| 1 |
On Sat, Feb 20, 2016 at 5:55 AM, lee <lee@××××××××.de> wrote: |
| 2 |
> Rich Freeman <rich0@g.o> writes: |
| 3 |
> |
| 4 |
>> develop. (Before somebody points out LUKS, be aware that Bitlocker |
| 5 |
>> lets you do full-disk encyption that is secure without having to |
| 6 |
>> actually type a decryption key at any point. Remove the hard drive or |
| 7 |
>> boot from a CD, and the disks are unreadable - you can only read them |
| 8 |
>> if you boot off them on the original PC.) |
| 9 |
> |
| 10 |
> And how do you read the disks when this original machine is broken? |
| 11 |
> |
| 12 |
|
| 13 |
Well, in general you still want to have backups. I believe many of |
| 14 |
these sorts of solutions do let you escrow a key elsewhere. |
| 15 |
|
| 16 |
> It doesn't seem very secure, either. When your laptop that uses |
| 17 |
> Bitlocker gets into the wrong hands, whoever has it can read the disks. |
| 18 |
|
| 19 |
Kinda-sorta. They can boot the machine, but now they're stuck at a |
| 20 |
login prompt. In order to extract data from the computer they need to |
| 21 |
defeat password-throttling, the kernel, and so on. They have to go |
| 22 |
through the front-door. The main protection is against offline |
| 23 |
password cracking/etc. |
| 24 |
|
| 25 |
I'd think the biggest vulnerability of something like Bitlocker would |
| 26 |
be against direct memory attacks. I assume that the session keys are |
| 27 |
stored in RAM - I can't imagine that all drive reads/writes are |
| 28 |
streamed through the TPM. So, extracting the keys from RAM after |
| 29 |
bootup would be the biggest risk. If the user data is encrypted using |
| 30 |
user-entered passwords you're still going to have all the security of |
| 31 |
a LUKS-like solution but with the advantage of rate limiting of |
| 32 |
attacks. |
| 33 |
|
| 34 |
In ChromeOS they took a different approach. They use UEFI secure boot |
| 35 |
to protect the OS, and then encrypt user data using a key derived from |
| 36 |
the user's password and the TPM, using the TPM to rate-limit attacks. |
| 37 |
In this design only the user's private data is protected from reading, |
| 38 |
but to crack it they still have to boot the system normally and go |
| 39 |
through the front door. There is no way to offline-crack the user's |
| 40 |
weak hand-entered password. They either need to send that password |
| 41 |
through the TPM (I'm not sure if they can do that offline or not - |
| 42 |
probably they can, but it is still rate-limited by the TPM itself), or |
| 43 |
they need to directly brute-force the AES key which is of course |
| 44 |
impractical. |
| 45 |
|
| 46 |
The problem with LUKS is that it doesn't do anything to rate-limit |
| 47 |
attacks since there is no hardware component to it. Of course it is |
| 48 |
designed to make attacks more expensive using multiple rounds/etc to |
| 49 |
make up for the weakness of memorized passwords. |
| 50 |
|
| 51 |
-- |
| 52 |
Rich |
Archives