Shaun Savage wrote:
> If the boot sequence requires 'password' within the OS to access the OS
> then even if someone boots the machine with evil in their head, the OS
> will not decrypt itself without the correct password. This is easily
> done with a modified init program.

As Brian Beattie pointed out, the attacker can still boot from alternate
media and corrupt the password file, or alternately Trojan the login
program. Very simple bottom line: OS security is TOTALLY ineffective
against hostile boot media.

> The object is to protect the password file and other boot programs/data.
> If they are encrypted with only one way to access them then you may
> lose data but the system would be safe.
>
> I use a USB key that init reads.

To make this work, you have to encrypt the entire file system. THAT will
prevent the hostile boot media from corrupting files & programs. But then
you have a different problem: where do you put the decryption keys to make
the file system useful after boot?

Shaun Savage proposes putting it on a USB drive. If you leave the USB drive
in place, then the attacker gets the key, and the defense is ineffective.
If you remove the USB drive, then the machine cannot reboot without human
intervention, which badly damages availability for unattended server
operation.

So the combination of encrypted file system + USB key storage (or any
removable key storage) is only really useful for desktops & laptops.
Desktops can be controlled with physical access (your office door) so it
is mostly for laptops. (Caveat: beware the custodial attack against
desktops)

Crispin

--
Crispin Cowan, Ph.D.
Chief Scientist, WireX                      http://wirex.com/~crispin/
Security Hardened Linux Distribution:       http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html
                        Just say ".Nyet"
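The trade-off Crispin lays out (plain disk vs. encrypted disk, key left in vs. key removed, unattended reboot vs. operator at the console) can be run through as a small model. The Python below is an added illustration, not code from the thread or from any of the products mentioned; the password file contents, the function names and the "USB key" are all constructed for the example. The disk cipher is a toy encrypt-then-MAC construction built from hashlib and hmac standing in for a real stack such as LUKS/dm-crypt with an integrity layer; the point it demonstrates is about where the key lives, not about the cipher.

```python
import hashlib
import hmac
import os

# Constructed sample data (not from the thread): a one-line password file as the
# legitimate OS wrote it, and the version an attacker would like to leave behind.
PASSWD_FILE = b"root:$6$constructed-salt$constructed-hash:0:0:root:/root:/bin/sh\n"
EVIL_FILE = b"root::0:0:root:/root:/bin/sh\n"  # empty password field: login asks nothing


def _subkeys(key):
    """Derive separate encryption and MAC keys from the volume key."""
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()


def _keystream(enc_key, nonce, length):
    """Hash-based counter-mode keystream; a toy stand-in for a real disk cipher."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(enc_key + nonce + block.to_bytes(8, "big")).digest()
        block += 1
    return bytes(out[:length])


def seal_volume(key, plaintext):
    """Encrypt-then-MAC a disk image: nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_volume(key, image):
    """Verify the tag, then decrypt; raises ValueError on any modification."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = image[:16], image[16:-32], image[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("root volume failed integrity check")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def attacker_boots_from_own_media(image, encrypted, usb_key):
    """Physical-access attacker boots alternate media and edits whatever is on disk."""
    if not encrypted:
        return EVIL_FILE                          # plain disk: overwrite the file directly
    if usb_key is not None:
        return seal_volume(usb_key, EVIL_FILE)    # key left in the machine: decrypt, edit, re-seal
    tampered = bytearray(image)                   # no key: can only flip ciphertext bytes
    tampered[len(tampered) // 2] ^= 0xFF
    return bytes(tampered)


def init_boots(image, encrypted, usb_key):
    """Simulated init: get the key from the USB stick, open root, read the password file."""
    if not encrypted:
        return "booted", image
    if usb_key is None:
        return "halted: operator must insert the key", None
    try:
        return "booted", open_volume(usb_key, image)
    except ValueError as exc:
        return f"halted: {exc}", None


def scenario(encrypted, usb_left_in, attacker_visits, operator_at_console=False):
    """Run one combination of choices and report what the next boot looks like."""
    key = os.urandom(32)
    image = seal_volume(key, PASSWD_FILE) if encrypted else PASSWD_FILE
    if attacker_visits:
        image = attacker_boots_from_own_media(image, encrypted, key if usb_left_in else None)
    key_at_boot = key if (usb_left_in or operator_at_console) else None
    status, passwd = init_boots(image, encrypted, key_at_boot)
    if status == "booted" and passwd.split(b":")[1] == b"":
        return "compromised: root has no password"
    return status


if __name__ == "__main__":
    for args in [(False, False, True), (True, True, True), (True, False, True, True),
                 (True, False, False), (True, False, False, True)]:
        print(args, "->", scenario(*args))
```

Running the five cases shows the shape of the argument: with a plain disk, or with an encrypted disk whose key is left plugged in, the attacker's rewritten password file is accepted at the next boot. With the key removed, the attacker cannot produce a chosen password file and the tampering is caught when an operator inserts the key, but an unattended reboot simply stops and waits for that operator. Without an integrity layer a real disk-encryption setup would not raise the error shown here, yet the attacker still could not write a chosen password file without the key.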
This archive was generated by hypermail 2b30 : Thu Jan 02 2003 - 23:35:11 PST