[dm-crypt] Passphrase protected key file?

Arno Wagner arno at wagner.name
Thu Jul 14 23:44:03 CEST 2011

On Thu, Jul 14, 2011 at 11:21:28PM +0200, Heiko Rosemann wrote:
> On 07/14/2011 09:27 PM, Arno Wagner wrote:
> > On Thu, Jul 14, 2011 at 04:12:45PM +0200, Heiko Rosemann wrote:
> >> On 07/14/2011 03:35 PM, Arno Wagner wrote:
> >>> Indeed. But are there any realistic scenarios where
> >>> 
> >>> a) a passphrase is significantly less secure than an encrypted 
> >>> passphrase stored on USB with a second passphrase to decrypt that
> >>> 
> >>> and
> >>> 
> >>> b) the attacker does not have the possibility to patch 
> >>> GnuPG/cryptsetup/other things that make the second passphrase just
> >>> as weak as the first one?
> >>> 
> >>> My claim is that a realistic risk analysis will show there are
> >>> no such scenarios that are typical and hence having an encrypted 
> >>> passphrase on a USB stick does not offer improved security.
> >> 
> >> Improved security over which other setup?
> >> 
> >> a) Unencrypted passphrase stored on a USB key. Here the second 
> >> encryption step will probably give additional security in case the
> >> user loses the USB key.
> > 
> > And the default situation does not have a USB key. So a net security
> > loss.
> > 
> >> b) Directly entering passphrase without the need of a USB key. Here
> >> we have a typical risk of users using the same passphrase for
> >> different things or even of writing it down (on a post-it note on
> >> the screen or keyboard...). If we depend upon a USB stick with the
> >> real passphrase (encrypted by the one on the post-it note) being
> >> present at boot the attacker won't be able to utilize that
> >> passphrase.
> > 
> > If we have stupid users, they will just tape the USB key to the 
> > monitor beside the post-it. Or put it on a piece of string. Then
> > passphrase reuse will have the original risks, no improvement by USB
> > key usage.
> > 
> > If they are not stupid, they will have different passphrases and not
> > post-it to the screen.
> True up to that point where remembering a great number of different good
> passphrases becomes impossible.

That is a problem, yes. But let's face it, how many do you have? 
I have one for disk encryption (reuse there is not a big risk,
all are under my control) and one for GnuPG and that is it.

> >> If we move kernel+initrd+cryptsetup to the USB stick and boot the 
> >> machine from USB, we can even encrypt the entire harddisk, thus
> >> even someone with physical access to the machine cannot patch
> >> cryptsetup/gnupg.
> > 
> > Leaving the scenario there. In this scenario we can use the 
> > conventional passphrase input mechanism without any loss of security.
> > No need for an encrypted passphrase on the USB key.
> If the LUKS-drive gets lost or stolen together with (knowledge about)
> the conventional passphrase (i.e. a laptop with a passphrase-post-it)
> the thief will still need to steal the USB key as well, if there is an
> encrypted passphrase on it. I'm not sure about others, but I tend to
> carry my USB keys in my pocket or on my keychain, not in my laptop case.

But I bet you do not have a post-it with the passphrase on
the laptop either ;-)

> >> P.S: Thinking of law enforcement as the attacker (guess that is not
> >> that a great risk for most of us), it is possible to destroy all
> >> access to your data by destroying all the USB keys with the
> >> encrypted passphrase on them - and then you can even tell them your
> >> passphrase...
> > 
> > You can do that with LUKS, just overwrite the slots you are using with
> > random passphrases. The question is what is easier. My guess would be
> > that fast destruction of USB keys is not that easy.
> It depends :)
> The main advantage I see about the USB key option is that the USB key
> does not have to be in the same room as the encrypted device. I.e. the
> FBI could come to your home while you are away and take away your
> computer and when you arrive you notice something is wrong and have the
> time to destroy the USB key (I'm thinking of some physical way here like
> burning it on a barbeque, cooking it in solder, cutting the chips apart
> with a micro-drill...) and can then openly tell a court that you don't
> have any access to your data anymore.

Well, that was the old approach, until they found out they
could not break modern disk or file encryption. Now they will 
either break in silently and install a hardware keylogger and
a camera to find out what you are using, or they will break 
down your door while the machine is running and decrypted. 

You can buy forensic kits that let you separate a running PC 
from the power lines and transport it without shutting it off. 
This is in fact not difficult to do. Material is basically
a UPS, some mains-capable clamps, isolation-gloves and
a standard AC voltmeter. I have simulated doing this myself
(with 500V rated gloves, welding-goggles and a ground fault
protector in the line) and it is quite doable.

> Or you notice your harddrive has been stolen and then you can delete the
> key without any remaining worries about possible social engineering to
> get your passphrase. Or the police knock on your door at night and you
> flush the USB key down the toilet (matter of seconds) instead of booting
> up your PC and overwriting all key slots (matter of minutes, police
> kicking in your door in the meantime)

Well, I think these are borderline scenarios. Also remember that unless
you are in certain states like the UK or the US, the police cannot 
force you to give them your passphrase. But in certain situations, 
these might be valid approaches. I see your point.

> Might be I've been watching too many bad hacker movies to do good risk
> evaluation ;)

Possibly. The trick is to keep the whole risk-landscape in view
and balance your efforts.

> > Not wanting to be obstinate here (but I have a lot of experience with
> > risk evaluation), the main risk I see is that the USB-key scheme is
> > more complex and exposes you to a higher risk of data loss as a
> > consequence. I still do not see any advantage to having a separately
> > encrypted passphrase in a disk file.
> > 
> > I do see advantages to the kernel+initrd+cryptsetup on USB option.
> > That would indeed help against some attacks.
> It can also - to a very casual attacker - hide the encrypted area by
> booting a different OS from the harddrive when there is no USB key
> attached. Or if you are very, very, very sure never to forget to plug in
> the correct USB key, you could automatically wipe the LUKS key slots
> when the machine is booted without the USB key.

Oooooh, a solution for _real_ men! I like it ;-)

Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno at wagner.name 
GnuPG:  ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C  0296 797F 6B50 1E25 338F
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier 
