On Thu, 2003-01-02 at 21:14, Crispin Cowan wrote: > Shaun Savage wrote: > > > If the boot sequence requires 'password' within the OS to access the OS > > then even if someone boot the machine with evil in their head, the OS > > will not decrypt it self with out the correct password. This easily > > done with a modified init program. > > As Brian Beattie pointed out, the attacker can still boot from alternate > media and corrupt the password file, or alternately Trojan the login > program. Or reflash the bios. > Very simple bottom line: OS security is TOTALLY ineffective against > hostile boot media. > > > The object is to protect the password file and other boot programs/data. > > ~ If they are encrypted with only one way to access them then you may > > lose data but the system would be safe. > > > > I use a USB key that init reads. > > To make this work, you have to encrypt the entire file system. THAT will > prevent the hostile boot media from corrupting files & programs. No it won't. It will prevent them from reading it, not corrupting it. (A few bits here... A few bits there... And you have a real mess on your hands.) It also does not prevent media from rewriting the partition table. (Such as some of the newer partitioning schemes from Microsoft.) > But then you have a different problem: where do you put the decryption > keys to make the file system useful after boot? Shaun Savage proposes > putting it on a USB drive. If you leave the USB drive in place, then the > attacker gets the key, and the defense is ineffective. If you remove the > USB drive, then the machine cannot reboot without human intervention, > which badly damages availability for unattended server operation. So the > combination of encrypted file system + USB key storage (or any removable > key storage) is only really useful for desktops & laptops. Desktops can > be controlled with physical access (your office door) so it is mostly > for laptops. (Caveat: beware the custodial attack against desktops) And beware of gravity attacks on laptops. Smart cards or physical tokens are a possibility. (Although there are evidently ways to recover private keys from both.) There is evidently a DARPA project that is working on a proximity-based drive encryption. The system is only unencrypted when you are physically close to the machine. When you move away, it starts encrypting the hard drive. Not certain how practical it would be in practice, but it is an interesting idea. -- Alan <alan@private>
This archive was generated by hypermail 2b30 : Fri Jan 03 2003 - 09:13:08 PST