Re: Encrypted Filesystems (was: signing fs's)

Gregory Maxwell (nullc@limelight)
Sun, 29 Dec 1996 18:02:46 -0500 (EST)

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Andrew G. Morgan: "Re: Encrypted Filesystems (was: signing fs's) (fwd)"
Previous message: Andrew G. Morgan: "Re: Encrypted Filesystems (was: signing fs's)"
Maybe in reply to: Gregory Maxwell: "Encrypted Filesystems (was: signing fs's)"

>Gregory Maxwell wrote:
<snip>
>> about this: The computer contains a simple card with cmos like memory
>> (and power source).. It contains the magic key... It's attached to a
>> microswitch on the case... If the case is opened then it 'forgets' the
>> password.. Also the floppy would be disabled inside the case... This way
>> if theres a power out or a system reboot in the middle of the night a
>> sysadm doesn't need to be there to check it out...

>This is not secure. An attacker can always open the case replace the hard
>disk with an imposter containing a rougue kernel that boots, probes the cmos
>for its value and writes it to the screen. The attacker can then use this
>info to modify the filesystem as desired.

No, an attacker couldn't.. If you reread my post I suggested a 'cmos like
device' that 'forgets' the password if the system is tampered with...
So unless he knew where the microswitch was and used a torch to cut around
that part of the case he would not be able to snatch it... And he would
probable not know this system was in place unless he was in insider as
its operation would be invisible until it was tripped...

As for you second point.. Your correct.. I thought you were planning on
encrypting it and signing it.. I didn't realise you ment only for tamper
detection.... My card idea still stands though... It could even be setup
so that it needed two passwords to that a single sysadm couldn't go it
and hex edit security policies.. :) But before we go about securing the
hardware I'd think that there would need to be a big overhaul of system
security... The vms like discussions going on a bit back seemed smart...
The hardware would really be most useful as a tripwire on the software
tripwire config and program... (what you are suggesting is already done
in userland (on a smaller scale) by a program called 'tripwire')..

As for MD5 being as fast as a harddrive.. What about someone with a 5
disk scsi array? I doubt MD5 could do 20meg/s even on a PPRO.... Sure
it's faster then my IDE raid0 1.2wd & 800wd.. but why would I be
concerned with that kinda security..... I think it would be better to
have a e2fs attr for 'checksummed' and a tripwire program that monitored
marked files.. The checksummer could be in the kernel and the test could
also be in the kernel.. And if you are really paranoid then you could
have that little tamper detector hardware I suggested (which I doubt
would cost much to produce) which could make sure no one rebooted the
system and played with the filesystem.. But this all would be a very hard
undertaking unless there was support for a userland security daemon..
(like kerneld)... Which could handle very fine grained security...

As for the exportability of hashes... Considering it reletivly easy to
build a good block cipher from a hash, it prob wont be long until some
countries outlaw them too... :)

Next message: Andrew G. Morgan: "Re: Encrypted Filesystems (was: signing fs's) (fwd)"
Previous message: Andrew G. Morgan: "Re: Encrypted Filesystems (was: signing fs's)"
Maybe in reply to: Gregory Maxwell: "Encrypted Filesystems (was: signing fs's)"