[ltp] Re: Encryption - security?

Richard Neill linux-thinkpad@linux-thinkpad.org
Fri, 12 Aug 2005 00:23:56 +0100


Thanks very much - that's really useful,

Danny Cautaert wrote:
> On 2005-08-09, Richard Neill <rn214@hermes.cam.ac.uk> wrote:
> 
>>1)Set HDD password on laptop - just for extra measure. [However, I 
>>believe that this password can be bypassed, albeit at some expense].
> 
> This is pretty secure. The protection is provided by the drive itself.
> One needs to disassemble the drive, separate the drive platters from its
> internal IDE controller and replace this controller to get to the data.
> 
Yes.. but it can be done, eg http://www.nortek.on.ca/hdd_pw.html

> One important thing to know about Thinkpads is that if you also set a
> poweron password in the bios, the harddrive password gets copied to an
> EPROM on the motherboard. As a consequence, not setting a poweron
> password and only a harddrive password decreases the risk of an
> attacker getting to the data.
> 
I didn't know that. Thank you!

>>2)Put /home and /var on separate partitions, mounted as encrypted 
>>loopback. These are mounted at boot time, and protected by 256bit AES, 
>>with a  35 character passphrase (albeit all words).
> 
> 
> Good idea, I suppose you use cryptoloop or dm-crypt. One possible
> improvement is to use loopaes which allows for multiple random keys,
> protected by your gpg-key, which you can store on a usb stick or
> smartcard to further improve security. See example 2 in
> http://loop-aes.sf.net/loop-AES.README

I agree - that would be nice - but it is susceptible to losing the usb 
key! I assume that my ssh passphrase is sufficient as an encryption key?

I hadn't seen that particular resource - thank you for the pointer. In 
particular, it's interesting that one should NOT suspend-to-disk.

> 
> Also don't forget to encrypt swap, see example 1 in the same file.

Done.

> 
> 
>>3)Login password is 11 characters.
>>
>>As I see it:
>>
>>i)It is secure if stolen while powered off, since the encryption is 
>>unbreakable without the passphrase. There is nothing important outside 
>>/home and /var  (nothing useful in /etc, or /root).
> 
> 
> You forgot here that your /etc/passwd is not encrypted and a possible
> target for dictionary attacks. A possible improvement is adapting your
> pam configuration to replace the standard unix authentication
> (pam_unix.so) with pam_ssh.so (use your ssh passphrase to log in) or
> pam_usb.so (use a usb-stick to log in)

Even if I use /etc/shadow?

> 
> 
>>ii)While powered on, and with /home mounted, but not logged in, it is 
>>protected by the login password. This also protects against a network 
>>attack via ssh.
> 
> 
> Taking away any possible exploits, yes.

I know...

> 
> 
>>iii)Once logged in, I am either
>>    * sitting at it (in which case, not likely to be stolen)
>>    * running xscreensaver, with the display locked
>>    * suspended (apm -s) with the display locked.
>>
>>
>>Is this safe?
> 
> 
> Nothing is guaranteed to be safe. Security means adding several layers
> which makes it more difficult to attack. The more layers you add, the
> more inconvenience you'll get until it actually stops you from getting any
> work done. You have to find the right balance looking at how important
> your data is, how much effort and resources your attacker will/can put
> into getting at the data, and how much inconvenience you're comfortable
> with in taking measures against a possible attack.

Yes - granted, it's a tradeoff. What I really meant was "Have I 
overlooked anything obvious?"

> 
> 
>>In particular, is it safe if stolen while the machine is suspended, with 
>>/home mounted, but the screen locked?
>>Is there any (likely) bug in the login program [assuming it's up to 
>>date]?
> 
> 
> Possible attack vectors when the machine is running are not limited to
> the login program. Think about the network services you are running,
> there might be an exploit. Also firewire is a popular way to get access
> to all the memory the kernel has access to.
> 
> 

I'm running httpd (firewalled off), sshd (not firewalled). If someone 
were to insert a firewire PCMCIA card, and Mdk were to helpfully hotplug 
it, could this be dangerous? I'm not quite sure I understand your point 
about firewire.

>>Is there any way to crash X without logging me out? (running KDM).
> 
> Not that I know of.
> 

Thanks again. This is proving to be quite complex!!

Richard
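A small audit for two of the points Danny raises in the thread (password hashes left in the world-readable /etc/passwd rather than /etc/shadow, and swap that is not on an encrypted device), added here as an example and not part of the original mail or of loop-AES. The sample file contents are constructed, and the device-name prefixes used to recognise encrypted swap (dm-crypt's /dev/mapper/ and loop-AES's /dev/loopN) are an assumption, so the swap check is a heuristic.

```python
"""Audit helpers for the two thread points: exposed hashes and plaintext swap."""

# Constructed sample standing in for /etc/passwd (not from a real system).
# The second account still carries its hash in the world-readable file.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
rn214:$1$abcdefgh$0123456789abcdefghijkl:1000:1000:Richard:/home/rn214:/bin/bash
nobody:*:65534:65534:nobody:/:/sbin/nologin
"""

# Constructed sample standing in for /proc/swaps: one plain partition,
# one dm-crypt mapping.
SAMPLE_SWAPS = """Filename\t\t\t\tType\t\tSize\tUsed\tPriority
/dev/hda5                               partition\t524280\t0\t-1
/dev/mapper/swap                        partition\t524280\t0\t-2
"""

# Assumed naming of encrypted block devices (dm-crypt and loop-AES).
ENCRYPTED_PREFIXES = ("/dev/mapper/", "/dev/loop")


def hashes_in_passwd(passwd_text):
    """Return user names whose password field in /etc/passwd holds an
    actual hash.  'x' means the hash lives in /etc/shadow (root-only);
    '*', '!' and '!...' are locked accounts; anything else is a hash that
    every local user can read and feed to an offline dictionary attack."""
    exposed = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue  # malformed line, not a hash leak
        user, pw = fields[0], fields[1]
        if pw in ("x", "*", "") or pw.startswith("!"):
            continue
        exposed.append(user)
    return exposed


def unencrypted_swap(swaps_text, encrypted_prefixes=ENCRYPTED_PREFIXES):
    """Return swap devices listed in /proc/swaps that do not sit on a
    device name we assume to be encrypted (heuristic: a loop device could
    also be an unencrypted swap file, so confirm with losetup/cryptsetup)."""
    plain = []
    for line in swaps_text.splitlines()[1:]:  # skip header row
        parts = line.split()
        if not parts:
            continue
        device = parts[0]
        if not device.startswith(encrypted_prefixes):
            plain.append(device)
    return plain
```

On a live machine the same functions can be fed the contents of /etc/passwd and /proc/swaps; an empty result from both is what the thread's advice aims for.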