encryption.net



If I have data that's valuable enough to need encryption, I'm going
to be nervous trusting it to closed-source software.  How do I know
that Compusec's cryto is done properly?  As Bruce Schneier has
famously said, to the user snake-oil crypto looks just like good
crypto -- both scramble the bits enough to look "random" to the eye.


-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]


Re: It's a Presidential Mandate, Feds use it. How come you are not using FDE?

2007-01-18 Thread Jonathan Thornburg
On Wed, 17 Jan 2007, Saqib Ali wrote:
[[addressed to Steven Bellovin, but copied to the whole list]]
> I would like to invite you to try out a Free FDE product called
> Compusec < http://www.ce-infosys.com/ >

If I have data that's valuable enough to need encryption, I'm going
to be nervous trusting it to closed-source software.  How do I know
that Compusec's cryto is done properly?  As Bruce Schneier has
famously said, to the user snake-oil crypto looks just like good
crypto -- both scramble the bits enough to look "random" to the eye.

In contrast, even though I haven't personally read the {linux,bsd}
crypto source code, lots of serious crypto geeks have, so I can be
a lot more confident that it's of at least reasonable quality.

Another issue is that closed-source crypto hardware/software has had
back doors planted in it in the past, either for "key recovery when
customers loose their keys", or after pressure by assorted government
agencies.  I'm sure the NSA could bribe someone to backdoor the Linux
kernel, but it would be really hard to keep this a secret when many
"uncontrolled" people get to browse the source code.


> After trying, please let me know if the distinction between "disk
> encryption" (e.g. TrueCrypt) and "full disk encryption" (e.g.
> Compusec) is insufficient.

For the above reasons, I wouldn't trust either of these.
I keep _my_ confidential files under Matt Blaze's CFS; any of the
other open-source {linux,bsd} cryptographic file systems would be
reasonable alternatives.

--
-- "Jonathan Thornburg -- remove -animal to reply" <[EMAIL PROTECTED]>
   Max-Planck-Institut fuer Gravitationsphysik (Albert-Einstein-Institut),
   Golm, Germany, "Old Europe" http://www.aei.mpg.de/~jthorn/home.html  
   "Washing one's hands of the conflict between the powerful and the
powerless means to side with the powerful, not to be neutral."
  -- quote by Freire / poster by Oxfam

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]


Re: It's a Presidential Mandate, Feds use it. How come you are not using FDE?

2007-01-18 Thread Anne & Lynn Wheeler

Steven M. Bellovin wrote:

Not necessarily -- many of my systems have multiple disk drives and
file systems, some of which are on removable media.  Apart from that,
though, this is reinforcing my point -- what is the threat model?


PC/RT had external scsi disk drive housing ... with scsi disk drive "bricks" 
that could be removed from the housing and locked in safes (when the owner wasn't 
physical present). This was later part of the '80s ... twenty some years ago.

nearly 35 yrs ago ... there was this enormous corporate project and all the 
information on the project was kept strictly confidential. a whole bunch of 
security features were added to prevent leakage of any of the information. they 
even went so far as to claim that even I couldn't access the information ... 
even if I was physical present in the room. It was one of the few times that I 
actually took the bait ... I claimed it would only take me a few minutes ... I 
found the location in memory of the authentication routine and patched one byte 
so all returns from the routine indicated valid authentication (most of the 
time was spent disabling all access to the machine from outside the room since 
i didn't want a real compromise).

This is similar ... but different to more recent "yes card" vulnerability ... where the card is asked if the 
correct PIN has been entered ... and a "yes card" always responds "YES". Would appear to work not 
only for skimming scenario and counterfeit card  but also as a MITM-attack with valid card. misc. past posts 
mentioning "yes card"
http://www.garlic.com/~lynn/subintegrity.html#yescard

In any case, my claim way back then (nearly 35yrs ago) was that the only 
countermeasure to such physical access was encrypting the data. Later, I even 
did prototype filesystem as example ... but at the time ... the processor load 
was excessive (would typically only be justified for small subset of extremely 
sensitive information).

The project back then was called Future System
http://www.garlic.com/~lynn/subtopic.html#futuresys

and was canceled w/o ever being announced. However there were some comments 
that the amount spent on the failed future system project would have bankrupted 
any other computer company.

misc. past posts admitted to haven once risen to the bait in my brash youth.
http://www.garlic.com/~lynn/96.html#24 old manuals
http://www.garlic.com/~lynn/2004g.html#45 command line switches
http://www.garlic.com/~lynn/2006.html#11 Some credible documented evidence that 
a MVS or later op sys has ever been hacked

The scenario was that if I had physical access ... there were a whole variety 
of compromises that wouldn't have been possible otherwise  at least for 
these class of systems ... small footnote about some deployments ... which i 
didn't find out until sometime later
http://www.nsa.gov/selinux/list-archive/0409/8362.cfm

Note that when it started becoming common for people taking portable terminals and later PCs on the road ... for off-site access (reading email, etc) in the very early 80s ... there was vulnerability study done ... and one conclusion was that one of the most weakest points is a hotel PBX closet ... which resulted in design, build and deployment of custom encrypting 2400baud modems for all off-site dial-in access. 

I'm periodically quite dismayed by the cavalier way that many corporations have treated off-site access over the past 20 years. For other comparison, the corporate network, which was larger than arpanet/internet from just about the beginning until possibly sometime mid-85. 
http://www.garlic.com/~lynn/subnetwork.html#internalnet


required link encryptors on all lines that left a corporate facility ... and 
sometime in the mid-80s there were comments that the internal corporate network 
had over half of all the link encryptors in the world (these are things like 
leased lines ... separate from the encrypting dial-up modems).

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]


Re: It's a Presidential Mandate, Feds use it. How come you are not using FDE?

2007-01-17 Thread Steven M. Bellovin
On Wed, 17 Jan 2007 09:33:54 -0800
"Saqib Ali" <[EMAIL PROTECTED]> wrote:

> On 1/16/07, Steven M. Bellovin <[EMAIL PROTECTED]> wrote:
> > I don't think that that distinction is either necessary or
> > sufficient.
> 
> Dr. Bellovin,

Please -- "Steve".
> 
> I would like to invite you to try out a Free FDE product called
> Compusec < http://www.ce-infosys.com/ >

Does it run on NetBSD?  I don't use Windows
> 
> After trying, please let me know if the distinction between "disk
> encryption" (e.g. TrueCrypt) and "full disk encryption" (e.g.
> Compusec) is insufficient.
> 

My point is that I have some fairly complex operational environments.
The distinction between the "operating system" and everything else
isn't that clear.  What is part of the OS?  The kernel?  The boot
loader? (It has several parts.)  Dynamically-loaded
modules?  /sbin/init?  The shell?  My virtual machines?  The Xen
hypervisor?  (I don't yet run Xen on my laptop.  I will as soon as it
supports power management.)

--Steve Bellovin, http://www.cs.columbia.edu/~smb

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]


Re: It's a Presidential Mandate, Feds use it. How come you are not using FDE?

2007-01-17 Thread Saqib Ali

On 1/16/07, Steven M. Bellovin <[EMAIL PROTECTED]> wrote:

I don't think that that distinction is either necessary or sufficient.


Dr. Bellovin,

I would like to invite you to try out a Free FDE product called
Compusec < http://www.ce-infosys.com/ >

After trying, please let me know if the distinction between "disk
encryption" (e.g. TrueCrypt) and "full disk encryption" (e.g.
Compusec) is insufficient.

Note: I am not affiliated with Compusec in any manner.

Thanks
saqib
http://www.full-disk-encryption.net

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]


Re: It's a Presidential Mandate, Feds use it. How come you are not using FDE?

2007-01-17 Thread David I. Emery
On Tue, Jan 16, 2007 at 11:33:46AM -0500, Steven M. Bellovin wrote:
> On Tue, 16 Jan 2007 08:19:41 -0800
> "Saqib Ali" <[EMAIL PROTECTED]> wrote:
> 
> > Dr. Bellovin,
> > 
> > > In most situations, disk encryption is useless and probably harmful.
> > > It's useless because you're still relying on the OS to prevent
> > > access to the cleartext through the file system, and if the OS can
> > > do that it can do that with an unencrypted disk.
> > 
> > I am not sure I understand this. With FDE, the HDD is unlocked by a
> > pre-boot kernel (linux). It is not the function of the resident OS to
> > unlock the drive.
> 
> Not necessarily -- many of my systems have multiple disk drives and
> file systems, some of which are on removable media.  Apart from that,
> though, this is reinforcing my point -- what is the threat model?

Seems to me the threat model is real and obvious - physical 
access to the disk hardware - either by theft or (worse) by stealth (eg
black bag jobs, or insider access at night or on weekends).

Think of someone either image copying or stealing a drive that
contains valuable data... most of the time this necessarily involves
either powering it down or disconnecting it in a way that can be readily
detected by drive and host interface firmware.   If this results in
zeroization of the working key in the drive requiring some kind of
re-authentication of host to drive and drive to host and then reload of
key before the data can be read it at least becomes significantly harder
to steal data by just unplugging the drive  and either walking out the
door with it in your briefcase or plugging it into another system for an
image copy before returning it to its normal home.

Needless to say if the drive and its contained file systems
aren't encrypted this is pretty low hanging fruit.  Relatively unskilled
attackers can easily capture very valuable material if they can gain
physical access for only a few minutes.

And further, unusual events - disasters such as floods, fires,
tornadoes, building collapses and the like - can result in massive
exposure of confidential data amidst the ruins whereas if the disks in
desktops and servers were encrypted capture of - or covert access to - the
drives in the chaos surrounded a crisis is much less useful to an
adversary.

Obviously it may be possible for really sophisticated attackers
to somehow unplug drives from live machines without the key zeroization
happening and presumably without the host noticing and raising an alarm
and logging the event, but given the mechanical design of modern high
end desktop and server boxes with a common connector for power and
signals for the current generation of SATA drives this is at the very
least significantly more challenging to do without getting noticed or
caught than just causing a fake power fail and removing the disks.   And
it can be made harder by appropriate modest hardware, firmware and system
tweaks too.

Obviously too, a disk whose surface is encrypted with a key it
forgets when the power is off can be quite safely shipped or stored or
even decommissioned and destroyed without much danger of disclosure of
confidential data contained therein.   This is far more useful in
practice than it might in first seem as it reduces costs and risks a lot
in many common situations where drives and even entire machines need to
be moved, stored, sold, scrapped and shipped around in untrusted hands.

And a server or desktop that is depowered (if it is truly
depowered, not always the case with modern hardware) can be assumed to
be in a fairly secure state (presuming the key reload on power up
requires some external intervention) whereas a traditional in-the-clear
disks server or desktop that contains highly sensitive information is in
face MORE vulnerable when powered down in that its  disks can be
removed, image copied, and returned to the system without much of
anything being the wiser.   A powered up machine is much more likely to
at least log anomalous events that can be detected if not suspiciously
crash altogether when its disks are removed or disconnected.   This
paradoxically makes the systems in a typical office more vulnerable
exactly when they are least well monitored and protected - nights and
weekends and other off hours.

So I do think the classic FDE with AES in the drive ASICs does gain
something meaningful against this kind of threat, though obviously the most
sophisticated and careful attacks can defeat it.   But defeating the less
elaborate attacks at least removes an AWFUL lot of low hanging fruit and
in doing so materially increases overall security.   There are far fewer
really sophisticated attackers than common (and often pretty stupid) petty
criminals near computers, after all.

Back under my rock...

-- 
   Dave Emery N1PRE,  [EMAIL PROTECTED]  DIE Consulting, Weston, Mass 02493
"An empty zombie mind with a forlorn barely readable weathe

Re: It's a Presidential Mandate, Feds use it. How come you are not using FDE?

2007-01-16 Thread Steve Schear

At 08:08 AM 1/16/2007, Steven M. Bellovin wrote:

On Tue, 16 Jan 2007 07:56:22 -0800
Steve Schear <[EMAIL PROTECTED]> wrote:

> At 06:32 AM 1/16/2007, Steven M. Bellovin wrote:
Legal access is a special case -- what is the law (and practice) in any
given country on forced access to keys?  If memory serves, Mike Godwin
-- a lawyer who strongly supports crypto, etc. -- has opined that under
US law, a subpoena for keys would probably be upheld by the courts.  I
believe that British law explicitly mandates key disclosure.  And of
course, there's always rubber hose cryptanalysis in jurisdictions where
that's acceptable.


That assumes the police or other agencies know who operated the server.  In 
practice, some TOR servers are rented by hosting sites to parties they 
don't know or think they know but really don't.


Steve 


-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]


Re: It's a Presidential Mandate, Feds use it. How come you are not using FDE?

2007-01-16 Thread Steven M. Bellovin
On Tue, 16 Jan 2007 08:58:27 -0800
"Saqib Ali" <[EMAIL PROTECTED]> wrote:

> > Yes, encrypted disks aren't much good unless the OS also encrypts
> > (at least) swap space.  I note that OpenBSD ships with swap-space
> 
> I think you are confusing "Disk Encryption" with "Full Disk Encryption
> (FDE)". They are two different beast.
> 
> FDE encrypts the "entire" boot drive, including the OS, kernel and the
> swap space.
> 
> Disk Encryption, on the other hand, only encrypts the non-OS portion.
> 
> saqib
> http://www.full-disk-encryption.net
> 

I don't think that that distinction is either necessary or sufficient.


--Steve Bellovin, http://www.cs.columbia.edu/~smb

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]


Re: It's a Presidential Mandate, Feds use it. How come you are not using FDE?

2007-01-16 Thread Nicholas Bohm

Steven M. Bellovin wrote:
...

Legal access is a special case -- what is the law (and practice) in any
given country on forced access to keys?  If memory serves, Mike Godwin
-- a lawyer who strongly supports crypto, etc. -- has opined that under
US law, a subpoena for keys would probably be upheld by the courts.  I
believe that British law explicitly mandates key disclosure.  And of
course, there's always rubber hose cryptanalysis in jurisdictions where
that's acceptable.


In the UK Part III of the Regulation of Investigatory Powers Act 2000 - 
see http://www.opsi.gov.uk/Acts/acts2000/2023.htm - includes powers 
for certain classes of officials to require encrypted materials to be 
decrypted or to require a key to be provided.  There are some 
safeguards, regarded by some as insufficient.


The powers have not yet been brought into force, but the Government 
intends to bring them into force in the near future.


The powers are of course wholly ineffectual where perfect forward 
secrecy obtains, are of limited value in relation to ephemeral encrypted 
communications where keys are (or may plausibly be claimed to be) 
changed frequently or lost, but may be of some real value in relation to 
encrypted storage media where key preservation, with or without key 
recovery mechanisms, will obviously be important to most users.


Nicholas Bohm
--
Salkyns, Great Canfield, Takeley,
Bishop's Stortford CM22 6SX, UK

Phone  01279 870285(+44 1279 870285)
Mobile  07715 419728(+44 7715 419728)

PGP public key ID: 0x899DD7FF.  Fingerprint:
5248 1320 B42E 84FC 1E8B  A9E6 0912 AE66 899D D7FF

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]


Re: It's a Presidential Mandate, Feds use it. How come you are not using FDE?

2007-01-16 Thread Brian Gladman
Steven M. Bellovin wrote:
> On Tue, 16 Jan 2007 07:56:22 -0800
> Steve Schear <[EMAIL PROTECTED]> wrote:
> 
>> At 06:32 AM 1/16/2007, Steven M. Bellovin wrote:
>>> Disk encryption, in general, is useful when the enemy has physical
>>> access to the disk.  Laptops -- the case you describe on your page --
>>> do fit that category; I have no quarrel with disk encryption for
>>> them. It's more dubious for desktops and *much* more dubious for
>>> servers.
>> As governments widen their definitions of just who is a potential
>> threat it makes increasing sense for citizens engaged in previous
>> innocuous activities (especially political and financial privacy) to
>> protect their data from being useful if seized.  This goes double for
>> those operating privacy-oriented services and their servers.  As an
>> example, when TOR servers were recently seized in German raids (with
>> the implication that they were being used as conduits for child porn)
>> the police knew enough to only take the hot-swap drives (which were
>> encrypted and therefore paper weights after removal) if only for
>> show.  The main loss to the operators was repair to the cage locks.
>>
> Legal access is a special case -- what is the law (and practice) in any
> given country on forced access to keys?  If memory serves, Mike Godwin
> -- a lawyer who strongly supports crypto, etc. -- has opined that under
> US law, a subpoena for keys would probably be upheld by the courts.  I
> believe that British law explicitly mandates key disclosure.  

The situation here in the UK is that Parliament has passed a law (RIPA)
that allows the UK government to introduce key disclosure powers if it
wishes to do so.

So far these powers have not been bought into operation but the UK
government initiated a consultation last year on whether it should take
this step.  We are still awaiting a decision on this.

   Brian Gladman

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]


Re: It's a Presidential Mandate, Feds use it. How come you are not using FDE?

2007-01-16 Thread Saqib Ali

Yes, encrypted disks aren't much good unless the OS also encrypts
(at least) swap space.  I note that OpenBSD ships with swap-space


I think you are confusing "Disk Encryption" with "Full Disk Encryption
(FDE)". They are two different beast.

FDE encrypts the "entire" boot drive, including the OS, kernel and the
swap space.

Disk Encryption, on the other hand, only encrypts the non-OS portion.

saqib
http://www.full-disk-encryption.net

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]


Re: It's a Presidential Mandate, Feds use it. How come you are not using FDE?

2007-01-16 Thread Steven M. Bellovin
On Tue, 16 Jan 2007 08:19:41 -0800
"Saqib Ali" <[EMAIL PROTECTED]> wrote:

> Dr. Bellovin,
> 
> > In most situations, disk encryption is useless and probably harmful.
> > It's useless because you're still relying on the OS to prevent
> > access to the cleartext through the file system, and if the OS can
> > do that it can do that with an unencrypted disk.
> 
> I am not sure I understand this. With FDE, the HDD is unlocked by a
> pre-boot kernel (linux). It is not the function of the resident OS to
> unlock the drive.

Not necessarily -- many of my systems have multiple disk drives and
file systems, some of which are on removable media.  Apart from that,
though, this is reinforcing my point -- what is the threat model?
> 
> > It's harmful because you can
> > lose a key.  (Your web page does address that, but I'm perplexed --
> > what is challenge/response authentication for key recovery?)
> 
> Challenge/Response password recovery, as I understand, is a very
> simplified implementation of Secret Sharing. It allows for 2 parties,
> in this case the IT HelpDesk and the User, to collaborate and recover
> a Secret.
> 1) Upon forgetting the password, the user calls the Help Desk.
> 2) The IT Help Desk authenticates the user in the usual ways (e.g.
> check office voice mail etc), as the policy dictates.
> 3) Once authenticated the user give the partial secret to the
> HelpDesk. 4) The HelpDesk then combine it with the secret they have
> to produce a temporary password.
> 5) The temporary password is then used to unlock the HDD "once", and
> new credentials are created.
> 
I wouldn't call that "challenge/response", I'd call that key escrow.
Key escrow isn't a bad idea for storage encryption, but you need
*really* good authentication mechanisms for the backup channel.
Visualize this phone call to the help desk:  "Hi, I'm Pat, the CFO.
I'm in New York for the Board meeting, and my laptop blue-screened and
won't reboot -- it's not accepting my passphrase.  Help!"  Of course,
more or less by definition, Pat isn't online at that point, so the help
desk can't manipulate anything remotely.  (I should add that most
secondary authentication mechanisms I've seen are garbage, especially
when it comes to people on the road.  Since we're talking about laptops
here, that's a very serious threat.)

I don't dispute the need for FDE for (many) laptops.  But remember that
security is a systems property; it's not something you can get by
bolting on crypto.



--Steve Bellovin, http://www.cs.columbia.edu/~smb

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]


Re: It's a Presidential Mandate, Feds use it. How come you are not using FDE?

2007-01-16 Thread Saqib Ali

Legal access is a special case -- what is the law (and practice) in any
given country on forced access to keys?  If memory serves, Mike Godwin


Yup. Disk Crypto has a ugly side as well, as highlighted by the recent
incident where FBI was unable to crack the encryption used by a
pedophile and murderer. There was a long discussion on this topic on
the Security-Basics mailing list:
http://www.xml-dev.com/lurker/thread/20061020.173753.ee4c6a0c.en.html#20061020.173753.ee4c6a0c


saqib
http://www.full-disk-encryption.net

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]


Re: It's a Presidential Mandate, Feds use it. How come you are not using FDE?

2007-01-16 Thread Saqib Ali

Dr. Bellovin,


In most situations, disk encryption is useless and probably harmful.
It's useless because you're still relying on the OS to prevent access
to the cleartext through the file system, and if the OS can do that it
can do that with an unencrypted disk.


I am not sure I understand this. With FDE, the HDD is unlocked by a
pre-boot kernel (linux). It is not the function of the resident OS to
unlock the drive.


It's harmful because you can
lose a key.  (Your web page does address that, but I'm perplexed --
what is challenge/response authentication for key recovery?)


Challenge/Response password recovery, as I understand, is a very
simplified implementation of Secret Sharing. It allows for 2 parties,
in this case the IT HelpDesk and the User, to collaborate and recover
a Secret.
1) Upon forgetting the password, the user calls the Help Desk.
2) The IT Help Desk authenticates the user in the usual ways (e.g.
check office voice mail etc), as the policy dictates.
3) Once authenticated the user give the partial secret to the HelpDesk.
4) The HelpDesk then combine it with the secret they have to produce a
temporary password.
5) The temporary password is then used to unlock the HDD "once", and
new credentials are created.


--
Saqib Ali, CISSP, ISSAP
http://www.full-disk-encryption.net

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]


Re: It's a Presidential Mandate, Feds use it. How come you are not using FDE?

2007-01-16 Thread Steven M. Bellovin
On Tue, 16 Jan 2007 07:56:22 -0800
Steve Schear <[EMAIL PROTECTED]> wrote:

> At 06:32 AM 1/16/2007, Steven M. Bellovin wrote:
> >Disk encryption, in general, is useful when the enemy has physical
> >access to the disk.  Laptops -- the case you describe on your page --
> >do fit that category; I have no quarrel with disk encryption for
> >them. It's more dubious for desktops and *much* more dubious for
> >servers.
> 
> As governments widen their definitions of just who is a potential
> threat it makes increasing sense for citizens engaged in previous
> innocuous activities (especially political and financial privacy) to
> protect their data from being useful if seized.  This goes double for
> those operating privacy-oriented services and their servers.  As an
> example, when TOR servers were recently seized in German raids (with
> the implication that they were being used as conduits for child porn)
> the police knew enough to only take the hot-swap drives (which were
> encrypted and therefore paper weights after removal) if only for
> show.  The main loss to the operators was repair to the cage locks.
> 
Legal access is a special case -- what is the law (and practice) in any
given country on forced access to keys?  If memory serves, Mike Godwin
-- a lawyer who strongly supports crypto, etc. -- has opined that under
US law, a subpoena for keys would probably be upheld by the courts.  I
believe that British law explicitly mandates key disclosure.  And of
course, there's always rubber hose cryptanalysis in jurisdictions where
that's acceptable.

--Steve Bellovin, http://www.cs.columbia.edu/~smb

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]


Re: It's a Presidential Mandate, Feds use it. How come you are not using FDE?

2007-01-16 Thread Steve Schear

At 06:32 AM 1/16/2007, Steven M. Bellovin wrote:

Disk encryption, in general, is useful when the enemy has physical
access to the disk.  Laptops -- the case you describe on your page --
do fit that category; I have no quarrel with disk encryption for them.
It's more dubious for desktops and *much* more dubious for servers.


As governments widen their definitions of just who is a potential threat it 
makes increasing sense for citizens engaged in previous innocuous 
activities (especially political and financial privacy) to protect their 
data from being useful if seized.  This goes double for those operating 
privacy-oriented services and their servers.  As an example, when TOR 
servers were recently seized in German raids (with the implication that 
they were being used as conduits for child porn) the police knew enough to 
only take the hot-swap drives (which were encrypted and therefore paper 
weights after removal) if only for show.  The main loss to the operators 
was repair to the cage locks.


Steve 


-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]


Re: It's a Presidential Mandate, Feds use it. How come you are not using FDE?

2007-01-16 Thread Jonathan Thornburg
On Tue, 16 Jan 2007, Steven M. Bellovin wrote:
[[about full-disk encryption]]
> In most situations, disk encryption is useless and probably harmful.
> It's useless because you're still relying on the OS to prevent access
> to the cleartext through the file system, and if the OS can do that it
> can do that with an unencrypted disk.

Yes, encrypted disks aren't much good unless the OS also encrypts
(at least) swap space.  I note that OpenBSD ships with swap-space
encryption turned on by default.  The encryption is done in software
using Rijndael.  On modern hardware the performance hit is minimal
(compared to the cost of the disk access).  See
  http://www.openbsd.org/papers/swapencrypt.ps
for a discussion of the security model.

ciao,

-- 
-- "Jonathan Thornburg -- remove -animal to reply" <[EMAIL PROTECTED]>
   Max-Planck-Institut fuer Gravitationsphysik (Albert-Einstein-Institut),
   Golm, Germany, "Old Europe" http://www.aei.mpg.de/~jthorn/home.html  
   "Washing one's hands of the conflict between the powerful and the
powerless means to side with the powerful, not to be neutral."
  -- quote by Freire / poster by Oxfam

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]


Re: It's a Presidential Mandate, Feds use it. How come you are not using FDE?

2007-01-16 Thread Jonathan Thornburg
On Mon, 15 Jan 2007 08:39:18 -0800
"Saqib Ali" <[EMAIL PROTECTED]> wrote:
> An article on how to use freely available Full Disk Encryption (FDE)
> products to protect the secrecy of the data on your laptops. FDE
> solutions helps to prevent data leaks in case the laptop is stolen or
> goes missing. The article includes a brief intro, benefits, drawbacks,
> some tips, and a complete list of FDE solutions in the market.
> 
> http://www.full-disk-encryption.net/intro.php

On Tue, 16 Jan 2007, Steven M. Bellovin wrote:
> I'll turn it around -- why should you use it?
> 
> In most situations, disk encryption is useless and probably harmful.
[[cogent arguments snipped]]

A further point:  Do you really want the granularity of your encryption
to be "one key per disk"?  I much prefer a cryptographic file system
which lets me have separate keys for separate categories of information
(eg one key for my tax forms, a different key for company-confidential
project stuff, a different key for old love letters, still another one
for My Secret Plan For World Domination, etc etc).  These might all
live on the same laptop, but they probably need quite different key
policies.

ciao,

-- 
-- "Jonathan Thornburg -- remove -animal to reply" <[EMAIL PROTECTED]>
   Max-Planck-Institut fuer Gravitationsphysik (Albert-Einstein-Institut),
   Golm, Germany, "Old Europe" http://www.aei.mpg.de/~jthorn/home.html  
   "Washing one's hands of the conflict between the powerful and the
powerless means to side with the powerful, not to be neutral."
  -- quote by Freire / poster by Oxfam

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]


Re: It's a Presidential Mandate, Feds use it. How come you are not using FDE?

2007-01-16 Thread Steven M. Bellovin
On Mon, 15 Jan 2007 08:39:18 -0800
"Saqib Ali" <[EMAIL PROTECTED]> wrote:

> An article on how to use freely available Full Disk Encryption (FDE)
> products to protect the secrecy of the data on your laptops. FDE
> solutions helps to prevent data leaks in case the laptop is stolen or
> goes missing. The article includes a brief intro, benefits, drawbacks,
> some tips, and a complete list of FDE solutions in the market.
> 
> http://www.full-disk-encryption.net/intro.php
> 
I'll turn it around -- why should you use it?

In most situations, disk encryption is useless and probably harmful.
It's useless because you're still relying on the OS to prevent access
to the cleartext through the file system, and if the OS can do that it
can do that with an unencrypted disk.  It's harmful because you can
lose a key.  (Your web page does address that, but I'm perplexed --
what is challenge/response authentication for key recovery?)

Disk encryption, in general, is useful when the enemy has physical
access to the disk.  Laptops -- the case you describe on your page --
do fit that category; I have no quarrel with disk encryption for them.
It's more dubious for desktops and *much* more dubious for servers.
(Caveat: I'm assuming that when you dispose of systems, you run DBAN or
some such on the drives -- if not, we're back to the physical access
threat.)


--Steve Bellovin, http://www.cs.columbia.edu/~smb

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]