Slashdot Mirror

← Back to Stories (view on slashdot.org)

GBDE-GEOM Based Disk Encryption on FreeBSD

Posted by michael on from the as-long-as-men-are-capable-of-evil dept.

BSD Forums writes "The ever increasing mobility of computers has made protection of data on digital storage media an important requirement in a number of applications and situations. GBDE is a strong cryptographic facility for denying unauthorised access to data stored on a 'cold' disk for decades and longer. GBDE operates on the disk(-partition) level allowing any type of file system or database to be protected. A significant focus has been put on the practical aspects in order to make it possible to deploy GBDE in the real world. FreeBSD's Poul-Henning Kamp says in an email to freebsd-current that he has uploaded this paper and slides which he presented at BSDcon 2003, California, USA."

5 of 210 comments (clear)

  1. Re:Again someone reinvents Theo's ideas. by dodell · · Score: 5, Informative

    If you read the article, you'd notice several things:

    a) this is completely different from OpenBSD's implementation
    b) it's portable across filesystems
    c) you wouldn't have written this idiotic post.

    Additionally, you obviously know nothing about cryptography, otherwise you'd not make such a stupid assumption about Rijndael, an OPEN algorithm developed outside the United States. It's been out for years and many people have failed miserably when trying to cryptanalyze it.

    Additionally, it's also interesting to note that *NO* algorithms available in the mcrypt library are authorized for encryption of 'classified' data, by the NSA. Rijndael is authorized for encryption of 'highly sensitive' and some forms of 'classified' data.

    Actually, the NIST and NSA are quite open with information about these algorithms.

    Think before you speak.

    --
    www.sitetronics.com/wordpress
  2. Re:They say they're using RSA.. by kasperd · · Score: 3, Informative

    I thought this was a bad idea, since RSA is non probabilistic.
    A hash function is not supposed to be probabilistic, a hash function must be deterministic, otherwise it wouldn't work. Of course using RSA for hashing is a bad idea not only because of performance, but also because RSA is not a hash function.

    When used as a hash, you've got neither semantic security nor indistinguishability.
    Semantic security is a concept used about encryptions not hashes. To get semantic security an encryption needs to be probabilistic. RSA is not probabilistic, neither is any symetric block cipher. But they can be used as building blocks in semantic secure encryptions.

    --

    Do you care about the security of your wireless mouse?
  3. Re:disk-at-a-time encryption no good by airConditionedGypsy · · Score: 4, Informative
    In fact, file-at-a-time encryption shouldn't be in the kernel, it is implementable in user code if you have the right hooks.

    While it is certainly possible to easily implement file encryption at the user/application layer, I disagree that it should be. Matt Blaze pointed out a number of reasons why in his CFS paper back in 1993.

    ..if you do want disk-at-a-time encryption, StegFS strikes me as a better choice

    StegFS is a neat concept; the only drawback there is the huge performance hit -- besides, the goal of stegFS isn't necessarily to support encryption; it is meant to support plausible deniability of file ownership, and those two goals are very different.

    --
    I bootleg Fizzy Lifting Drinks.
  4. Poul-Henning replies... by phkamp · · Score: 4, Informative
    Lets see: NIH, OpenBSD, compatibility and all that.

    The paper explains this at length (but I guess that the respondent didn't actually read the paper). The primary focus in GBDE was usability and deployability. Most of the prior art in this space cannot even change the pass-phrase without reencrypting the entire disk (which can easily take an entire day).

    I wanted to do better than that, and I think I did. By a wide margin.

    RSA vs. SHA.

    Correct, that is a typo, it is SHA2 which is used.

    AES, zero IV etc.

    An important part of GBDE is that there is no two-way leverage on any crypto component. This is realized by the use of single-use random bit sector keys. With no two-way leverage and single-use keys, the IV is no longer important.

    The comment about the "plausible denial" setup being useless because an intelligent adversary would always take a mirror copy first: That does not affect the plausible denial aspect.

    I'll be more than happy to discuss any aspect of GBDE, and would very much like to hear peoples experience and ideas. But I would prefer email (if need be by setting up a mailing list)

    --
    Poul-Henning Kamp -- FreeBSD since before it was called that...
    1. Re:Poul-Henning replies... by phkamp · · Score: 3, Informative
      You're still missing the point :-)

      The setup I describe is how a "plausible denial" scheme could be set up. The bit about making a windows boot run over the GBDE data is just normal paranoia, it is not in any way related to or material to the plausible denial argument.

      I don't personally give much for "Plausible denial", finding a cover story for even a few megabytes of uncompressible bits will be very hard if not impossible with a skilled adversary.

      Therefore I focused in GBDE on giving the user leverage to a defensible non-disclosure stance. For instance by wiping out the master sectors if given enough seconds of warning. And in particular I wanted to make sure the user were never put in an indefensible position of compliance like for instance StegFS can do.

      For me it is important that people realize that GBDE is not a solution, it is a tool to implement solutions. With crypto there is no "one size fits all", only hard work and careful planning.

      --
      Poul-Henning Kamp -- FreeBSD since before it was called that...