import cryptoloop-partial-security from nico.schotteli.us
Signed-off-by: Nico Schottelius <nico@bento.schottelius.org>
This commit is contained in:
parent
c19ee94f27
commit
8513ec15c0
1 changed files with 350 additions and 0 deletions
350
docs/cryptoloop-partial-security.mdwn
Normal file
350
docs/cryptoloop-partial-security.mdwn
Normal file
|
@ -0,0 +1,350 @@
|
||||||
|
[[!meta title="Cryptoloop - why they are only partial secure"]]
|
||||||
|
[[!meta date="2004-03-27"]]
|
||||||
|
[[!toc levels=2]]
|
||||||
|
|
||||||
|
## Introduction
|
||||||
|
|
||||||
|
Have a look at [-1] for the latest version. Copying is allowed, as long as the
|
||||||
|
document is unmodified. Please send corrections to me
|
||||||
|
(`myfirstname@mylastname.org').
|
||||||
|
|
||||||
|
|
||||||
|
### What is a cryptoloop?
|
||||||
|
|
||||||
|
It's a method to encrypt data written to a storage device:
|
||||||
|
|
||||||
|
|
||||||
|
_________________________
|
||||||
|
| applications like vim |
|
||||||
|
-------------------------
|
||||||
|
^
|
||||||
|
| i/o with files
|
||||||
|
|
|
||||||
|
v
|
||||||
|
_______________________
|
||||||
|
| filesystem like xfs |
|
||||||
|
-----------------------
|
||||||
|
^
|
||||||
|
| i/o with blocks
|
||||||
|
|
|
||||||
|
v
|
||||||
|
_____________
|
||||||
|
| cryptoloop | en/decrypts data
|
||||||
|
-------------
|
||||||
|
^
|
||||||
|
|
|
||||||
|
|
|
||||||
|
v
|
||||||
|
________________
|
||||||
|
| block device | writes physically
|
||||||
|
----------------
|
||||||
|
|
||||||
|
|
||||||
|
### What is it used for?
|
||||||
|
|
||||||
|
It's used to achieve higher security. For instance, if you lose your laptop or
|
||||||
|
it gets stolen, nobody will be able to read your (sensitive) data.
|
||||||
|
|
||||||
|
|
||||||
|
### Some buzzwords...
|
||||||
|
|
||||||
|
You may want to know what cryptoloop uses, how it works. I don't really want
|
||||||
|
to explain that here, but I'll give you some buzzwords you can lookup at [0]
|
||||||
|
and [1]:
|
||||||
|
|
||||||
|
- Linux Kernel v2.6
|
||||||
|
- Cryptographic API
|
||||||
|
- Blowfish,AES,MD5,SHA384 and SHA512, ...
|
||||||
|
|
||||||
|
|
||||||
|
## Conditions and use-cases
|
||||||
|
|
||||||
|
I'll now show you in which situations you can/may use cryptoloop.
|
||||||
|
|
||||||
|
|
||||||
|
### regular file
|
||||||
|
|
||||||
|
Howto do it:
|
||||||
|
|
||||||
|
Create a regular file:
|
||||||
|
|
||||||
|
scice% dd if=/dev/urandom of=testcrypt bs=1024 count=1024
|
||||||
|
1024+0 records in
|
||||||
|
1024+0 records out
|
||||||
|
1048576 bytes transferred in 0.059929 seconds (17496971 bytes/sec)
|
||||||
|
|
||||||
|
Setup the loop device and enter the password used for encryption:
|
||||||
|
|
||||||
|
scice# /sbin/losetup -e blowfish /dev/loop/1 testcrypt
|
||||||
|
Password:
|
||||||
|
|
||||||
|
And now access the loop like a standard block device:
|
||||||
|
|
||||||
|
scice# mkfs.xfs /dev/loop/1
|
||||||
|
meta-data=/dev/loop/1 isize=256 agcount=1, agsize=4096 blks
|
||||||
|
= sectsz=512
|
||||||
|
data = bsize=4096 blocks=4096, imaxpct=25
|
||||||
|
= sunit=0 swidth=0 blks, unwritten=1
|
||||||
|
naming =version 2 bsize=4096
|
||||||
|
log =internal log bsize=4096 blocks=1200, version=1
|
||||||
|
= sectsz=512 sunit=0 blks
|
||||||
|
realtime =none extsz=65536 blocks=0, rtextents=0
|
||||||
|
|
||||||
|
|
||||||
|
Look at the cryptoloop:
|
||||||
|
|
||||||
|
scice# file -s /dev/loop/1
|
||||||
|
/dev/loop/1: SGI XFS filesystem data (blksz 4096, inosz 256, v2 dirs)
|
||||||
|
|
||||||
|
And look at the file:
|
||||||
|
|
||||||
|
scice# file testcrypt
|
||||||
|
testcrypt: data
|
||||||
|
|
||||||
|
Remove the cryptoloop:
|
||||||
|
|
||||||
|
scice# losetup -d /dev/loop/1
|
||||||
|
|
||||||
|
When you mount your encrypted file, you need to specify the password:
|
||||||
|
|
||||||
|
scice# mount testcrypt /mnt/ -o loop,encryption=blowfish
|
||||||
|
Password:
|
||||||
|
|
||||||
|
|
||||||
|
So far, so good. You can have as many encrypted loops as loopback devices you
|
||||||
|
have (normally 8).
|
||||||
|
|
||||||
|
|
||||||
|
Benefits:
|
||||||
|
- you can hide your encrypted data within your home
|
||||||
|
(attention: security by obscurity!)
|
||||||
|
- you can create many encrypted files
|
||||||
|
|
||||||
|
Disadvantages:
|
||||||
|
- indirect access
|
||||||
|
- slower than partitions / raw devices
|
||||||
|
|
||||||
|
|
||||||
|
### optional partition
|
||||||
|
|
||||||
|
Having filesystems on files is ugly, as you enforce indirection
|
||||||
|
(application->filesystem->cryptoloop->file->filesystem->blockdevice instead of
|
||||||
|
application->filesystem->cryptoloop->blockdevice).
|
||||||
|
|
||||||
|
If you don't have much data which is seldom accessed, you may use
|
||||||
|
an unused partition for that case. Simply replace testcrypt from above
|
||||||
|
with the appropriate partition.
|
||||||
|
|
||||||
|
Benefits:
|
||||||
|
- if you don't name the partition in /etc/fstab, perhaps nobody will
|
||||||
|
ever guess you have an encrypted data partition
|
||||||
|
(attention: security by obscurity!)
|
||||||
|
- faster than regular files
|
||||||
|
|
||||||
|
Disadvantages:
|
||||||
|
- not very comfortable, as you cannot just type 'mount /mnt/data'
|
||||||
|
- you need to pay attention that you _only_ write to /mnt/data and
|
||||||
|
don't have a prior version on an unencrypted medium, as it is
|
||||||
|
generally possible to restore 'deleted' files
|
||||||
|
|
||||||
|
|
||||||
|
### home partition
|
||||||
|
|
||||||
|
You may want to generally keep all data on your home directories encrypted.
|
||||||
|
Use this entry in fstab to achieve it:
|
||||||
|
|
||||||
|
/dev/discs/disc0/part4 /home xfs loop,encryption=blowfish 0 0
|
||||||
|
|
||||||
|
Benefits:
|
||||||
|
- faster than regular files
|
||||||
|
- very comfortable
|
||||||
|
- transparent to your users
|
||||||
|
|
||||||
|
Disadvantages:
|
||||||
|
- your data is secured, but do you really know that 'vi' is still
|
||||||
|
vi and not a program calling `cp` and then vi?
|
||||||
|
|
||||||
|
|
||||||
|
### root partition
|
||||||
|
|
||||||
|
If you want to encrypt your root (/) partition, you need to pay attention!
|
||||||
|
|
||||||
|
To understand why, I give you a small explanation about how booting works:
|
||||||
|
|
||||||
|
___________________
|
||||||
|
| hardware checks | like BIOS on x86
|
||||||
|
-------------------
|
||||||
|
^
|
||||||
|
|
|
||||||
|
v
|
||||||
|
___________________
|
||||||
|
| bootloader | like grub,lilo,milo
|
||||||
|
-------------------
|
||||||
|
^
|
||||||
|
|
|
||||||
|
v
|
||||||
|
___________________
|
||||||
|
| kernel | Linux hopefully
|
||||||
|
-------------------
|
||||||
|
^
|
||||||
|
|
|
||||||
|
v
|
||||||
|
___________________
|
||||||
|
| (sysV) init | or minit [2] or runit [3],
|
||||||
|
------------------- which all are loaded from the root filesystem
|
||||||
|
|
||||||
|
|
||||||
|
First of all, the bootloader needs to be readable (== unencrypted) for the
|
||||||
|
basic i/o system.
|
||||||
|
This is normally no problem, as the bootloader is found in the MBR of
|
||||||
|
a harddisk (at least partially, enough to start).
|
||||||
|
|
||||||
|
Then the bootloader needs to find its data/configuration files and after
|
||||||
|
that it needs to find the kernel.
|
||||||
|
|
||||||
|
Normally this is achieved by using an unencrypted /boot partition, which
|
||||||
|
contains the other bootloader parts and the kernel.
|
||||||
|
|
||||||
|
When the kernel finished initalizing, it needs to find (a variant of) init.
|
||||||
|
Well, it cannot find init, because init is encrypted. To be able to
|
||||||
|
read the root (and init), we'll need a ramdisk containing losetup, which reads
|
||||||
|
a password and creates a loop device.
|
||||||
|
|
||||||
|
Ramdisks are checked before the kernel tries to load init, so this works
|
||||||
|
pretty good.
|
||||||
|
|
||||||
|
You can then check from your now decrypted root, that /boot didn't change
|
||||||
|
(with md5sum or tripwire for example). If it changed you can stop booting.
|
||||||
|
|
||||||
|
Benefits:
|
||||||
|
- most parts of the system are encrypted
|
||||||
|
|
||||||
|
Disadvantages:
|
||||||
|
- needs a ramdisk
|
||||||
|
- need to pay attention, when you make changes to /boot (when updating
|
||||||
|
the kernel for instance)
|
||||||
|
|
||||||
|
|
||||||
|
### whole system + unencrypted external device
|
||||||
|
|
||||||
|
You could put the /boot partition on a USB Stick, a r/o CDROM.
|
||||||
|
|
||||||
|
Benefits:
|
||||||
|
- you have no unencrypted data on your computer
|
||||||
|
|
||||||
|
Disadvantages:
|
||||||
|
- you always need to pay attention to carry the external medium with you
|
||||||
|
- same as above
|
||||||
|
|
||||||
|
|
||||||
|
## Problems / insecurity
|
||||||
|
### partial encryption
|
||||||
|
|
||||||
|
Well, you always have some unencrypted data. Especially the bootloader,
|
||||||
|
your kernel and your ramdisk cannot be encrypted (correct me when I'm wrong).
|
||||||
|
|
||||||
|
|
||||||
|
### fake system
|
||||||
|
|
||||||
|
If somebody gets access to your system, he may replace your unencrypted data
|
||||||
|
and place his faked versions. I've name faked version with a 'F' prefix.
|
||||||
|
|
||||||
|
|
||||||
|
### attack possibilities
|
||||||
|
#### points
|
||||||
|
|
||||||
|
I'll assume the attacker cannot decrypt our cryptoloop data. So he has
|
||||||
|
to attack
|
||||||
|
|
||||||
|
- the bootloader
|
||||||
|
- the kernel
|
||||||
|
- the ramdisk
|
||||||
|
|
||||||
|
|
||||||
|
#### replacements
|
||||||
|
|
||||||
|
First he could try to replace the bootloader. The Fbootloader
|
||||||
|
could possibly load a Fkernel which has a modified cryptoloop module.
|
||||||
|
|
||||||
|
Secondly he could try just to replace the kernel with Fkernel, again
|
||||||
|
having modified the cryptoloop module.
|
||||||
|
|
||||||
|
At last he could replace the contents of the ramdisk. This Framdisk
|
||||||
|
could contain a modified losetup.
|
||||||
|
|
||||||
|
|
||||||
|
#### sniff and copy
|
||||||
|
|
||||||
|
Let's assume the attacker modified the bootloader and the kernel.
|
||||||
|
You enter the password and the kernel boots up your standard init.
|
||||||
|
Your checksum checking program (like md5sum, see above) detects that
|
||||||
|
the kernel is modified.
|
||||||
|
|
||||||
|
If you've got luck the kernel module didn't configure your
|
||||||
|
network opened a connection to the net. If it did, you password is
|
||||||
|
gone and you'll need to recreate your cryptoloop
|
||||||
|
(this is not really difficult: losetup the raw device again, with the new
|
||||||
|
password. dd if=/dev/oldloop of=/dev/newloop).
|
||||||
|
|
||||||
|
Assume the attacker replaced your ramdisk, too.
|
||||||
|
Now the attacker modified LOSETUP! Doesn't really matter you think?
|
||||||
|
Well, let's see:
|
||||||
|
|
||||||
|
You enter the password for your root partition. Flosetup doesn't exit
|
||||||
|
normally, instead it mounts your root and replaces your system libs and unmounts
|
||||||
|
the root after that. Your checksum program loads the Flib and the md5sum
|
||||||
|
function returns always the same value. Your check-script then assumes
|
||||||
|
that the ramdisk, the kernel and the bootloader are unmodified and starts
|
||||||
|
the system.
|
||||||
|
As the libs are modified, the connect() call could try to connect to
|
||||||
|
a password collecting host and to the one specified.
|
||||||
|
|
||||||
|
Flosetup could even have modified _anything_. This includes your check-script,
|
||||||
|
/etc/shadow, /sbin/init and so on.
|
||||||
|
|
||||||
|
You cannot trust the integrity of your system anymore.
|
||||||
|
|
||||||
|
|
||||||
|
#### change encrypted checksums
|
||||||
|
|
||||||
|
Oh, and it would be much easier just to replace the cached checksums on the
|
||||||
|
encrypted root.
|
||||||
|
|
||||||
|
|
||||||
|
## Solutions
|
||||||
|
### Secure unencrypted data
|
||||||
|
|
||||||
|
|
||||||
|
A way to have secure cryptoloops is to do what's described in 2.5.
|
||||||
|
You must keep your unencrypted data secure. This means that you got
|
||||||
|
to wear at _always_.
|
||||||
|
|
||||||
|
### Get a real system [tm]
|
||||||
|
|
||||||
|
The other choice would be to have a 'trusted' system, which is able to
|
||||||
|
read encrypted MBRs/bootloader.
|
||||||
|
|
||||||
|
On x86 you could possibly replace your BIOS with a Linux kernel,
|
||||||
|
which is able to boot from cryptoloop, in the ROM,
|
||||||
|
|
||||||
|
This does _not_ mean you should use TCPA[4]! With TCPA you give
|
||||||
|
away the right to modify your computer to companies like Intel.
|
||||||
|
|
||||||
|
## Summary
|
||||||
|
|
||||||
|
You have a protection against someone reading your data, as long as
|
||||||
|
your laptop/computer is 'trusted'. This means, whenever someone is
|
||||||
|
able to modify the unencrypted part(s), your cryptoloop data could be
|
||||||
|
modified.
|
||||||
|
|
||||||
|
|
||||||
|
## Sources
|
||||||
|
|
||||||
|
[-1]: source: http://nico.schotteli.us/papers/linux/cryptoloop-partial-security
|
||||||
|
[0]: google: http://www.google.org/linux
|
||||||
|
[1]: TLDP: http://www.tldp.org
|
||||||
|
[2]: minit: http://www.fefe.de/minit/
|
||||||
|
[3]: runit: http://smarden.org/runit/
|
||||||
|
[4]: tcpa: http://www.notcpa.de/
|
||||||
|
http://www.againsttcpa.com/
|
||||||
|
http://www.trustedcomputing.org
|
Loading…
Reference in a new issue