Re: Encrypted Swap
Peter Wächtler (pwaechtler@loewe-komp.de)
Tue, 07 Aug 2001 11:01:51 +0200
Evgeny Polyakov wrote:
>
> Hello.
>
> On Mon, 6 Aug 2001 23:45:33 -0700 (PDT)
> Ryan Mack <rmack@mackman.net> wrote:
>
> >> Hmmm, let us suppose, that i copy your crypted partition per bit to my
> >> disk.
> >> After it I will disassemble your decrypt programm and will find a key....
> >>
> >> In any case, if anyone have crypted data, he MUST decrypt them.
> >> And for it he MUST have some key.
> >> If this is a software key, it MUST NOT be encrypted( it's obviously,
> >> becouse in other case, what will decrypt this key?) and anyone, who have
> >> PHYSICAL access to the machine, can get this key.
> >> Am I wrong?
>
> RM> I think the point you are missing is that encrypted swap only needs to be
> RM> accessible for one power cycle. Thus the computer can generate a key at
> No, computer can not do this.
> This will do some program,and this program is not crypted.
> Yes?
> We disassemle this program, get algorithm and regenerate a key in evil machine?
> Am i wrong?
>
> P.S. off-topic What algorithm do you want to use to regenerate a key for once crypted data?
> I don't know anyone, or i can't understand your point of view.
>
The key genaration relies on good random numbers from a strong random
generator.
You won't be able to produce the same key twice.
Of course you can argue, that you can still manipulate the machine -
perhaps
even disabling the encryption completely or turn the random numbers into
predictable ones. But then you have to "attack" the machine at least two
times:
a) to manipulate the machine and later
b) to try to retrieve the data that's not "encrypted" anymore (at least
you are
able to "decrypt" it).
So your effort grows significantly. You steal a notebook, shit: don't
have a key.
You have to manipulate it first, wait and then steal it. This is not so
simple -
but of course not completely impossible.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/