[dm-crypt] LUKS and backdoors

Christoph Anton Mitterer calestyo at scientia.net
Sun Oct 20 03:58:36 CEST 2013

On Sun, 2013-10-20 at 03:27 +0200, Arno Wagner wrote:
> On Sun, Oct 20, 2013 at 02:49:59AM +0200, Christoph Anton Mitterer wrote:
> > 
> [...]
> > Anyway... who should put the key in such a place? If you're already
> > that far, that some evil application is running with enough rights on
> > your system to do that,... you're screwed anyway, and nothing can help
> > you with that.
> Indeed. And this app needs root-permissions as it is writing
> data to raw partitions. 

Maybe I need to revise my own statement a tiny bit, that the whole thing
seemed to be a non-issue to me.

1) If an attacker successfully attacks a system that is somehow
connected to the internet, to an extent where he can read your master
keys and write to raw devices.... you're screwed as I said.
Whether or not the attacker wants to remain silent doesn't matter... if
not he simply sends all data he wants over the wire or if he wants to
remain silent (and remove his rootkit/whatever) after getting the
masterkey,... he doesn't need to store it locally,... he will always
find some way to send it via the internet, and be it via hidden

2) If a system is absolutely offline, one can argue that an attacker
indeed would want to store the plain master key at some place (locally)
where he can recover it later on, to decrypt your data (e.g. after
breaking into your house)...
But then again,... he already has to be in your system.... so in that
case you'd already use compromised software and the attacker could just
use no encryption and simply hide that from you... or really use a key
that he already knows...

And even if you forget about all that (which makes the thing IMHO again
a non issue),... there are plenty of places left (not only the headers)
where such information could be stored.
EFI system partition, the BIOS CMOS or other firmware EEPROMs, perhaps
in tricky ways in the MBR or the MBR post gap.
Or actually, at any place of the disk... it does not really matter
whether there's a filesystem or not.... chances are good that the block
is never used or rewritten,... or he simply replaces your fs driver and
reserves some blocks (that he already knows) from being used and places
the key there... I'm sure you'd never notice.

So again,.. once your system is compromised to such a level... you're
simply screwed.
