Re: How to protect an encrypted file system for off-line attack?

2009-02-28 Thread Emanoil Kotsev
hello, 

the discussion is really interesting and informative.
there's just something I don't understand.

Jeff Soules wrote:

> good.)  In any case, with EncFS we're talking about a technological
> solution in which the encryption key is stored alongside the encrypted
> media, so whatever the password concerns are, this is unsuitable for
> keeping information truly secret when a hostile person might have
> enough physical access to the drive.
> 

Does this also apply to cryptofs or whatever LUKS is using? I'm not very
paranoid and don't have that much to hide, but I'm testing and using
cryptsetup and still didn't find time to read all the crypto related stuff.

thanks in advance - regards




-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org



Re: How to protect an encrypted file system for off-line attack?

2009-02-28 Thread Eduardo M KALINOWSKI
Andrew McGlashan wrote:
> And what if you encrypted the result multiple times with a number of 
> different keys?
>   

Security does not improve so much, actually.

http://en.wikipedia.org/wiki/Meet-in-the-middle_attack

-- 
Unless you love someone, nothing else makes any sense.
-- e.e. cummings

Eduardo M KALINOWSKI
edua...@kalinowski.com.br
http://move.to/hpkb
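
The arithmetic behind that link, as an added note (not part of Eduardo's post): with two independent n-bit keys k1, k2 and one known plaintext/ciphertext pair (P, C), the attacker need not try all 2^(2n) key pairs, because

    E_k2(E_k1(P)) = C    holds exactly when    E_k1(P) = D_k2(C).

Tabulating E_k1(P) for all 2^n values of k1, then computing D_k2(C) for each of the 2^n values of k2 and looking the result up in the table, costs about 2^n + 2^n = 2^(n+1) cipher operations and 2^n table entries instead of 2^(2n). Double encryption therefore adds about one bit of effective key strength against an attacker with that much memory, not n bits.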





Re: How to protect an encrypted file system for off-line attack?

2009-02-28 Thread Jochen Schulz
Chris Jones:
> On Fri, Feb 27, 2009 at 08:34:25AM EST, Jochen Schulz wrote:
> 
>> This is a valid question! Depending on the encryption system in use,
>> it cannot be answered satisfactorily. 
> 
> I'm not sure it's related to the encryption/decryption process. 
> 
> What I had in mind when I wrote the above was that with the immense
> volumes of output generated, having a crowd of quick-eyed folks look at
> it one individual dose at a time to determine the likelihood of its
> being the correct "solution" in a timely fashion is not practical.

Sure, it isn't. But if you are, for example, trying to brute-force a
LUKS key's passphrase, there appears to be a way to know whether the
passphrase is correct, or not. But I can only guess how it is done.

>> If a one-time pad is in use where the key is as long as the encrypted
>> document, it cannot be answered at all. 
> 
> Don't take my word for it, but I believe one-time pads .. as their
> name implies need to be unique to the document to make it impossible to
> decrypt. Otherwise you start introducing regularities.

Sure. But you could just declare your whole hard disk (or a filesystem)
as one document. As long as your purely random key is as long as this
"document", it would still qualify as one-time pad.

>> Even if one key reveals a "good looking" plaintext, the attacker has
>> no way to know whether this plaintext is the right one because other
>> keys lead to other valid looking plaintext. 
> 
> Keeping in mind that what you (the cracker, I mean..) are looking for
> might not be plain text in the first place.

Sorry, what I meant was unencrypted cleartext.

> I guess you could devise some complementary hardware support to your HD
> that would hold all the one-time pads and Mission Impossible style
> destroy itself within seconds in case of an emergency.. but I have a
> feeling that the encryption of an entire file system is more something
> that's meant to protect you from unsophisticated prying without making
> your existence miserable but that it was never meant to address the
> security of strategic files and truly sensitive data.

Why not? What makes filesystem encryption less secure than e-mail or
single file encryption?

J.
-- 
I am worried that my dreams pale in comparison beside TV docu-soaps.
[Agree]   [Disagree]
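
How a LUKS-style header can reject a wrong passphrase outright, as an added example (a toy model in Python, not cryptsetup, LUKS or EncFS code): the passphrase only unlocks an encrypted copy of the master key, and a stored digest of the master key says whether the unlock worked. The HMAC-based keystream standing in for AES, the field names and the iteration counts are assumptions of this model.

```python
"""
Toy model of a LUKS1-style header, showing why a wrong passphrase is
detected instead of producing "gobbledygook".  Added example; not
cryptsetup, LUKS or EncFS code.

  * a key slot stores a salt, an iteration count and the volume master
    key encrypted under PBKDF2(passphrase, slot salt)
  * the header stores PBKDF2(master key, digest salt) as a verifier

A wrong passphrase gives a wrong slot key, so the "decrypted" master
key is garbage and its digest does not match the stored one.  That is
the kind of check EncFS reports as "Error decoding volume key, password
incorrect".  Real LUKS wraps the master key with AES (and an
anti-forensic splitter); here an HMAC-SHA256 counter-mode keystream
stands in for the block cipher so the script needs only the stdlib.
"""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Optional

DIGEST_ITERATIONS = 1000   # cost of the master-key digest (constructed value)


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in for AES: XOR data with HMAC-SHA256(key, block counter)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hmac.new(key, offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], pad))
    return bytes(out)


@dataclass
class KeySlot:
    salt: bytes
    iterations: int
    encrypted_master_key: bytes


@dataclass
class Header:
    digest_salt: bytes
    digest: bytes          # verifier: PBKDF2 of the *master key*, not the passphrase
    slot: KeySlot


def derive_slot_key(passphrase: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, iterations, 32)


def master_key_digest(master_key: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", master_key, salt, DIGEST_ITERATIONS, 20)


def format_header(passphrase: str, iterations: int,
                  master_key: Optional[bytes] = None) -> Header:
    """Create a header with one key slot protected by `passphrase`."""
    master_key = master_key or os.urandom(32)
    slot_salt = os.urandom(32)
    slot_key = derive_slot_key(passphrase, slot_salt, iterations)
    slot = KeySlot(slot_salt, iterations, keystream_xor(slot_key, master_key))
    digest_salt = os.urandom(32)
    return Header(digest_salt, master_key_digest(master_key, digest_salt), slot)


def open_header(header: Header, passphrase: str) -> Optional[bytes]:
    """Return the master key if `passphrase` opens the slot, else None."""
    slot = header.slot
    slot_key = derive_slot_key(passphrase, slot.salt, slot.iterations)
    candidate = keystream_xor(slot_key, slot.encrypted_master_key)
    # Constant-time compare of the verifier: this is the "password incorrect" decision.
    if hmac.compare_digest(master_key_digest(candidate, header.digest_salt), header.digest):
        return candidate
    return None


def seconds_per_guess(header: Header, passphrase: str = "wrong guess") -> float:
    """Cost of one offline guess against this header (wall-clock, machine-dependent)."""
    start = time.perf_counter()
    open_header(header, passphrase)
    return time.perf_counter() - start


if __name__ == "__main__":
    header = format_header("correct horse battery", iterations=200_000)
    assert open_header(header, "correct horse battery") is not None
    assert open_header(header, "correct horse batter") is None
    print("one wrong guess costs %.3f s with %d iterations"
          % (seconds_per_guess(header), header.slot.iterations))
```

The slot's iteration count is the defender's knob: every offline guess costs the attacker the same PBKDF2 work, which is what cryptsetup's --iter-time option sets at luksFormat time.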
 



Re: How to protect an encrypted file system for off-line attack?

2009-02-28 Thread Andrew McGlashan

Hi,

Chris Jones wrote:
> While your brute force decryption is running, how do you determine you
> have found the "one key" and decide it's time to stop?
>
> Among trillions of trillions, when do you know you've hit the jackpot?


And what if you encrypted the result multiple times with a number of 
different keys?


You would have to find the first "right" key, then the next and so on until 
you know to stop as you have the final product; each level can be a complete 
success in decryption (i.e. key found).


As computers get faster and more powerful, the initial encryption could be 
multiplied over and over to keep ahead.  The question would remain though, 
how far ahead should you go -- if you think a computer will be "X" 
powerful/capable in 30 years time, do you encrypt something today to such a 
degree that in 30 years time it would still take "forever" to decrypt by 
cracking the keys (all of them).   ;)


Kind Regards
AndrewM

Andrew McGlashan
Broadband Solutions now including VoIP






Re: How to protect an encrypted file system for off-line attack?

2009-02-27 Thread Chris Jones
On Fri, Feb 27, 2009 at 08:34:25AM EST, Jochen Schulz wrote:
> Chris Jones:

> > I have a naive question. 
> > 
> > While your brute force decryption is running, how do you determine
> > you have found the "one key" and decide it's time to stop?

> This is a valid question! Depending on the encryption system in use,
> it cannot be answered satisfactorily. 

I'm not sure it's related to the encryption/decryption process. 

What I had in mind when I wrote the above was that with the immense
volumes of output generated, having a crowd of quick-eyed folks look at
it one individual dose at a time to determine the likelihood of its
being the correct "solution" in a timely fashion is not practical.

Or, in other words, you need not only the decryption but also the
analysis of its results be performed by some computer cloud, with at
least comparable processing power to that of your decrypting machine.
And as I understand it, this would mean that you need another piece of
software in your setup, one that can mimic our form of intelligence well
enough to distinguish favorites from also-rans.

The bottom-line, as I imagine it, would be that the source data contains
some regularities that are trivial to identify.

When entire file systems are encrypted, this would appear to be a fairly
simple task.  My guess is that on OSS systems such as linux, you would
just about need to look for the first 8 bytes of the FSF manifesto and
be done.

When dealing with individual files, I have a feeling you would need to
distinguish between those where the actual data is encapsulated in some
kind of file "format" .. while the data is totally variable there are I
would imagine regularities in the "capsule", and consequently, cracking
that type of encrypted input and deciding you have found what you are
looking for should not be too difficult. And then there are simple text
files and these are different in essence, because they only contain the
data and nothing else and for all we know this data might be written in
some rare forgotten language the cracker team has no knowledge of.. or
(worst case scenario) might even be perfect garbage to look at - such as
a truly random sequence of bits .. in the event what is being decrypted
happens to be a computer-generated key that was used to encrypt other
data elsewhere for instance.

To clarify, and hoping this is a valid example .. should my PIN be
"12345" .. even should the cracker know it is a PIN he is decrypting..
and therefore that it should only comprise digits.. because the bank's
keypad will accept nothing else.. will the decryption process come up
with millions of five-byte combinations that can easily be discarded
because they contain at least one byte that is not in the 0-9
range.. and only one "valid" solution.. or will there be hundreds of
false positives such as "54321" that will have made all the time and
effort of the decryption less useful than taking a shot at guessing my
favorite 5-digit combinations and entering them tentatively on the ATM's
keypad?

> If a one-time pad is in use where the key is as long as the encrypted
> document, it cannot be answered at all. 

Don't take my word for it, but I believe one-time pads .. as their
name implies need to be unique to the document to make it impossible to
decrypt. Otherwise you start introducing regularities.

> Even if one key reveals a "good looking" plaintext, the attacker has
> no way to know whether this plaintext is the right one because other
> keys lead to other valid looking plaintext. 

Keeping in mind that what you (the cracker, I mean..) are looking for
might not be plain text in the first place.

> So in this regard, one-time pads are the "perfect" encryption system.
> But unfortunately, it is not feasible to use it for hard disk
> encryption, since nobody is able to remember a passphrase of several
> gigabytes. :)

I guess you could devise some complementary hardware support to your HD
that would hold all the one-time pads and Mission Impossible style
destroy itself within seconds in case of an emergency.. but I have a
feeling that the encryption of an entire file system is more something
that's meant to protect you from unsophisticated prying without making
your existence miserable but that it was never meant to address the
security of strategic files and truly sensitive data.

Thanks for your comments.

CJ






Re: How to protect an encrypted file system for off-line attack?

2009-02-27 Thread Jochen Schulz
Chris Jones:
> 
> I have a naive question. 
> 
> While your brute force decryption is running, how do you determine you
> have found the "one key" and decide it's time to stop?

This is a valid question! Depending on the encryption system in use,
it cannot be answered satisfactorily. If a one-time pad is in use where
the key is as long as the encrypted document, it cannot be answered at
all. Even if one key reveals a "good looking" plaintext, the attacker
has no way to know whether this plaintext is the right one because other
keys lead to other valid looking plaintext. So in this regard, one-time
pads are the "perfect" encryption system. But unfortunately, it is not
feasible to use it for hard disk encryption, since nobody is able to
remember a passphrase of several gigabytes. :)

J.
-- 
People talking a foreign language are romantic and mysterious.
[Agree]   [Disagree]
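
Chris's "12345" PIN question and Jochen's one-time-pad point, worked through as an added example (my code, not from either post): under a one-time pad every 5-digit PIN is reachable from the same ciphertext, and even with a block cipher the expected number of wrong keys whose output still looks like a PIN is (2^k - 1) * P(valid), which only drops below one once enough known-format plaintext is available. Modelling the block cipher as a random permutation is an assumption of this calculation.

```python
"""
Why a brute-force search cannot always tell the right key from the
wrong ones: the "12345" PIN case.  Added example, not code from any
poster in this thread.

Case 1, one-time pad: for a ciphertext and any candidate plaintext of
the same length there is exactly one pad that maps one to the other,
so every 5-digit PIN is an equally good "solution" and no amount of
computation settles which one was sent.

Case 2, block cipher with a k-bit key (modelled as a random permutation,
an assumption of this model): a wrong key is a false positive when its
output merely looks valid (all digits).  Expected count:
    (2^k - 1) * valid_plaintexts / 256^plaintext_bytes
Only once that drops below one does the search identify the key; the
length at which it happens is the unicity distance for this format.
"""
from itertools import product


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def otp_key_for(ciphertext: bytes, wanted_plaintext: bytes) -> bytes:
    """The unique pad under which `ciphertext` decrypts to `wanted_plaintext`."""
    if len(ciphertext) != len(wanted_plaintext):
        raise ValueError("a one-time pad must match the message length")
    return xor_bytes(ciphertext, wanted_plaintext)


def count_consistent_pins(ciphertext: bytes, digits: int = 5) -> int:
    """Number of all-digit plaintexts that some pad maps `ciphertext` to.

    Every candidate succeeds, by construction of the pad; that is exactly
    the attacker's problem."""
    hits = 0
    for combo in product(b"0123456789", repeat=digits):
        pin = bytes(combo)
        if xor_bytes(otp_key_for(ciphertext, pin), ciphertext) == pin:
            hits += 1
    return hits


def expected_false_positives(key_bits: int, plaintext_bytes: int,
                             valid_plaintexts: int) -> float:
    """Wrong keys whose output passes the 'looks valid' test, on average."""
    p_valid = valid_plaintexts / 256 ** plaintext_bytes
    return (2 ** key_bits - 1) * p_valid


def bytes_to_identify_key(key_bits: int, valid_symbols_per_byte: int = 10) -> int:
    """Smallest known-format plaintext length (bytes) at which the expected
    number of false positives falls below one.  Exact integer arithmetic."""
    n = 1
    while (2 ** key_bits - 1) * valid_symbols_per_byte ** n >= 256 ** n:
        n += 1
    return n


if __name__ == "__main__":
    pad = b"\x5a\xa5\x3c\xc3\x0f"                  # constructed 5-byte pad
    ct = xor_bytes(b"12345", pad)
    print("pad that yields 54321:", otp_key_for(ct, b"54321").hex())
    print("PINs consistent with the ciphertext:", count_consistent_pins(ct))
    for bits in (56, 128, 256):
        print("%3d-bit key, 5-digit PIN: %.2e false positives; "
              "need %d digits to pin the key down"
              % (bits, expected_false_positives(bits, 5, 10 ** 5),
                 bytes_to_identify_key(bits)))
```

For a 56-bit DES key and a 5-digit PIN the model gives about 6.5e9 false positives and needs 12 digits of known-format plaintext before the key is pinned down; with a 128-bit key it needs 28.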
 



Re: How to protect an encrypted file system for off-line attack?

2009-02-26 Thread owens
>
>
>
> Original Message 
>From: cjns1...@gmail.com
>To: debian-user@lists.debian.org
>Subject: Re: How to protect an encrypted file system for off-line
>attack?
>Date: Thu, 26 Feb 2009 18:34:40 -0500
>
>>On Tue, Feb 24, 2009 at 12:56:00AM EST, Ron Johnson wrote:
>>> On 02/23/2009 08:43 PM, Javier wrote:
>>> [snip]
>>> >
>>> >
>>> >As I also have read in the Wikipedia, it is reasonable to crack a 56bits
>>> >DES, a 64bits AES if you have online access to the machine, and probably
>>> >in the future it might be possible to crack a 128bits, even offline.
>>> >But, a 256 one? It seems incredible to me. 2^256 is this number:
>>> >
>>> >
>>> >115792089237316195423570985008687907853269984665640564039457584007913129639936
>>> >
>>> >which is 10^79 iterations, I can't imagine the amount of power needed
>>> >for cracking that...
>>> >Isn't 4x10^80 the amount of atoms in the universe?
>>> 
>>> 25 years ago, I had a KayPro II with CP/M, 64KB RAM and 2 380KB 
>>> FDDs.  (Sun 2s of the same era had a 10MHz MC68010, 4MB RAM and cost 
>>> $44,000.)  Now, I've got 131,000x more RAM, 2000x more MHz and a pair 
>>> of CPUs, and 790x more disk space.
>>> 
>>> What kind of specialized crackers does the NSA have now, and how 
>>> much faster and smaller (thus higher rack density) will they be in 2035?
>>
>>Sorry to revive an already dead thread .. 
>>
>>I have a naive question. 
>>
>>While your brute force decryption is running, how do you determine you
>>have found the "one key" and decide it's time to stop?
>>
>>Among trillions of trillions, when do you know you've hit the jackpot?
>>
>>The answer is probably obvious but I just don't see it.
>>
>>
It's not as obvious as you may think.  If you have a copy of both the
plaintext AND the ciphertext then it's clearly obvious (the decrypted
cipher text matches the plaintext).  If you don't then it's the
reverse of Ron's comment (the decrypted version is no longer
gobbledygook).
Larry







Re: How to protect an encrypted file system for off-line attack?

2009-02-26 Thread Ron Johnson

On 02/26/2009 08:42 PM, Ron Johnson wrote:
> On 02/26/2009 08:32 PM, Chris Jones wrote:
>> [snip]
>>
>> Depending on what was encrypted, and given the time, I'm sure I'd be
>> able to determine, one tentative key at a time, whether the output is
>> gobbledygook or not..  But even if the original data was in the most
>> readily legible and understandable form, how do I go about separating
>> the output obtained with wrong candidate keys in their trillions from
>> that obtained with the one true key, used when the data was encrypted?

Forgot the important part: distributed.net somehow figured out how 
to do it, so presumably the NSA can too.

>> Sorry for being thick.. I don't get it.
>
> That's ok, I'm very tolerant of Democrats.




--
Ron Johnson, Jr.
Jefferson LA  USA

The feeling of disgust at seeing a human female in a Relationship
with a chimp male is Homininphobia, and you should be ashamed of
yourself.






Re: How to protect an encrypted file system for off-line attack?

2009-02-26 Thread Ron Johnson

On 02/26/2009 08:32 PM, Chris Jones wrote:
>> On 02/26/2009 06:51 PM, Chris Jones wrote:
>>> On Thu, Feb 26, 2009 at 07:11:43PM EST, Ron Johnson wrote:
>>>> On 02/26/2009 05:34 PM, Chris Jones wrote:
>>>>> Among trillions of trillions, when do you know you've hit the
>>>>> jackpot?
>>>>
>>>> When you can decrypt the document with it?
>>>
>>> You don't have access to the original unencrypted document to compare
>>> your output/solutions with, obviously you wouldn't need to decrypt it
>>> in the first place.. how do you know when you have successfully
>>> decrypted?
>>
>> The wrong key either (in the case of cryptfs) won't decrypt the file,
>> or (alternatively) will create gobbledygook.
>
> I'm not familiar with cryptfs so I do not understand what you mean by
> "not decrypting" the file.

$ encfs ~/.crypt ~/crypt
EncFS Password:
Error decoding volume key, password incorrect

$ encfs ~/.crypt ~/crypt
EncFS Password:

> Depending on what was encrypted, and given the time, I'm sure I'd be
> able to determine, one tentative key at a time, whether the output is
> gobbledygook or not..  But even if the original data was in the most
> readily legible and understandable form, how do I go about separating
> the output obtained with wrong candidate keys in their trillions from
> that obtained with the one true key, used when the data was encrypted?
>
> Sorry for being thick.. I don't get it.

That's ok, I'm very tolerant of Democrats.

--
Ron Johnson, Jr.
Jefferson LA  USA

The feeling of disgust at seeing a human female in a Relationship
with a chimp male is Homininphobia, and you should be ashamed of
yourself.






Re: How to protect an encrypted file system for off-line attack?

2009-02-26 Thread Chris Jones
> On 02/26/2009 06:51 PM, Chris Jones wrote:
> >On Thu, Feb 26, 2009 at 07:11:43PM EST, Ron Johnson wrote:
> >>On 02/26/2009 05:34 PM, Chris Jones wrote:

> >>>Among trillions of trillions, when do you know you've hit the
> >>>jackpot?

> >>When you can decrypt the document with it?

> >You don't have access to the original unencrypted document to compare
> >your output/solutions with, obviously you wouldn't need to decrypt it
> >in the first place.. how do you know when you have successfully
> >decrypted?
> 
> The wrong key either (in the case of cryptfs) won't decrypt the file,
> or (alternatively) will create gobbledygook.

I'm not familiar with cryptfs so I do not understand what you mean by
"not decrypting" the file.

Depending on what was encrypted, and given the time, I'm sure I'd be
able to determine, one tentative key at a time, whether the output is
gobbledygook or not..  But even if the original data was in the most
readily legible and understandable form, how do I go about separating
the output obtained with wrong candidate keys in their trillions from
that obtained with the one true key, used when the data was encrypted?

Sorry for being thick.. I don't get it.

Thanks,

CJ





Re: How to protect an encrypted file system for off-line attack?

2009-02-26 Thread Ron Johnson

On 02/26/2009 06:51 PM, Chris Jones wrote:
> On Thu, Feb 26, 2009 at 07:11:43PM EST, Ron Johnson wrote:
>> On 02/26/2009 05:34 PM, Chris Jones wrote:
>>> I have a naive question. 
>>>
>>> While your brute force decryption is running, how do you determine
>>> you have found the "one key" and decide it's time to stop?
>>>
>>> Among trillions of trillions, when do you know you've hit the
>>> jackpot?
>>>
>>> The answer is probably obvious but I just don't see it.
>>
>> When you can decrypt the document with it?
>
> You don't have access to the original unencrypted document to compare
> your output/solutions with, obviously you wouldn't need to decrypt it in
> the first place.. how do you know when you have successfully decrypted?

The wrong key either (in the case of cryptfs) won't decrypt the 
file, or (alternatively) will create gobbledygook.


--
Ron Johnson, Jr.
Jefferson LA  USA

The feeling of disgust at seeing a human female in a Relationship
with a chimp male is Homininphobia, and you should be ashamed of
yourself.






Re: How to protect an encrypted file system for off-line attack?

2009-02-26 Thread Chris Jones
On Thu, Feb 26, 2009 at 07:11:43PM EST, Ron Johnson wrote:
> On 02/26/2009 05:34 PM, Chris Jones wrote:

> >I have a naive question. 
> >
> >While your brute force decryption is running, how do you determine
> >you have found the "one key" and decide it's time to stop?
> >
> >Among trillions of trillions, when do you know you've hit the
> >jackpot?
> >
> >The answer is probably obvious but I just don't see it.
> 
> When you can decrypt the document with it?

You don't have access to the original unencrypted document to compare
your output/solutions with, obviously you wouldn't need to decrypt it in
the first place.. how do you know when you have successfully decrypted?

Thanks,

CJ






Re: How to protect an encrypted file system for off-line attack?

2009-02-26 Thread Ron Johnson

On 02/26/2009 05:34 PM, Chris Jones wrote:
> [snip]
>
> Sorry to revive an already dead thread .. 
>
> I have a naive question. 
>
> While your brute force decryption is running, how do you determine you
> have found the "one key" and decide it's time to stop?
>
> Among trillions of trillions, when do you know you've hit the jackpot?
>
> The answer is probably obvious but I just don't see it.

When you can decrypt the document with it?

--
Ron Johnson, Jr.
Jefferson LA  USA

The feeling of disgust at seeing a human female in a Relationship
with a chimp male is Homininphobia, and you should be ashamed of
yourself.






Re: How to protect an encrypted file system for off-line attack?

2009-02-26 Thread Chris Jones
On Tue, Feb 24, 2009 at 12:56:00AM EST, Ron Johnson wrote:
> On 02/23/2009 08:43 PM, Javier wrote:
> [snip]
> >
> >
> >As I also have read in the Wikipedia, it is reasonable to crack a 56bits
> >DES, a 64bits AES if you have online access to the machine, and probably
> >in the future it might be possible to crack a 128bits, even offline.
> >But, a 256 one? It seems incredible to me. 2^256 is this number:
> >
> >
> >115792089237316195423570985008687907853269984665640564039457584007913129639936
> >
> >which is 10^79 iterations, I can't imagine the amount of power needed
> >for cracking that...
> >Isn't 4x10^80 the amount of atoms in the universe?
> 
> 25 years ago, I had a KayPro II with CP/M, 64KB RAM and 2 380KB 
> FDDs.  (Sun 2s of the same era had a 10MHz MC68010, 4MB RAM and cost 
> $44,000.)  Now, I've got 131,000x more RAM, 2000x more MHz and a pair 
> of CPUs, and 790x more disk space.
> 
> What kind of specialized crackers does the NSA have now, and how 
> much faster and smaller (thus higher rack density) will they be in 2035?

Sorry to revive an already dead thread .. 

I have a naive question. 

While your brute force decryption is running, how do you determine you
have found the "one key" and decide it's time to stop?

Among trillions of trillions, when do you know you've hit the jackpot?

The answer is probably obvious but I just don't see it.





Re: How to protect an encrypted file system for off-line attack?

2009-02-25 Thread Chris Jones
On Mon, Feb 23, 2009 at 07:53:54PM EST, Ron Johnson wrote:
> On 02/23/2009 06:12 PM, Chris Jones wrote:
> >On Mon, Feb 23, 2009 at 02:34:26PM EST, Ron Johnson wrote:

> >>Given enough time, and resources, *nothing* is untouchable. It's
> >>just a matter of whether They think that the time-effort is worth
> >>being spent on *you*.
> >
> >Like, twenty times the estimated life of the universe.. a thousand
> >times its mass in silicon chips. Everyone involved long dead anyways.

> http://en.wikipedia.org/wiki/EFF_DES_cracker

> When DES was approved as a federal standard in 1976, a machine
> fast enough to test that many keys in a reasonable time would have
> cost an unreasonable amount of money to build.
> 
> http://en.wikipedia.org/wiki/EFF_DES_cracker#Technology

>Advanced Wireless Technologies built 1856 custom ASIC DES chips
>(called Deep Crack or AWT-4500), housed on 29 circuit boards of 64
>chips each. The boards are then fitted in six cabinets. The search
>is coordinated by a single PC which assigns ranges of keys to the
>chips. The entire machine was capable of testing over 90 billion
>keys per second. It would take about 9 days to test every possible
>key at that rate. On average, the correct key would be found in
>half that time.
> 
> In the 11 years since Deep Crack, IC process technology has improved
> by leaps and bounds, and the NSA can throw a whole lot of h/w in
> parallel at brute-force attacks.
> 
> Combine that with Side Channel Attacks (easy if you have the machine
> that did the encryption, and which can discover part of the key) and
> mathematical analysis to determine even more of the key, you suddenly
> see something feasible.

Obsolete sources my end..

Thanks for the heads-up.





Re: How to protect an encrypted file system for off-line attack?

2009-02-24 Thread Ron Johnson

On 02/24/2009 03:35 PM, ow...@netptc.net wrote:
> [snip]
>
> Ron et al
> Actually this was the case with the DES; the NSA put out a RFP and
> worked with the potential vendors quite closely during the
> development.  IBM (Tuchman and Myers) eventually won the bid.  I
> attended a week-long security seminar series in which Myers himself
> vociferously denied the trap-door theory.  Who can tell?


*You* (or, more specifically, anyone who knows cryptography) can 
tell whether an algorithm has weaknesses, like a back door.  A 
sufficiently competent programmer can find back doors in code (cc 
notwithstanding).


No such back doors were ever found in OSS implementations of DES or AES.

--
Ron Johnson, Jr.
Jefferson LA  USA

The feeling of disgust at seeing a human female in a Relationship
with a chimp male is Homininphobia, and you should be ashamed of
yourself.






Re: How to protect an encrypted file system for off-line attack?

2009-02-24 Thread owens
>
>
>
> Original Message 
>From: ron.l.john...@cox.net
>To: debian-user@lists.debian.org
>Subject: Re: How to protect an encrypted file system for off-line
>attack?
>Date: Tue, 24 Feb 2009 12:47:15 -0600
>
>>On 02/24/2009 09:50 AM, ow...@netptc.net wrote:
>>[snip]
>>> And in fact there always has been suspicion in the crypto community
>>> that, in at least some of the ciphers (going back to the original
>>> DES) that the NSA had built in a "trapdoor" such that they could
>>> easily decrypt the message but anyone else, not knowing the trapdoor,
>>> would have to use brute force.  Never proven of course.
>>> larry
>>
>>That would only be possible if The Government controlled the source 
>>code, or had an "understanding" with those who write closed-source code.
>>
>>-- 
>>Ron Johnson, Jr.
>>Jefferson LA  USA
>>
>>The feeling of disgust at seeing a human female in a Relationship
>>with a chimp male is Homininphobia, and you should be ashamed of
>>yourself.
>>
Ron et al
Actually this was the case with the DES; the NSA put out a RFP and
worked with the potential vendors quite closely during the
development.  IBM (Tuchman and Myers) eventually won the bid.  I
attended a week-long security seminar series in which Myers himself
vociferously denied the trap-door theory.  Who can tell?
Larry







Re: How to protect an encrypted file system for off-line attack?

2009-02-24 Thread Ron Johnson

On 02/24/2009 12:59 PM, John Hasler wrote:
> Ron Johnson writes:
>> [An NSA backdoor in DES & successors] would only be possible if The
>> Government controlled the source code, or had an "understanding" with
>> those who write closed-source code.
>
> The claim is stronger than that.  It is that there are backdoors in the
> algorithms: weaknesses that only NSA knows how to exploit.  I find this
> extremely unlikely for several obvious reasons.

Mainly that lots of academic mathematicians have looked at it and at 
least one of them is "anti-American" enough to squeal like a stuck 
pig...


--
Ron Johnson, Jr.
Jefferson LA  USA

The feeling of disgust at seeing a human female in a Relationship
with a chimp male is Homininphobia, and you should be ashamed of
yourself.






Re: How to protect an encrypted file system for off-line attack?

2009-02-24 Thread John Hasler
Ron Johnson writes:
> [An NSA backdoor in DES & successors] would only be possible if The
> Government controlled the source code, or had an "understanding" with
> those who write closed-source code.

The claim is stronger than that.  It is that there are backdoors in the
algorithms: weaknesses that only NSA knows how to exploit.  I find this
extremely unlikely for several obvious reasons.
-- 
John Hasler





Re: How to protect an encrypted file system for off-line attack?

2009-02-24 Thread Ron Johnson

On 02/24/2009 09:50 AM, ow...@netptc.net wrote:
> [snip]
>
> And in fact there always has been suspicion in the crypto community
> that, in at least some of the ciphers (going back to the original
> DES) that the NSA had built in a "trapdoor" such that they could
> easily decrypt the message but anyone else, not knowing the trapdoor,
> would have to use brute force.  Never proven of course.
> larry

That would only be possible if The Government controlled the source 
code, or had an "understanding" with those who write closed-source code.


--
Ron Johnson, Jr.
Jefferson LA  USA

The feeling of disgust at seeing a human female in a Relationship
with a chimp male is Homininphobia, and you should be ashamed of
yourself.






Re: How to protect an encrypted file system for off-line attack?

2009-02-24 Thread Jeff Soules
>> there's no known practical attack on it. It performs well. So it is
>
> ^
>
> That's the word, of course...  Any government that discovers a successful
> attack is going to keep quiet.

Except in a certain side-channel sense -- any government that
discovers a successful attack on an encryption algorithm it regularly
uses will know that other parties could have discovered the same
attack, and will then need to limit its use of the compromised
algorithm.  That behavior change will be observed by other parties and
will prompt suspicion about a possible vulnerability.
Unless the party that discovered the vulnerability stepped up use of
the compromised algorithm, but only for unimportant data or
misinformation...

Oh, security headgames.

On Tue, Feb 24, 2009 at 5:27 AM, Ron Johnson  wrote:
> On 02/24/2009 02:36 AM, Tzafrir Cohen wrote:
> [snip]
>>
>> Anyway, the AES cipher is one that is very well studied. It has been
>> implemented all over. Just about anybody has tried to attack it and yet
>> there's no known practical attack on it. It performs well. So it is
>
> ^
>
> That's the word, of course...  Any government that discovers a successful
> attack is going to keep quiet.
>
>> a very sane choice as a block cipher.
>
> --
> Ron Johnson, Jr.
> Jefferson LA  USA
>
> The feeling of disgust at seeing a human female in a Relationship
> with a chimp male is Homininphobia, and you should be ashamed of
> yourself.





Re: How to protect an encrypted file system for off-line attack?

2009-02-24 Thread owens
>
>
>
> Original Message 
>From: ron.l.john...@cox.net
>To: debian-user@lists.debian.org
>Subject: Re: How to protect an encrypted file system for off-line
>attack?
>Date: Tue, 24 Feb 2009 04:27:31 -0600
>
>>On 02/24/2009 02:36 AM, Tzafrir Cohen wrote:
>>[snip]
>>> 
>>> Anyway, the AES cipher is one that is very well studied. It has been 
>>> implemented all over. Just about anybody has tried to attack it and 
>>> yet there's no known practical attack on it. It performs well. So it is
>>  ^
>>
>>That's the word, of course...  Any government that discovers a 
>>successful attack is going to keep quiet.
>>
>>> a very sane choice as a block cipher.
>>
>>-- 
>>Ron Johnson, Jr.
>>Jefferson LA  USA
>>
>>The feeling of disgust at seeing a human female in a Relationship
>>with a chimp male is Homininphobia, and you should be ashamed of
>>yourself.
>>
>>
And in fact there always has been suspicion in the crypto community
that, in at least some of the ciphers (going back to the original
DES), the NSA had built in a "trapdoor" such that they could
easily decrypt the message but anyone else, not knowing the trapdoor,
would have to use brute force.  Never proven of course.
larry







Re: How to protect an encrypted file system for off-line attack?

2009-02-24 Thread owens
>
>
>
> Original Message 
>From: javu...@gmail.com
>To: debian-user@lists.debian.org
>Subject: Re: How to protect an encrypted file system for off-line
>attack?
>Date: Tue, 24 Feb 2009 03:31:51 +0100
>
>>ow...@netptc.net escribió:
>>>>
>>>>
>>>>  Original Message 
>>>> From: javu...@gmail.com
>>>> To: debian-user@lists.debian.org
>>>> Subject: Re: How to protect an encrypted file system for off-line
>>>> attack?
>>>> Date: Mon, 23 Feb 2009 23:53:27 +0100
>>>>
>>>>> Ron Johnson escribió:
>>>>>> On 02/23/2009 09:26 AM, Javier wrote:
>>>>>>> Ron Johnson escribió:
>>>>>>>> On 02/23/2009 01:28 AM, Jordi Gutiérrez Hermoso wrote:
>>>>>>>>> 2009/2/21 Javier :
>>>>>>>>>> I'm actually using encfs to protect my sensitive data,
>>>>>>>>> Eh...
>>>>>>>>>
>>>>>>>>>   http://xkcd.com/538/
>>>>>>>> That's known as Rubber Hose Decryption.
>>>>>>>>
>>>>>>>
>>>>>>> Oh yes, but if he had the chance to escape, at least the files
>>>>>>> continue to be untouchable
>>>>>> Given enough time, and resources, *nothing* is untouchable.  It's
>>>>>> just a matter of whether They think that the time-effort is worth
>>>>>> being spent on *you*.
>>>>> Do you mean that there is a way to crack a 256bits AES?
>>>>>
>>> Yep! Given enough plaintext and ciphertext and enough time (or
>>> parallel compute power and less time), a brute force attack will
>>> always work.
>>> Larry
>>
>>What do you mean with "always work"? I mean, is it not going to take
>>one million years or so? For example, if you encrypt your /home.
>>
>>
My "solution" was a standard brute force attack.  It seems each time
a new algorithm arises purporting to take "a million years" to break,
it is in fact broken within years and finally days.  In fact IIRC the
RSA system was broken after a challenge from Ron Rivest (the "R") via
a concerted attack using the Internet to parse out the key space.
Larry







Re: How to protect an encrypted file system for off-line attack?

2009-02-24 Thread Ron Johnson

On 02/24/2009 02:36 AM, Tzafrir Cohen wrote:
[snip]
> Anyway, the AES cipher is one that is very well studied. It has been 
> implemented all over. Just about anybody has tried to attack it and 
> yet there's no known practical attack on it. It performs well. So it is
  ^

That's the word, of course...  Any government that discovers a 
successful attack is going to keep quiet.

> a very sane choice as a block cipher.


--
Ron Johnson, Jr.
Jefferson LA  USA

The feeling of disgust at seeing a human female in a Relationship
with a chimp male is Homininphobia, and you should be ashamed of
yourself.






Re: How to protect an encrypted file system for off-line attack?

2009-02-24 Thread Tzafrir Cohen
On Mon, Feb 23, 2009 at 03:43:06PM -0500, Celejar wrote:
> On Sun, 22 Feb 2009 20:10:57 -0600
> Ron Johnson  wrote:
> 
> > On 02/22/2009 07:03 PM, Javier wrote:
> 
> ...
> 
> > > And which is better, Blowfish or AES?
> > 
> > AES.
> 
> Source?  Wikipedia just says:
> 
> "Blowfish provides a good encryption rate in software and no effective
> cryptanalysis of it has been found to date. However, the Advanced
> Encryption Standard now receives more attention."
> 
> http://en.wikipedia.org/wiki/Blowfish_(cipher)
> 
> And what about Twofish?

TwoFish was a final candidate for the AES. Generally all five final
candidates (Rijndael, the one selected, Serpent, Twofish, MARS and RC6)
proved[1] sufficiently secure. MARS and RC6 were generally slower than
the other three. IIRC one main weakness of Twofish was that it performed
poorly on 8-bit processors. This is not such a big issue for you, I guess.

Anyway, the AES cipher is one that is very well studied. It has been
implemented all over. Just about anybody has tried to attack it and
yet there's no known practical attack on it. It performs well. So it is
a very sane choice as a block cipher.

[1] "proved": in a very weak sense of the word. In the sense that after
a year or so of concentrated effort no attack was found, and their
design seemed solid.

-- 
Tzafrir Cohen | tzaf...@jabber.org | VIM is
http://tzafrir.org.il || a Mutt's
tzaf...@cohens.org.il ||  best
ICQ# 16849754 || friend





Re: How to protect an encrypted file system for off-line attack?

2009-02-23 Thread Ron Johnson

On 02/23/2009 08:43 PM, Javier wrote:
[snip]
> As I also have read in the Wikipedia, it is reasonable to crack a 56bits
> DES, a 64bits AES if you have online access to the machine, and probably
> in the future it might be possible to crack a 128bits, even offline.
> But, a 256 one? It seems incredible to me. 2^256 is this number:
>
> 115792089237316195423570985008687907853269984665640564039457584007913129639936
>
> which is 10^79 iterations, I can't imagine the amount of power needed
> for cracking that...
> Isn't 4x10^80 the amount of atoms in the universe?

25 years ago, I had a KayPro II with CP/M, 64KB RAM and 2 380KB 
FDDs.  (Sun 2s of the same era had a 10MHz MC68010, 4MB RAM and cost 
$44,000.)  Now, I've got 131,000x more RAM, 2000x more MHz and a pair 
of CPUs, and 790x more disk space.

What kind of specialized crackers does the NSA have now, and how 
much faster and smaller (thus higher rack density) will they be in 2035?


--
Ron Johnson, Jr.
Jefferson LA  USA

The feeling of disgust at seeing a human female in a Relationship
with a chimp male is Homininphobia, and you should be ashamed of
yourself.
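The brute-force arithmetic behind this exchange, as an added example (editor's code, not posted by anyone in the thread): it takes the Deep Crack figures Ron quotes from Wikipedia (a 56-bit keyspace searched at over 90 billion keys per second, about 9 days for the whole space) and turns them into a reusable work-factor estimate for 128- and 256-bit keys and for a random printable-ASCII passphrase of the length Jordi mentions later in the thread. The `doublings_needed` helper and the 4e80 atom count are my own assumptions for reasoning about how much faster hardware would have to get; the thread makes no claim about that, and nothing here says anything about any particular agency's hardware.

```python
import math

# Figures quoted in the thread from the Wikipedia EFF DES cracker article.
DEEP_CRACK_KEYS_PER_SECOND = 90e9   # "over 90 billion keys per second"
DES_KEY_BITS = 56

SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY

# Order-of-magnitude estimate of atoms in the observable universe, as
# mentioned in the thread (constructed constant, not a measured value).
ATOMS_IN_UNIVERSE = 4e80


def exhaustive_search_seconds(key_bits: int, keys_per_second: float) -> float:
    """Wall-clock seconds to try every key of a key_bits-bit cipher."""
    return 2.0 ** key_bits / keys_per_second


def expected_search_seconds(key_bits: int, keys_per_second: float) -> float:
    """Average case: the right key turns up after half the keyspace."""
    return exhaustive_search_seconds(key_bits, keys_per_second) / 2


def speedup_needed(key_bits: int, keys_per_second: float,
                   budget_seconds: float) -> float:
    """How many times faster than keys_per_second a machine would have to be
    to exhaust the keyspace within budget_seconds."""
    return exhaustive_search_seconds(key_bits, keys_per_second) / budget_seconds


def doublings_needed(speedup: float) -> int:
    """Number of throughput doublings (my own yardstick for 'how much faster')
    that reach the given speedup; 0 when no speedup is needed."""
    if speedup <= 1:
        return 0
    return math.ceil(math.log2(speedup))


def random_password_bits(length: int, alphabet_size: int = 95) -> float:
    """Entropy of a uniformly random password; 95 is printable ASCII."""
    return length * math.log2(alphabet_size)


def keys_per_atom(key_bits: int) -> float:
    """Keys that would have to be tried per atom in the universe if every
    atom did exactly one trial; >1 means 'more keys than atoms'."""
    return 2.0 ** key_bits / ATOMS_IN_UNIVERSE


if __name__ == "__main__":
    rate = DEEP_CRACK_KEYS_PER_SECOND
    print(f"DES at Deep Crack rate: {exhaustive_search_seconds(56, rate) / SECONDS_PER_DAY:.1f} days full, "
          f"{expected_search_seconds(56, rate) / SECONDS_PER_DAY:.1f} days average")
    for bits in (128, 256):
        years = exhaustive_search_seconds(bits, rate) / SECONDS_PER_YEAR
        d = doublings_needed(speedup_needed(bits, rate, SECONDS_PER_YEAR))
        print(f"{bits}-bit key: {years:.2e} years at that rate; "
              f"{d} throughput doublings to finish in one year")
    print(f"25 random printable chars: {random_password_bits(25):.0f} bits")
    print(f"2^256 is {2.0 ** 256:.3e}")
```

The full-space DES figure reproduces the "about 9 days" in the quoted article, which is the sanity check that the rate is being used correctly; the same function then shows a 256-bit key taking on the order of 10^58 years at that rate. Two things worth noticing: a 25-character random printable-ASCII passphrase carries about 164 bits, so it is the weaker of the two when paired with a 256-bit volume key, and 2^256 evaluates to about 1.16e77, not 10^79, so the comparison with the atom count comes out as "somewhat fewer keys than atoms" rather than more.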






Re: How to protect an encrypted file system for off-line attack?

2009-02-23 Thread Javier
Ron Johnson escribió:
> On 02/23/2009 06:12 PM, Chris Jones wrote:
>> On Mon, Feb 23, 2009 at 02:34:26PM EST, Ron Johnson wrote:
>>
>>> Given enough time, and resources, *nothing* is untouchable. It's just
>>> a matter of whether They think that the time-effort is worth being
>>> spent on *you*.
>>
>> Like, twenty times the estimated life of the universe.. a thousand times
>> its mass in silicon chips. Everyone involved long dead anyways.
> 
> http://en.wikipedia.org/wiki/EFF_DES_cracker
> When DES was approved as a federal standard in 1976, a machine
> fast enough to test that many keys in a reasonable time would
> have cost an unreasonable amount of money to build.
> 
> 
> http://en.wikipedia.org/wiki/EFF_DES_cracker#Technology
>Advanced Wireless Technologies built 1856 custom ASIC DES chips
>(called Deep Crack or AWT-4500), housed on 29 circuit boards of
>64 chips each. The boards are then fitted in six cabinets. The
>search is coordinated by a single PC which assigns ranges of keys
>to the chips. The entire machine was capable of testing over 90
>billion keys per second. It would take about 9 days to test every
>possible key at that rate. On average, the correct key would be
>found in half that time.
> 
> In the 11 years since Deep Crack, IC process technology has improved by
> leaps and bounds, and the NSA can throw a whole lot of h/w in parallel
> at brute-force attacks.
> 
> Combine that with Side Channel Attacks (easy if you have the machine
> that did the encryption, and which can discover part of the key) and
> mathematical analysis to determine even more of the key, you suddenly
> see something feasible.
> 
> Of course, all this effort would not be spent on a dissident with some
> "naughty books".
> 
>> +1 on RHD and messier (and subtler) techniques... way to go.
> 


As I also have read in the Wikipedia, it is reasonable to crack a 56bits
DES, a 64bits AES if you have online access to the machine, and probably
in the future it might be possible to crack a 128bits, even offline.
But, a 256 one? It seems incredible to me. 2^256 is this number:


115792089237316195423570985008687907853269984665640564039457584007913129639936

which is 10^79 iterations, I can't imagine the amount of power needed
for cracking that...
Isn't 4x10^80 the amount of atoms in the universe?





Re: How to protect an encrypted file system for off-line attack?

2009-02-23 Thread Javier
ow...@netptc.net escribió:
>>
>>
>>  Original Message 
>> From: javu...@gmail.com
>> To: debian-user@lists.debian.org
>> Subject: Re: How to protect an encrypted file system for off-line
>> attack?
>> Date: Mon, 23 Feb 2009 23:53:27 +0100
>>
>>> Ron Johnson escribió:
>>>> On 02/23/2009 09:26 AM, Javier wrote:
>>>>> Ron Johnson escribió:
>>>>>> On 02/23/2009 01:28 AM, Jordi Gutiérrez Hermoso wrote:
>>>>>>> 2009/2/21 Javier :
>>>>>>>> I'm actually using encfs to protect my sensitive data,
>>>>>>> Eh...
>>>>>>>
>>>>>>>   http://xkcd.com/538/
>>>>>> That's known as Rubber Hose Decryption.
>>>>>>
>>>>>
>>>>> Oh yes, but if he had the chance to escape, at least the files
>>>>> continue to be untouchable
>>>> Given enough time, and resources, *nothing* is untouchable.  It's
>>>> just a matter of whether They think that the time-effort is worth
>>>> being spent on *you*.
>>> Do you mean that there is a way to crack a 256bits AES?
>>>
> Yep! Given enough plaintext and ciphertext and enough time (or
> parallel compute power and less time), a brute force attack will
> always work.
> Larry

What do you mean with "always work"? I mean, is it not going to take one
million years or so? For example, if you encrypt your /home.





Re: How to protect an encrypted file system for off-line attack?

2009-02-23 Thread Ron Johnson

On 02/23/2009 07:12 PM, Celejar wrote:
[snip]
> But it's "not a concern for full 16-round Blowfish", so is that really
> a problem?
>
> "There is no effective cryptanalysis on the full-round version of

Where there's smoke, there might be fire.

[snip]
> So as I said, anything wrong with Twofish?

Don't know...

--
Ron Johnson, Jr.
Jefferson LA  USA

The feeling of disgust at seeing a human female in a Relationship
with a chimp male is Homininphobia, and you should be ashamed of
yourself.






Re: How to protect an encrypted file system for off-line attack?

2009-02-23 Thread Celejar
On Mon, 23 Feb 2009 18:59:56 -0600
Ron Johnson  wrote:

> On 02/23/2009 02:43 PM, Celejar wrote:
> > On Sun, 22 Feb 2009 20:10:57 -0600
> > Ron Johnson  wrote:
> > 
> >> On 02/22/2009 07:03 PM, Javier wrote:
> > 
> > ...
> > 
> >>> And which is better, Blowfish or AES?
> >> AES.
> > 
> > Source?  Wikipedia just says:
> > 
> > "Blowfish provides a good encryption rate in software and no effective
> > cryptanalysis of it has been found to date. However, the Advanced
> > Encryption Standard now receives more attention."
> 
> http://en.wikipedia.org/wiki/Weak_key#List_of_algorithms_with_weak_keys
>  Blowfish. Blowfish's weak keys produce bad S-boxes, since
>  Blowfish's S-boxes are key-dependent. There is a chosen
>  plaintext attack against a reduced-round variant of Blowfish
>  that is made easier by the use of weak keys. This is not a
>  concern for full 16-round Blowfish.
> 
> > http://en.wikipedia.org/wiki/Blowfish_(cipher)

But it's "not a concern for full 16-round Blowfish", so is that really
a problem?

"There is no effective cryptanalysis on the full-round version of
Blowfish known publicly as of 2009[update]. A sign extension bug in one
publication of C code has been identified.

In 1996, Serge Vaudenay found a known-plaintext attack requiring 28r +
1 known plaintexts to break, where r is the number of rounds. Moreover,
he also found a class of weak keys that can be detected and broken by
the same attack with only 24r + 1 known plaintexts. This attack cannot
be used against the regular Blowfish; it assumes knowledge of the
key-dependent S-boxes. Vincent Rijmen, in his Ph.D. thesis, introduced
a second-order differential attack that can break four rounds and no
more. There remains no known way to break the full 16 rounds, apart
from a brute-force search.

Bruce Schneier notes that while Blowfish is still in use, he recommends
using the more recent Twofish algorithm instead."

http://en.wikipedia.org/wiki/Blowfish_(cipher)#Cryptanalysis_of_Blowfish

> > And what about Twofish?

So as I said, anything wrong with Twofish?

Celejar
--
mailmin.sourceforge.net - remote access via secure (OpenPGP) email
ssuds.sourceforge.net - A Simple Sudoku Solver and Generator





Re: How to protect an encrypted file system for off-line attack?

2009-02-23 Thread Celejar
On Tue, 24 Feb 2009 00:10:54 +0100
Javier  wrote:

...

> I've discovered that the program apg is very nice, it can produce
> lengthy but pronounceable pass phrases like these (40 readable chars,
> probably equivalent to a 256bit random one):

Or pwgen.

Celejar
--
mailmin.sourceforge.net - remote access via secure (OpenPGP) email
ssuds.sourceforge.net - A Simple Sudoku Solver and Generator





Re: How to protect an encrypted file system for off-line attack?

2009-02-23 Thread Ron Johnson

On 02/23/2009 02:43 PM, Celejar wrote:
> On Sun, 22 Feb 2009 20:10:57 -0600
> Ron Johnson  wrote:
>
>> On 02/22/2009 07:03 PM, Javier wrote:
>
> ...
>
>>> And which is better, Blowfish or AES?
>>
>> AES.
>
> Source?  Wikipedia just says:
>
> "Blowfish provides a good encryption rate in software and no effective
> cryptanalysis of it has been found to date. However, the Advanced
> Encryption Standard now receives more attention."

http://en.wikipedia.org/wiki/Weak_key#List_of_algorithms_with_weak_keys
    Blowfish. Blowfish's weak keys produce bad S-boxes, since
    Blowfish's S-boxes are key-dependent. There is a chosen
    plaintext attack against a reduced-round variant of Blowfish
    that is made easier by the use of weak keys. This is not a
    concern for full 16-round Blowfish.

> http://en.wikipedia.org/wiki/Blowfish_(cipher)
>
> And what about Twofish?


--
Ron Johnson, Jr.
Jefferson LA  USA

The feeling of disgust at seeing a human female in a Relationship
with a chimp male is Homininphobia, and you should be ashamed of
yourself.






Re: How to protect an encrypted file system for off-line attack?

2009-02-23 Thread Ron Johnson

On 02/23/2009 06:12 PM, Chris Jones wrote:
> On Mon, Feb 23, 2009 at 02:34:26PM EST, Ron Johnson wrote:
>
>> Given enough time, and resources, *nothing* is untouchable. It's just
>> a matter of whether They think that the time-effort is worth being
>> spent on *you*.
>
> Like, twenty times the estimated life of the universe.. a thousand times
> its mass in silicon chips. Everyone involved long dead anyways.

http://en.wikipedia.org/wiki/EFF_DES_cracker
    When DES was approved as a federal standard in 1976, a machine
    fast enough to test that many keys in a reasonable time would
    have cost an unreasonable amount of money to build.

http://en.wikipedia.org/wiki/EFF_DES_cracker#Technology
    Advanced Wireless Technologies built 1856 custom ASIC DES chips
    (called Deep Crack or AWT-4500), housed on 29 circuit boards of
    64 chips each. The boards are then fitted in six cabinets. The
    search is coordinated by a single PC which assigns ranges of keys
    to the chips. The entire machine was capable of testing over 90
    billion keys per second. It would take about 9 days to test every
    possible key at that rate. On average, the correct key would be
    found in half that time.

In the 11 years since Deep Crack, IC process technology has improved 
by leaps and bounds, and the NSA can throw a whole lot of h/w in 
parallel at brute-force attacks.

Combine that with Side Channel Attacks (easy if you have the machine 
that did the encryption, and which can discover part of the key) and 
mathematical analysis to determine even more of the key, you 
suddenly see something feasible.

Of course, all this effort would not be spent on a dissident with 
some "naughty books".

> +1 on RHD and messier (and subtler) techniques... way to go.


--
Ron Johnson, Jr.
Jefferson LA  USA

The feeling of disgust at seeing a human female in a Relationship
with a chimp male is Homininphobia, and you should be ashamed of
yourself.






Re: How to protect an encrypted file system for off-line attack?

2009-02-23 Thread owens
>
>
>
> Original Message 
>From: javu...@gmail.com
>To: debian-user@lists.debian.org
>Subject: Re: How to protect an encrypted file system for off-line
>attack?
>Date: Mon, 23 Feb 2009 23:53:27 +0100
>
>>Ron Johnson escribió:
>>> On 02/23/2009 09:26 AM, Javier wrote:
>>>> Ron Johnson escribió:
>>>>> On 02/23/2009 01:28 AM, Jordi Gutiérrez Hermoso wrote:
>>>>>> 2009/2/21 Javier :
>>>>>>> I'm actually using encfs to protect my sensitive data,
>>>>>> Eh...
>>>>>>
>>>>>>   http://xkcd.com/538/
>>>>> That's known as Rubber Hose Decryption.
>>>>>
>>>>
>>>>
>>>> Oh yes, but if he had the chance to escape, at least the files
>>>> continue to be untouchable
>>> 
>>> Given enough time, and resources, *nothing* is untouchable.  It's
>>> just a matter of whether They think that the time-effort is worth
>>> being spent on *you*.
>>
>>Do you mean that there is a way to crack a 256bits AES?
>>
Yep! Given enough plaintext and ciphertext and enough time (or
parallel compute power and less time), a brute force attack will
always work.
Larry







Re: How to protect an encrypted file system for off-line attack?

2009-02-23 Thread Chris Jones
On Mon, Feb 23, 2009 at 02:34:26PM EST, Ron Johnson wrote:

> Given enough time, and resources, *nothing* is untouchable. It's just
> a matter of whether They think that the time-effort is worth being
> spent on *you*.

Like, twenty times the estimated life of the universe.. a thousand times
its mass in silicon chips. Everyone involved long dead anyways.

+1 on RHD and messier (and subtler) techniques... way to go.





Re: How to protect an encrypted file system for off-line attack?

2009-02-23 Thread Javier
Jordi Gutiérrez Hermoso escribió:
> 2009/2/23 Javier :
>> The main point here is: if he is lucky enough, no police would enter
>> into his house.
> 
> Since this has become a tinfoil hat thread more than an encryption thread...
> 
> My own personal solution to the problem has been this: my hard drive
> decryption password is 25 random printable ASCII characters. And I do
> mean random. It's something like >]\gj-eR4cn-nc;i...@{gawa*po, which I
> have committed to *muscle memory*. That is, if you ask me what my
> password is, I genuinely don't know it, because I have to sit in front
> of a keyboard to type it out, and I often make mistakes. I also rotate
> it once a year. My hope is that this means the password can't be
> obtained from me under duress, because I would be unable to type it
> out without making mistakes if I were under duress.
> 
> My paranoia is vaguely justified, since I live in Mexico and we do
> have an ongoing history of torture in this country, although I'm not
> too sure what the torturers could want from my hard drive except my
> homemade pr0n (that's really the reason I encrypt my laptop's hard
> drive, so that in case of theft my girlfriend and I don't end up in
> RedTube). How do you justify your paranoia, Javier? ;-)
> 
> - Jordi G. H.
> 
> 

I've discovered that the program apg is very nice, it can produce
lengthy but pronounceable pass phrases like these (40 readable chars,
probably equivalent to a 256bit random one):

# apg -m 40
WoitshEfHoQuagAdCurnashiawRaikBatJakEax,
gohoirAsejhukcaroldOafyebgimwacpokAtulv,
JewvudNuitImEbotThitObijedTehosenyebbev?
OjRalavCiHomOn3omesDifNicEfBisyokaddagOo
ubhousWicyerfeaTwephijhuDreapNogJosisIj5
ZykAdbeinAckrahapecdofsEnLojkitfucAxooj*


About my paranoia... not that much. I've never used encryption until
now, I have nothing to hide from the police, and am living in Spain, which
is supposed to be a good democratic country. But I have recently acquired
a laptop, and there is sensitive data in it, like passwords, private mail
from people with truly despotic governments, personal photos, and some
private data from work which might be convenient to protect. I'm
more worried about friends...





Re: How to protect an encrypted file system for off-line attack?

2009-02-23 Thread Javier
Ron Johnson escribió:
> On 02/23/2009 09:26 AM, Javier wrote:
>> Ron Johnson escribió:
>>> On 02/23/2009 01:28 AM, Jordi Gutiérrez Hermoso wrote:
>>>> 2009/2/21 Javier :
>>>>> I'm actually using encfs to protect my sensitive data,
>>>> Eh...
>>>>
>>>>   http://xkcd.com/538/
>>> That's known as Rubber Hose Decryption.
>>>
>>
>>
>> Oh yes, but if he had the chance to escape, at least the files continue
>> to be untouchable
> 
> Given enough time, and resources, *nothing* is untouchable.  It's just a
> matter of whether They think that the time-effort is worth being spent
> on *you*.

Do you mean that there is a way to crack a 256bits AES?





Re: How to protect an encrypted file system for off-line attack?

2009-02-23 Thread Celejar
On Mon, 23 Feb 2009 00:06:02 -0500
Jeff Soules  wrote:

> Hi Javier,
> 
> Thank you for your reply.  Given the hypothetical (but all too
> possible) situation you describe, there are different considerations.
> 
> > Now imagine the worst situation, that a friend wants to protect his data
> > from his corrupt dictatorial government
> 
> Absolutely a possibility.  There are many levels of secrecy --
> filesystem encryption prevents the contents from being known, but does
> not hide the fact that there is a secret.  The presence of a secret
> could be enough right there.  The kind of government you describe
> doesn't need to find evidence in order to "disappear" a person.  This
> also makes it all the more possible that, if his house is raided and
> encrypted files are found, someone might try to torture the
> information out of him.  (Even if the partition is named something
> harmless-sounding, I can't imagine cops anywhere who wouldn't demand
> it be decrypted so they could check it, and refusal would not look
> good.)  In any case, with EncFS we're talking about a technological
> solution in which the encryption key is stored alongside the encrypted
> media, so whatever the password concerns are, this is unsuitable for
> keeping information truly secret when a hostile person might have
> enough physical access to the drive.
> 
> I think it is entirely too likely that a government like this either
> would be able to compromise the data (with or without recovering the
> passwords), or would be willing to punish him just for having
> encrypted data to begin with, if they know he has it.
> 
> > Then my question is: is EncFS good enough to protect his data?
> > I think the SD with stored password is a good solution. While he is not
> > in the house, he can carry the SD or have it hidden somewhere. While he
> > is in the house, and police enter, he might have enough time to probably
> > destroy the SD and turn off the computer.
> 
> With the level of danger involved here, I think the security issue is
> more that there be some rapid way to destroy any evidence of the
> existence of the data (possibly destroying the data itself), rather
> than making sure the password stays safe.  Destroying the SD card is a
> start, but really a person under this kind of government would need to
> be able to say "No, there are no secrets," not "Here's a filesystem
> that you can't read."
> 
> That was my point in the original email -- while there are some
> interesting technical problems here, I think in this case the digital
> security is less important than the social/personal security
> surrounding it.  Or, rather, the digital security will not wind up
> being the weakest link in the chain.

This is exactly the sort of problem that StegFS was invented to solve.
Unfortunately, there has never been a stable release, and development
has stagnated.

Celejar
--
mailmin.sourceforge.net - remote access via secure (OpenPGP) email
ssuds.sourceforge.net - A Simple Sudoku Solver and Generator





Re: How to protect an encrypted file system for off-line attack?

2009-02-23 Thread Celejar
On Sun, 22 Feb 2009 20:10:57 -0600
Ron Johnson  wrote:

> On 02/22/2009 07:03 PM, Javier wrote:

...

> > And which is better, Blowfish or AES?
> 
> AES.

Source?  Wikipedia just says:

"Blowfish provides a good encryption rate in software and no effective
cryptanalysis of it has been found to date. However, the Advanced
Encryption Standard now receives more attention."

http://en.wikipedia.org/wiki/Blowfish_(cipher)

And what about Twofish?

Celejar
--
mailmin.sourceforge.net - remote access via secure (OpenPGP) email
ssuds.sourceforge.net - A Simple Sudoku Solver and Generator





Re: How to protect an encrypted file system for off-line attack?

2009-02-23 Thread Ron Johnson

On 02/23/2009 09:26 AM, Javier wrote:
> Ron Johnson escribió:
>> On 02/23/2009 01:28 AM, Jordi Gutiérrez Hermoso wrote:
>>> 2009/2/21 Javier :
>>>> I'm actually using encfs to protect my sensitive data,
>>> Eh...
>>>
>>>   http://xkcd.com/538/
>> That's known as Rubber Hose Decryption.
>>
>
> Oh yes, but if he had the chance to escape, at least the files continue
> to be untouchable

Given enough time, and resources, *nothing* is untouchable.  It's 
just a matter of whether They think that the time-effort is worth 
being spent on *you*.

>   and saving the data, could save other people
> involved, too.
> Note that they would kill or torture him anyway. Even they would kill
> him faster if there were no encryption...

That might be a good thing.

--
Ron Johnson, Jr.
Jefferson LA  USA

The feeling of disgust at seeing a human female in a Relationship
with a chimp male is Homininphobia, and you should be ashamed of
yourself.






Re: How to protect an encrypted file system for off-line attack?

2009-02-23 Thread Jordi Gutiérrez Hermoso
2009/2/23 Javier :
> The main point here is: if he is lucky enough, no police would enter
> into his house.

Since this has become a tinfoil hat thread more than an encryption thread...

My own personal solution to the problem has been this: my hard drive
decryption password is 25 random printable ASCII characters. And I do
mean random. It's something like >]\gj-eR4cn-nc;i...@{gawa*po, which I
have committed to *muscle memory*. That is, if you ask me what my
password is, I genuinely don't know it, because I have to sit in front
of a keyboard to type it out, and I often make mistakes. I also rotate
it once a year. My hope is that this means the password can't be
obtained from me under duress, because I would be unable to type it
out without making mistakes if I were under duress.

My paranoia is vaguely justified, since I live in Mexico and we do
have an ongoing history of torture in this country, although I'm not
too sure what the torturers could want from my hard drive except my
homemade pr0n (that's really the reason I encrypt my laptop's hard
drive, so that in case of theft my girlfriend and I don't end up in
RedTube). How do you justify your paranoia, Javier? ;-)

- Jordi G. H.





Re: How to protect an encrypted file system for off-line attack?

2009-02-23 Thread Barclay, Daniel
Jeff Soules wrote:
...
> 
>> The most intrusive attacks, where an attacker has complete control of
>> the user's machine (and can therefor modify EncFS, or FUSE, or the
>> kernel itself) are not guarded against. Do not assume that encrypted
>> files will protect your sensitive data if you enter your password into a
>> compromised computer.  ...
> 
> Seems to me that the man page is talking about two situations:
> 
> #1. Someone has rooted your box.  In this case, your encryption can be
> bypassed, because unless your secret passphrase is actually an entire
> RSA key, the password is just a gatekeeper and everything needed to
> decrypt the fs is on the box.  A (sufficiently clever) attacker with
> root (and enough time) could modify the EncFS program itself to bypass
> the password check and just decrypt your files.

The password should be used to _encrypt_ the encryption key.   Then you're
not vulnerable to bypassing of a password check.

But, as you said, if the machine is compromised, then once you enter the
password, the data can be decrypted.

Daniel
-- 
(Plain text sometimes corrupted to HTML "courtesy" of Microsoft Exchange.) [F]




Re: How to protect an encrypted file system for off-line attack?

2009-02-23 Thread Javier
Jeff Soules wrote:
> Hi Javier,
> 
> Thank you for your reply.  Given the hypothetical (but all too
> possible) situation you describe, there are different considerations.
> 
>> Now imagine the worst situation, that a friend wants to protect his data
>> from his corrupt dictatorial government
> 
> Absolutely a possibility.  There are many levels of secrecy --
> filesystem encryption prevents the contents from being known, but does
> not hide the fact that there is a secret.  The presence of a secret
> could be enough right there.  The kind of government you describe
> doesn't need to find evidence in order to "disappear" a person.  This
> also makes it all the more possible that, if his house is raided and
> encrypted files are found, someone might try to torture the
> information out of him.  (Even if the partition is named something
> harmless-sounding, I can't imagine cops anywhere who wouldn't demand
> it be decrypted so they could check it, and refusal would not look
> good.)  In any case, with EncFS we're talking about a technological
> solution in which the encryption key is stored alongside the encrypted
> media, so whatever the password concerns are, this is unsuitable for
> keeping information truly secret when a hostile person might have
> enough physical access to the drive.
> 
> I think it is entirely too likely that a government like this either
> would be able to compromise the data (with or without recovering the
> passwords), or would be willing to punish him just for having
> encrypted data to begin with, if they know he has it.
> 
>> Then my question is: is EncFS good enough to protect his data?
>> I think the SD with stored password is a good solution. While he is not
>> in the house, he can carry the SD or have it hidden somewhere. While he
>> is in the house, and police enter, he might have enough time to probably
>> destroy the SD and turn off the computer.
> 
> With the level of danger involved here, I think the security issue is
> more that there be some rapid way to destroy any evidence of the
> existence of the data (possibly destroying the data itself), rather
> than making sure the password stays safe.  Destroying the SD card is a
> start, but really a person under this kind of government would need to
> be able to say "No, there are no secrets," not "Here's a filesystem
> that you can't read."
> 
> That was my point in the original email -- while there are some
> interesting technical problems here, I think in this case the digital
> security is less important than the social/personal security
> surrounding it.  Or, rather, the digital security will not wind up
> being the weakest link in the chain.
> 
> I wonder if in this situation it might be more appropriate to store
> the encrypted filesystem on an external pluggable device, like a USB
> key.  If a person in this environment were not using many multimedia
> files, then storage needs might be very moderate, able to fit on some
> of the larger USB keys (8-16 GB) that can be had for around US $30.
> (I don't know what kind of budget a person in this situation might
> have).  But by storing any incriminating files on an external medium,
> preferably a (physically) small one, and then encrypting that, a
> person could both hide the very existence of prohibited data, and also
> have a data store that can be more easily hidden or destroyed during a
> police raid.  (Chuck it in the sewer or something if needs be).  If
> the computer is seized or stolen while the person is away, oh well;
> there's nothing incriminating on the computer, not even any suspicious
> encrypted filesystems.  That's if there is a reasonable reaction time
> before being taken into custody.  I really don't know whether it'd be
> better to keep this on his person with a plan to ditch or destroy it,
> or to find a hiding place the police wouldn't check where it could be
> accessed without arousing suspicion.
> 
> Good luck to any person who finds himself in such a situation.
> 
> 
> As to passwords, another method that works well is to take the
> initials of a memorable phrase, and then make a few predictable
> changes.  For instance, you could take the phrase "working to enhance
> civil liberties by overthrowing kings and dictators" to create
> w2EcLx0K&D -- which has a decent 10-char length with some character
> distribution while remaining very memorable.
> 
> 
> I hope all this helps.


Thank you for your help.
The main point here is: if he is lucky enough, no police would enter
his house. If he has little luck, police would enter while he is
not in the house, and he probably has time to escape, so for this the
encryption is very good. With very bad luck, police could enter his
house and arrest him, but in this case the encryption will still be
useful, as it can save other people.

Of course, this would be just a little part of what he would do. There
would be more important issues, like taking care not to be
discovered in his movements and comm

Re: How to protect an encrypted file system for off-line attack?

2009-02-23 Thread Javier
Ron Johnson wrote:
> On 02/23/2009 01:28 AM, Jordi Gutiérrez Hermoso wrote:
>> 2009/2/21 Javier :
>>> I'm actually using encfs to protect my sensitive data,
>>
>> Eh...
>>
>>   http://xkcd.com/538/
> 
> That's known as Rubber Hose Decryption.
> 


Oh yes, but if he had the chance to escape, at least the files would continue
to be untouchable, and saving the data could save other people
involved, too.
Note that they would kill or torture him anyway. They would even kill
him faster if there were no encryption...





Re: How to protect an encrypted file system for off-line attack?

2009-02-23 Thread Ron Johnson

On 02/23/2009 01:28 AM, Jordi Gutiérrez Hermoso wrote:
> 2009/2/21 Javier :
>> I'm actually using encfs to protect my sensitive data,
>
> Eh...
>
>   http://xkcd.com/538/

That's known as Rubber Hose Decryption.

--
Ron Johnson, Jr.
Jefferson LA  USA

The feeling of disgust at seeing a human female in a Relationship
with a chimp male is Homininphobia, and you should be ashamed of
yourself.






Re: How to protect an encrypted file system for off-line attack?

2009-02-22 Thread Jordi Gutiérrez Hermoso
2009/2/21 Javier :
> I'm actually using encfs to protect my sensitive data,

Eh...

  http://xkcd.com/538/

- Jordi G. H.





Re: How to protect an encrypted file system for off-line attack?

2009-02-22 Thread Jeff Soules
Hi Javier,

Thank you for your reply.  Given the hypothetical (but all too
possible) situation you describe, there are different considerations.

> Now imagine the worst situation, that a friend wants to protect his data
> from his corrupt dictatorial government

Absolutely a possibility.  There are many levels of secrecy --
filesystem encryption prevents the contents from being known, but does
not hide the fact that there is a secret.  The presence of a secret
could be enough right there.  The kind of government you describe
doesn't need to find evidence in order to "disappear" a person.  This
also makes it all the more possible that, if his house is raided and
encrypted files are found, someone might try to torture the
information out of him.  (Even if the partition is named something
harmless-sounding, I can't imagine cops anywhere who wouldn't demand
it be decrypted so they could check it, and refusal would not look
good.)  In any case, with EncFS we're talking about a technological
solution in which the encryption key is stored alongside the encrypted
media, so whatever the password concerns are, this is unsuitable for
keeping information truly secret when a hostile person might have
enough physical access to the drive.

I think it is entirely too likely that a government like this either
would be able to compromise the data (with or without recovering the
passwords), or would be willing to punish him just for having
encrypted data to begin with, if they know he has it.

> Then my question is: is EncFS good enough to protect his data?
> I think the SD with stored password is a good solution. While he is not
> in the house, he can carry the SD or have it hidden somewhere. While he
> is in the house, and police enter, he might have enough time to probably
> destroy the SD and turn off the computer.

With the level of danger involved here, I think the security issue is
more that there be some rapid way to destroy any evidence of the
existence of the data (possibly destroying the data itself), rather
than making sure the password stays safe.  Destroying the SD card is a
start, but really a person under this kind of government would need to
be able to say "No, there are no secrets," not "Here's a filesystem
that you can't read."

That was my point in the original email -- while there are some
interesting technical problems here, I think in this case the digital
security is less important than the social/personal security
surrounding it.  Or, rather, the digital security will not wind up
being the weakest link in the chain.

I wonder if in this situation it might be more appropriate to store
the encrypted filesystem on an external pluggable device, like a USB
key.  If a person in this environment were not using many multimedia
files, then storage needs might be very moderate, able to fit on some
of the larger USB keys (8-16 GB) that can be had for around US $30.
(I don't know what kind of budget a person in this situation might
have).  But by storing any incriminating files on an external medium,
preferably a (physically) small one, and then encrypting that, a
person could both hide the very existence of prohibited data, and also
have a data store that can be more easily hidden or destroyed during a
police raid.  (Chuck it in the sewer or something if needs be).  If
the computer is seized or stolen while the person is away, oh well;
there's nothing incriminating on the computer, not even any suspicious
encrypted filesystems.  That's if there is a reasonable reaction time
before being taken into custody.  I really don't know whether it'd be
better to keep this on his person with a plan to ditch or destroy it,
or to find a hiding place the police wouldn't check where it could be
accessed without arousing suspicion.

Good luck to any person who finds himself in such a situation.


As to passwords, another method that works well is to take the
initials of a memorable phrase, and then make a few predictable
changes.  For instance, you could take the phrase "working to enhance
civil liberties by overthrowing kings and dictators" to create
w2EcLx0K&D -- which has a decent 10-char length with some character
distribution while remaining very memorable.


I hope all this helps.


> I think the SD with stored password is a good solution. While he is not
> in the house, he can carry the SD or have it hidden somewhere. While he
> is in the house, and police enter, he might have enough time to probably
> destroy the SD and turn off the computer.
>
> What would you recommend in this imaginary case?




On Sun, Feb 22, 2009 at 8:03 PM, Javier  wrote:
> Jeff Soules escribió:
>> As Ron said, the problem you're describing is a little bit different
>> from the one the man page talks about.
>>
>>> The most intrusive attacks, where an attacker has complete control of
>>> the user's machine (and can therefore modify EncFS, or FUSE, or the
>>> kernel itself) are not guarded against. Do not assume that encrypted
>>> files will prote

Re: How to protect an encrypted file system for off-line attack?

2009-02-22 Thread Ron Johnson

On 02/22/2009 07:03 PM, Javier wrote:
[snip]
> Now imagine the worst situation, that a friend wants to protect his data
> from his corrupt dictatorial government, and he doesn't want to directly
> make the question here, because he is afraid.

From your name, we can reasonably narrow it down.  I.e., he's
probably not in the PRC...

> I think the SD with stored password is a good solution. While he is not
> in the house, he can carry the SD

And if he's caught, they find it on him.

> or have it hidden somewhere.

That which is hidden can be found.

> While he
> is in the house, and police enter, he might

He goes thru the hassle of encrypting everything, then relies on
"might"

> have enough time to probably
> destroy the SD and turn off the computer.

Pulling the plug, though, is pretty quick.

> What would you recommend in this imaginary case?

For him to use his memory.  But even then, rubber hose decryption
can be quite effective.

Anyhow, I'd suggest that sensitive files be stored in an
innocuously-named encfs directory mounted with the --idle= option.

> Also, I have seen that encfs supports up to 2048 characters for the pass
> phrase. Is it better to have a very large random pass, or is it
> irrelevant at some point?

If he can remember a long phrase, longer is always better...

Something like the first 5 or six words of a widely-known (but
seemingly irrelevant) document.

> And which is better, Blowfish or AES?

AES.

--
Ron Johnson, Jr.
Jefferson LA  USA

The feeling of disgust at seeing a human female in a Relationship
with a chimp male is Homininphobia, and you should be ashamed of
yourself.






Re: How to protect an encrypted file system for off-line attack?

2009-02-22 Thread Javier
Jeff Soules wrote:
> As Ron said, the problem you're describing is a little bit different
> from the one the man page talks about.
> 
>> The most intrusive attacks, where an attacker has complete control of
>> the user's machine (and can therefore modify EncFS, or FUSE, or the
>> kernel itself) are not guarded against. Do not assume that encrypted
>> files will protect your sensitive data if you enter your password into a
>> compromised computer.  How you determine that the computer is safe to
>> use is beyond the scope of this documentation.
> 
> Seems to me that the man page is talking about two situations:
> 
> #1. Someone has rooted your box.  In this case, your encryption can be
> bypassed, because unless your secret passphrase is actually an entire
> RSA key, the password is just a gatekeeper and everything needed to
> decrypt the fs is on the box.  A (sufficiently clever) attacker with
> root (and enough time) could modify the EncFS program itself to bypass
> the password check and just decrypt your files.
> 
> #2. Your box is keylogged, or (for some unknown reason) you put in
> your decryption password on a compromised/keylogged other box.  This
> isn't strictly an offline attack, it could happen remotely if the
> password is compromised.  I suppose you could get around this by
> automating the way your fs password is input (although if it's
> automated input over stdin, couldn't a properly designed keylogger
> still eavesdrop on it?), but that's kind of missing the point, which
> is if situation #2 happens, you will soon find yourself in situation
> #1.  There, the real questions to ask are "how do I avoid getting a
> keylogger" and "how do I catch a user account compromise before the
> attacker can gain root." Taking steps in response to those questions
> will make you much more secure across the board.
> 
> 
> If you're simply worried about protecting your filesystem from offline
> attacks, i.e. someone has physical access to your computer without
> having rooted it or whatever, then (as always with security) it
> becomes a question of how good is good enough.  How long can someone
> sit at your computer trying to log in before it locks out for half an
> hour?  How long before you (or someone else) comes back to stop them?
> Having logged in, how long before they manage to decrypt the
> filesystem without using EncFS?  Etc.  We're starting to talk about a
> very dedicated attacker at this point, who must have a compelling
> motivation for attacking your box specifically; these aren't
> government secrets, right?  At any rate, in this kind of situation,
> other security considerations and means of attack
> (http://xkcd.com/538/) start to come into play.  In fact, the main
> scenarios I can imagine are either that you're trying to keep personal
> files secret from a prying but technically skilled family member, or
> that you're protecting a corporate environment from some kind of
> industrial espionage (although again, in the latter case I think
> you're more vulnerable to social engineering attacks than strictly
> technological ones).
> Though I would wonder if, in those scenarios, having the password
> automatically input from an SD card or something might actually
> decrease your security.  If you're talking about offline attacks,
> that's someone with access to the computer's physical environment (and
> who may even have seen you put in the SD card while you mount
> encrypted FSs).  A non-compromised, keyed-in password would actually
> provide more protection in that case than an SD card that's sitting on
> your desk somewhere and that any joe could plug in.
> 
> 
> After all that, if this problem still seems compelling to you, then I
> suppose the best situation would be for you to have an SD card or
> whatever, kept secure and separate from the box, that feeds the actual
> encryption key into the system, with that key not being stored locally
> at all.  Ideally you would also have some kind of second password
> check required to get the program to actually use the RSA key, so you
> can depend on both something you have and something you know.  I've no
> idea how to implement this technically; I don't see a facility in
> EncFS to do anything like this.  Also, this setup makes your data
> brittle; if your SD card gets wet or zapped, your filesystem is gone.
> There's always compromises between security and convenience, and
> security and resilience of data.
> 
> And, joy of joys, make sure you store your backups somewhere nice and
> secure.  With your EncFS setup you probably want to store the backups
> of the encrypted filesystem away from all the others, so that someone
> getting ahold of them has to crack the actual encryption rather than
> just hunt around for the key.


Ok, thank you for your help. I've read it carefully.

Now imagine the worst situation, that a friend wants to protect his data
from his corrupt dictatorial government, and he doesn't want to directly
make the question he

Re: How to protect an encrypted file system for off-line attack?

2009-02-22 Thread Jeff Soules
As Ron said, the problem you're describing is a little bit different
from the one the man page talks about.

> The most intrusive attacks, where an attacker has complete control of
> the user's machine (and can therefore modify EncFS, or FUSE, or the
> kernel itself) are not guarded against. Do not assume that encrypted
> files will protect your sensitive data if you enter your password into a
> compromised computer.  How you determine that the computer is safe to
> use is beyond the scope of this documentation.

Seems to me that the man page is talking about two situations:

#1. Someone has rooted your box.  In this case, your encryption can be
bypassed, because unless your secret passphrase is actually an entire
RSA key, the password is just a gatekeeper and everything needed to
decrypt the fs is on the box.  A (sufficiently clever) attacker with
root (and enough time) could modify the EncFS program itself to bypass
the password check and just decrypt your files.

#2. Your box is keylogged, or (for some unknown reason) you put in
your decryption password on a compromised/keylogged other box.  This
isn't strictly an offline attack, it could happen remotely if the
password is compromised.  I suppose you could get around this by
automating the way your fs password is input (although if it's
automated input over stdin, couldn't a properly designed keylogger
still eavesdrop on it?), but that's kind of missing the point, which
is if situation #2 happens, you will soon find yourself in situation
#1.  There, the real questions to ask are "how do I avoid getting a
keylogger" and "how do I catch a user account compromise before the
attacker can gain root." Taking steps in response to those questions
will make you much more secure across the board.


If you're simply worried about protecting your filesystem from offline
attacks, i.e. someone has physical access to your computer without
having rooted it or whatever, then (as always with security) it
becomes a question of how good is good enough.  How long can someone
sit at your computer trying to log in before it locks out for half an
hour?  How long before you (or someone else) comes back to stop them?
Having logged in, how long before they manage to decrypt the
filesystem without using EncFS?  Etc.  We're starting to talk about a
very dedicated attacker at this point, who must have a compelling
motivation for attacking your box specifically; these aren't
government secrets, right?  At any rate, in this kind of situation,
other security considerations and means of attack
(http://xkcd.com/538/) start to come into play.  In fact, the main
scenarios I can imagine are either that you're trying to keep personal
files secret from a prying but technically skilled family member, or
that you're protecting a corporate environment from some kind of
industrial espionage (although again, in the latter case I think
you're more vulnerable to social engineering attacks than strictly
technological ones).
Though I would wonder if, in those scenarios, having the password
automatically input from an SD card or something might actually
decrease your security.  If you're talking about offline attacks,
that's someone with access to the computer's physical environment (and
who may even have seen you put in the SD card while you mount
encrypted FSs).  A non-compromised, keyed-in password would actually
provide more protection in that case than an SD card that's sitting on
your desk somewhere and that any joe could plug in.


After all that, if this problem still seems compelling to you, then I
suppose the best situation would be for you to have an SD card or
whatever, kept secure and separate from the box, that feeds the actual
encryption key into the system, with that key not being stored locally
at all.  Ideally you would also have some kind of second password
check required to get the program to actually use the RSA key, so you
can depend on both something you have and something you know.  I've no
idea how to implement this technically; I don't see a facility in
EncFS to do anything like this.  Also, this setup makes your data
brittle; if your SD card gets wet or zapped, your filesystem is gone.
There's always compromises between security and convenience, and
security and resilience of data.

And, joy of joys, make sure you store your backups somewhere nice and
secure.  With your EncFS setup you probably want to store the backups
of the encrypted filesystem away from all the others, so that someone
getting ahold of them has to crack the actual encryption rather than
just hunt around for the key.


On Sat, Feb 21, 2009 at 11:16 AM, Javier  wrote:
> Sorry for my ignorance in this respect, I hope you can help me.
>
> I'm actually using encfs to protect my sensitive data, but this is what
> is said in the manual:
>
> """The most intrusive attacks, where an attacker has complete control of
> the user's machine (and can therefore modify EncFS, or FUSE, or the
> kernel itself) are not guarded a

Re: How to protect an encrypted file system for off-line attack?

2009-02-21 Thread Ron Johnson

On 02/21/2009 10:16 AM, Javier wrote:
> Sorry for my ignorance in this respect, I hope you can help me.
>
> I'm actually using encfs to protect my sensitive data, but this is what
> is said in the manual:
>
> """The most intrusive attacks, where an attacker has complete control of
> the user's machine (and can therefore modify EncFS, or FUSE, or the
> kernel itself) are not guarded against. Do not assume that encrypted
> files will protect your sensitive data if you enter your password into a
> compromised computer.  How you determine that the computer is safe to
> use is beyond the scope of this documentation."""
>
> So my question is: how can I truly protect a filesystem against offline
> attacks?

But that's different from the issues raised in the quote from the
man page.

> I have been thinking of using an SD card for storing the passwords in, and
> some kind of script or program to automatically retrieve the password from
> the card when needed.

   -S, --stdinpass
   Read password from standard input, without prompt‐
   ing.  This may be useful for scripting encfs mounts.

   Note that you should make sure the filesystem and
   mount points exist first.  Otherwise encfs will
   prompt for the filesystem creation options, which
   may interfere with your script.

> Then, if I remove the card, my filesystem is
> secure.

Your filesystem is inaccessible, even to you!!  (Unless you remember
the passphrase...)

> But I also have more questions... is the AES encoder that encfs uses by
> default secure enough? If not, is there another way to use another one,
> for example, GnuPG?


--
Ron Johnson, Jr.
Jefferson LA  USA

The feeling of disgust at seeing a human female in a Relationship
with a chimp male is Homininphobia, and you should be ashamed of
yourself.






How to protect an encrypted file system for off-line attack?

2009-02-21 Thread Javier
Sorry for my ignorance in this respect, I hope you can help me.

I'm actually using encfs to protect my sensitive data, but this is what
is said in the manual:

"""The most intrusive attacks, where an attacker has complete control of
the user's machine (and can therefore modify EncFS, or FUSE, or the
kernel itself) are not guarded against. Do not assume that encrypted
files will protect your sensitive data if you enter your password into a
compromised computer.  How you determine that the computer is safe to
use is beyond the scope of this documentation."""

So my question is: how can I truly protect a filesystem against offline
attacks?

I have been thinking of using an SD card for storing the passwords in, and
some kind of script or program to automatically retrieve the password from
the card when needed. Then, if I remove the card, my filesystem is
secure.

But I also have more questions... is the AES encoder that encfs uses by
default secure enough? If not, is there another way to use another one,
for example, GnuPG?

Thank you.



-- 
gpg --keyserver pool.sks-keyservers.net --recv-keys AFC23C68

