Security of Mac Keychain, Filevault

David-Sarah Hopwood david-sarah at jacaranda.org
Tue Nov 3 02:07:19 EST 2009


Steven Bellovin wrote:
> On Oct 29, 2009, at 11:25 PM, Jerry Leichter wrote:
> 
>> A couple of days ago, I pointed to an article claiming that these were
>> easy to break, and asked if anyone knew of security analyses of these
>> facilities.

See below.

>> I must say, I'm very disappointed with the responses.  Almost everyone
>> attacked the person quoted in the article.  The attacks they assumed
>> he had in mind were unproven or unimportant or insignificant.  Gee ...
>> sounds *exactly* like the response you get from companies when someone
>> finds a vulnerability in their products:  It's not proven; who is this
>> person anyway; even if there is an attack, it isn't of any practical
>> importance.
> 
> Unfortunately, there's no better response here.
> 
> At time T, someone will assert that "X is insecure", and that products
> exist -- commercial and freeware -- to crack it.  This person supplies
> no evidence except for an incomplete list of products to support the
> assertion.  What do I now know that I didn't know before?
[...]

I agree, there was no useful evidence about the security of Filevault
or Keychain in the article.

> The article made no verifiable or falsifiable technical statements, so
> there's nothing to evaluate in that respect.  I've never heard of any
> freeware to crack Filevault; given the familiarity of the readership of
> this list in the aggregate with the free software world, it seems
> unlikely that such software exists.  He did point to some commercial
> software to attack Filevault, but it works by password guessing.  For
> his business -- forensic analysis -- I suspect that that technique is
> extremely useful; I doubt that anyone on this list would disagree.  But
> that's not the same as a flaw in MacOS.

However, there are huge differences in the relative cost of password
guessing between different disk encryption protocols. There are also
significant differences in the help that crypto software gives users to
encourage them to use a high-entropy password/passphrase. For instance,
if some product just used a simple hash to generate a key from a password,
rather than using a technique like key strengthening or key stretching and a
random salt, then I would consider that a serious flaw, even if everything
else about the product's crypto usage were well-designed.

OTOH, according to <http://crypto.nsa.org/vilefault/23C3-VileFault.pdf>,
Filevault uses PBKDF2, which does employ key strengthening. However it
only uses 1000 hash iterations, which is a little on the low side.
The video of that talk is at
<http://video.google.com/videoplay?docid=2948370762304265773> (the
actual talk doesn't appear to start until a few minutes in).

Note that according to the slides,
"Cryptographic security depends on more than just AES-128, it's rather
3DES effective 112bit || AES-128 || RSA-1024".

Also, only the user's home directory is encrypted, "passwords are not
properly scrubbed", and swap file encryption is not enabled by default.

Worse, "If encrypted swap is on: contents of the sleep image will be
encrypted, but key will be written out in the header". Oops.

--
David-Sarah Hopwood     http://davidsarah.livejournal.com
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
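As an added illustration of the point about password-guessing cost (not part of the original message or of Apple's code), the following Python compares the weak scheme the mail warns about, a single unsalted hash, with salted PBKDF2 at the 1000-iteration count the cited slides report for FileVault, and estimates how iteration count and passphrase entropy scale an attacker's total work. All sample values are constructed, and the throughput measurement is only meant to show the ratio between the schemes on one core.

```python
import hashlib
import os
import time

# Constructed sample values: not taken from the thread or from any real volume.
PASSWORD = b"correct horse battery staple"
FILEVAULT_ITERATIONS = 1000  # PBKDF2 count reported for FileVault in the VileFault slides


def naive_key(password: bytes) -> bytes:
    """The weak design: one unsalted hash, no stretching.
    Equal passwords map to equal keys (tables precompute), and a guess costs one hash."""
    return hashlib.sha1(password).digest()[:16]


def stretched_key(password: bytes, salt: bytes, iterations: int, dklen: int = 16) -> bytes:
    """PBKDF2-HMAC-SHA1 with a per-volume random salt: each guess costs
    `iterations` HMAC evaluations and precomputed tables are useless."""
    return hashlib.pbkdf2_hmac("sha1", password, salt, iterations, dklen=dklen)


def seconds_to_exhaust(entropy_bits: float, iterations: int, hashes_per_second: float) -> float:
    """Time to try every candidate of a password space of the given entropy,
    when a guess costs `iterations` hash evaluations at the given throughput."""
    return (2.0 ** entropy_bits) * iterations / hashes_per_second


def guesses_per_second(kdf, *args, samples: int = 100) -> float:
    """Rough single-core guess rate for a KDF; only the ratio between KDFs matters."""
    start = time.perf_counter()
    for _ in range(samples):
        kdf(*args)
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    salt = os.urandom(16)
    naive_rate = guesses_per_second(naive_key, PASSWORD)
    for iters in (FILEVAULT_ITERATIONS, 100_000):
        rate = guesses_per_second(stretched_key, PASSWORD, salt, iters, samples=10)
        print(f"PBKDF2 x{iters}: ~{naive_rate / rate:.0f}x more work per guess than one SHA-1")
    # A 40-bit passphrase at 10^7 SHA-1/s on one core: seconds to exhaust the space.
    for iters in (1, FILEVAULT_ITERATIONS, 100_000):
        print(f"{iters:>6} iterations: {seconds_to_exhaust(40, iters, 1e7) / 86400:.1f} days")
```

Raising the iteration count multiplies the guessing cost linearly, whereas each extra bit of passphrase entropy doubles it, which is why the mail treats both the KDF design and the help users get in choosing a passphrase as security-relevant.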