GBDE-GEOM Based Disk Encryption on FreeBSD
BSD Forums writes "The ever increasing mobility of computers has made protection of data on digital storage media an important requirement in a number of applications and situations. GBDE is a strong cryptographic facility for denying unauthorised access to data stored on a 'cold' disk for decades and longer. GBDE operates on the disk(-partition) level allowing any type of file system or database to be protected. A significant focus has been put on the practical aspects in order to make it possible to deploy GBDE in the real world. FreeBSD's Poul-Henning Kamp says in an email to freebsd-current that he has uploaded this paper and slides which he presented at BSDcon 2003, California, USA."
When they have mascots like this?
I have over 70 freaks, do you?
For those of you who do not know: FileVault is data encryption for Panther (Mac OS X.3).
Netcraft confirms: "*BSD is encrypted and undead"
Now I understand the daemon logo.
FileVault is an encrypted disc image that is automatically mounted when you login.
It uses AES encryption (128 bit)
It's been written within Apple, using existing Apple technologies.
Using Disc Utility you can do the same on Jaguar, except Panther and FileVault make it very easy to do....
OpenBSD does not support SMP either.
BOO! TERRO
Let me know how you fit Sweden into this - Denmark lost power due to the power failure that caused 1/3 of Sweden to be out of power for 2 hours.
it's in my head
1. I highly doubt encrypted disks are Theo's idea.
2. Maybe not everyone wants to run OpenBSD.
You had me at "dicks fuck assholes".
If you read the article, you'd notice several things:
a) this is completely different from OpenBSD's implementation
b) it's portable across filesystems
c) you wouldn't have written this idiotic post.
Additionally, you obviously know nothing about cryptography, otherwise you'd not make such a stupid assumption about Rijndael, an OPEN algorithm developed outside the United States. It's been out for years and many people have failed miserably when trying to cryptanalyze it.
Additionally, it's also interesting to note that *NO* algorithms available in the mcrypt library are authorized for encryption of 'classified' data, by the NSA. Rijndael is authorized for encryption of 'highly sensitive' and some forms of 'classified' data.
Actually, the NIST and NSA are quite open with information about these algorithms.
Think before you speak.
www.sitetronics.com/wordpress
Would you mind being more specific about that claim of ours?
One of the cooler features that come with GBDE is the fact that you can encrypt CD-ROM images. This makes for a very secure way of getting someone a lot of sensitive data. A patch was recently posted on the current@ mailing list to allow this.
The simplest way is to use the cryptographic loop device. Cook up a filesystem on a block of data loopback mounted through the device. The key management of this is not very good but other tools offer key escrow as well.
(may suggest you store all your mp3 files on one of these and have a friend in a foreign country ssh in with a -L loopback and enter the key). Once the system is reset there is no way to get the data back unless the court can order the foreign national to give them the key.
Better still, combine this with a floppy boot and the show is over.
There was also a big power outage in Southern Finland, basically at the capital city area.
Nah, it's not war against terror. More like the joys of privatized companies who don't invest enough to keep their networks running.
does gbde work with vinum yet?
Denmark, Norway, Sweden, Finland - to an AK-74 wielding mohammedian from the wastelands of Afghanistan there is no difference: secular, western nations where people - women in particular - have way too much freedom.
These people are heartless fanatics bent on abuse, torture and imposition of their inhuman religion on every man, woman and child on this planet. It must stop here and it must stop now. You left-wing whingers with your diversity crap just don't get it.
This is great news for all those MI6/CIA/etc. agents who leave their laptops in the back of taxis!
I think you mean `ever increasing reach of pigs and spooks`. Is this encryption deniable? If not - what's the point? You have to keep your secret data safe from legal attacks as well as just mathematical ones.
There are some nice ideas and good thinking here, but does anyone have a link to more interesting performance numbers? I'm curious how well this would work on a workload that was both intense and non-sequential.
1) GBDE has been available for months. Had you talked about GEOM-Gate, now that would have been interesting.
2) Poul-Henning suffers from extreme NIH complex. This crypto support has been in OpenBSD for 2 years.
3) Do you think he will let anyone touch his code? He didn't for phkmalloc and that piece of shit called devd, what makes you think he will now?
Poul-Henning is probably the most arrogant person I've ever seen. He has negatively influenced FreeBSD in a way I cannot even describe. Now go and mod me down, because I now use NetBSD for all my machines.
Alan
How is this like rubberhose?
as a strong hash function.
I thought this was a bad idea, since RSA is non-probabilistic. When used as a hash, you've got neither semantic security nor indistinguishability.
Didn't read what they used the hash for though.
How small a thought it takes to fill a whole life
This is not a new idea.
OpenBSD (vn* devices) and Linux (crypto-loop) have this for years. NetBSD also has it. Windows XP also has it.
Now FreeBSD introduces yet another implementation of the same thing.
This is great, but what about interoperability?
Right now, on all operating systems I can use encrypted partitions, but the way they do it is different on every system.
If I encrypt my USB memory key on FreeBSD, I won't be able to use it on Linux. Even if the actual file system is the same, even if the encryption algorithm is the same.
This is illogical. Encrypted partitions are nice for small, portable devices that you can plug into various hosts running various operating systems. That's the theory. But because everyone reinvents the wheel, you can't do that. It won't work.
Now that we have filesystems that almost any operating system out there has support for (ext2/ext3 and vfat), maybe it would be nice to use a common format for the encryption layer.
I have been working on an article on disk encryption, though it is not quite ready to be published yet. I didn't know anybody else was working seriously on this. I know about cryptoloop in Linux. It is bad, but not the worst I have seen described. It is nice to finally see somebody besides me realizing that disk encryption is not as simple as those implementing it think. I don't know how the more "professional" products work. What I have realized is that good disk encryption has an overhead on disk usage. Those "professional" products I have seen just a few details about have too little overhead for good crypto. The system described by the article only protects cold disks, no protection at all for hot disks. What I describe in my own article actually has some protection for hot disks, not much protection though, because the hot disk naturally limits the protection that is possible.
Do you care about the security of your wireless mouse?
Ok, when is this going to be ported to Linux kernel?
:)
This sure looks better than my current somewhat kludgy scheme of using Bestcrypt to mount different virtual drives.
And I just received my USB cryptoki token. Now, combine this disk encryption scheme, a good token for the keys, a good BIOS encryption (anyone have any info on this?), and the only thing left to do would be working on my good old tin foil hat.
Boy, you gotta love this kind of cross-pollination among open source projects.
Rijndael, an OPEN algorithm developed outside the United States. ... by the NSA. Rijndael is authorized for encryption of 'highly sensitive' and some forms of 'classified' data.
While /. is USA-centric, surely what the NSA says doesn't bother the rest of the world... Quite handy that the NSA are open with information about these algorithms in fact ;-)
No the AES is fine. Don't worry.
-- the NSA
Surely you want tits?
of this system, compared to others, is that it is so low level as to be filesystem agnostic.
As long as AES is considered to have decent security, this system could be used.
(Full disclosure: I've been involved with the Win32 Scramdisk project in the past)
Hhhm, this is pretty interesting. I am not aware of any other disk encryption program (Scramdisk, DriveCrypt, LoopAES, PGPDisk, BestCrypt etc) that offers sector remapping. It's useful because it prevents standard disk structures from being exploited in a known plaintext attack (note: with current knowledge, this is only a theoretical weakness with AES anyway).
Apart from that it looks a pretty standard On-The-Fly-Encryption (OTFE) system. It does appear to be slightly more complex than most programs, but this is offset by the peer review from (at least...) two very well respected cryptographers - Dr David Wagner and Lucky Green. I am not aware of any of the other OTFE systems being reviewed by anyone half this competent.
Last paragraph of 6 says "RSA2/512" should read SHA2/512.
I'd personally be worried about the use of a static (zero!) IV. I know the key is random, but.....Oh well, if Dr Wagner has peer reviewed it then this can't be much of an issue.
From the paper: "A truly paranoid setup would leave the computer con- figured to boot the Windows system by default, and locate the GBDE data in such a way that it would be destroyed by the act of doing so."
It's likely this wouldn't work - the first thing a half-competent adversary would do is image all disks in a system before booting....It's forensic 101.
"Mary had a crypto key, she kept it in escrow, and everything that Mary said, the Feds were sure to know."
That sounds a lot like the USA, with its "family values" - supported by claiming "God bless America" (incidentally, the same god is called Allah and is claimed to support the fight _against_ the US .. )
No, cryptoloop in Linux can not do the same. Cryptoloop can encrypt, but you can not change the password. Luckily there are other ways to do that; PPDD appears to be using the same principle of storing the real key on the disk, though encrypted with the password. The same principle a friend and I are using in our development of a device-mapper target, deadline is 1 October.
Not having any more knowledge of GEOM than what I read in the .pdf's of the presentation slides, I would state that GEOM appears to be very much what device-mapper is in Linux.
Very valid point. I hope someone addresses this. I suppose it would be rather easy to write a device-mapper target that behaves like GBDE-GEOM
Allah is not God. If you had any thoughts in your head that weren't about spreading lies about religion, you'd understand this.
Additionally, you obviously know nothing about cryptography, otherwise you'd not make such a stupid assumption about Rijndael, an OPEN algorithm developed outside the United States. It's been out for years and many people have failed miserably when trying to cryptanalyze it.
Anybody who actually read and understood the AES proposal would know that it is highly unlikely there could be any backdoor. Every design decision had a reason. Wherever multiple choices were available and no technical reason made one better than another, the final decision would be the one giving the least possibility for hiding any kind of backdoor. And BTW it was developed in Belgium.
Lots of operating systems have had disk-at-a-time encryption. You can already get it for Windows, but that was apparently not good enough to have that PPT junkie use it either.
Disk-at-a-time (or file-system-at-a-time) encryption just doesn't seem to be convenient enough. Most files simply do not need to be encrypted, and the risk of losing an entire disk due to bugs or losing the pass phrase is just too high, as is the computational cost. People need to be able to decide on a per-file basis what gets encrypted and pick different pass phrases for different files.
In fact, file-at-a-time encryption shouldn't be in the kernel, it is implementable in user code if you have the right hooks. You can build that on top of Plan 9's file system hooks or on top of the CODA hooks in the Linux kernel. Something like the Plastic file system for Linux also would work. But it can also be done at the kernel level; ReiserFS may get file-at-a-time encryption soon.
By the way, if you do want disk-at-a-time encryption, StegFS strikes me as a better choice.
Allah, God and Jehova (Jahve) are three names for the same deity. If you knew anything about religion you would know that, and you might even know the extreme similarities between Islam, Judaism and Christianity.
Sadly, it seems you don't.
The Two Great Encryption Taboos are disk encryption and voice encryption. It's great to see one of the free OSes finally get around to offering encrypted disk support. (No, loopback kludges on Linux don't count.) For all the nay-sayers who don't see the security value of this, you have no idea how common computer theft is, and often the goal of the theft is the information on the computers, not the hardware itself. Yes, sophisticated thieves can defeat hardware encryption by keeping the power on and using various hardware analyzer tools to read stuff directly out of RAM, but that is a level of difficulty far above and beyond what most regular criminals (or even law enforcement agencies) have. So this is a great development!
Do you understand that? Just because something is useless to you, doesn't mean others don't need it. On my home PC here (running Redhat 9), I don't need passwords because a) it's completely firewalled, not running any net services and b) it's in my bedroom. Passwords are a security feature I don't need! But other people do need them. The same is true for any kind of security feature. Admittedly, disk encryption is one of the more exotic and less needed features, but like ALL OTHER security features, when it's what you need, there is nothing else that will do. There have certainly been times when I could have used encrypted CDs, but they weren't available.
Is it possible to do that (instead of just keeping parts of the key on a USB storage device) with freebsd/GBDE?
I think some ibm thinkpad T30 come with TCPA chip which could (at least theoretically) work as such a token, too.
Seems to me that archives kept for decades should not be encrypted. Unless you keep the key right there with it, you're likely to lose it. Also, if there is degradation of the data you're likely to lose most of it even if you can find the key. Use physical access controls instead.
Actually, the NIST and NSA are quite open with information about these algorithms.
Not surprising, really. If your security depends on keeping the algorithm secret then you are depending on security through obscurity and you are screwed. You have to start with the assumption that your opponent has the algorithm.
"Yes, your honor, I am a collector of random bits. I have accumulated a whole partition, in fact my entire disk drive, full of wonderful random bits. No, of course there are no files there and I don't have a /home/me directory."
The paper explains this at length (but I guess that the respondent didn't actually read the paper). The primary focus in GBDE was usability and deployability. Most of the prior art in this space cannot even change the pass-phrase without reencrypting the entire disk (which can easily take an entire day).
I wanted to do better than that, and I think I did. By a wide margin.
RSA vs. SHA.
Correct, that is a typo, it is SHA2 which is used.
AES, zero IV etc.
An important part of GBDE is that there is no two-way leverage on any crypto component. This is realized by the use of single-use random bit sector keys. With no two-way leverage and single-use keys, the IV is no longer important.
The comment about the "plausible denial" setup being useless because an intelligent adversary would always take a mirror copy first: That does not affect the plausible denial aspect.
I'll be more than happy to discuss any aspect of GBDE, and would very much like to hear people's experience and ideas. But I would prefer email (if need be by setting up a mailing list)
Poul-Henning Kamp -- FreeBSD since before it was called that...
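The two points made in the reply above, that the pass-phrase can be changed without re-encrypting the disk and that single-use random sector keys make the IV unimportant, rest on the same principle the PPDD/device-mapper comment earlier in the thread describes: the real key is stored on the disk, encrypted under the pass-phrase. The Go program below is an added example written for this page; it is not GBDE's code and does not reproduce the paper's on-disk formats. It models a lock sector holding a randomly generated master key wrapped under a passphrase-derived key, and a per-write random sector key wrapped under the master key beside each sector's ciphertext. Everything specific in it is an assumption chosen for illustration: the iterated SHA-512 passphrase derivation stands in for a real PBKDF, AES-256-GCM is used for key wrapping so that a wrong passphrase is rejected rather than producing garbage, AES-256-CTR with a zero IV is used for sector data, and the struct layouts are invented.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha512"
	"fmt"
)

const kdfIters = 50000 // iterations of the stand-in passphrase KDF below

// Layouts are constructed simplifications; GBDE's real on-disk formats are not reproduced.
type (
	lockSector struct{ salt, nonce, wrappedMK []byte } // master key wrapped under a passphrase key
	encSector  struct{ nonce, wrappedKey, data []byte } // single-use key wrapped under master key + ciphertext
	Disk       struct {
		lock    lockSector
		sectors map[int]encSector // in-memory stand-in for the block device
	}
)

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil { panic(err) }
	return b
}

// deriveKey is an iterated SHA-512 stand-in for a real PBKDF (assumption, not the paper's KDF).
func deriveKey(passphrase string, salt []byte) []byte {
	h := sha512.Sum512(append([]byte(passphrase), salt...))
	for i := 1; i < kdfIters; i++ {
		h = sha512.Sum512(h[:])
	}
	return h[:32]
}

// newGCM builds AES-256-GCM; keys are always 32 bytes here, so the constructors cannot fail.
func newGCM(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	return g
}

// wrap encrypts a key under a key-encryption key; GCM's tag makes a wrong passphrase fail loudly.
func wrap(kek, key []byte) (nonce, ct []byte) {
	nonce = randBytes(12) // standard GCM nonce size
	return nonce, newGCM(kek).Seal(nil, nonce, key, nil)
}

// sectorCrypt is AES-256-CTR with a zero IV: safe only because each sector key is used for one write.
func sectorCrypt(key, in []byte) []byte {
	block, _ := aes.NewCipher(key)
	out := make([]byte, len(in))
	cipher.NewCTR(block, make([]byte, aes.BlockSize)).XORKeyStream(out, in)
	return out
}

// NewDisk draws a random master key and wraps it under the passphrase.
func NewDisk(passphrase string) *Disk {
	salt := randBytes(16)
	nonce, wrapped := wrap(deriveKey(passphrase, salt), randBytes(32))
	return &Disk{lock: lockSector{salt, nonce, wrapped}, sectors: map[int]encSector{}}
}

// Unlock recovers the master key from the lock sector alone; data sectors are never read.
func (d *Disk) Unlock(passphrase string) ([]byte, error) {
	return newGCM(deriveKey(passphrase, d.lock.salt)).Open(nil, d.lock.nonce, d.lock.wrappedMK, nil)
}

// ChangePassphrase re-wraps only the master key; sector ciphertext and sector keys are untouched.
func (d *Disk) ChangePassphrase(oldPass, newPass string) error {
	mk, err := d.Unlock(oldPass)
	if err != nil {
		return fmt.Errorf("old passphrase rejected: %w", err)
	}
	salt := randBytes(16)
	nonce, wrapped := wrap(deriveKey(newPass, salt), mk)
	d.lock = lockSector{salt, nonce, wrapped}
	return nil
}

// WriteSector encrypts plain under a fresh single-use key and stores that key wrapped under mk.
func (d *Disk) WriteSector(mk []byte, n int, plain []byte) {
	sk := randBytes(32)
	nonce, wrapped := wrap(mk, sk)
	d.sectors[n] = encSector{nonce, wrapped, sectorCrypt(sk, plain)}
}

// ReadSector unwraps the sector key with the master key, then decrypts.
func (d *Disk) ReadSector(mk []byte, n int) ([]byte, error) {
	s, ok := d.sectors[n]
	if !ok {
		return nil, fmt.Errorf("sector %d was never written", n)
	}
	sk, err := newGCM(mk).Open(nil, s.nonce, s.wrappedKey, nil)
	if err != nil {
		return nil, err
	}
	return sectorCrypt(sk, s.data), nil
}
```

Changing the passphrase rewrites only the lock sector; every data sector stays byte-for-byte identical, which is the usability point the reply makes against schemes that must re-encrypt the whole disk. The zero IV in sectorCrypt is acceptable only because each write draws a fresh random key; if a sector key were ever reused, CTR under a fixed IV would leak the XOR of the two plaintexts, so the single-use property is what the whole design leans on.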
Sure, we all know that *BSD is a failure, but why? Why did *BSD fail? Once you get past the fact that *BSD is fragmented between a myriad of incompatible kernels, there is the historical record of failure and of failed operating systems. *BSD experienced moderate success about 15 years ago in academic circles. Since then it has been in steady decline. We all know *BSD keeps losing market share but why? Is it the problematic personalities of many of the key players? Or is it larger than their troubled personas?
The record is clear on one thing: no operating system has ever come back from the grave. Efforts to resuscitate *BSD are one step away from spiritualists wishing to communicate with the dead. As the situation grows more desperate for the adherents of this doomed OS, the sorrow takes hold. An unremitting gloom hangs like a death shroud over a once hopeful *BSD community. The hope is gone; a mournful nostalgia has settled in. Now is the end time for *BSD.
A trip to COLUMBINE!
It is common knowledge that *BSD is dying, that ever hapless *BSD is mired in an irrecoverable and mortifying tangle of fatal trouble. It is perhaps anybody's guess as to which *BSD is the worst off of an admittedly suffering *BSD community. The numbers continue to decline for *BSD but FreeBSD may be hurting the most. Look at the numbers. The loss of user base for FreeBSD continues in a head spinning downward spiral.
OpenBSD leader Theo states that there are 7000 users of OpenBSD. How many users of BSD are there? Let's see. The number of OpenBSD versus NetBSD posts on Usenet is roughly in ratio of 5 to 1. Therefore there are about 7000/5 = 1400 NetBSD users. BSD/OS posts on Usenet are about half of the volume of NetBSD posts. Therefore there are about 700 users of BSD/OS. A recent article put FreeBSD at about 80 percent of the *BSD market. Therefore there are (7000+1400+700)*4 = 36400 FreeBSD users. This is consistent with the number of FreeBSD Usenet posts.
Due to the troubles of Walnut Creek, abysmal sales and so on, FreeBSD went out of business and was taken over by BSDI who sell another troubled OS. Now BSDI is also dead, its corpse turned over to yet another charnel house.
All major marketing surveys show that *BSD has steadily declined in market share. *BSD is very sick and its long term survival prospects are very dim. If *BSD is to survive at all it will be among hobbyist dilettante dabblers. In truth, for all practical purposes *BSD is already dead. It is a dead man walking.
Fact: *BSD is dying
There is almost no difference between the BSDs as workstations. X is X, you've got all the same wms, browsers, etc. If you have no clue, then just stfu.
11. Let's hope you get columbined.
Linux...Windows XP also has it.
This is great, but what about interoperability?
Perhaps if Linux and Windows XP had source code licenses that were compatible with BSD, then the BSD group wouldn't need to make a crypto wheel?!?
When will BSD trolls get columbined?
When the administrators of this 'blog finally decide to do something about them.
I.e., code to not accept their same posts that they have re-posted for the last 2 years.
Look at how fast the posts about the declining value of VA Linux->VA Software stock were squashed. The admins here could do the same, but have opted not to.
If someone was to do the same to GNU/Linux - the trolling posts wouldn't make it past a month.
What We Can Learn From BSD
By Chinese Karma Whore, Version 1.0
Everyone knows about BSD's failure and imminent demise. As we pore over the history of BSD, we'll uncover a story of fatal mistakes, poor priorities, and personal rivalry, and we'll learn what mistakes to avoid so as to save Linux from a similarly grisly fate.
Let's not be overly morbid and give BSD credit for its early successes. In the 1970s, Ken Thompson and Bill Joy both made significant contributions to the computing world on the BSD platform. In the 80s, DARPA saw BSD as the premiere open platform, and, after initial successes with the 4.1BSD product, gave the BSD company a 2 year contract.
These early triumphs would soon be forgotten in a series of internal conflicts that would mar BSD's progress. In 1992, AT&T filed suit against Berkeley Software, claiming that proprietary code agreements had been haphazardly violated. In the same year, BSD filed countersuit, reciprocating bad intentions and fueling internal rivalry. While AT&T and Berkeley Software lawyers battled in court, lead developers of various BSD distributions quarreled on Usenet. In 1995, Theo de Raadt, one of the founders of the NetBSD project, formed his own rival distribution, OpenBSD, as the result of a quarrel that he documents on his website. Mr. de Raadt's stubborn arrogance was later seen in his clash with Darren Reed, which resulted in the expulsion of IPF from the OpenBSD distribution.
As personal rivalries took precedence over a quality product, BSD's codebase became worse and worse. As we all know, incompatibilities between each BSD distribution make code sharing an arduous task. Research conducted at MIT found BSD's filesystem implementation to be "very poorly performing." Even BSD's acclaimed TCP/IP stack has lagged behind, according to this study.
Problems with BSD's codebase were compounded by fundamental flaws in the BSD design approach. As argued by Eric Raymond in his watershed essay, The Cathedral and the Bazaar, rapid, decentralized development models are inherently superior to slow, centralized ones in software development. BSD developers never heeded Mr. Raymond's lesson and insisted that centralized models lead to 'cleaner code.' Don't believe their hype - BSD's development model has significantly impaired its progress. Any achievements that BSD managed to make were nullified by the BSD license, which allows corporations and coders alike to reap profits without reciprocating the goodwill of open-source. Fortunately, Linux is not prone to this exploitation, as it is licensed under the GPL.
The failure of BSD culminated in the resignation of Jordan Hubbard and Michael Smith from the FreeBSD core team. They both believed that FreeBSD had long lost its earlier vitality. Like an empire in decline, BSD had become bureaucratic and stagnant. As Linux gains market share and as BSD sinks deeper into the mire of decay, their parting addresses will resound as fitting eulogies to BSD's demise.
flask of ripe urine
passed to bsd lips
bsd drinks up
Agreed, there are no published attacks on full Rijndael that are faster than trying all the keys.
Cryptanalysts normally develop their tools on weakened variants of an algorithm first, kind of like the way kittens practice hunting on mice their mother has already half-killed.
There are successful attacks on reduced-round variants of Rijndael. An impossible differential attack is faster than brute force for 128-bit Rijndael limited to 6 rounds (out of the normal 10) (Biham Keller 2000, Cheon et al 2001). The "Square Attack" (Lucks 2000, Ferguson et al 2000) works against 7 rounds of 192 or 9 rounds of 256 bit keys, at the cost of 2^224 encryptions.
If you're looking for a remotely practical attack you could say the researchers "failed miserably", though that seems a bit harsh.
The people who really know crypto are still comfortable with Rijndael for practical use. The fact that it's fast means it may actually *be* used. A cipher which gets used will provide security to more people than the theoretically unbreakable but problematic-to-use one time pad.
Put on the Harry Caray glasses and have a Bud!
who put saddam there in the first place? who sold him anthrax? who trained the bearded-wallah? who did arms deals with iran? who supports women's rights in kuwait and saudi? god bless whoever does.
I disagree with Kasperd.
From reading about Rubberhose a couple months ago:
Rubberhose and GBDE-GEOM both work at the block level.
Rubberhose allows you to create several (many?) different cryptographic partitions on one physical device. No one can tell how many partitions there actually are unless he/she knows all the passwords for each partition. That is, it is impossible to distinguish between empty space and partitions you don't have the keys for.
This allows you to beat the "rubberhose attack" (where you get beaten with a rubberhose). You can disclose passwords to non-critical partitions when they beat you. They can never be sure that you have (or have not) disclosed the passwords to all the partitions.
If you write to the rubberhose disk without all the passwords, you risk overwriting partitions whose passwords you do not know.
The reason I think Rubberhose runs beneath the filesystem is that I remember reading that it moved blocks around on the physical device so that analysis of write frequencies would not disclose the existence of additional partitions.
As of a few months ago, Rubberhose was still developmental, and was running only on Linux.
If encryption is optional, then users might forget to encrypt a file that is sufficiently sensitive to warrant such protection. Moreover, if the swap file (or local equivalent) is not encrypted, some sensitive material might be recoverable by an unfriendly party.
BSD people are all losers who have a compelling need to feel "different". It is much like self-proclaimed homosexuals. You have an empty spot in your psyche which requires you to always need to be associated with the peculiar and different. Your most important concern in life is hardly the operating system itself. It is the need to feel "special". Maybe your momma didn't cuddle you enough, who knows.
BSD is deader than an AIDS faggot sucking on a 70 KV
high tension wire with a ground rod shoved up his ass.
OpenBSD is dead.
I'm not really convinced by the cryptography in this paper. It's good that Wagner has read it but I wouldn't interpret that as meaning he's put his seal of approval on it.
Incidentally, I presented a paper on disk sector encryption at FSE 2000, you can read it here:
http://www.ciphergoth.org/crypto/mercy/
Xenu loves you!
You airhead, that's what I just said.
I said it's "an OPEN algorithm developed outside the United States". Are you being contradictory or needlessly pedantic?
Yes, indeed! This is a sound method for breaking even the toughest crypto in less than a day, why in some cases even within minutes! Here's how it works: Dissident D has information N from which key B can be derived using a publicly known algorithm which can in turn be used to decrypt ciphertext C using yet another publicly known algorithm. Dissident D desires that the plaintext P can only be derived from C by a party P which is trusted by D. Interrogator I however also desires to gain knowledge of P and therefore using the rubber hose R beats Dissident D into the face sending blood B, skin S and flesh F flying all over the interrogation room partially obscuring the view through the one-way mirror M in the interrogation room. Interrogator I applies R to Dissident D round after round until either enough knowledge of N is acquired to derive B and in turn derive P from C or D expires.