Security of Mac Keychain, File Vault

Greg Thompson gregth at gmail.com
Sun Oct 25 21:30:05 EDT 2009


On Oct 24, 2009, at 5:31 PM, Jerry Leichter wrote:

> The article at http://www.net-security.org/article.php?id=1322  
> claims that both are easily broken.  I haven't been able to find any  
> public analyses of Keychain, even though the software is open-source  
> so it's relatively easy to check.  I ran across an analysis of File  
> Vault not long ago which pointed out some fairly minor nits, but  
> basically claimed it did what it set out to do.

The white paper for Mac Marshal
(http://macmarshal.atc-nycorp.com/mac/MacMarshal_WhitePaper_102.pdf)
leads me to believe that the so-called vulnerability in File Vault
is that the encryption is based on the user's chosen login password:

"So, FileVault is not as secure as simple 128-bit AES. Any means of  
obtaining the user’s login password or the FileVault Master recovery  
keychain will allow access to the FileVault image."

Does this surprise anyone?

		-Greg
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com


