Maybe common disk encryption is so compromised, there's no point to implementing?

Tony Su tonysu at su-networking.com
Sat May 3 09:39:02 PDT 2014


Tracy,
You'd have to be a little more explanatory if you believe that full disk
encryption is still valid.

I'm in the early stages of inspecting and verifying what I've read that
these encryption methods are completely exposed if a memory dump can be
obtained immediately after a login attempt (and, of course, failure). From
what I've read, all machines will load the required "secrets" into memory
to compare with input, so are completely exposed. If necessary, it also
seems that even after a complete power-off, volatile memory remains intact
for a few seconds, so in some circumstances that also might be a
vulnerability.

It seems to me, if true, that this is exactly the type of compromise that
hits at the purpose of full disk encryption, the protection of "data at
rest" -- You don't want someone to be able to enable "data at rest" to be
"not at rest."

So, for example, Elcomsoft and Passware claim to have compromised full disk
encryption even if using TPM, and released commercial products which are
supposed to crack BitLocker, TrueCrypt, et al. 2 years ago (2012)... in only
30 minutes or less.

Tony


On Sat, May 3, 2014 at 8:01 AM, Stewart C. Strait <sstrait1 at san.rr.com> wrote:

> On Fri, May 02, 2014 at 04:55:12PM -0700, Tracy Reed wrote:
> > On Wed, Apr 23, 2014 at 11:19:05AM PDT, Tony Su spake thusly:
> > > Maybe disk encryption is practically useless today, is actually a
> > > maintenance point of failure without much value?!
> >
> > No.
>
> Maybe I'm misinterpreting something, but no cryptosystem can stand up to
> having the keys or intermediate results intercepted in addition to the
> ciphertext. This has been a problem for hundreds of years--people have
> been stealing or otherwise obtaining codebooks, cipher key sheets,
> and enciphering worksheets for this whole time.
>
> I get the impression that these disk encryptions are being cracked because
> the attacker is getting access to machines that have not been turned off
> or even used heavily since the last encryption or decryption was done.
> Or are they finding credentials that were swapped to disk and not
> overwritten, or what?
>
> I would assume it takes a lot of care to set up disk encryption so that
> it erases the keys and intermediate work properly when you
> close all your encrypted files and tell (maybe by default) the system
> that you want to secure the encrypted part of the system.
>
> But it's a big deal if actually doing a normal shutdown doesn't secure
> things.
>
> Stewart Strait
>
>
> --
> KPLUG-List at kernel-panic.org
> http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
>

