On 6/21/07, evb <[EMAIL PROTECTED]> wrote:
> ...
> :consider that while data is at rest, the encryption program
> :for access to the EFS is modified to copy keys to unused
> :partition space which can be scavenged later or delivered via
> :networked malware.
>
> Could you kindly provide a citation for this proposition. Thank you, Eric

see [0] for a description of key recovery from memory via an unprivileged process. [1] is a nice tale of worldwide covert key leakage in this vein. the ssl hack [2] a notable encounter with trojan'd security software.

there are plenty of texts on the subject with regards to "pre-boot authentication". this aims to keep authentication for disk encryption key access trusted by using a secure boot sequence (external pre-boot auth device, trusted security module verified bootloader, read only ISO boot, etc).

if your laptop or workstation is in untrusted hands they can easily implement the trojan key recovery described above when operating system and other components are exposed on disk. FDE resists such modifications.

a hardware keystroke logger can be thwarted by dual or multi-factor authentication. (passphrase + USB key fob to boot FDE, etc)

best regards,

0. Cache Attacks and Countermeasures: the Case of AES
   http://www.wisdom.weizmann.ac.il/~tromer/papers/cache.pdf
   NOTE: with ring0/root privs you can simply directly read keys from memory.

1. Crypto AG covert key leakage
   http://mediafilter.org/caq/cryptogate/

2. OpenSSH Security Advisory (adv.trojan)
   http://www.openssh.org/txt/trojan.adv

_______________________________________________
FDE mailing list
[email protected]
http://www.xml-dev.com/mailman/listinfo/fde
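
A defender-side check for the scenario quoted at the top of this message (data copied to unused partition space), added here as an example and not part of the original post: it parses an MBR partition table, works out which sectors belong to no partition, and reports any that are not all zeroes. It assumes a classic MBR layout with 512-byte sectors; the function names and the sample disk image are constructed for illustration.

```python
import struct

SECTOR = 512  # assumption: 512-byte logical sectors, classic MBR layout

def mbr_partitions(image: bytes):
    """Return sorted (first_lba, sector_count) for each used MBR slot."""
    if image[510:512] != b"\x55\xaa":
        raise ValueError("no MBR boot signature")
    parts = []
    for slot in range(4):
        entry = image[446 + 16 * slot : 462 + 16 * slot]
        first_lba, count = struct.unpack_from("<II", entry, 8)
        if entry[4] != 0 and count > 0:  # byte 4 is the partition type
            parts.append((first_lba, count))
    return sorted(parts)

def unallocated_gaps(parts, total_sectors):
    """Sector ranges [start, end) outside every partition, skipping the MBR."""
    gaps, cursor = [], 1
    for first_lba, count in parts:
        if first_lba > cursor:
            gaps.append((cursor, first_lba))
        cursor = max(cursor, first_lba + count)
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors))
    return gaps

def nonzero_slack_sectors(image: bytes):
    """List sectors in unallocated space that hold any non-zero byte."""
    total = len(image) // SECTOR
    hits = []
    for start, end in unallocated_gaps(mbr_partitions(image), total):
        for lba in range(start, end):
            if image[lba * SECTOR : (lba + 1) * SECTOR].strip(b"\x00"):
                hits.append(lba)
    return hits

def build_sample_image():
    """Constructed 64-sector image: one partition at LBA 8..39, marker at LBA 50."""
    img = bytearray(64 * SECTOR)
    img[446:462] = struct.pack("<B3sB3sII", 0x80, b"\0" * 3, 0x83, b"\0" * 3, 8, 32)
    img[510:512] = b"\x55\xaa"
    img[8 * SECTOR : 40 * SECTOR] = b"\xaa" * (32 * SECTOR)  # partition contents
    img[50 * SECTOR : 50 * SECTOR + 16] = b"CONSTRUCTED-DATA"   # stray data in slack
    return bytes(img)

if __name__ == "__main__":
    image = build_sample_image()
    print("non-zero unallocated sectors:", nonzero_slack_sectors(image))
```

On a real disk the gap after the MBR often holds boot loader code, so hits there are compared against a known-good baseline rather than treated as findings on their own.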
