[Dataloss] fringe: Researchers: Disk Encryption Not Secure

Friedlander, Gary S GFRIEDL at transunion.com
Fri Feb 22 14:25:32 UTC 2008


Maybe the software can be patched to wipe the key from memory after so
many minutes of inactivity - requiring re-entering the passphrase to
re-mount the drive or re-enter the folder.

-----Original Message-----
From: dataloss-bounces at attrition.org
[mailto:dataloss-bounces at attrition.org] On Behalf Of Evan Francen
Sent: Friday, February 22, 2008 8:14 AM
To: Roy M. Silvernail
Cc: security curmudgeon; dataloss at attrition.org
Subject: Re: [Dataloss] fringe: Researchers: Disk Encryption Not Secure

Do you think it would be possible to patch encryption products with
routines to wipe the memory address(es) where the key is stored at
specific times (i.e. on lock, hibernate, sleep, and shutdown)?


On 2/21/08, Roy M. Silvernail <roy at rant-central.com> wrote:
> On Thu, Feb 21, 2008 at 04:34:09PM -0500, Rory Wasserman wrote:
>  > Roy,
>  >
>  > I agree with what you are saying; however, if a portable hardware device is
>  > used for multifactor authentication and the key is stored in a secure place
>  > on the device, off of the hard drive, then this type of attack would be
>  > futile.
>
>
> I think you still misunderstand the threat model.  The threat is not
>  against authentication.  That has already been done and the
>  target machine is in a running state (though perhaps waiting at a
>  screensaver password).  In this state, the fully-encrypted disc is
>  mounted and decrypting for its proper user.  That means the FDE key
>  *must* be in core somewhere, so that the disc drivers can use it to
>  encrypt and decrypt the data as it is used.
>
>  And once Mallory has the FDE key, he don' need no steenkin'
>  authentication.  He grabs an image of the disc and trots off to decrypt
>  at leisure.
>
> --
>  Roy M. Silvernail is roy at rant-central.com, and you're not
>    "A desperate disease requires a dangerous remedy."
>                    - Guy Fawkes
>             http://www.rant-central.com
>
>  _______________________________________________
>  Dataloss Mailing List (dataloss at attrition.org)
>  http://attrition.org/dataloss
>
>  Tenable Network Security offers data leakage and compliance monitoring
>  solutions for large and small networks. Scan your network and monitor your
>  traffic to find the data needing protection before it leaks out!
>  http://www.tenablesecurity.com/products/compliance.shtml
>


-- 
Evan Francen, CISSP CCNP MCSE
email: evan.francen at gmail.com
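An added example, not code from this thread or from any encryption product it mentions, of the wipe-on-lock/idle routine Gary and Evan propose: the in-memory FDE key is zeroised through a volatile pointer so the compiler cannot discard the stores as dead writes, and a hypothetical idle-timeout policy triggers the wipe. All names, the key length and the 30-minute limit are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define KEY_LEN 32                  /* one AES-256 key, for instance */
#define IDLE_LIMIT_SEC (30 * 60)    /* constructed sample policy: 30 minutes */

typedef struct {
    uint8_t key[KEY_LEN];
    int loaded;                     /* 1 while the key is usable in memory */
} fde_key_t;

/* A plain memset() on a buffer that is never read again is a dead store the
 * optimiser may delete; writing through a volatile pointer forces every
 * byte store to be emitted (same idea as explicit_bzero / memset_s). */
static void secure_wipe(void *p, size_t n)
{
    volatile uint8_t *vp = (volatile uint8_t *)p;
    while (n--) *vp++ = 0;
}

void fde_key_load(fde_key_t *k, const uint8_t *src)
{
    memcpy(k->key, src, KEY_LEN);
    k->loaded = 1;
}

/* Hook for lock, sleep, hibernate, shutdown, or an expired idle timer.
 * Any derived copies (expanded round keys, driver caches) need the same. */
void fde_key_wipe(fde_key_t *k)
{
    secure_wipe(k->key, KEY_LEN);
    k->loaded = 0;
}

/* Idle policy: wipe and return 1 once the user has been idle too long. */
int fde_key_check_idle(fde_key_t *k, unsigned idle_seconds)
{
    if (k->loaded && idle_seconds >= IDLE_LIMIT_SEC) {
        fde_key_wipe(k);
        return 1;
    }
    return 0;
}

/* Returns 1 only when no key byte remains and the key is marked unloaded. */
int fde_key_is_clear(const fde_key_t *k)
{
    for (size_t i = 0; i < KEY_LEN; i++)
        if (k->key[i] != 0) return 0;
    return k->loaded == 0;
}
```

Build with optimisation enabled (for example -O2) and inspect the object code for secure_wipe to confirm the zeroing stores survive; a memset-based wipe is the version that tends to disappear.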