GBDE-GEOM Based Disk Encryption on FreeBSD
BSD Forums writes "The ever increasing mobility of computers has made protection of data on digital storage media an important requirement in a number of applications and situations. GBDE is a strong cryptographic facility for denying unauthorised access to data stored on a 'cold' disk for decades and longer. GBDE operates on the disk(-partition) level allowing any type of file system or database to be protected. A significant focus has been put on the practical aspects in order to make it possible to deploy GBDE in the real world. FreeBSD's Poul-Henning Kamp says in an email to freebsd-current that he has uploaded this paper and slides which he presented at BSDcon 2003, California, USA."
For those of you who do not know, FileVault is data encryption for Panther (Mac OS X.3).
One of the cooler features that come with GBDE is the fact that you can encrypt CD-ROM images. This makes for a very secure way of getting someone a lot of sensitive data. A patch was recently posted on the current@ mailing list to allow this.
There are some nice ideas and good thinking here, but does anyone have a link to more interesting performance numbers? I'm curious how well this would work on a workload that was both intense and non-sequential.
I have been working on an article on disk encryption, though it is not quite ready to be published yet. I didn't know anybody else was working seriously on this. I know about cryptoloop in Linux. It is bad, but not the worst I have seen described. It is nice to finally see somebody but me realizing that disk encryption is not as simple as those implementing it think. I don't know how the more "professional" products work. What I have realized is that good disk encryption has an overhead on disk usage. Those "professional" products I have seen just a few details about have too little overhead for good crypto. The system described by the article only protects cold disks, no protection at all for hot disks. What I describe in my own article actually has some protection for hot disks, not much protection though, because the hot disk naturally limits the protection that is possible.
Do you care about the security of your wireless mouse?
(Full disclosure: I've been involved with the Win32 Scramdisk project in the past)
Hhhm, this is pretty interesting. I am not aware of any other disk encryption program (Scramdisk, DriveCrypt, LoopAES, PGPDisk, BestCrypt etc) that offers sector remapping. It's useful because it prevents standard disk structures from being exploited in a known plaintext attack (note: with current knowledge, this is only a theoretical weakness with AES anyway).
Apart from that it looks like a pretty standard On-The-Fly-Encryption (OTFE) system. It does appear to be slightly more complex than most programs, but this is offset by the peer review from (at least...) two very well respected cryptographers - Dr David Wagner and Lucky Green. I am not aware of any of the other OTFE systems being reviewed by anyone half this competent.
Last paragraph of 6 says "RSA2/512" should read SHA2/512.
I'd personally be worried about the use of a static (zero!) IV. I know the key is random, but... Oh well, if Dr Wagner has peer reviewed it then this can't be much of an issue.
From the paper: "A truly paranoid setup would leave the computer configured to boot the Windows system by default, and locate the GBDE data in such a way that it would be destroyed by the act of doing so."
It's likely this wouldn't work - the first thing a half-competent adversary would do is image all disks in a system before booting... It's forensics 101.
"Mary had a crypto key, she kept it in escrow, and everything that Mary said, the Feds were sure to know."
Is this encryption deniable?
Yep - as per the paper, this encryption is deniable (that's to say there is no way of showing that the container file or partition is an encrypted volume without having the passphrase). Thinking of a good reason why you've got a very high entropy 2.5 GB file/partition when the cops kick the door down could be interesting though ;)
What product for current versions of Windows are you referring to that offers disk-at-a-time encryption? Note that that means being able to operate from an encrypted boot drive, not just being able to take a big file, call it a volume, and have it be encrypted.
Call (206) 338-5780 COLLECT for information about a genuine BA, BS, MA, MS, MBA, or Ph.D.
As to your first point, I'm not sure what the distinction is... I'm saying that the behavior is too complex and not transparent enough if provided at the application level.
An application can use its own code (in userland) to encrypt files. Fine. Or, an application can use kernel code (via whatever syscalls/hooks are provided). Fine.
The problem is that the application is complicated by the need to provide cryptographic services -- file encryption is either too difficult to get done properly at the application layer or not transparent enough at the application level. The filesystem is part of the kernel, and any encryption should be transparent to a process using the file.
I bootleg Fizzy Lifting Drinks.
"Uh, no your honor, that's not a partition full of encrypted pr0n, that's just some random free space that happens to take up most of my disk ..."
That is exactly the point of deniability.
Check out Rubberhose: http://www.rubberhose.org (the site seems to be down right now, but Google may have it cached - search for rubberhose).
With Rubberhose, you create multiple virtual partitions, each with their own key. Without knowing all the keys, there is no way to determine how many partitions there actually are. So, you can tell the judge two of your keys, and you can tell the judge that you only have two keys, and no one can tell whether or not there are more than two encrypted partitions on the disk.
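The deniability thread above (the "very high entropy file/partition" remark and the Rubberhose multi-partition idea) rests on one forensic fact: ciphertext is indistinguishable from random bytes, but very distinguishable from ordinary file-system contents. The following added example is not code from the GBDE paper, Rubberhose or any product named here; it scans a constructed raw image window by window and flags regions whose byte entropy sits near 8 bits/byte, which is how an examiner notices "random free space" that is anything but. The image layout, the 4096-byte window and the 7.9 threshold are assumptions.

```python
import math
import random
from collections import Counter

WINDOW = 4096          # bytes per scan window (assumed; one small cluster)
HIGH_ENTROPY = 7.9     # bits/byte; ciphertext or random data sits near 8.0

def shannon_entropy(buf: bytes) -> float:
    """Shannon entropy in bits per byte of a buffer (0.0 for empty input)."""
    if not buf:
        return 0.0
    counts = Counter(buf)
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def scan_image(image: bytes, window: int = WINDOW, threshold: float = HIGH_ENTROPY):
    """Slide a window over a raw image; yield (offset, entropy, flagged) per region."""
    out = []
    for off in range(0, len(image), window):
        h = shannon_entropy(image[off:off + window])
        out.append((off, round(h, 3), h >= threshold))
    return out

def flagged_ranges(image: bytes, window: int = WINDOW, threshold: float = HIGH_ENTROPY):
    """Merge consecutive flagged windows into (start, end) byte ranges."""
    ranges = []
    for off, _h, flagged in scan_image(image, window, threshold):
        if not flagged:
            continue
        if ranges and ranges[-1][1] == off:
            ranges[-1] = (ranges[-1][0], off + window)   # extend current run
        else:
            ranges.append((off, off + window))          # start a new run
    return ranges

def build_sample_image() -> bytes:
    """Constructed image: text, zeroed free space, then a seeded pseudo-random
    region standing in for an encrypted partition (not real ciphertext)."""
    text = (b"The quick brown fox jumps over the lazy dog. " * 400)[:4 * WINDOW]
    zeros = bytes(4 * WINDOW)
    rng = random.Random(1234)
    cipher_like = bytes(rng.getrandbits(8) for _ in range(8 * WINDOW))
    return text + zeros + cipher_like

if __name__ == "__main__":
    img = build_sample_image()
    for off, h, flagged in scan_image(img):
        print(f"{off:8d}  {h:5.3f}  {'HIGH' if flagged else ''}")
    print("high-entropy ranges:", flagged_ranges(img))
```

Plain text scores around 4 bits/byte and zeroed space 0, while the random region lands just under 8, so the scan reports exactly one suspicious range; an examiner would then ask what occupies it, which is the question the "random free space" defence has to survive.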