From: Steven M. Bellovin (smb@research.att.com)
Date: Mon Jun 04 2001 - 19:48:33 CDT

    In message <200106042330.f54NUUZ17976@euphoria.confusion.net>, "Michael K. Sanders" writes:

    >The approach described in the paper divides swap into some number
    >of configurable size sections, with a random key generated on demand
    >for each section. Each key also has associated with it a reference
    >count and an expiration time.
    >

    What is the point? What is the threat model that supports such
    behavior? More precisely, why do you want to encrypt your swap
    partition? (Caution: the rest of this response probably belongs in
    tech-crypto instead.)

    To me, at least, the point of an encrypted swap area is to defeat
    "seized machine" attacks, not real-time attacks. Anyone who can read
    the swap area while the machine is running presumably has root
    privileges (well, /dev/wd0b is mode 640, which is probably a mistake --
    though anyone with operator privs can read any other private file on
    the system, though not modify it). In other words, the risk is to
    things like PGP private keys and the like.

    Given that, there's no issue of too much data encrypted with one key.
    The total amount of ciphertext available to the attacker is limited by
    the amount of swap space you have, and that's almost certainly small
    enough that you don't have to worry.

    If you're using cipher block chaining, you shouldn't use one key with
    more than sqrt(blocksize) blocks of data. Thus, for DES or 3DES,
    anything more than 2^32 8-byte blocks -- i.e., 32G -- of data would be
    a bad idea. Most of us don't have swap areas that are that large....
    If you use AES, which has 128-bit blocks, you're safe unless your swap
    area -- the swap area you've actually *used* -- is larger than 2^4 * 2^64
    bytes. That's not within my threat model...

    On the other hand, using a randomly generated key is a good idea *if*
    you have sufficiently-good random numbers available that early in the
    boot process.

    If you really want encrypted swap, and you want it with little effort,
    use CFS and swap to a file. I ported CFS to NetBSD; you can find it
    at your choice of

            http://www.crypto.com/software/cfs-1.4.1.tar
            http://www.crypto.com/software/cfs-1.4.1.tar.gz
            http://www.crypto.com/software/cfs-1.4.1.tgz

    Follow the instructions in README.netbsd and you should be on the air.

                    --Steve Bellovin, http://www.research.att.com/~smb
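
The two technical points in the thread, the CBC data-volume limit per key that the reply works through (about 2^(n/2) blocks for an n-bit block cipher, which is where the 32G figure for DES and the 2^4 * 2^64 figure for AES come from) and the per-section key scheme with reference counts and expiration times that the quoted paragraph describes, as an added Python model. This is example code written for this page, not code from the paper under discussion, from CFS, or from NetBSD. The names `cbc_safe_bytes_per_key`, `SwapKeyTable`, `acquire` and `release` are this example's own, and the way the refcount and the expiry interact (a key is retired only when it is both unreferenced and past its lifetime) is an assumption; the paper's actual policy is not quoted.

```python
import math
import os
from dataclasses import dataclass
from typing import Callable, List, Optional


def cbc_safe_bytes_per_key(block_bits: int) -> int:
    """Bytes that may be encrypted under one CBC key before the birthday
    bound (about 2^(n/2) blocks for an n-bit block) makes a ciphertext-block
    collision likely; such a collision leaks the XOR of two plaintext blocks.
    64-bit blocks (DES/3DES): 2^32 * 8 bytes = 32 GiB.
    128-bit blocks (AES):     2^64 * 16 bytes = 2^68 bytes."""
    if block_bits <= 0 or block_bits % 8:
        raise ValueError("block size must be a positive multiple of 8 bits")
    block_bytes = block_bits // 8
    return (1 << (block_bits // 2)) * block_bytes


def swap_within_cbc_bound(swap_bytes: int, block_bits: int) -> bool:
    """True if a swap area of swap_bytes could be encrypted in full under a
    single key without crossing the birthday bound for that block size."""
    return swap_bytes <= cbc_safe_bytes_per_key(block_bits)


@dataclass
class SectionKey:
    key: bytes
    refcount: int       # pages currently swapped out under this key
    expires_at: float   # absolute time after which the key may be retired


class SwapKeyTable:
    """Hypothetical model of the quoted scheme: the swap area is cut into
    fixed-size sections, each section gets a random key the first time a
    page is written into it, and the key is forgotten once no page
    references it and its lifetime has passed. Keys live only in RAM, which
    is what defeats the seized-disk attack the reply is concerned with."""

    def __init__(self, swap_bytes: int, section_bytes: int,
                 key_bytes: int = 16, lifetime: float = 600.0,
                 rng: Callable[[int], bytes] = os.urandom):
        self.section_bytes = section_bytes
        self.key_bytes = key_bytes
        self.lifetime = lifetime
        self.rng = rng  # injectable so the key source can be tested/replaced
        nsections = math.ceil(swap_bytes / section_bytes)
        self.sections: List[Optional[SectionKey]] = [None] * nsections

    def section_of(self, offset: int) -> int:
        if offset < 0 or offset // self.section_bytes >= len(self.sections):
            raise IndexError("offset outside swap area")
        return offset // self.section_bytes

    def acquire(self, offset: int, now: float) -> bytes:
        """A page is being written at offset: hand back the section key,
        generating a fresh random key on demand (or when the old one is
        unreferenced and expired), and take a reference on it."""
        idx = self.section_of(offset)
        entry = self.sections[idx]
        if entry is None or (entry.refcount == 0 and now >= entry.expires_at):
            entry = SectionKey(self.rng(self.key_bytes), 0, now + self.lifetime)
            self.sections[idx] = entry
        entry.refcount += 1
        return entry.key

    def release(self, offset: int, now: float) -> None:
        """The page at offset was read back in or freed: drop the reference
        and forget the key when it is both unreferenced and expired. Any
        ciphertext still sitting in that section is then unrecoverable."""
        idx = self.section_of(offset)
        entry = self.sections[idx]
        if entry is None or entry.refcount == 0:
            raise RuntimeError("release without matching acquire")
        entry.refcount -= 1
        if entry.refcount == 0 and now >= entry.expires_at:
            self.sections[idx] = None

    def live_keys(self) -> int:
        """Number of sections currently holding a key in memory."""
        return sum(1 for e in self.sections if e is not None)


if __name__ == "__main__":
    for name, bits in (("DES/3DES", 64), ("AES", 128)):
        print(f"{name}: {cbc_safe_bytes_per_key(bits) >> 30} GiB per CBC key")
    table = SwapKeyTable(swap_bytes=1 << 30, section_bytes=1 << 24)  # 1 GiB in 16 MiB sections
    k = table.acquire(4096, now=0.0)
    print(f"section 0 key length {len(k)} bytes, live keys: {table.live_keys()}")
```

Under the reply's threat model the refcount and expiry only matter for limiting how long a key (and therefore how much stale ciphertext) stays recoverable; the birthday-bound check is what decides whether a single key per section, or per swap area, is enough for the cipher in use.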