On 29/02/16 18:26, [email protected] wrote:
>
> Another bigger issue that should be considered is: Implementing a
> failsafe mechanism that wipes the persistent drive if a number of failed
> attempts are made.
>
> I really think that type of protection is needed. Say after 5 failed
> attempts it locks a user for an hour and after 8 failed attempts it
> wipes the drive totally.

The simple answer to this is: it can't be done. In order to enforce a policy like that you must have a process running either in software or firmware - but an adversary is not limited to cracking your encryption using a computer that you control. If they wanted to crack a Tails partition, they would not do it by first booting into Tails! They would copy an image of the encrypted disk onto their own cracking hardware, where processor speed is the only limit on how many decryption attempts they can make.

The reason that retry limits can be enforced on an iPhone is because the enemy needs the built-in security coprocessor to generate part of the disk decryption key, and it can refuse to cooperate. But all this does is prevent them from converting PINs into keys - they could desolder the flash chip from the baseboard and brute force the full key just as easily as with any other encrypted storage.

In both cases, the attacker is defeated by the strength of the full encryption key. Retry limiting only prevents them from using the user-friendly shortcuts in embedded firmware such as security coprocessors or smart cards. Pure software (such as Tails) cannot enforce anything, because general-purpose hardware cannot be compelled to obey it.

All is not lost though. If you want to implement retry-limited PIN-based encryption *in firmware*, PGP smartcards are your friend. You would keep the symmetric encryption key in pubkey-encrypted form and use the smartcard to unlock it at boot time instead of calculating it through password hashing. This means you can take advantage of the physical security measures (including retry limiting) of the smartcard. Luckily, other people have already done the hard work for you...!

http://digitalbrains.com/2014/gpgcryptroot

Just remember that the symmetric encryption key will always be brute-forceable in principle, and a hashed-passphrase symmetric key can be made to approach the strength of a random one arbitrarily closely if you're thorough enough. All that the above tricks will gain you is convenience.

A
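
Added example, not part of the original message: a Python sketch of the contrast drawn above between a retry counter kept inside a token and one kept in an on-disk header. The `Token` class, `make_header`, `software_unlock`, the retry limits and the HMAC pad standing in for the card's private-key operation are all assumptions made for illustration.

```python
import hashlib, hmac, secrets

class Token:
    """Toy smartcard: the secret and the retry counter live inside the device."""
    def __init__(self, pin, max_tries=3):        # max_tries: assumed card policy
        self._pin, self._max = pin.encode(), max_tries
        self._secret = secrets.token_bytes(32)   # stand-in for the card's private key
        self._left = max_tries

    def _pad(self, nonce):
        # Illustrative only: a real card performs a public-key decryption here.
        return hmac.new(self._secret, nonce, hashlib.sha256).digest()

    def wrap(self, disk_key):
        """Setup step: the returned blob is what gets stored on the disk."""
        nonce = secrets.token_bytes(16)
        return nonce, bytes(a ^ b for a, b in zip(disk_key, self._pad(nonce)))

    def unwrap(self, pin, blob):
        if self._left == 0:
            raise PermissionError("token locked")
        if not hmac.compare_digest(pin.encode(), self._pin):
            self._left -= 1                      # counter is out of the caller's reach
            raise ValueError("wrong PIN")
        self._left = self._max
        nonce, wrapped = blob
        return bytes(a ^ b for a, b in zip(wrapped, self._pad(nonce)))

def make_header(passphrase, rounds=10_000):
    """Software-only volume header: salt, verifier and counter all sit on disk."""
    salt = secrets.token_bytes(16)
    key = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, rounds)
    return {"salt": salt, "rounds": rounds, "failed": 0,
            "check": hashlib.sha256(key).digest()}

def software_unlock(header, guess, limit=5):
    """Unlock path that honours the on-disk counter (limit is an assumed policy)."""
    if header["failed"] >= limit:
        raise PermissionError("volume locked")
    key = hashlib.pbkdf2_hmac("sha256", guess.encode(),
                              header["salt"], header["rounds"])
    if not hmac.compare_digest(hashlib.sha256(key).digest(), header["check"]):
        header["failed"] += 1                    # just a field in copyable data
        raise ValueError("wrong passphrase")
    header["failed"] = 0
    return key
```

Once the `Token` has seen three wrong PINs it refuses even the right one, and the blob stored on disk contains nothing a PIN can be tested against. The header's counter is ordinary data, so any copy of the header taken before a lockout still carries `failed = 0`.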
_______________________________________________ Tails-dev mailing list [email protected] https://mailman.boum.org/listinfo/tails-dev To unsubscribe from this list, send an empty email to [email protected].
