Re: mlock(1)

From: Valdis . Kletnieks
Date: Fri Sep 24 2004 - 22:37:50 EST


On Sat, 25 Sep 2004 04:58:48 +0200, Andrea Arcangeli said:

> I don't even think "save their key securely" (I mean saving anything
> related to the swapsuspend encryption key on disk) is needed. A mixture
> of an on-disk key + passphrase would not be more secure than a simple
> "passphrase" alone, because the on-disk key would be in cleartext and
> readable from the attacker. The only usable key is the one in the user memory,
> it cannot be saved in the computer anywhere. Perhaps for additional
> security (and to avoid having to type and remember it) one could use a
> USB pen to store and fetch the key... but then I leave the fun to the
> USB folks since to do that USB should kick off before resume overwrites
> the kernel image ;)

Well, obviously saving the actual key on the disk is a losing idea, but saving
"key hashed by passphrase" would work (similar to how PGP or SSH don't save the
actual key, but rather the key hashed by something).

I suspect that having the *entire* key be the passphrase remembered by the user
is also a non-starter security-wise (unless we do something like Jari Ruusu's
loop-AES stuff does and force a minimum 20-char passphrase) - there's going to
be all too many blocks in the swsusp area that are "known plaintext" and easily
brute-forceable for most passphrases that users are likely to actually use.

So in order to make it at all secure, we really need to save on the disk
a key with O(128 bits) of entropy, perturbed by enough bits that are *not*
to be found anywhere on the machine so that it isn't a slam-dunk for an attacker.

Do any of the crypto experts lurking have ideas/opinions on just how many
bits we need to store externally (be it in a USB dongle, a thumbprint, a
passphrase, whatever)?
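An added illustration (not code from this thread or from swsusp) of the "key hashed by passphrase" idea above: a random 128-bit data key is XORed with a pad stretched from the passphrase by PBKDF2, and an HMAC tag lets resume detect a wrong passphrase instead of decrypting garbage. KEY_BYTES, PBKDF2_ITERS, the salt length and the function names are my choices, and the XOR wrap is only sound because exactly one key is wrapped per salt.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed parameters for the example; none of these come from swsusp.
KEY_BYTES = 16          # 128-bit data key, the O(128 bits) of entropy argued for
SALT_BYTES = 16         # per-wrap random salt so equal passphrases give different pads
PBKDF2_ITERS = 100_000  # work factor; slows an offline guess at the passphrase


def _stretch(passphrase: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Derive a 128-bit wrapping pad and a 256-bit MAC key from the passphrase."""
    out = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                              PBKDF2_ITERS, dklen=KEY_BYTES + 32)
    return out[:KEY_BYTES], out[KEY_BYTES:]


def wrap_key(data_key: bytes, passphrase: str, salt: Optional[bytes] = None) -> bytes:
    """Produce the on-disk blob: salt || (data_key XOR pad) || HMAC-SHA256 tag.

    The blob alone reveals nothing about data_key without the passphrase,
    which is the property the post asks for from the on-disk material.
    """
    if len(data_key) != KEY_BYTES:
        raise ValueError("data key must be %d bytes" % KEY_BYTES)
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    pad, mac_key = _stretch(passphrase, salt)
    wrapped = bytes(a ^ b for a, b in zip(data_key, pad))
    tag = hmac.new(mac_key, salt + wrapped, "sha256").digest()
    return salt + wrapped + tag


def unwrap_key(blob: bytes, passphrase: str) -> Optional[bytes]:
    """Recover the data key, or None if the passphrase is wrong or the blob was altered."""
    salt = blob[:SALT_BYTES]
    wrapped = blob[SALT_BYTES:SALT_BYTES + KEY_BYTES]
    tag = blob[SALT_BYTES + KEY_BYTES:]
    pad, mac_key = _stretch(passphrase, salt)
    expected = hmac.new(mac_key, salt + wrapped, "sha256").digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    return bytes(a ^ b for a, b in zip(wrapped, pad))


if __name__ == "__main__":
    key = os.urandom(KEY_BYTES)                  # generated at suspend time
    on_disk = wrap_key(key, "correct horse battery staple")
    assert unwrap_key(on_disk, "correct horse battery staple") == key
    assert unwrap_key(on_disk, "wrong passphrase") is None
    print("wrapped blob is %d bytes; key never stored in clear" % len(on_disk))
```

Anyone holding the disk can still guess passphrases offline against the tag, so the KDF work factor and passphrase strength remain the limit on security, exactly the brute-force concern raised above.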
