| 1 |
On Sat, Jun 6, 2020 at 3:38 PM Victor Ivanov <vic.m.ivanov@×××××.com> wrote: |
| 2 |
> |
| 3 |
> On 06/06/2020 19:51, Rich Freeman wrote: |
| 4 |
> > Sure, if the attacker has a copy of the header they can spend as much |
| 5 |
> > time as they wish brute-forcing it. However, the same is true if they |
| 6 |
> > have the entire disk, and that is precisely the scenario we're trying |
| 7 |
> > to guard against. |
| 8 |
> |
| 9 |
> Not true. A key file stored outside the header is arguably way more |
| 10 |
> secure than a password - there's no longer a single point of failure. |
| 11 |
> Then there is also the option of having a detached LUKS header that is |
| 12 |
> never written to the block device in the first place which effectively |
| 13 |
> leaves the adversary with a stolen brick. |
| 14 |
|
| 15 |
Maybe we're miscommunicating, but it seems like you're moving the |
| 16 |
goalposts here. My point remains: |
| 17 |
|
| 18 |
The header is as secure as the disk. If the disk is secure against |
| 19 |
brute-force, then so is the header. |
| 20 |
|
| 21 |
Your original point was, "The problem here is that a leaked header |
| 22 |
immediately means a compromised volume." |
| 23 |
|
| 24 |
This makes no sense. The whole reason you're using encryption is to |
| 25 |
protect the data if your disk is stolen/etc. If they steal the disk |
| 26 |
they get the header too. So, if a leaked header means that your |
| 27 |
volume is compromised, then a stolen disk does so as well, which means |
| 28 |
your encryption is worthless. |
| 29 |
|
| 30 |
Now, obviously if you don't store the key in the header or store the |
| 31 |
header on the disk, that is more secure. However, if the key isn't in |
| 32 |
the header then a leaked header does not give an attacker any |
| 33 |
opportunity to brute-force it, because there is nothing to brute |
| 34 |
force. |
| 35 |
|
| 36 |
There are many things that can be done to make the disk more secure, |
| 37 |
like not using a memorable password or not storing the key on the |
| 38 |
disk. Obviously these sorts of solutions create additional problems |
| 39 |
with key management, and if you solve them incorrectly then you might |
| 40 |
actually reduce security. |
| 41 |
|
| 42 |
> I was merely emphasising the fact that |
| 43 |
> when using a password, having the facility to change the password can |
| 44 |
> give a false sense of security |
| 45 |
|
| 46 |
Sure, there is really no point in "rotating passwords" with LUKS. If |
| 47 |
somebody gets a copy of your disk then they effectively have a |
| 48 |
snapshot of your password. If you later change it the data they still |
| 49 |
have a copy of what it used to be. |
| 50 |
|
| 51 |
And if they do have the ability to periodically snapshot your header |
| 52 |
and you keep changing your password, then they can bruteforce all your |
| 53 |
passwords in parallel and if they obtain any of them they can decrypt |
| 54 |
the drive, unless you change the session key and re-encrypt the drive. |
| 55 |
|
| 56 |
With any of these things you have to understand your threat model. |
| 57 |
For example, on my distributed filesystem I'm moving to encrypted |
| 58 |
drives to protect me in case I have to dispose of a drive without the |
| 59 |
opportunity to wipe it first. To do this I'm just going to store my |
| 60 |
keys on the root filesystem so that the systems can be booted without |
| 61 |
interaction. Obviously if somebody compromises the files with the |
| 62 |
keys they can decrypt my drives, but this means that I just have to |
| 63 |
protect a couple of SD cards which contain my root filesystems, |
| 64 |
instead of worrying about each individual hard drive. The drives |
| 65 |
themselves end up being much more secure, because the password used to |
| 66 |
protect each drive is random and long - brute-forcing the password |
| 67 |
will be no easier than brute-forcing AES itself. This doesn't protect |
| 68 |
me at all if somebody breaks into my house and steals everything. |
| 69 |
|
| 70 |
-- |
| 71 |
Rich |
Archives