user transparent encryption

user transparent encryption

[kayo]

[-- Attachment #1: Type: text/plain, Size: 449 bytes --]

I am wondering if any of you have heard of a file system encryption
service that is or close to transparent to users in which couldnt be
easily compramised even if root was. Or have any ideas on how this could
be done. I know using a loopback type scheam that once mounted or while
mounting root could steal the key or the data that should be private.
Has any one heard of a group that are brainstorming simular concepts?

Thank you,
Jason

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: user transparent encryption

[Brian May]

On Sun, Feb 16, 2003 at 08:18:16PM -0600, kayo wrote:
> I am wondering if any of you have heard of a file system encryption
> service that is or close to transparent to users in which couldnt be
> easily compramised even if root was. Or have any ideas on how this could
> be done. I know using a loopback type scheam that once mounted or while
> mounting root could steal the key or the data that should be private.
> Has any one heard of a group that are brainstorming simular concepts?

What type of attack are you trying to protect your data from?

If you don't trust the adminstrator, there is nothing you can do, root
needs to access the entire system for adminstration. He/she can commands
like run "su userid" for instance to become your UID. Even SE-Linux
policy won't help, and presumably it is the adminstrator who sets the
policy.

If on the otherhand, you are more concerned about a program running
as root which could be compromised and allow access to private files,
SE-Linux can help by limiting the prvileges that these programs have.
-- 
Brian May <bam@snoopy.apana.org.au>

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: user transparent encryption

[kayo]

[-- Attachment #1: Type: text/plain, Size: 842 bytes --]

What I mean in a way creating a situation in which the admin could
revolk an account or even delete the files but not be able to view the
encrypted data. Maybe the entire users home directory. Could something
like this be done at a kernel level. I am toying with the concept of
absolute privacy for the systems users.





On Sun, 2003-02-16 at 20:18, kayo wrote:
> I am wondering if any of you have heard of a file system encryption
> service that is or close to transparent to users in which couldnt be
> easily compramised even if root was. Or have any ideas on how this could
> be done. I know using a loopback type scheam that once mounted or while
> mounting root could steal the key or the data that should be private.
> Has any one heard of a group that are brainstorming simular concepts?
> 
> Thank you,
> Jason

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: user transparent encryption

[Carsten Grohmann]

Am Montag, 17. Februar 2003 06:43 schrieb kayo:
> What I mean in a way creating a situation in which the admin could
> revolk an account or even delete the files but not be able to view
> the encrypted data. Maybe the entire users home directory. Could
> something like this be done at a kernel level. I am toying with the
> concept of absolute privacy for the systems users.

A simple backup question: Want you make backups? Like Win2k with an 
master key, only used by the system resp. backup operaters?


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: user transparent encryption

[Tom]

On Sun, Feb 16, 2003 at 11:43:32PM -0600, kayo wrote:
> What I mean in a way creating a situation in which the admin could
> revolk an account or even delete the files but not be able to view the
> encrypted data. Maybe the entire users home directory. Could something
> like this be done at a kernel level. I am toying with the concept of
> absolute privacy for the systems users.

Obviously can't be done. If you do it at the kernel level, the sysadmin
can replace the kernel...

You can STORE data on a remote machine without the admin being able to
read it. Just encrypt it. But as soon as the key needs to be entered on
a machine where you can't trust the admin, it is potentially
compromised.


-- 
http://web.lemuria.org/pubkey.html
pub  1024D/2D7A04F5 2002-05-16 Tom Vogt <tom@lemuria.org>
     Key fingerprint = C731 64D1 4BCF 4C20 48A4  29B2 BF01 9FA1 2D7A 04F5

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: user transparent encryption

[Joshua Brindle]

I've pondered this myself, suppose you have a great selinux setup
very secure, no easy way to compromise it, but the machine itself
was in a hostile environment (not able to be protected from others
well). What is to stop someone from booting up a non-selinux kernel
and having at it with your filesystems? Nothing. I've often wondered
if there is a way to lock down the drive contents so it is not
accessible 
(at least easily) by a non-selinux kernel, or even the encrypted fs
where the key is compiled securely into a selinux-enabled kernel
so that with a new (possible non-selinux) kernel the filesystem would
not be readable. Do you guys think this is possible? granted it would
make system recovery next to impossible but maybe it would be a 
good option for folks with malicious or ignorant users/-co admins?

Joshua Brindle
UNIX Administrator
Southern Nazarene University

>>> Brian May <bam@snoopy.apana.org.au> 02/16/03 08:43PM >>>
On Sun, Feb 16, 2003 at 08:18:16PM -0600, kayo wrote:
> I am wondering if any of you have heard of a file system encryption
> service that is or close to transparent to users in which couldnt be
> easily compramised even if root was. Or have any ideas on how this
could
> be done. I know using a loopback type scheam that once mounted or
while
> mounting root could steal the key or the data that should be
private.
> Has any one heard of a group that are brainstorming simular
concepts?

What type of attack are you trying to protect your data from?

If you don't trust the adminstrator, there is nothing you can do, root
needs to access the entire system for adminstration. He/she can
commands
like run "su userid" for instance to become your UID. Even SE-Linux
policy won't help, and presumably it is the adminstrator who sets the
policy.

If on the otherhand, you are more concerned about a program running
as root which could be compromised and allow access to private files,
SE-Linux can help by limiting the prvileges that these programs have.
-- 
Brian May <bam@snoopy.apana.org.au>

--
This message was distributed to subscribers of the selinux mailing
list.
If you no longer wish to subscribe, send mail to
majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: user transparent encryption

[Thomas Walcott]

Pardon the top posting.

Executive summary:

This is a topic I've given some thought to.  I think the problem is 
fundamentally intractible.  

Rationale:

Let us imagine that you produce such a system running on off-the-shelf 
hardware.  Your solution for absolute security is written in software.  
This software has to be interpreted; it can be taken apart by hand and 
turned into a key that would effectively open up the system.  I can't 
think of any way that is provably effective.

While you may be able to slow down an attacker, I don't think there's any 
perfect solution.  This has been a problem with a lot of security models.  
For example, if you look at the canonical systems, they all make a lot of 
(reasonable) assumptions that simply have to hold true for the system to 
be effective.  Consider the Bell-LaPadula model.  If person A doesn't 
bother trying to copy the file, but instead either prints it out and 
passes it around to unauthorized users, your game is over.  We have to 
consider a restricted environment and make some reasonable assumptions.

Now, to leap merrily back to my earlier comment about software.  This same 
process can be considered for hardware.  The ability to test pin-outs, 
etc., means that any 'solution' becomes extremely expensive.  You can't 
give your adversary infinite time to play with the system.  If you want to 
limit their time, you have to make the system such that it can cease 
operation -- i.e., it has to self-destruct.  This is a tough problem.

If you think of anything, please let me know; I'd be interested in 
hearing about it.  I'm also happy to bat around ideas, but it's probably 
best kept to private correspondence, since this commentary is apt to drift 
quite considerably off SE-Linux topic.

HTH,

Tom



On Sun, 16 Feb 2003, Joshua Brindle wrote:

> I've pondered this myself, suppose you have a great selinux setup very
> secure, no easy way to compromise it, but the machine itself was in a
> hostile environment (not able to be protected from others well). What is
> to stop someone from booting up a non-selinux kernel and having at it
> with your filesystems? Nothing. I've often wondered if there is a way to
> lock down the drive contents so it is not accessible (at least easily)
> by a non-selinux kernel, or even the encrypted fs where the key is
> compiled securely into a selinux-enabled kernel so that with a new
> (possible non-selinux) kernel the filesystem would not be readable. Do
> you guys think this is possible? granted it would make system recovery
> next to impossible but maybe it would be a good option for folks with
> malicious or ignorant users/-co admins?


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: user transparent encryption

[Russell Coker]

On Mon, 17 Feb 2003 06:40, Joshua Brindle wrote:
> I've pondered this myself, suppose you have a great selinux setup
> very secure, no easy way to compromise it, but the machine itself
> was in a hostile environment (not able to be protected from others
> well). What is to stop someone from booting up a non-selinux kernel
> and having at it with your filesystems? Nothing. I've often wondered
> if there is a way to lock down the drive contents so it is not
> accessible
> (at least easily) by a non-selinux kernel, or even the encrypted fs

The solution is to have a kernel and initrd on removable media and use that to 
setup an encrypted loopback device for root.

The encryption key has to be on removable media for obvious reasons, and the 
kernel and initrd have to be on removable media so that an attacker can't 
trojan them.

Of course a trojan in a flash BIOS could still get past this, but it would be 
a lot more difficult.  TCPA is supposed to address these issues (if you trust 
TCPA).  Also the LinuxBIOS people are working on similar schemes but their 
work in this regard was classified last time I checked their web site.


Now once the machine is running the administrator can ptrace all programs and 
get at all the user's data, I don't think that there is any way around this.

This discussion is probably getting off-topic for this list.  If we are to 
continue it I'll have to resurrect my SE Linux list for it.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: user transparent encryption

[w9ya]

One comment before this discussion goes "off-list" please.

The Knoppix linux distro is an example of at least part of the "solution" 
mentioned below.

Bob Finch

On Monday 17 February 2003 04:18 am, Russell Coker wrote:
> On Mon, 17 Feb 2003 06:40, Joshua Brindle wrote:
> > I've pondered this myself, suppose you have a great selinux setup
> > very secure, no easy way to compromise it, but the machine itself
> > was in a hostile environment (not able to be protected from others
> > well). What is to stop someone from booting up a non-selinux kernel
> > and having at it with your filesystems? Nothing. I've often wondered
> > if there is a way to lock down the drive contents so it is not
> > accessible
> > (at least easily) by a non-selinux kernel, or even the encrypted fs
>
> The solution is to have a kernel and initrd on removable media and use that
> to setup an encrypted loopback device for root.
>
> The encryption key has to be on removable media for obvious reasons, and
> the kernel and initrd have to be on removable media so that an attacker
> can't trojan them.
>
> Of course a trojan in a flash BIOS could still get past this, but it would
> be a lot more difficult.  TCPA is supposed to address these issues (if you
> trust TCPA).  Also the LinuxBIOS people are working on similar schemes but
> their work in this regard was classified last time I checked their web
> site.
>
>
> Now once the machine is running the administrator can ptrace all programs
> and get at all the user's data, I don't think that there is any way around
> this.
>
> This discussion is probably getting off-topic for this list.  If we are to
> continue it I'll have to resurrect my SE Linux list for it.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: user transparent encryption

[Dale Amon]

On Sun, Feb 16, 2003 at 11:40:01PM -0600, Joshua Brindle wrote:
> I've pondered this myself, suppose you have a great selinux setup
> very secure, no easy way to compromise it, but the machine itself
> was in a hostile environment (not able to be protected from others
> well). What is to stop someone from booting up a non-selinux kernel
> and having at it with your filesystems? Nothing. I've often wondered
> if there is a way to lock down the drive contents so it is not
> accessible 
> (at least easily) by a non-selinux kernel, or even the encrypted fs
> where the key is compiled securely into a selinux-enabled kernel
> so that with a new (possible non-selinux) kernel the filesystem would
> not be readable. Do you guys think this is possible? granted it would
> make system recovery next to impossible but maybe it would be a 
> good option for folks with malicious or ignorant users/-co admins?
> 
> Joshua Brindle
> UNIX Administrator
> Southern Nazarene University

I don't have a full solution (other than what Russell
discusses later in this thread) but you should certainly
assume a well configured secure systems has:

	* a BIOS password
	* a lilo boot password
	* good root and role passwords

If you have reasonable password security, an attacker
now has no choice other than to disassemble the machine
and put the hard drive(s) in another machine. This is
not a full solution, but it stops the casual attacker
in the machine room cold unless they've got enough 
time to:

	* open up the machine
	* connect the IDE/SCSI cables to a preconfigured
	  attack machine
	* attack the disks
		* online: immediate entry and mod
		* offline: make copies of the disks
		  for study and later attack
	* load a log cleansing script
	* reconnect, close up and reboot
	* have the cleanup script run and remove
	  itself.

The online attack can be stopped cold by encrypted
root and user disks. Then, the attacker must

	* get an image of the disk
	* use social engineering, espionage or 
	  theft to get the password

And even then, to get the disk copy they might as
well not even try to hide their tracks because
without the passwords they can't put it back
as it was. They will have left a clear signature
they were there. Which means a serious attacker
might just torch the computer room to hide their
tracks. (hmmm... Twente???)

So if you go with Russell's approach, the machine
is secure against all but the admin with the key
and. If the admin is bent, or not careful with
the key, or his subverted (Mata Hari or missing 
fingers), then all is lost.

Ultimately comes down to internal security 
procedures and a sufficiently large and highly
trained staff to handle those issues.

That's why real security is *very* expensive.

-- 
------------------------------------------------------
       IN MY NAME:            Dale Amon, CEO/MD
  No Mushrooms clouds over    Islandone Society
    London and New York.      www.islandone.org
------------------------------------------------------

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.