[ltp] Re: Encryption - security?

Vijay Garla linux-thinkpad@linux-thinkpad.org
Fri, 09 Sep 2005 11:07:36 +0200


One obvious thing to do is to set a hard-disk password.  The only way to 
get at the data without the hdd password is to
- run a password cracker (with a decent password, should not be possible)
- take the hard drive apart and put the platters on a new spindle and 
put it back together.

Cheers,

- vijay

Danny Cautaert wrote:

>On 2005-08-11, Richard Neill <rn214@hermes.cam.ac.uk> wrote:
>
>>>You forgot here that your /etc/passwd is not encrypted and a possible
>>>target for dictionary attacks. A possible improvement is adapting your
>>>pam configuration to replace the standard unix authentication
>>>(pam_unix.so) with pam_ssh.so (use your ssh passphrase to log in) or
>>>pam_usb.so (use a usb-stick to log in)
>>
>>Even if I use /etc/shadow?
>
>It might not seem too important but it all depends on your level of
>paranoia. Why are you encrypting your precious data in the first place?
>Because you want to add a layer to those who already got root on your
>box, right? So imagine this scenario: someone finds your laptop
>unattended and powered off. Lots of possibilities to get root on it. He
>won't get to your data as your data is on the encrypted partition which
>is not mounted, but he can steal your /etc/shadow, throw a dictionary
>attack on it and find a password that gives access to your regular user
>account. Now he only has to wait to find your laptop unattended and
>suspended to RAM and he gets to your data because the same password is
>the one asked to unlock your screensaver/locker/whatever...
>
>>Yes - granted, it's a tradeoff. What I really meant was "Have I
>>overlooked anything obvious?"
>
>Nothing obvious AFAICS.
>
>>I'm running httpd (firewalled off), sshd (not firewalled). If someone
>>were to insert a firewire PCMCIA card, and Mdk were to helpfully hotplug
>>it, could this be dangerous?
>
>I'd suggest don't compile the firewire support in, or if you use a
>prepackaged kernel, rm the module. I think it's also possible to
>configure hotplug to not allow loading certain modules.
>
>>I'm not quite sure I understand your point about firewire.
>
>It's just that firewire devices can have access to all memory. Kernel
>developers actually use this to debug the kernel. See also:
>
>http://pacsec.jp/advisories.html
>
>HTH,
>DaCa.

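Two of the points in the quoted exchange are easy to check on a box rather than argue about: whether the hashes in /etc/shadow are of a kind that a stolen copy can be dictionary-attacked cheaply, and whether the FireWire modules that give a hot-plugged card DMA access to all of RAM are loaded (and how to keep hotplug from loading them). The following is an added example written for this page, not code from anyone in the thread. It assumes crypt(5)-style "$id$" hash prefixes, treats any field without a "$" prefix as traditional 13-character DES crypt, assumes the module names of the old ieee1394 stack and the current firewire stack, and assumes module blacklisting is done through modprobe.d(5) (the thread only says "configure hotplug"). The shadow lines and module list in the block are constructed sample input, not real data.

```shell
#!/bin/sh
# Added example (not from the thread): audit helpers for two points raised
# above, cheap dictionary attacks on /etc/shadow hashes and FireWire modules
# that give a plugged-in device DMA access to RAM.
# Assumptions: hash prefixes follow crypt(5); a field with no '$' prefix is
# treated as traditional DES crypt; module names cover the ieee1394-era and
# current firewire stacks; blacklisting goes through modprobe.d(5).

# Classify one shadow(5) password field by its $id$ prefix.
shadow_hash_kind() {
    case "$1" in
        '')                      echo empty ;;    # no password at all
        '!'*|'*'*)               echo locked ;;   # disabled, nothing to crack
        '$1$'*)                  echo md5 ;;      # md5crypt: cheap on a GPU
        '$2a$'*|'$2b$'*|'$2y$'*) echo bcrypt ;;
        '$5$'*)                  echo sha256 ;;
        '$6$'*)                  echo sha512 ;;
        '$7$'*|'$y$'*)           echo yescrypt ;;
        '$'*)                    echo unknown ;;
        *)                       echo des ;;      # assumption: 13-char DES crypt
    esac
}

# Read shadow-format lines on stdin; print "user kind" for each account whose
# hash an attacker holding a copy of the file could attack cheaply.
weak_shadow_accounts() {
    while IFS=: read -r user hash _rest; do
        case "$(shadow_hash_kind "$hash")" in
            des)   echo "$user des" ;;
            md5)   echo "$user md5" ;;
            empty) echo "$user empty" ;;
        esac
    done
}

# Modules that, once loaded, let a FireWire device read and write physical
# memory over DMA.  Names are an assumption about the target kernel.
FIREWIRE_MODULES="ieee1394 ohci1394 raw1394 sbp2 firewire_core firewire_ohci firewire_sbp2"

# Print modprobe.d(5) lines that keep hotplug/udev from autoloading the
# modules; "install <mod> /bin/false" also defeats an explicit modprobe.
firewire_blacklist_conf() {
    for m in $FIREWIRE_MODULES; do
        printf 'blacklist %s\ninstall %s /bin/false\n' "$m" "$m"
    done
}

# Read /proc/modules-format lines on stdin; print the FireWire modules that
# are currently loaded (no output means none are).
loaded_firewire_modules() {
    awk -v want="$FIREWIRE_MODULES" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) set[w[i]] = 1 }
        ($1 in set) { print $1 }'
}

# Constructed sample input (not a real shadow file or module list).
SAMPLE_SHADOW='root:$6$saltsalt$notarealhash:19000:0:99999:7:::
alice:$1$saltsalt$notarealhash:19000:0:99999:7:::
bob:ab12CD34ef56g:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
guest::19000:0:99999:7:::
carol:$y$j9T$saltsalt$notarealhash:19000:0:99999:7:::'

SAMPLE_MODULES='firewire_ohci 45056 0 - Live 0xffffffffc0000000
usbcore 290816 4 ehci_hcd,uhci_hcd, Live 0xffffffffc0100000
ohci1394 32768 0 - Live 0xffffffffc0200000'

echo "accounts with cheaply crackable hashes:"
printf '%s\n' "$SAMPLE_SHADOW" | weak_shadow_accounts
echo "FireWire modules loaded:"
printf '%s\n' "$SAMPLE_MODULES" | loaded_firewire_modules
echo "modprobe.d snippet to stop them loading:"
firewire_blacklist_conf
```

On a live machine the same functions run as `weak_shadow_accounts < /etc/shadow` (as root) and `loaded_firewire_modules < /proc/modules`; the blacklist output goes into a file under /etc/modprobe.d/. The blacklist only stops the modules from being loaded; it does nothing for a kernel with the ieee1394/firewire drivers built in, which is why the thread's first suggestion is not to compile them in at all.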
