GBDE-GEOM Based Disk Encryption on FreeBSD

BSD Forums writes "The ever increasing mobility of computers has made protection of data on digital storage media an important requirement in a number of applications and situations. GBDE is a strong cryptographic facility for denying unauthorised access to data stored on a 'cold' disk for decades and longer. GBDE operates on the disk(-partition) level allowing any type of file system or database to be protected. A significant focus has been put on the practical aspects in order to make it possible to deploy GBDE in the real world. FreeBSD's Poul-Henning Kamp says in an email to freebsd-current that he has uploaded this paper and slides which he presented at BSDcon 2003, California, USA."

Who could resist BSD

[Sir+Haxalot]

When they have mascots like this?

Re:Who could resist BSD

[Sir+Haxalot]

Ceren doesn't wear latex anymore.
nooooo :(
She also used to read Slashdot, but when I last time talked with her, she said that she doesn't do that anymore because she's sick of the open sauce zealots.
WHAT... HAVE... YOU... DONE!!!

Re:Who could resist BSD

[Sir+Haxalot]

This guy is hoping she's going to suddenly want to act out that scene in Swordfish. You know the one ;)

Re:Who could resist BSD

[Sir+Haxalot]

I like the mirror in the background ;)

Re:Who could resist BSD

[Sir+Haxalot]

Yeah but how about this? Maybe Windows has something going for it after all.
BTW has anyone else wondered why there seem to be hundreds of webservers devoted to 'OS pr0n'?

Re:Who could resist BSD

[Sir+Haxalot]

She's also 16 years old.
An added bonus!

Re:Who could resist BSD

[Sir+Haxalot]

It worries me how you found that out.

Re:Who could resist BSD

[larry+bagina]

holy fuck! I would eat the corn out of her shit!

good idea

[vonFinkelstien]

Sounds good. Is this what Apple is basing FileVault on or have they took another open source project for that or built it from scratch?

For those of you who do not know. FileVault is data encryption for Panther (Mac OS X.3).

Re:Netcraft confirms

Netcraft confirms: "*BSD is encrypted and undead"

Now I understand the daemon logo.

Filevault is Encrypted Disc Images.

[cmdrbuzz]

FileVault is an encrypted disc image that is automatically mounted when you login.
It uses AES encryption (128 bit)
Its been written within Apple, using existing Apple technologies.
Using Disc Utility you can do the same on Jaguar, except Panther and FileVault make it very easy to do....

Re:Again someone reinvents Theo's ideas.

[Eric+Ass+Raymond]

OpenBSD does not support SMP either.

Re:Again someone reinvents Theo's ideas.

[Z4rd0Z]

1. I highly doubt encrypted disks are Theo's idea.
2. Maybe not everyone wants to run OpenBSD.

Re:Again someone reinvents Theo's ideas.

[dodell]

If you read the article, you'd notice several things:

a) this is completely different from OpenBSD's implementation
b) it's portable across filesystems
c) you wouldn't have written this idiotic post.

Additionally, you obviously know nothing about cryptography, otherwise you'd not make such a stupid assumption about Rijndael, an OPEN algorithm developed outside the United States. It's been out for years and many people have failed miserably when trying to cryptanalyze it.

Additionally, it's also interesting to note that *NO* algorithms available in the mcrypt library are authorized for encryption of 'classified' data, by the NSA. Rijndael is authorized for encryption of 'highly sensitive' and some forms of 'classified' data.

Actually, the NIST and NSA are quite open with information about these algorithms.

Think before you speak.

CD-ROM encryption

[avleeuwen]

One of the cooler features that come with GBDE is the fact that you can encrypt CD-ROM images. This makes for a very secure way of getting someone a lot of sensitive data. A patch was recently posted on the current@ mailing list to allow this.

Re:CD-ROM encryption

[tomstdenis]

Whatever happened to just fucking gpg -c a tar ball?

How many times do you write to a CD-R?

This seems like a "solution to a problem that doesn't exist".

As for Harddisk encryption... that's just stupid. Of the 250,000 files on my disk, 100 of them are private. Why should I waste time/space to secure encrypt the rest of my disk when I could careless if you can read my files [when you break into my house and use my computer no less].

Tom

Re:CD-ROM encryption

[ssimpson]

(LOL - I thought I recognised the attitude from sci.crypt ;)).

This seems like a "solution to a problem that doesn't exist".

Really? Well some companies (PGP, SecurStar, Bestcrypt, SafeBoot etc) make a lot of money out of selling commercial products that perform OTFE. The LOOPAES / CryptoLoop mailing lists seem to be pretty busy too.....

Don't confuse "Tom doesn't have a need for this kind of encryption" with "nobody needs this kind of encryption".

Re:CD-ROM encryption

[vegetablespork]

As for Harddisk encryption... that's just stupid. Of the 250,000 files on my disk, 100 of them are private. Why should I waste time/space to secure encrypt the rest of my disk when I could careless if you can read my files [when you break into my house and use my computer no less].

Perhaps because you'd rather have your adversary spending time trying to decrypt the innocuous stuff, instead of being able to home in on your 100 private files?

Re:CD-ROM encryption

[tomstdenis]

Really? PGP makes lots of money? That's why the project has been sidelined forever and GPG is basically dominating?

Oops...

I don't doubt people need it, I just think most users who do use it are poorly informed on security related issues. Encrypting your entire disk because you may want to keep 3 files private is a huge waste of time and memory.

Tom

Re:CD-ROM encryption

[avleeuwen]

No, you got that wrong. GBDE can also encrypt a partition. This means you create one partition when installing your system that you will encrypt, where you keep your private files. This makes it a lot easier to use than any application level interface (be it PGP/GPG/whatever). This is also explained in the paper, but I guess you didn't read that before commenting.

Re:CD-ROM encryption

[pgr0ss]

1. This is much more important on a laptop where someone can just walk off with your whole computer.

2. If you encrypt a whole drive, then all you have to do is throw your important/private files onto that drive. Once you have it going, it's a lot easier than individually encrypting your files.

Re:CD-ROM encryption

[ls+-lR]

And if you wanted one small file that was somewhere deep in that tarball, what would you do? You'd have to decrypt the entire tarball (creating a temp copy on a hard disk, possibly), and then extract the file from the tarball. However, if you had a filesystem that supported encryption natively, then the driver would just read the appropriate sectors that represent the file, decrypt them, and bingo you have your file.

"Just encrypt the tarball" works if you only have a few things to encrypt, or if you don't do it that often... but if you did this a lot I think you would very quickly appreciate encryption built into the filesystem rather than "tacked on" as a regular file.

Re:linux has had this for years

[avleeuwen]

I suggest you actually read the paper and you'll see that this is not exactly the same. GBDE has far more security levels, is easier to setup and use and can be considered safer too. Again, read the paper to see what I'm talking about.

gbde & vinum

[a1bert]

does gbde work with vinum yet?

MI6

[Cookeisparanoid]

This is great news for all those M16/CIA/etc agents how leave their laptops in the back of taxis!

Re:MI6

[Cookeisparanoid]

That would be taxi-cabs would it?

Re:One shuffle?

[Xner]

I believe he is claiming Rijndael is a group. I don't have any data on that, but I find that quite hard to believe.

Better performance numbers?

[BlueFall]

There are some nice ideas and good thinking here, but does anyone have a link to more interesting performance numbers? I'm curious how well this would work on a workload that was both intense and non-sequential.

And this is news how?

1) GBDE has been available for months. Had you talked about GEOM-Gate, now that would have been interesting.

2) Poul-Henning suffers from extreme NIH complex. This crypto support has been in OpenBSD for 2 years.

3) Do you think he will let anyone touch his code? He didn't for phkmalloc and that piece of shit called devd, what makes you think he will now?

Poul-Henning is probably the most arrogant person I've ever seen. He has negatively influenced FreeBSD in a way I cannot even describe. Now go and mod me down, because I now use NetBSD for all my machines.

Alan

Re:And this is news how?

[setantae]

This crypto support has been in OpenBSD for 2 years

I thought that was just for swap partitions. Correct me if I'm wrong.

Re:And this is news how?

[yanestra]

Excuse me, what's wrong with P.H. not letting other people touch his code? I mean, it works to some extent. What be the reason to make changes?

I have heard that with the DragonFly-BSD project, there is also coming a patch to Poul-Henning Kamp, which is said to bring him to a higher level of co-operation.

Re:And this is news how?

[phkamp]

Gee, I missed this gem :-)

Hi Alan, do I know you ?

OpenBSD has not had any crypto support like this ever, and as far as I know, no other Open Source OS does either.

I will admit that OpenBSD has had some crypto support, but it suffers from a lot of shortcomings, in particular in the usability area. (try to change your password for instance).

I don't know why you think I won't let people change phkmalloc, it's under beer-ware license, so go right ahead. In fact I'm working with an OpenBSD'er right now to get some of their stuff back into the FreeBSD version.

I also have no idea how you could get the idea I wrote devd, and I suggest you send any comments you have about it to the author.

Considering your level of clue here, I will happily admit that I am arrogant enough to be glad you're now not using FreeBSD.

Re:The ever increasing mobility of computers?

[Rosco+P.+Coltrane]

Is this encryption deniable? If not - what's the point?

What for for on a partition ? "Uh, no your honnor, that's not a partition full of encrypted pr0n, that's just some random free space that happens to take up most of my disk ..."

rubberhose

[metatruk]

How is this like rubberhose?

Re:rubberhose

[brakett]

Is the rubberhose project still alive?

I stumbled across the page a feew weeks ago and found it intresting, but it seemed abandoned. (Availible to linux kernel 2.2 etc). Altso the page has disappered, google cache.

Has anybody tried to use robberhose, any experiense to share?

Re:rubberhose

[kasperd]

How is this like rubberhose?

AFAIK rubberhouse works on the filesystem layer, while what is described here work on the block layer. That actually means you can easilly use the two on top of each other (assuming they are available for the same OS). Some of the security properties rubberhose aims for are impossible to do on the block layer. OTOH doing encryption on the block layer is simpler than doing it on the filesystem layer, and you are free to put whatever filesystem you prefer on top of that. Of course even encryption on the block layer can get complicated if you want to make it as secure as possible. Maybe performance can be improved by doing encryption in the filesystem, but proving security gets really tricky.

Re:rubberhose

[TheLink]

Hmm, I thought rubber hose was a term for decryption hardware/techniques that work against strong crypto?

A popular specific method:
WhackWhackWhackWhack
Intermediate results:
OwOwAAAghAiyeeeNoo!Aah!

Repeat till key is obtained.

Re:rubberhose

[kasperd]

I thought rubber hose was a term for decryption hardware/techniques that work against strong crypto?

It is also the name of a filesystem encryption supposed to be resistant to this kind of attack. The victim provides you with a password, and you can decrypt the filesystem and find a number of files. There will be some free space, which is filled with random bytes. There could be another password, which would reveal that some of the aparantly empty space contains more encrypted files. And so it goes on. No matter how many passwords you have, there is no way to know, if the rest of the space is free space with random bytes or there is another one. (At least that is the explanation I have heard).

Re:rubberhose

[vegetablespork]

Unfortunately, unless that system were modified to make it's very use deniable, the name would become all too apt as the target of the investigation is beaten to near death until something sufficiently incriminating is found--and maybe after, since there could always be something worse in the free space.

Re:rubberhose

[TheLink]

"No matter how many passwords you have, there is no way to know, if the rest of the space is free space with random bytes or there is another one."

Translation: No matter how many passwords you give to the hose-wielding cryptanalyst, there is no way to know if the beatings are ever going to stop.

Steganography + straight headerless crypto could be better. I think it's better to figure out a way to store data in MP3s (hard because lots of less audible bits are thrown away). e.g. squeeze 50MB of encrypted data in 20GB of MP3s.

Seems common for lots of people to have GBs worth of MP3s.

A better cover would be a hobby/job as a photographer.

Re:rubberhose

[kasperd]

and maybe after, since there could always be something worse in the free space.

That would remove every incitement to tell them anything, no matter how much you tell them they could think you are hiding something.

Re:rubberhose

[kasperd]

A better cover would be a hobby/job as a photographer.

Yep, store all original uncompressed images (or lossless compressed). That is a good idea, because if you want to manipulate the images later, you want to maintain the quality as long as possible. Of course you can hide something in the least significant bits. And by hashing the bits you are going to overwrite you also have a great random source for your probabilistic encryption.

Re:rubberhose

[vegetablespork]

But if the use of the system could be denied to begin with, there could just be a disk with innocuous data and no "rubberhose" container to start spelunking in to begin with (as far as the adversary knows). Of course, there's then the issue of how that 16 GB of uncompressable text got there to begin with . . .

They say they're using RSA..

[CausticWindow]

as a strong hash function.

I thought this was a bad idea, since RSA is non probabilistic. When used as a hash, you've got neither semantic security nor indistinguishability.

Didn't read what they used the hash for though.

Re:They say they're using RSA..

I believe it's a typo in the paper. The actual
hash function used is SHA, not RSA (see below
in the same paragraph that mentions RSA)

Re:They say they're using RSA..

[kasperd]

I thought this was a bad idea, since RSA is non probabilistic.
A hash function is not supposed to be probabilistic, a hash function must be deterministic, otherwise it wouldn't work. Of course using RSA for hashing is a bad idea not only because of performance, but also because RSA is not a hash function.

When used as a hash, you've got neither semantic security nor indistinguishability.
Semantic security is a concept used about encryptions not hashes. To get semantic security an encryption needs to be probabilistic. RSA is not probabilistic, neither is any symetric block cipher. But they can be used as building blocks in semantic secure encryptions.

Re:They say they're using RSA..

[ssimpson]

Nah, that's a typo. Read further into the paper and you can see they mean SHA2/512 rather than RSA2/512.

Re:They say they're using RSA..

[RealRoadKill]

"Mary had a crypto key, she kept it in escrow, and everything that Mary said, the Feds were sure to know." Now there is a sig... I almost fell out of my chair laughing!!

Interoperability issues

[chrysalis]

This is not a new idea.

OpenBSD (vn* devices) and Linux (crypto-loop) have this for years. NetBSD also has it. Windows XP also has it.

Now FreeBSD introduces yet another implementation of the same thing.

This is great, but what about interoperability?

Right now, all operating systems I can use encrypted partitions, but the way they do it is different on every system.

If I encrypt my USB memory key on FreeBSD, I won't be able to use it on Linux. Even if the actual file system is the same, even if the encryption algorithm is the same.

This is illogical. Encrypted partitions are nice for small, portable devices, that you can plug on various hosts running various operating systems. That's the theory. But because everyone reinvents the wheel, you can't do that. It won't work.

Now that we have filesystems that almost any operating system out there has support for (ext2/ext3 and vfat), maybe it would be nice to use a common format for the encryption layer.

Re:Interoperability issues

GBDE is *not* the same as the other solutions
you mentioned, it is much more secure. Please
read the paper for details if you want to know
why.

Re:Interoperability issues

[ssimpson]

Windows XP also has it.

Only with the addition of 3rd party products (ScramDisk, PGPDisk, DriveCrypt, BestCrypt etc) - the build in encryption ISN'T drive encryption, but file encryption...

Re:Interoperability issues

[kasperd]

This is great, but what about interoperability?

While I agree interoperability is important, there are some more important problems to solve first. You mention the Linux cryptoloop implementation. But cryptoloop doesn't even interoperate with itself. In earlier versions you could copy the file used for actual storage to a different locations, and it would get unreadable. That was a major problem, because it was bound to eventually cause data loss. Newer version has addressed this issue. During the last few years two or three such flaws have been fixed. But each time it caused the new version to be incompatible with the older versions. This has been troubeling for people having data encrypted with the old version trying to migrate to a later version.

Another problem is, that specifications for the different implementations are not easilly available. I for one would very much have liked to read the specification on a product like PGPdisk. Mostly because it is claimed to be great, but mostly by people not knowing much about security properties in disk encryptions. If I could find the specification I could know, if it is as good as people claim or as bad as I fear.

If you want to implement a disk encryption, and you find existing implementations to be insecure in some way, you have a choice to make. Either you make something compatible with existing systems, and as insecure as those. Or you make something more secure, but at the same time incompatible with all existing implementations.

I find security more important than compatibility.

Re:Interoperability issues

[kasperd]

Better than a specification, why don't you download the full source to PGPDisk and review it for us?

That is certainly not better than a specification. We are talking about 14MB of compressed source code. Trying to find out how good it is without knowing what it is supposed to do is a lot of work. It would be better to first read a specification to find out if that is secure, and afterwards find out if the implementation actually does what the specification says.

Re:Interoperability issues

[chrysalis]

Maybe it is better, faster, stronger.

But it doesn't work outside a development version of one specific operating system.

So it is just as useless as other solutions for portable storage devices that you want to plug into friend's computers.

That is very interesting

[kasperd]

I have been working on article on disk encryption though it is not quite ready to be published yet. I didn't know anybody else was working seriously on this. I know about cryptoloop in Linux. It is bad, but not the worst I have seen described. It is nice to finally see somebody but me realizing that disk encryption is not as simple as those implementing it think. I don't know how the more "professional" products work. What I have realized is, that good disk encryption has an overhead on disk usage. Those "professional" products I have seen just a few details about doesn't have for too litle overhead for good crypto. The system described by the article only protects cold disks, no protection at all for hot disks. What I describe in my own article actually has some protection for hot disks, not much protection though, because the hot disk naturally limits the protection that is possible.

Re:That is very interesting

[geeveees]

"I know about cryptoloop in Linux. It is bad,"

Why is it bad? I don't see any sensible arguments that support your claim.

Go away, troll.

Re:That is very interesting

[kasperd]

Why is it bad?

It use sector numbers as IV.

Re:That is very interesting

[ssimpson]

It use sector numbers as IV.

Granted, that's not great (but the risk is mitigated by using a random encryption key anyway). Note that GBDE uses a static (all zero!) IV - even worse!

Re:That is very interesting

[kasperd]

Granted, that's not great (but the risk is mitigated by using a random encryption key anyway).
The key used by cryptoloop is just the hash of the password. But being random or not is not really the point here. The point is, that it is the same key being used for every sector on the disk, and every time that sector is being written.

Note that GBDE uses a static (all zero!) IV - even worse!
I must admit I didn't read all of it yet. (I'll print out the article tomorrow at the university). I have been thinking about it, if a new random key is used every time a sector is encrypted, the IV might not be necesarry. Though in my suggested implementation I do use an IV for every sector, because I have no proof, that the random key is enough.

Re:That is very interesting

[TheLink]

The GBDE doc says they use a pseudorandom key to encrypt a sector so they can get away with a zero IV.

Haven't figured out why GBDE needs the complex scheme of cherry picker, PRNG and so on.

BTW what did scramdisk use for IV?

Re:That is very interesting

[ssimpson]

See Shauns post, here.

Re:That is very interesting

[kasperd]

scramdisk IV

Sounds way better than just using sector number. But still I'm a litle worried. Actually there is a shortcut to generate those IVs using aproximately half the amount of table data. But what worries me the most is, that the IV is reused every time the same sector is read. With access to a backup of the container, you might be able to abuse this fact.

Re:That is very interesting

[jovlinger]

confusion!

I thought the whole idea about loopback devices was that you abstracted away from the underlying medium, so that you could store the image in a file. So, I'm confused as to where the sectors enter into it.

To quote the article, they say that loopAES is not block-level encryption. I don't understand how it could be anything else.

help!

Re:That is very interesting

[ssimpson]

With access to a backup of the container, you might be able to abuse this fact.

Yes - totally. As a minimum the adversary can tell what blocks have change between a backup and a more recent version of the container.

When is this going to be in Linux kernel?

[2Bits]

Ok, when is this going to be ported to Linux kernel?

This sure looks better than my current somewhat kludgy scheme of using Bestcrypt to mount different virtual drives.

And I just received my USB cryptoki token. Now, combine this disk encryption scheme, a good token for the keys, a good BIOS encryption (anyone has any info this?), the only thing left to do would be working on my good old tin foil hat now :)

Boy, you gotta love this kind of cross-polination among open source projects.

Re:Again someone reinvents Theo's ideas.

[TwistedSquare]

Rijndael, an OPEN algorithm developed outside the United States. ... by the NSA. Rijndael is authorized for encryption of 'highly sensitive' and some forms of 'classified' data. While /. is USA-centric, surely what the NSA says doesn't bother the rest of the world... Quite handy that the NSA are open with information about these algorithms in fact ;-)

Main advantage

[CausticWindow]

of this system, compared to others, is that it is so low level as to be filesystem agnostic.

As long as AES is considered to have decent security, this system could be used.

Random comments...

[ssimpson]

(Full disclosure: I've been involved with the Win32 Scramdisk project in the past)

Hhhm, this is pretty interesting. I am not aware of any other disk encryption program (Scramdisk, DriveCrypt, LoopAES, PGPDisk, BestCrypt etc) that offers sector remapping. It's useful because it prevents standard disk structures from being exploited in a known plaintext attack (note: with current knowledge, this is only a theoretical weakness with AES anyway).

Apart from that it looks a pretty standard On-The-Fly-Encryption (OTFE) system. It does appear to be slightly more complex than most programs, but this is offset by the peer review from (at least...) two very well respected cryptographers - Dr David Wagner and Lucky Green. I am not aware of any of the other OTFE systems being reviewed by anyone half this competent.

Last paragraph of 6 says "RSA2/512" should read SHA2/512.

I'd personally be worried about the use of a static (zero!) IV. I know the key is random, but.....Oh well, if Dr Wagner has peer reviewed it then this can't be much of an issue.

From the paper: "A truly paranoid setup would leave the computer con- figured to boot the Windows system by default, and locate the GBDE data in such a way that it would be destroyed by the act of doing so."

It's likely this wouldn't work - the first thing a half-competent adversary would do is image all disks in a system before booting....It's forensic 101.

Re:Random comments...

[j_dot_bomb]

[I am not aware of any of the other OTFE systems being reviewed by anyone half this competent.]

SecurDoc at winmagic.com was reviewed by Bruce Schneier of Counterpane.

By the way does anyone know if any of these disk encryption systems keep bit flipping (not function) the key so that reading a "hot" dram is a less effective hardware attack ? Or even better any product which encrypts dram like proposed in :http://www.w4g.org/ee565.html

Re:Random comments...

[testset]

OpenBSD encrypts all swap pages if you enable it with:
sysctl -w vm.swapencrypt.enable=1

Re:Interoperability issues - Linux and crypto-loop

[ion++]

OpenBSD (vn* devices) and Linux (crypto-loop) have this for years. NetBSD also has it. Windows XP also has it.

No, cryptoloop in linux can not do the same. Cryptoloop can encrypt, but you can not change password. Luckily there are other ways to do that, PPDD which appears to be using the same princip of storing the real key on the disk, though encrypted with the password. The same princip a friend and me is using in our development of a device-mapper target, deadline is 1. october.
Not having any more knowledge of GEOM, than what i read in the .pdf's of the presentationslides, then i would state that GEOM appears to be very much what device-mapper is in Linux.

This is great, but what about interoperability? Right now, all operating systems I can use encrypted partitions, but the way they do it is different on every system. If I encrypt my USB memory key on FreeBSD, I won't be able to use it on Linux. Even if the actual file system is the same, even if the encryption algorithm is the same.

Very valid point. I hope someone addresses this. I supose it would be rather easy to write a device-mapper target that behaves like GBDE-GEOM

Re:One shuffle?

[ssimpson]

I believe it's an open question (see e.g. here)

Re:The ever increasing mobility of computers?

[ssimpson]

Is this encryption deniable?

Yep - as per the paper, this encryption is deniable (that's to say there is no way of showing that the container file or partition is an encrypted volume without having the passphrase). Thinking of a good reason why you've got a very high entropy 2.5Gb file/partition when the cops kick the door down could be interesting though ;)

Re:Again someone reinvents Theo's ideas.

[kasperd]

Additionally, you obviously know nothing about cryptography, otherwise you'd not make such a stupid assumption about Rijndael, an OPEN algorithm developed outside the United States. It's been out for years and many people have failed miserably when trying to cryptanalyze it.

Anybody who actually read and understood the AES proposal would know, that it is highly unlikely there could be any backdoor. Every design decision had a reason. Wherever multiple choices where available and no technical reason made one better than another, the final decission would be the one giving the least possibility for hiding any kind of backdoor. And BTW it was developed in Belgium.

disk-at-a-time encryption no good

[penguin7of9]

Lots of operating systems have had disk-at-a-time encryption. You can already get it for Windows, but that was apparently not good enough to have that PPT junkie use it either.

Disk-at-a-time (or file-system-at-a-time) encryption just doesn't seem to be convenient enough. Most files simply do not need to be encrypted, and the risk of losing an entire disk due to bugs or losing the pass phrase is just too high, as is the computational cost. People need to be able to decide on a per-file basis what gets encrypted and pick different pass phrases for different files.

In fact, file-at-a-time encryption shouldn't be in the kernel, it is implementable in user code if you have the right hooks. You can build that on top of Plan 9's file system hooks or on top of the CODA hooks in the Linux kernel. Something like the Plastic file system for Linux also would work. But it can also be done at the kernel level; ReiserFS may get file-at-a-time encryption soon.

By the way, if you do want disk-at-a-time encryption, StegFS strikes me as a better choice.

Re:disk-at-a-time encryption no good

[airConditionedGypsy]

In fact, file-at-a-time encryption shouldn't be in the kernel, it is implementable in user code if you have the right hooks.

While it is certainly possible to easily implement file encryption at the user/application layer, I disagree that it should be. Matt Blaze pointed out a number of reasons why in his CFS paper back in 1993.

..if you do want disk-at-a-time encryption, StegFS strikes me as a better choice

StegFS is a neat concept; the only drawback there is the huge performance hit -- besides, the goal of stegFS isn't necessarily to support encryption; it is meant to support plausible deniability of file ownership, and those two goals are very different.

Re:disk-at-a-time encryption no good

[vegetablespork]

What product for current versions of Windows are you referring to that offers disk at a time encryption. Note that that means being able to operate from an encrypted boot drive, not just being able to take a big file, call it a volume, and have it be encrypted.

Re:disk-at-a-time encryption no good

[penguin7of9]

While it is certainly possible to easily implement file encryption at the user/application layer, I disagree that it should be. Matt Blaze pointed out a number of reasons why in his CFS paper back in 1993.

You are confusing implementation at the application layer with implementation in user mode. The crypto-code need not run in kernel mode in order to give users the same behavior and security as a kernel-based implementation; the kernel just needs to provide the right hooks.

besides, the goal of stegFS isn't necessarily to support encryption; it is meant to support plausible deniability of file ownership, and those two goals are very different.

StegFS supports encryption and deniability. Its approach to deniability also happens to greatly increase security.

Re:disk-at-a-time encryption no good

[phkamp]

My main beef with StegFS, as I mention in my paper, is that it may put the user in a position from which innocence cannot be proven.

Re:disk-at-a-time encryption no good

[airConditionedGypsy]

StegFS uses encryption to support deniability; the encryption is a tool, not an end in itself, and is certainly not the option (performance wise) if all you want is data confidentiality.

As to your first point, I'm not sure what the distinction is...I'm saying that the behavior is too complex and not transparent enough if provided at the application level.

An application can use its own code (in userland) to encrypt files. Fine. Or, an application can use kernel code (via whatever syscalls/hooks are provided). Fine.

The problem is that the application is complicated by the need to provided cryptographic services -- file encryption is either too difficult to get done properly at the application layer or not transparent enough at the application level. The filesystem is part of the kernel, and any encryption should be transparent to a process using the file.

Re:disk-at-a-time encryption no good

[penguin7of9]

StegFS uses encryption to support deniability; the encryption is a tool, not an end in itself, and is certainly not the option (performance wise) if all you want is data confidentiality.

Deniability itself greatly increases security, even if there is nobody with a rubber hose standing over you. And it is no accident that deniability requires strong cryptography: deniability is a stronger property, not merely a different property, than encryption.

I'm saying that the behavior is too complex and not transparent enough if provided at the application level.

And both you and Matt are right at that. But "application level" has nothing to do with "user mode". As I was saying, you are confusing "user mode" and "application level". "User mode" means that the code doesn't run in kernel mode. "Application level" means that applications need to know about it. The two are distinct concepts.

The filesystem is part of the kernel, and any encryption should be transparent to a process using the file.

Yes, but not everything that "should be transparent to a process using the file" needs to run in kernel mode. This knee-jerk reaction of putting everything that needs to be "transparent" into the kernel is responsible for kernel bloat, both on Linux and on other systems.

Plan 9, PlasticFS, and CODA show that you can put large parts of the file system code into user mode and yet retain transparency. Look them up, really!

Re:disk-at-a-time encryption no good

[penguin7of9]

That argument strikes me as silly. Even if you used no encryption at all, you couldn't prove that you haven't hidden data somewhere. In fact, you can hide data on a seemingly completely blank disk.

Re:disk-at-a-time encryption no good

[vegetablespork]

Do a search on Google; there is plenty of software around.

If it requires software, it isn't whole disk encryption that encrypts the whole drive and allows booting from it, unless there's a boot stub that can load the OS. Point me to one, or retract that "do a search" crack. I doubt you'll find one (other than in hardware, as you've mentioned.)

Re:disk-at-a-time encryption no good

[airConditionedGypsy]

I'll check them out, thanks...

Re:The ever increasing mobility of computers?

[kasperd]

that's just some random free space that happens to take up most of my disk

Somebody once told me, that he kept a large file with random bytes on his HD, such that he could delete it if he was in an urgent need for more disk space and couldn't find anything else to delete.

master key strorage?

[graf0z]

As far as i understood, GBDE uses - like many other crypto systems - different keys on different levels. There are "master keys" for protecting "sector keys". The master keys are only used for key-encryption, so they should be usable in slow crypting devices like cryptocards or usb cryptodongles. Since the master key never leaves such a token (master key operations are performed on an embedded chip), even a trojan with root privileges could only read data while the token is attached (in a way, they are "--x------"). Some of these cryptotokens even have an own input device (PIN-keypad) such that the passphrase for unlocking the keys cannot be sniffed.

Is it possible to do that (instead of just keeping parts of the key on an usb storage device) with freebsd/GBDE?

I think some ibm thinkpad T30 come with TCPA chip which could (at least theoretically) work as such a token, too.

/graf0z.

Re:master key strorage?

[jareds]

If a malicious program had access to a token that performed decryptions using the master key, it could have the token decrypt all the sector keys and then peruse the disk at its leisure without further access to the token.

Long term storage

[gr8_phk]

Seems to me that archives kept for decades should not be encrypted. Unless you keep the key right there with it, you're likely to loose it. Also, if there is degradation of the data you're likely to loose most of it even if you can find the key. Use physical access controls instead.

Poul-Henning replies...

[phkamp]

Lets see: NIH, OpenBSD, compatibility and all that.

The paper explains this at length (but I guess that the respondent didn't actually read the paper). The primary focus in GBDE was usability and deployability. Most of the prior art in this space cannot even change the pass-phrase without reencrypting the entire disk (which can easily take an entire day).

I wanted to do better than that, and I think I did. By a wide margin.

RSA vs. SHA.

Correct, that is a typo, it is SHA2 which is used.

AES, zero IV etc.

An important part of GBDE is that there is no two-way leverage on any crypto component. This is realized by the use of single-use random bit sector keys. With no two-way leverage and single-use keys, the IV is no longer important.

The comment about the "plausible denial" setup being useless because an intelligent adversary would always take a mirror copy first: That does not affect the plausible denial aspect.

I'll be more than happy to discuss any aspect of GBDE, and would very much like to hear peoples experience and ideas. But I would prefer email (if need be by setting up a mailing list)

Re:Poul-Henning replies...

[ssimpson]

Hi Poul,

The comment about the "plausible denial" setup being useless because an intelligent adversary would always take a mirror copy first: That does not affect the plausible denial aspect.

I assume you're referring to my comment - which wasn't that plausible deniability was not possible because of mirror copies, my exact comment was:

From the paper: "A truly paranoid setup would leave the computer con-figured to boot the Windows system by default, and locate the GBDE data in such a way that it would be destroyed by the act of doing so."

It's likely this wouldn't work - the first thing a half-competent adversary would do is image all disks in a system before booting....It's forensic 101.

E.g. having windows "break" a GBDE volume if it's booted just isn't feasible if you consider your adversary to be skilled.

Re:Poul-Henning replies...

[phkamp]

You're still missing the point :-)

The setup I describe is how a "plausible denial" scheme could be set up. The bit about making a windows boot run over the GBDE data is just normal paranoia, it is not in any way related to or material to the plausible denial argument.

I don't personally give much for "Plausible denial", finding a cover story for even a few megabytes of uncompressible bits will be very hard if not impossible with a skilled adversary.

Therefore I focused in GBDE on giving the user leverage to a defensible non-disclosure stance. For instance by wiping out the master sectors if given enough seconds of warning. And in particular I wanted to make sure the user were never put in an indefensible position of compliance like for instance StegFS can do.

For me it is important that people realize that GBDE is not a solution, it is a tool to implement solutions. With crypto there is no "one size fits all", only hard work and careful planning.

Re:Poul-Henning replies...

[ssimpson]

ok, well we both kind of agree that the idea of booting windows to destroy the volume header doesn't add any/much security against a serious adversary, which was the point I was trying to make....

Re:Poul-Henning replies...

[AKAImBatman]

What I have never understood about encrypted file systems is how they are supposed to be effective. Here's the problem as I see it:

An encrypted file system needs keys for decryption. If keys are stored in a keystore on disk (most common), your data is at risk to anyone who can crack the keystore. This is made easier by the integration of many OSes to use your login password as the keystore password. Given the number of vulnerabilities that /etc/passwd files have, this doesn't seem like a good idea.

To move around this problem, many users of encryption store the keystore on a smart card or USB drive. This gives you the advantage of physically controlling the encryption keys. However, anyone who steals your machine (laptops in particular) while the key is inserted can access your data.

By extension, most OSes will remember a encryption session, so as long as your machine remains powered on, they will have access to your critical data. The solution to this would seem to be to ask for a password every access or time-out the session after a few minutes. While this sounds like a plausible solution, most users will fall into the trap of "ease over security" and modify the timeout to some very long value (say 6 hours) thus defeating this security measure.

I guess what I'm trying to say, is that CryptoFSes only seem to help in the situation where someone steals your machine in a powered off state and fails to obtain your crypto keys. Unfortunately, many thefts occur while people look away for a moment, thus making such security useless.

Any thoughts?

Re:Poul-Henning replies...

[ion++]

I guess what I'm trying to say, is that CryptoFSes only seem to help in the situation where someone steals your machine in a powered off state and fails to obtain your crypto keys. Unfortunately, many thefts occur while people look away for a moment, thus making such security useless.

Any thoughts?

Yes, some thoughts. You are right, this does NOT protect against stealing a "hot" disk, this only protects "cold" disks. The .pdf's from Poul-Henning also states this. So one would have to find another way to protect a running machine, like:

never leave it [running] when you arent looking

dont access secret stuff in places where you can be distracted
These problems are all user related errors. Just because this encryption does NOT protect against stupid users, doesnt mean that using this encryption isnt a good idea. One of the places where i have used, and is using encryption, is on my works servers to avoid people being able to read data if we replace the harddisks, sell the harddisks, or the machine is stolen. How many sensitive data lies on harddisks sold on EBay? Using encryption means that these data will be impossible to read.

Re:Poul-Henning replies...

[AKAImBatman]

You are right, this does NOT protect against stealing a "hot" disk, this only protects "cold" disks

The problem is that the time it takes to boot precludes most users from shutting their machines off when not in use. The one exception to that is Mac iBooks. They are amazingly fast at sleeping and waking up. If the computer locked itself during a sleep, this would take care of the problem for iBooks. However, this still leaves issues with other portables.

In X-Windows, the best thing I can think of is to follow the steps of Unix terminals and lock the computer after X minutes of non-use. You may be able to accomplish this with Windows machines as well. The problem there is that users are much less likely to play with the mouse while reading (due to having a touchpad instead of a mouse) and will quickly get annoyed at the machine locking all the time.

How many sensitive data lies on harddisks sold on EBay? Using encryption means that these data will be impossible to read.

Excellent point. How do you go about storing the keys tho? Are they handled by a domain server of some sort, or are they actually stored on the disks? If the keystores are on the same disks, wouldn't you have a potential security issue anyway? (Although not as bad as unencrypted data, I'll grant you.)

Encrypted file systems are really a good idea. However, The largest area of research is to find a way to keep the data secure without annoying the user to the point of disabling safeguards.

Perhaps this would be a good area to apply "token" authentication? The idea would be that when a program accesses a file, the user is prompted to provide authorization. Once the user provides authorization, that program has a token to access only that file for the duration of its run or until some timeout limit is reached. This would mitigate theft by assuring that only open documents will be accessable during operation. In theory the thief could forceably extract the password or key by direct access to a program's memory. In this case, the timeout becomes a necessity as it will limit the window in which the thief can force the information. Of course, this particular problem can then again be mitigated by using TCPA type hardware (i.e. the software will never know the keys or passwords).

Yet we still haven't solved the keystore problem. If the keystore is on disk (or even in TCPA hardware), it could be forceably cracked. Perhaps the keystore should be worn like a pocket watch? The drive or card would be hooked to the user's clothing thus preventing them from leaving the portable until they remove the keystore from its drive. Not a particularily elegant solution, but perhaps a viable one.

Re:Poul-Henning replies...

[ion++]

The problem is that the time it takes to boot precludes most users from shutting their machines off when not in use. The one exception to that is Mac iBooks. They are amazingly fast at sleeping and waking up. If the computer locked itself during a sleep, this would take care of the problem for iBooks. However, this still leaves issues with other portables. In X-Windows, the best thing I can think of is to follow the steps of Unix terminals and lock the computer after X minutes of non-use. You may be able to accomplish this with Windows machines as well. The problem there is that users are much less likely to play with the mouse while reading (due to having a touchpad instead of a mouse) and will quickly get annoyed at the machine locking all the time.

Yes, that would be nice, but just because this encryption can not provide the described scenario (on it's own) does not mean that it isnt usefull.

Excellent point. How do you go about storing the keys tho? Are they handled by a domain server of some sort, or are they actually stored on the disks? If the keystores are on the same disks, wouldn't you have a potential security issue anyway? (Although not as bad as unencrypted data, I'll grant you.)

The "keys" are stored on the disk, however, they are stored in an encrypted version, which is encrypted with the pass-sentense you supply. This means that you can change the pass-sentense if it gets compromised. This is a good thing. I think the key is stored using 384 bits, and the data 256, but go look in the .pdf's about this encryption.

Encrypted file systems are really a good idea. However, The largest area of research is to find a way to keep the data secure without annoying the user to the point of disabling safeguards.

This is NOT an encrypted filesystem, this is an encrypted block-device. And just like all other block-devices, you can put a filesystem ontop of it. But the filesystem has no knowledge that the underlying block-device is encrypted.

In theory the thief could forceably extract the password or key by direct access to a program's memory.

You'll have to use other ways to protect against this, like never leave your laptop, and only access secure networks, if network at all

Yet we still haven't solved the keystore problem. If the keystore is on disk (or even in TCPA hardware), it could be forceably cracked. Perhaps the keystore should be worn like a pocket watch? The drive or card would be hooked to the user's clothing thus preventing them from leaving the portable until they remove the keystore from its drive. Not a particularily elegant solution, but perhaps a viable one.

Yes we have solved the keystore problem. The actualy key for decrypting the data is stored in an encrypted version. If you try to decrypt the key, how would you know you got the right key? Well you would if you could decrypt the data. However, you can use ALOT more bits to encrypt the key, because it's so much smaller than the data. If you need 2^512 brute force attacks to decrypt the key, but only 2^256 to decrypt the data... why bother with decrypting the key?
Further more, in order to prevent an attacker from using "knownplaintext" (like the EXT2 superblock?) this driver rearranges the ordering of the blocks. SMART!

Miserable failure, or minor success?

[Beryllium+Sphere(tm)]

Agreed, there are no published attacks on full Rijndael that are faster than trying all the keys.

Cryptanalysts normally develop their tools on weakened variants of an algorithm first, kind of like the way kittens practice hunting on mice their mother has already half-killed.

There are successful attacks on reduced-round variants of Rijndael. An impossible differential attack is faster than brute force for 128-bit Rijndael limited to 6 rounds (out of the normal 10) (Biham Keller 2000, Cheon et al 2001). The "Square Attack" (Lucks 2000, Ferguson et al 2000) works against 7 rounds of 192 or 9 rounds of 256 bit keys, at the cost of 2^224 encryptions.

If you're looking for a remotely practical attack you could say the researches "failed miserably", though that seems a bit harsh.

The people who really know crpyto are still comfortable with Rijndael for practical use. The fact that it's fast means it may actually *be* used. A cipher which gets used will provide security to more people than the theoretically unbreakable but problematic-to-use one time pad.

Re:The ever increasing mobility of computers?

"Uh, no your honnor, that's not a partition full of encrypted pr0n, that's just some random free space that happens to take up most of my disk ..."

That is exactly the point of deniability.

Check out Rubberhose: http://www.rubberhose.org (the site seems to be down right now, but Google may have it cached - search for rubberhose.

With rubberhose, you create multiple virtual partitions each with their own key. Without knowing all the keys, there is no way to determine how many partitions their actually are. So, you can tell the judge two of your keys, and you can tell the judge that you only have two keys, and no one can tell whether or not there are more than two encrypted partitions on the disk.

mandatory encryption.

[Jeremy+Erwin]

If encryption is optional, then users might forget to encrypt a file that is sufficiently sensitive to warrant such protection. Moreover, if the swap file (or local equivalent) is not encrypted, some sensitive material might be recoverable by an unfriendly party.

Re:mandatory encryption.

[vegetablespork]

Good point--that, too!

Wagner has read it but has he blessed it?

[Paul+Crowley]

I'm not really convinced by the cryptography in this paper. It's good that Wagner has read it but I wouldn't interpret that as meaning he's put his seal of approval on it.

Incidentally, I presented a paper on disk sector encryption at FSE 2000, you can read it here:

http://www.ciphergoth.org/crypto/mercy/

Re:Again someone reinvents Theo's ideas.

[dodell]

You airhead, that's what I just said.

I said it's "an OPEN algorithm developed outside the United States". Are you being contradictory or needlessly pedantic?