From owner-freebsd-hackers@FreeBSD.ORG  Sun Mar  6 16:23:03 2005
Return-Path: <owner-freebsd-hackers@FreeBSD.ORG>
Delivered-To: freebsd-hackers@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 9F92616A4CE
	for <hackers@freebsd.org>; Sun,  6 Mar 2005 16:23:03 +0000 (GMT)
Received: from marlena.vvi.at (marlena.vvi.at [208.252.225.59])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 35EFA43D1F
	for <hackers@freebsd.org>; Sun,  6 Mar 2005 16:23:03 +0000 (GMT)
	(envelope-from www@marlena.vvi.at)
Received: from marlena.vvi.at (localhost.marlena.vvi.at [127.0.0.1])
	by marlena.vvi.at (8.12.10/8.12.9) with ESMTP id j25KRwoH055473;
	Sat, 5 Mar 2005 12:27:59 -0800 (PST)
	(envelope-from www@marlena.vvi.at)
Received: (from www@localhost)
	by marlena.vvi.at (8.12.10/8.12.10/Submit) id j25KRmAF055472;
	Sat, 5 Mar 2005 12:27:48 -0800 (PST)
	(envelope-from www)
Date: Sat, 5 Mar 2005 12:27:48 -0800 (PST)
Message-Id: <200503052027.j25KRmAF055472@marlena.vvi.at>
To: abuse@spamalicious.com
From: "ALeine" <aleine@austrosearch.net>
cc: elric@imrryr.org
cc: briggs@netbsd.org
cc: perry@piermont.com
cc: phk@phk.freebsd.dk
cc: hackers@freebsd.org
cc: tech-security@netbsd.org
cc: ticso@cicely.de
Subject: Re: FUD about CGD and GBDE 
X-BeenThere: freebsd-hackers@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Technical Discussions relating to FreeBSD
	<freebsd-hackers.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-hackers>,
	<mailto:freebsd-hackers-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-hackers>
List-Post: <mailto:freebsd-hackers@freebsd.org>
List-Help: <mailto:freebsd-hackers-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-hackers>,
	<mailto:freebsd-hackers-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 06 Mar 2005 16:23:03 -0000

abuse@spamalicious.com wrote:

> > Second of all, the cleaning lady copy attack (described in section
> > 10.3), where someone can regularly make bit-wise copies of the
> > entire disk containing the encrypted image and determine the
> > location of sensitive structures by means of differential analysis
> > is not very practical.
>
> Actually, it's quite practical.  It requires no hardware modification that 
> might be noticed, and it only requires intermittent access to the machine.  
> And as I said above, traffic analysis will yield considerable results toward 
> breaking the encryption.  Do you keep *your* laptop next to you 24/7?  Very 
> few people do.  Some laptop manufacturers (e.g. Dell) even make it 
> particularly easy to remove the disk.

Trying to prove your point by taking my statements out of context is not a
very good way to argue a point. Let me reiterate: 

Second of all, the cleaning lady copy attack (described in section 10.3),
where someone can regularly make bit-wise copies of the entire disk containing
the encrypted image and determine the location of sensitive structures by means
of differential analysis is not very practical. If someone has that kind of
access to your computer then they are more likely to use a hardware keylogger
and intercept the passphrase.

I never implied this kind of attack would be impossible, it is in fact probable.
What I did imply is that this kind of attack is less practical than simply using
a keylogger to intercept the passphrase. If you assume that you are dealing with
an attacker capable of differential analysis, you can also safely assume that
such an attacker knows that employing a keylogger would be an easier way to
achieve the same goal, therefore the attacker would be more likely to resort to
using a keylogger than differential analysis. That is, if we also assume the
attacker is sane and not a masochist.

> While you might claim that the dedication to study the user's behavior and 
> mount such an attack is fanciful, I claim that it is not.  Under observation, 
> GBDE's additional techniques do not stand up to the claim of being "spook 
> strength".

I never made such a claim, you are missing the point. What I am saying is that
as long as there are more practical ways of attacking GBDE in the particular
scenario where an attacker has access to the cold disk in a way that enables
that attacker to, among other possibilities, make bit-wise copies of the disk
on a regular basis in order to perform differential analysis, such an attacker
is more likely to resort to employing other easier methods first.

You cannot use the argument of susceptibility to differential analysis against
GBDE without using the same argument against CGD. In fact, CGD is even more
susceptible to such analysis because eventhough it employs AES 256, it does
nothing to obscure the location of sensitive sectors, while GBDE employs
several mechanisms to achieve that goal and to also severely localize the
extent and impact of a potential compromise resulting from differential
analysis. Your point is therefore moot.

I also believe that it would be beneficial to implement regular rewriting of
randomly picked lock sector(s) at random times during a user specified interval
(up to x rewrites within n seconds) in order to further obscure the write
pattern and provide additional protection for lock sectors.

ALeine
___________________________________________________________________
WebMail FREE http://mail.austrosearch.net