From: Andy Lutomirski <luto@myrealbox.com>
To: Valdis.Kletnieks@vt.edu
Cc: David Lang <david.lang@digitalinsight.com>,
Nigel Cunningham <ncunningham@linuxmail.org>,
Alan Cox <alan@lxorguk.ukuu.org.uk>,
Chris Wright <chrisw@osdl.org>, Jeff Garzik <jgarzik@pobox.com>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
Andrew Morton <akpm@osdl.org>
Subject: Re: mlock(1)
Date: Sat, 25 Sep 2004 10:15:53 -0700 [thread overview]
Message-ID: <4155A7C9.4040606@myrealbox.com> (raw)
In-Reply-To: <200409250329.i8P3TwJY002358@turing-police.cc.vt.edu>
Valdis.Kletnieks@vt.edu wrote:
> On Sat, 25 Sep 2004 04:58:48 +0200, Andrea Arcangeli said:
>
>
>>I don't even think "save their key securely" (I mean saving anything
>>related to the swapsuspend encryption key on disk) is needed. A mixture
>>of a on-disk key + passphrase would not be more secure than a simple
>>"passphrase" alone, because the on-disk key would be in cleartext and
>>readable from the attacker. the only usable key is the one in the user memory,
>>it cannot be saved in the computer anywhere. Peraphs for additional
>>security (and to avoid having to type and remember it) one could use an
>>usb pen to store and fetch the key... but then I leave the fun to the
>>usb folks since to do that usb should kick off before resume overwrites
>>the kernel image ;)
>
>
> Well, obviously saving the actual key on the disk is a losing idea, but saving
> "key hashed by passphrase" would work (similar to how PGP or SSH don't save the
> actual key, but rather the key hashed by something).
>
> I suspect that having the *entire* key be the passphrase remembered by the user
> is also a non-starter security-wise (unless we do something like Jari Ruusu's
> loop-AES stuff does and forces a minimim 20-char passphrase) - there's going to
> be all too many blocks in the swsusp area that are "known plaintext" and easily
> brute-forceable for most passphrases that users are likely to actually use.
>
> So in order to make it at all secure, we really need to save on the disk
> a key with O(128 bits) of entropy, perturbed by enough bits that are *not*
> to be found anywhere on the machine so that it isn't a slam-dunk for an attacker.
>
> Do any of the crypto experts lurking have ideas/opinions on just how many
> bits we need to store externally (be it in a USB dongle, a thumbprint, a
> passphrase, whatever)?
>
Not really a crypto expert, but... use a random session key, at least
128 bits. Encrypt _that_ with the passphrase or whatever, eliminating
any known plaintext. Since this decryption is only done once at bootup,
we don't care how slow it may be, so use an iterated scheme (like
Blowfish crypt). That way the user could dial it to take 500ms or so on
the local machine to try a passphrase, making weak passphrases a lot
harder to bruteforce. Or the kernel should iteratively encrypt it at
suspend for some fixed time, then store the iteration count.
So long as suspend/resume is supported, there's a risk that someone
captures a suspended system and steals a disk image. Later they force
the owner to reveal the passphrase. Now they can see not only the
useful contents of memory but any old stuff that's been sitting in swap
since the last reboot (like PGP keys). This could be avoided by making
the system somewhat forward-secret: generate a random key per vma and
zero it out of RAM when the vma goes away (assuming the vma is the right
unit for it). If the IVs are chosen based on position in the swap
device then there should be very little overhead.
--Andy
next prev parent reply other threads:[~2004-09-25 17:14 UTC|newest]
Thread overview: 71+ messages / expand[flat|nested] mbox.gz Atom feed top
2004-09-24 19:57 mlock(1) Jeff Garzik
2004-09-24 20:15 ` mlock(1) Neil Horman
2004-09-24 20:21 ` mlock(1) Neil Horman
2004-09-24 20:31 ` mlock(1) Lee Revell
2004-09-24 20:33 ` mlock(1) Jeff Garzik
2004-09-24 20:39 ` mlock(1) Lee Revell
2004-09-24 20:22 ` mlock(1) Chris Wright
2004-09-24 20:41 ` mlock(1) Chris Friesen
2004-09-24 20:46 ` mlock(1) Chris Wright
2004-09-24 20:54 ` mlock(1) Chris Friesen
2004-09-24 20:59 ` mlock(1) Chris Wright
2004-09-24 22:48 ` mlock(1) Ryan Cumming
2004-09-24 21:07 ` mlock(1) Alan Cox
2004-09-24 22:19 ` mlock(1) Chris Wright
2004-09-24 22:30 ` mlock(1) Jeff Garzik
2004-09-24 23:08 ` mlock(1) Chris Wright
2004-09-24 22:59 ` mlock(1) Andrea Arcangeli
2004-09-24 23:46 ` mlock(1) Nigel Cunningham
2004-09-25 1:07 ` mlock(1) Andrea Arcangeli
2004-09-25 1:21 ` mlock(1) David Lang
2004-09-25 1:30 ` mlock(1) Andrea Arcangeli
2004-09-25 1:46 ` mlock(1) Valdis.Kletnieks
2004-09-25 2:15 ` mlock(1) Andrea Arcangeli
2004-09-25 2:46 ` mlock(1) Valdis.Kletnieks
2004-09-25 2:58 ` mlock(1) Andrea Arcangeli
2004-09-25 3:29 ` mlock(1) Valdis.Kletnieks
2004-09-25 4:07 ` mlock(1) Andrea Arcangeli
2004-09-25 4:52 ` mlock(1) Valdis.Kletnieks
2004-09-25 17:15 ` Andy Lutomirski [this message]
2004-09-25 2:33 ` mlock(1) Bernd Eckenfels
2004-09-25 1:27 ` mlock(1) Andrea Arcangeli
2004-09-28 22:03 ` mlock(1) Robert White
2004-09-28 22:15 ` mlock(1) Andrea Arcangeli
2004-09-28 23:26 ` mlock(1) Robert White
2004-09-29 1:16 ` mlock(1) Jon Masters
2004-09-29 1:23 ` mlock(1) Alan Cox
2004-09-29 3:46 ` mlock(1) Robert White
2004-09-29 12:34 ` mlock(1) Jon Masters
2004-09-29 15:57 ` mlock(1) Lee Revell
2004-09-29 22:56 ` mlock(1) Paul Jackson
2004-09-25 12:21 ` mlock(1) Nigel Cunningham
2004-09-25 14:53 ` mlock(1) Andrea Arcangeli
2004-09-28 8:48 ` mlock(1) Pavel Machek
2004-09-30 17:42 ` mlock(1) Andrea Arcangeli
2004-09-30 18:54 ` mlock(1) Pavel Machek
2004-09-30 19:17 ` mlock(1) Andrea Arcangeli
2004-09-30 19:52 ` mlock(1) Pavel Machek
2004-10-04 12:21 ` mlock(1) Jack Lloyd
2004-09-24 23:59 ` mlock(1) Bernd Eckenfels
2004-09-25 0:25 ` mlock(1) Nigel Cunningham
2004-09-25 1:18 ` mlock(1) Andrea Arcangeli
2004-09-27 6:16 ` mlock(1) Stefan Seyfried
2004-09-27 10:32 ` mlock(1) Nigel Cunningham
2004-09-27 14:29 ` mlock(1) Andrea Arcangeli
2004-09-27 20:32 ` mlock(1) Wolfgang Walter
2004-09-27 14:16 ` mlock(1) Andrea Arcangeli
2004-09-27 13:31 ` mlock(1) Alan Cox
2004-09-29 1:48 ` mlock(1) Andrea Arcangeli
2004-09-27 14:34 ` mlock(1) Stefan Seyfried
2004-09-27 15:07 ` mlock(1) Andrea Arcangeli
2004-09-27 15:25 ` mlock(1) Stefan Seyfried
2004-09-27 15:38 ` mlock(1) Andrea Arcangeli
2004-09-30 13:04 ` mlock(1) Pavel Machek
2004-09-27 22:22 ` mlock(1) Nigel Cunningham
2004-09-27 22:43 ` mlock(1) Andrea Arcangeli
2004-09-28 22:03 ` mlock(1) Nigel Cunningham
2004-09-24 20:24 ` mlock(1) Chris Friesen
2004-09-24 21:17 ` mlock(1) Andrew Morton
2004-09-25 0:26 ` mlock(1) Chris Wright
2004-09-25 1:28 ` mlock(1) Andrew Morton
2004-09-25 1:33 ` mlock(1) Chris Wright
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4155A7C9.4040606@myrealbox.com \
--to=luto@myrealbox.com \
--cc=Valdis.Kletnieks@vt.edu \
--cc=akpm@osdl.org \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=chrisw@osdl.org \
--cc=david.lang@digitalinsight.com \
--cc=jgarzik@pobox.com \
--cc=linux-kernel@vger.kernel.org \
--cc=ncunningham@linuxmail.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox