[ltp] Re: Encryption - security?
Danny Cautaert
linux-thinkpad@linux-thinkpad.org
Thu, 11 Aug 2005 12:16:40 +0000 (UTC)
On 2005-08-09, Richard Neill <rn214@hermes.cam.ac.uk> wrote:
> 1)Set HDD password on laptop - just for extra measure. [However, I
> believe that this password can be bypassed, albeit at some expense].
This is pretty secure. The protection is provided by the drive itself.
One needs to disassemble the drive, separate the drive platters from its
internal IDE controller and replace this controller to get to the data.
One important thing to know about Thinkpads is that if you also set a
poweron password in the bios, the harddrive password gets copied to an
EPROM on the motherboard. As a consequence, not setting a poweron
password and only a harddrive password decreases the risk of an
attacker to get to the data.
> 2)Put /home and /var on separate partitions, mounted as encrypted
> loopback. These are mounted at boot time, and protected by 256bit AES,
> with a 35 character passphrase (albeit all words).
Good idea, I suppose you use cryptoloop or dm-crypt. One possible
improvement is to use loopaes which allows for multiple random keys,
protected by your gpg-key, which you can store on a usb stick or
smartcard to further improve security. See example 2 in
http://loop-aes.sf.net/loop-AES.README
Also don't forget to encrypt swap, see example 1 in the same file.
> 3)Login password is 11 characters.
>
> As I see it:
>
> i)It is secure if stolen while powered off, since the encryption is
> unbreakable without the passphrase. There is nothing important outside
> /home and /var (nothing useful in /etc, or /root).
You forgot here that your /etc/passwd is not encrypted and a possible
target for dictionary attacks. A possible improvement is adapting your
pam configuration to replace the standard unix authentication
(pam_unix.so) with pam_ssh.so (use your ssh passphrase to log in) or
pam_usb.so (use a usb-stick to log in)
> ii)While powered on, and with /home mounted, but not logged in, it is
> protected by the login password. This also protects against a network
> attack via ssh.
Taken away any possible exploits, yes.
> iii)Once logged in, I am either
> * sitting at it (in which case, not likely to be stolen)
> * running xscreensaver, with the display locked
> * suspended (apm -s) with the display locked.
>
>
> Is this safe?
Nothing is guaranteed to be safe. Security means adding several layers
which makes it more difficult to attack. The more layers you add, the
more inconvenience you'll get until it actually stops you of getting any
work done. You have to find the right balance looking at how important
your data is, how much effort and resources your attacker will/can put
into getting at the data, and how much inconvenience you're comfortable
with in taking measures against a possible attack.
> In particular, is it safe if stolen while the machine is suspended, with
> /home mounted, but the screen locked?
> Is there any (likely) bug in the login program [assuming it's up to
> date?]. ?
Possible attack vectors when the machine is running are not limited to
the login program. Think about the network services you are running,
there might be an exploit. Also firewire is a popular way to get access
to all the memory the kernel has access too.
> Is there any way to crash X without logging me out? (running KDM).
Not that I know of.
HTH,
DaCa.
--
Greetings from Oostende (BE) -*- Danny Cautaert (DaCa)
Write me in Dutch, French or English * GnuPG preferred
Meet me at DebConf 5 * 10-17 July 2005 * Helsinki (FI)