Date: Sun, 12 Dec 2010 09:27:10 +0100
From: news <news@...cean.net>
To: "Thor (Hammer of God)" <thor@...merofgod.com>
Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: Just how secure encrypted linux partitions
 really are?

Another thing: you have to make sure the swap is encrypted or there
will be chances that the passphrase is just sitting there in clear...

On Sunday 12 December 2010 at 09:20 +0100, news wrote:
> See : http://en.wikipedia.org/wiki/Linux_Unified_Key_Setup
> 
> AFAIK, dmcrypt is the solution used by all distros around and it
> doesn't support TPM.
> 
> So cracking the disk "just" requires the passphrase.
> Though you have to make sure it is not using CBC by default on CentOS,
> otherwise it would be possible to retrieve the passphrase pretty easily.
> 
> JC
> 
> On Sunday 12 December 2010 at 07:14 +0000, Thor (Hammer of God)
> wrote:
> > > > Hello to All,
> > > >
> > > > If anyone has serious hands-on experience with this, I would like to
> > > > know some hard facts about this matter... I thought to ask you,
> > > > because here're some of the top experts in this field, so I could find few
> > > > better places.
> > > > Hope you can nudge me in the right direction, and take the time to
> > > > answer this.
> > > >
> > > > ...
> > > >
> > > > Could some of you please give me some of your thoughts about this?
> > > > And, maybe, what other methods of file system encryption are out there
> > > > which are more secure?
> > > >
> > > If you are using a PBE (password based encryption), it's no stronger than the
> > > password. Though stated regarding Microsoft's BitLocker, the same applies
> > > to all PBE systems: "BitLocker, at its core, is a password technology, we simply
> > > have to get the password...", Exploration of Windows 7, Advanced Forensics
> > > Topic (page 70).
> > > 
> > > If your file system key is on a USB thumb drive, the security is probably only
> > > as strong as the physical security on the thumb drive.
> > > 
> > > Jeff
> > 
> > Hey Jeff - not sure if you read the LE deck or just referenced Wikipedia, but regarding Bitlocker, there is a good bit more to it.  Saying to "simply" get the password (not sure who would have written that) isn't "simple."  It's not like the password (passphrase) is stored anywhere...  And yes, there should be some physical security around the USB key, where the actual KEY is, but with Bitlocker anyway, you can leverage TPM, etc to make things far more difficult.
> > 
> > I'm not familiar with CentOS's drive encryption solution - does it operate like bitlocker in that system configuration hashes must match that stored by BL before mounting?   That's one of the benefits of Bitlocker - even if you have the PIN, you can't mount the drive in another machine.   If CentOS acts in a similar manner, then just getting the password won't help.  
> > 
> > When you throw TPM in the mix with a PIN (as the actual deck refers to), then you need the PIN to get to the TPM to get the keys used to check the stored hash against the system before it can mount.  TPM-based encryption is pretty easy, so if CentOS supports that, it could very well be far more difficult (or statistically impossible) to decrypt.    In Bitlocker's case, if a recovery key infrastructure is in place, then those could be leveraged as well. 
> > 
> > In any event though, to answer the OP's specific question about getting to the drives in an array and decrypting them without the key, that would indeed be impossible unless there were some other configuration or implementation issue present. 
> > 
> > t
> > 
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> 
> 


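A check for the point about swap raised at the top of this message, as an added example that is not part of the original thread: it reads /proc/swaps and walks the device stack in sysfs to report swap areas that do not sit on a dm-crypt mapping. It assumes the mappings were created by cryptsetup, which gives them a device-mapper UUID starting with `CRYPT-`; the function names and the sample data are constructed for illustration.

```python
"""Report active swap areas that do not sit on a dm-crypt mapping (added example)."""
import os
import sys

# Constructed sample in /proc/swaps format; the live file is read in __main__.
SAMPLE_SWAPS = """Filename    Type       Size     Used  Priority
/dev/dm-0   partition  2097148  0     -2
/dev/sda2   partition  1048572  0     -3
/swapfile   file       524284   0     -4
"""


def swap_devices(swaps_text):
    """Parse /proc/swaps content into (path, type) pairs, skipping the header."""
    rows = (line.split() for line in swaps_text.splitlines()[1:])
    return [(f[0], f[1]) for f in rows if len(f) >= 2]


def is_encrypted(name, sysfs="/sys/class/block"):
    """True if device `name`, or every device stacked beneath it, is dm-crypt."""
    uuid_path = os.path.join(sysfs, name, "dm", "uuid")
    if os.path.isfile(uuid_path):
        with open(uuid_path) as fh:
            # Assumption: cryptsetup-created mappings carry a "CRYPT-" DM UUID.
            if fh.read().startswith("CRYPT-"):
                return True
    slaves_dir = os.path.join(sysfs, name, "slaves")
    slaves = os.listdir(slaves_dir) if os.path.isdir(slaves_dir) else []
    # An LVM swap volume counts only if all devices under it are encrypted.
    return bool(slaves) and all(is_encrypted(s, sysfs) for s in slaves)


def audit(swaps_text, sysfs="/sys/class/block", resolve=os.path.realpath):
    """Map each active swap area to 'dm-crypt', 'not dm-crypt' or 'swap file'."""
    report = {}
    for path, kind in swap_devices(swaps_text):
        if kind != "partition":
            report[path] = "swap file"  # depends on its filesystem; not checked
        else:
            name = os.path.basename(resolve(path))  # /dev/mapper/x -> dm-N
            report[path] = "dm-crypt" if is_encrypted(name, sysfs) else "not dm-crypt"
    return report


if __name__ == "__main__":
    with open("/proc/swaps") as fh:
        result = audit(fh.read())
    print("\n".join(f"{dev}: {status}" for dev, status in result.items()))
    sys.exit(0 if all(s == "dm-crypt" for s in result.values()) else 1)
```

A zram swap device lives in RAM rather than on disk and is reported as "not dm-crypt" by this check.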
