To: hackers@freebsd.org
From: "Poul-Henning Kamp"
In-Reply-To: Your message of "Fri, 16 May 2003 10:51:53 CDT." <20030516155153.GY3896@geekpunk.net>
Date: Sat, 17 May 2003 21:04:19 +0200
Message-ID: <6681.1053198259@critter.freebsd.dk>
Subject: Re: Crypted Disk Question
List-Id: Technical Discussions relating to FreeBSD

In message <20030516155153.GY3896@geekpunk.net>, "Brandon D. Valentine" writes:
>On Thu, May 15, 2003 at 11:23:52PM -0700, Terry Lambert wrote:
>> >
>> > You might just as well claim GEOM is useless because they could
>> > always torture the password out of you - both views are equally
>> > meritless.
>
>Which password will they torture out of you? =)

1. We're talking about GBDE here, not GEOM.

2. Which choices the user under duress makes, should not be dictated
   by GBDE or any other cryptographic facility. GBDE tries to leave
   the maximum number of options open for the user, including:
   change passphrase, destroy pass-phrase and destroy all master-key
   material.

>There are disk encryption schemes which utilize multiple keys, each key
>unlocking a different layer of information. These systems are designed,
>at least in part, to facilitate the partial release of information in a
>coercion scenario. Outwardly there is no way to determine whether the
>key you have been given fully unlocked the disk or whether you were only
>given partial access.

This is BS.

If nothing else, we learned from the Iranian Embassy Hostage incident,
that the "Ohh, all adversaries are clueless" assumption is not valid.

If somebody gets caught with a disk which contains a lump of data
crypted with a multi-level facility, the adversary will know that
it is a multi-level facility and the pressure to hand over key
material will not cease until the adversary is satisfied that there
are no more levels of protection.

If the adversary has a mistaken belief about what is on the disk,
for instance expecting it to contain details of WMD, instead of the
p0rn collection it has, then the pressure will be kept up, because
the user can not prove that it does in fact not have a further level
of encryption.

GBDE takes the opposite approach: There is only a single level, but
the user has the ability to nuke the master-key material out of
existence with a swift operation.

I also have a number of ideas for modes where GBDE is "mined" so
that if certain criteria are not fulfilled, it will self-destruct the
master-key bits.

If you manage to activate the master-key destruction before the
attacker has gotten a bit for bit copy of the disk, you can yield
your passphrase to the attacker (when you judge the time and
circumstances for doing so is optimal), and the attacker will
immediately discover that you gave the correct pass-phrase, that
it is useless to them, but most importantly that no other pass-phrase
will be helpful either.

The attacker therefore no longer has that as a reason to apply undue
force on the user.

>Just because the court orders you to unlock your disk you can choose not
>to do so. You will be held in contempt of court, possibly charged with
>obstruction of justice and most definitely jailed until you produce the
>key material. But, if the privacy of the contents of your disk is worth
>more to you than your freedom, you can continue to deny the court's
>request.

Using the GBDE approach, they will have to settle for "destruction
of evidence". Typically they will have to prove that you did so
deliberately; this is generally a rather soft punishment, since
they may not even be able to prove what the evidence you destroyed
was, if indeed it was evidence in the first place.

>However, hiding information from a court of law is generally not the
>goal of encryption of this sort.

That, my friend, depends a lot on who you are, what circumstances
you are in, and what you are hiding.

Cryptographic tools should be as general as possible, and support
as many possible uses as possible, and not make assumptions about
what life in the real world is if it can be avoided.

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.