FileVault on other than home directories on MacOS?

james hughes hughejp at mac.com
Thu Sep 24 21:22:44 EDT 2009


On Sep 22, 2009, at 5:57 AM, Darren J Moffat wrote:

> Ivan Krstić wrote:
>> TrueCrypt is a fine solution and indeed very helpful if you need  
>> cross-platform encrypted volumes; it lets you trivially make an  
>> encrypted USB key you can use on Linux, Windows and OS X. If you're  
>> *just* talking about OS X, I don't believe TrueCrypt offers any  
>> advantages over encrypted disk images unless you're big on  
>> conspiracy theories.
>
> Note my information may be out of date.  I believe that MacOS native  
> encrypted disk images (and thus FileVault) uses AES in CBC mode  
> without any integrity protection, the Wikipedia article seems to  
> confirm that is (or at least was) the case http://en.wikipedia.org/wiki/FileVault

Unauthenticated CBC is indeed a problem
	http://tinyurl.com/ycoaruo

> There is also a sleep mode issue identified by the NSA:
> http://crypto.nsa.org/vilefault/23C3-VileFault.pdf

I don't think that Jacob Appelbaum or Ralf-Philipp Weinmann work for  
the NSA (but having "crypto.nsa.org" is cool :-)

> TrueCrypt on the other hand uses AES in XTS mode so you get  
> confidentiality and integrity.

Technically, you do not get integrity. With XTS (P1619, narrow block  
tweaked cipher) you are not notified of data integrity failures, but  
these data integrity failures have much reduced usability compared with  
CBC. With XTS:

1) You can return 16 byte chunks to previous values (ciphertext  
replay) as long as it is to the same place (offset) as it was before.

2) If you change a bit, you will randomize a 16 byte chunk of  
information.

With the P1619.2 mode, which I believe is called TET (IEEE 1619.2, wide  
block tweaked cipher), there are different characteristics. Usually the  
wide block is a sector, so it can be 512 or some other value. In this  
case, you do not get complete integrity either:

1) You can return a sector to a previous value (sector replay) as long  
as it is to the same place (offset) as it was before.

2) If you change a bit, you will randomize a complete sector of  
information.

If you change this to ZFS Crypto
	http://opensolaris.org/os/project/zfs-crypto/
You get complete integrity detection with the only remaining  
vulnerability that

1) you can return the entire disk to a previous state.

While I may have put you all to sleep, the basic premise holds... XTS is  
better than unauthenticated CBC.
	http://www.cpni.gov.uk/docs/re-20050509-00385.pdf
	http://jvn.jp/niscc/NISCC-004033/index.html
	http://www.kb.cert.org/vuls/id/302220

> -- 
> Darren J Moffat

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
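The three tiers Hughes describes above (unauthenticated CBC, XTS, and an integrity-checked design), shown as an added example that is not part of the original thread or of any of the products it mentions. The block cipher is a toy four-round Feistel PRP built from HMAC-SHA256 standing in for AES, since the effects shown depend on the mode and not on the cipher; the keys, sector number and sector contents are constructed; the XTS tweak schedule follows IEEE 1619 (sector number encrypted under the second key, then multiplied by x in GF(2^128) per block); and the MAC-checked sector at the end is a plain encrypt-then-MAC stand-in for "complete integrity detection", not ZFS crypto's actual construction.

```python
"""Added example (not from the thread): one tampered ciphertext bit under
unauthenticated CBC, under XTS, and under a MAC-checked sector.  A Feistel PRP
from HMAC-SHA256 stands in for AES; the effects shown depend only on the mode.
Assumes 64-byte sectors (multiple of 16, so XTS needs no ciphertext stealing)."""
import hashlib
import hmac

BLOCK = 16

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, rnd, half):  # Feistel round function, 8-byte output
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]

def prp(key, block, enc=True):  # toy 128-bit block cipher standing in for AES
    l, r = block[:8], block[8:]
    for rnd in (range(4) if enc else reversed(range(4))):
        l, r = (r, xor(l, _f(key, rnd, r))) if enc else (xor(r, _f(key, rnd, l)), l)
    return l + r

def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = prp(key, xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        out.append(xor(prp(key, ct[i:i + BLOCK], enc=False), prev))
        prev = ct[i:i + BLOCK]
    return b"".join(out)

def _times_alpha(t):  # tweak * x in GF(2^128), IEEE 1619 little-endian convention
    n = int.from_bytes(t, "little") << 1
    if n >> 128:
        n ^= (1 << 128) | 0x87
    return n.to_bytes(16, "little")

def xts(k1, k2, sector, data, enc=True):
    """XTS: every 16-byte block is bound to its (sector, offset) by the tweak."""
    t = prp(k2, sector.to_bytes(16, "little"))
    out = []
    for i in range(0, len(data), BLOCK):
        out.append(xor(prp(k1, xor(data[i:i + BLOCK], t), enc), t))
        t = _times_alpha(t)
    return b"".join(out)

def changed_blocks(a, b):
    return [i // BLOCK for i in range(0, len(a), BLOCK) if a[i:i + BLOCK] != b[i:i + BLOCK]]

def flip_bit(buf, bit):
    b = bytearray(buf)
    b[bit // 8] ^= 1 << (bit % 8)
    return bytes(b)

# Constructed keys and one 4-block sample sector, written as sector number 7.
K1, K2, KM, IV = b"k" * 16, b"t" * 16, b"m" * 16, bytes(16)
PT = b"block0--block0--block1--block1--block2--block2--block3--block3--"

def cbc_tamper():
    """Flip bit 0 of ciphertext block 1: block 1 is garbled and block 2 gets a
    controlled flip of exactly that bit (the classic CBC bit-flipping attack)."""
    pt2 = cbc_decrypt(K1, IV, flip_bit(cbc_encrypt(K1, IV, PT), 16 * 8))
    return changed_blocks(PT, pt2), xor(PT[32:48], pt2[32:48])

def xts_tamper():
    """The same flip in XTS: only that 16-byte block changes, and it is randomized."""
    pt2 = xts(K1, K2, 7, flip_bit(xts(K1, K2, 7, PT), 16 * 8), enc=False)
    return changed_blocks(PT, pt2)

def xts_replay():
    """Old ciphertext of block 1 put back at the same offset after a rewrite
    decrypts to the old plaintext; the same chunk at another offset is junk."""
    old_ct = xts(K1, K2, 7, PT)
    new_ct = bytearray(xts(K1, K2, 7, b"NEW0NEW0NEW0NEW0" * 4))
    new_ct[16:32] = old_ct[16:32]
    same_offset = xts(K1, K2, 7, bytes(new_ct), enc=False)[16:32] == PT[16:32]
    new_ct[32:48] = old_ct[16:32]
    moved = xts(K1, K2, 7, bytes(new_ct), enc=False)[32:48] == PT[16:32]
    return same_offset, moved

def mac_sector(sector, ct):  # encrypt-then-MAC over (sector number, ciphertext)
    return hmac.new(KM, sector.to_bytes(8, "little") + ct, hashlib.sha256).digest()

def authenticated_read(sector, ct, tag):
    """Checked sector (a stand-in for an integrity-protected design, not the
    thread's ZFS crypto construction): any tamper is refused, not decrypted."""
    if not hmac.compare_digest(tag, mac_sector(sector, ct)):
        return None
    return xts(K1, K2, sector, ct, enc=False)

def authenticated_tamper():
    ct = xts(K1, K2, 7, PT)
    tag = mac_sector(7, ct)
    return authenticated_read(7, ct, tag) == PT, authenticated_read(7, flip_bit(ct, 16 * 8), tag)
```

Running the four checks reproduces the thread's claims: `cbc_tamper()` reports blocks 1 and 2 changed, with block 2 differing from the original by exactly the flipped bit (a controlled edit an attacker can aim); `xts_tamper()` reports only block 1 changed, and randomized; `xts_replay()` returns `(True, False)`, the 16-byte same-offset replay Hughes lists as XTS's remaining weakness; and `authenticated_tamper()` decrypts the untouched sector but refuses the tampered one. Note that the per-sector MAC here still accepts an old (ciphertext, tag) pair written for the same sector number, so on its own it only moves the replay problem from 16 bytes to a whole sector; binding each sector's tag into a parent structure that is itself authenticated is what narrows the attack to the whole-disk rollback Hughes attributes to ZFS crypto.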
