From owner-freebsd-fs@FreeBSD.ORG  Sat Sep  4 23:33:04 2004
Return-Path: <owner-freebsd-fs@FreeBSD.ORG>
Delivered-To: freebsd-fs@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP
	id 1E9B616A4CE; Sat,  4 Sep 2004 23:33:04 +0000 (GMT)
Received: from maui.ebi.ac.uk (maui.ebi.ac.uk [193.62.196.100])
	by mx1.FreeBSD.org (Postfix) with ESMTP
	id 8A6ED43D3F; Sat,  4 Sep 2004 23:33:02 +0000 (GMT)
	(envelope-from kreil@ebi.ac.uk)
Received: from puffin.ebi.ac.uk (puffin.ebi.ac.uk [193.62.196.89])
	by maui.ebi.ac.uk (8.11.7+Sun/8.11.7) with ESMTP id i84NX0F19663;
	Sun, 5 Sep 2004 00:33:00 +0100 (BST)
Received: from puffin.ebi.ac.uk (kreil@localhost)
	by puffin.ebi.ac.uk (8.11.6/8.11.6) with ESMTP id i84NWxC17377;
	Sun, 5 Sep 2004 00:32:59 +0100
Message-Id: <200409042332.i84NWxC17377@puffin.ebi.ac.uk>
X-Mailer: exmh version 2.4 06/23/2000 with nmh-1.0.4
To: "Poul-Henning Kamp" <phk@phk.freebsd.dk>
In-Reply-To: Your message of "Sat, 04 Sep 2004 10:03:11 +0200."
             <6638.1094284991@critter.freebsd.dk> 
X-Habeas-SWE-1: winter into spring
X-Habeas-SWE-2: brightly anticipated
X-Habeas-SWE-3: like Habeas SWE (tm)
X-Habeas-SWE-4: Copyright 2002 Habeas (tm)
X-Habeas-SWE-5: Sender Warranted Email (SWE) (tm). The sender of this
X-Habeas-SWE-6: email in exchange for a license for this Habeas
X-Habeas-SWE-7: warrant mark warrants that this is a Habeas Compliant
X-Habeas-SWE-8: Message (HCM) and not spam. Please report use of this
X-Habeas-SWE-9: mark in spam to <http://www.habeas.com/report/>.
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Sun, 05 Sep 2004 00:32:59 +0100
From: David Kreil <kreil@ebi.ac.uk>
X-EBI-Information: This email is scanned using www.mailscanner.info.
X-EBI: Found to be clean
X-EBI-SpamCheck: not spam, SpamAssassin (score=-8, required 5,
	HABEAS_SWE -8.00)
cc: freebsd-fs@freebsd.org
cc: David Kreil <kreil@ebi.ac.uk>
cc: freebsd-questions@freebsd.org
Subject: Re: gbde blackening feature - how can on disk keys be "destroyed" 
 thoroughly?
X-BeenThere: freebsd-fs@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Filesystems <freebsd-fs.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-fs>,
	<mailto:freebsd-fs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-fs>
List-Post: <mailto:freebsd-fs@freebsd.org>
List-Help: <mailto:freebsd-fs-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-fs>,
	<mailto:freebsd-fs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 04 Sep 2004 23:33:04 -0000


Dear Poul-Henning,

Thank you very much for your comments!

> >From what I can see so far, they are simply overwritten with zeros - is
> >that 
> >right? If so, the blackening feature would be much weakend, as one can read 
> >up to 20 layers of data even under random data (and more under zeros).
> >I would 
> >be most grateful for comments, or suggestions of where/how one could extend 
> >the code to do a secure wipe of the key areas. Also, I know practically
> >nothing 
> >of how I could to best get FreeBSD to physically write to disk 
> >(configurability of hardware cache etc permitting).
> 
> On a modern disk there is no sequence of writes that will guarantee
> you that your data is iretriveable lost.
> Even if you rewrite a thousand times, you cannot guard yourself against
> the sector being replaced by a bad block spare after the first write.

Good point. In the rare chance event that this happens, it would indeed be bad 
news as an attacker would then only have to scan the bad blocks for possible 
copies of the key.

> If your threat-analysis indicates this is a serious threat for you,
> you should arrange for simple physical destruction of your disk to
> be available.
> 
> Most modern disks have one or more holes in the metal only covered
> by a metalic sticker.  Pouring sulfuric acid through those openings
> is a good start.

Hmm... to me, the main benefit of the blackening feature would seem to be the possibility of compliance with a court directive without disclosing confidential data. With multiple key holders, any particular person can maintain that they have done all they could to comply. Not only is the optics of having your disks are found in vats of sulfuric acid rather bad, it's also more unlikely that "a moment of opportunity" arises.

A simple improvement on the present situation would already be if the keys were not overwritten with zeros but with random bits. I don't know how difficult it would be to attempt to physically write random bits multiple times but it would much strengthen the feature apart from the rare cases when the sectors of the masterkey have been remapped into bad blocks.

As rightly pointed out in the manpages, the better the encryption gets, the more likely are attacks via other routes. Reading a few layers of the current masterkey location + all bad blocks with an MFM should cost no more than a few thousand $.

What do you think? Is the required effort disproportional to the intended value of the blackening feature?

With many thanks again for your help

and best regards,

David.


------------------------------------------------------------------------
Dr David Philip Kreil                 ("`-''-/").___..--''"`-._
Research Fellow                        `6_ 6  )   `-.  (     ).`-.__.`)
University of Cambridge                (_Y_.)'  ._   )  `._ `. ``-..-'
++44 1223 764107, fax 333992         _..`--'_..-_/  /--'_.' ,'
www.inference.phy.cam.ac.uk/dpk20   (il),-''  (li),'  ((!.-'