[dm-crypt] Detecting the use of a keyfile
sector9 at ftml.net
sector9 at ftml.net
Thu May 23 19:13:03 CEST 2013
Understood. The problematic nature of claiming plausible deniability
with regard to a lost non-existent keyfile comes down to extralegal
practices and testimony on behalf of the user.
On the technical side, if done properly, one could place the boot
partition on a separate USB and claim it is lost along with the keyfile.
This setup would allow one to perfectly conceal whether or not one is
using a keyfile and therefore provide plausible deniability about access
to an encrypted system.
The good old xkcd depiction of the reality of rubberhose cryptanalysis
is so eloquent in its simplicity. Yet we explore sidechannel attacks,
social engineering, etc to bolster the use of the strong crypto ciphers.
This variety of defense that I was inquiring about is another
possibility to explore.
I appreciate your answers very much.
On Thu, May 23, 2013, at 17:40, Arno Wagner wrote:
> On Thu, May 23, 2013 at 05:21:44PM +0200, sector9 at ftml.net wrote:
> > Appreciate the response. Yes that is correct. I am asking about the
> > plausibility of denying one's access to an encrypted volume because the
> > keyfile is lost when there is no keyfile in actuality.
> > Legal factors aside (i.e. burden of proof of security level and absence
> > of backups) why is this a losing strategy?
> I think it is just too implausible, also because not using a keyfile is
> the standard mode. Unless you have scripts in place that make interactive
> passphrase entry impossible or very hard, the explanation just does
> not hold water. If, on the other hand, you need to change something
> actively to make the secnario plausible, just wipe th LUKS header and
> keyslot-area instead.
> > Could a forensic analysis or otherwise prove the false claim one is
> > making about the absence of a non-existent keyfile?
> As soon as you make any mistake in your explanation, yes. You may also
> remember that directory entries are only marked invalid, not overwritten
> on most causes that could cause loss of a keyfile. The blocks may not be
> referenced anymore, but the filename should be present somewhere.
> Also, mounting of partition goes into system logs and may be recorded
> in some fashion in other places. If you claim to have lost access, but
> your logs show you do not, that would be pretty bad.
> > You seemed to have
> > answered this by indicating the initrd or init-script giving away the
> > presence or non-presence of a keyfile.
> They give away a call to cryptsetup using or not using a keyfile.
> > To mitigate this one could place the boot partition on a USB and
> > claim that it is lost.
> That claim must then stand up to a search, and depending on your
> justisdiction, possibly to significant intimidation.
> > Now, without
> > access to the initrd or init-scripts what does that mean for attempts to
> > detecting the use of a keyfile?
> In that case showing the use of a keyfile is impossible. However your
> boot-process is broken as well. You could maybe come up with something
> like claiming to have this alternate boot process on stick that also
> miounts the encrypted partition, wehile the normal one does not.
> However leaving traces that indicate this is untrue is very easy.
> Also don't place to much faith in your ability to explain things to
> people that can demand encryption keys. They just may demand them
> anyways, ignore (or not understand) your explanations and just do
> bad things to you. http://xkcd.com/538/ very much applies. It is a
> also easy to place you in a situation where suddently you have
> give evidence to defend yourself and some bad thing about you
> is otherwise sufficiently shown to do bad things to you.
> > On Thu, May 23, 2013, at 16:55, Arno Wagner wrote:
> > > On Thu, May 23, 2013 at 03:27:25PM +0200, sector9 at ftml.net wrote:
> > > > During the boot stage is it possible for an attacker with physical
> > > > access to detect if a keyfile is used to unlock an encrypted volume?
> > >
> > > Yes, very easily. Just look at the initrd or init-script that does it.
> > > Booting with a USB/CD Linux (e.g. Knoppix) makes this easy, including
> > > the test whether the keyfile is valid.
> > >
> > > > Does it yield to protest that the keyfile is lost/unknown/destroyed when
> > > > in reality there is no keyfile but instead a regular non-keyfile
> > > > passphrase?
> > >
> > > Aehm, what are you asking? Whether you could lie about the former
> > > presence of a keyfile and claim the data is now inacessible due
> > > to its absence? That depends very much so how much technological
> > > knowledge those have that should believe it and what mechnism for
> > > its loss or destruction you propose. Also, keyfiles are not
> > > secure, so you would have to justify the low securuity level and
> > > the absebce of backups as well.
> > >
> > > Generally, I would call it a losing strategy.
> > >
> > > Arno
> > > --
> > > Arno Wagner, Dr. sc. techn., Dipl. Inform., Email:
> > > arno at wagner.name
> > > GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D
> > > 9718
> > > ----
> > > There are two ways of constructing a software design: One way is to make
> > > it
> > > so simple that there are obviously no deficiencies, and the other way is
> > > to
> > > make it so complicated that there are no obvious deficiencies. The first
> > > method is far more difficult. --Tony Hoare
> > > _______________________________________________
> > > dm-crypt mailing list
> > > dm-crypt at saout.de
> > > http://www.saout.de/mailman/listinfo/dm-crypt
> > _______________________________________________
> > dm-crypt mailing list
> > dm-crypt at saout.de
> > http://www.saout.de/mailman/listinfo/dm-crypt
> Arno Wagner, Dr. sc. techn., Dipl. Inform., Email:
> arno at wagner.name
> GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D
> There are two ways of constructing a software design: One way is to make
> so simple that there are obviously no deficiencies, and the other way is
> make it so complicated that there are no obvious deficiencies. The first
> method is far more difficult. --Tony Hoare
> dm-crypt mailing list
> dm-crypt at saout.de
More information about the dm-crypt