FileVault on other than home directories on MacOS?
james hughes
hughejp at mac.com
Thu Sep 24 21:22:44 EDT 2009
On Sep 22, 2009, at 5:57 AM, Darren J Moffat wrote:
> Ivan Krstić wrote:
>> TrueCrypt is a fine solution and indeed very helpful if you need
>> cross-platform encrypted volumes; it lets you trivially make an
>> encrypted USB key you can use on Linux, Windows and OS X. If you're
>> *just* talking about OS X, I don't believe TrueCrypt offers any
>> advantages over encrypted disk images unless you're big on
>> conspiracy theories.
>
> Note my information may be out of date. I believe that MacOS native
> encrypted disk images (and thus FileVault) uses AES in CBC mode
> without any integrity protection, the Wikipedia article seems to
> confirm that is (or at least was) the case http://en.wikipedia.org/wiki/FileVault
Unauthenticated CBC is indeed a problem
http://tinyurl.com/ycoaruo
> There is also a sleep mode issue identified by the NSA:
> http://crypto.nsa.org/vilefault/23C3-VileFault.pdf
I don't think that Jacob Appelbaum or Ralf-Philipp Weinmann work for
the NSA (but having "crypto.nsa.org" is cool :-)
> TrueCrypt on the other hand uses AES in XTS mode so you get
> confidentiality and integrity.
Technically, you do not get integrity. With XTS (P1619, narrow block
tweaked cipher) you are not notified of data integrity failures, but
these data integrity failures have much reduced usability compared to CBC.
With XTS:
1) You can return 16 byte chunks to previous values (ciphertext
replay) as long as it is to the same place (offset) as it was before.
2) If you change a bit, you will randomize a 16 byte chunk of
information.
With the P1619.2 mode, which I believe is called TET (IEEE 1619.2, wide
block tweaked cipher), there are different characteristics. Usually the
wide block is a sector so it can be 512 or some other value. In this
case, you do not get complete integrity either. In this case
1) You can return a sector to a previous value (sector replay) as long
as it is to the same place (offset) as it was before.
2) If you change a bit, you will randomize a complete sector of
information.
If you change this to ZFS Crypto
http://opensolaris.org/os/project/zfs-crypto/
You get complete integrity detection with the only remaining
vulnerability that
1) you can return the entire disk to a previous state.
While I may have put you all to sleep, the basic premise holds... XTS is
better than unauthenticated CBC.
http://www.cpni.gov.uk/docs/re-20050509-00385.pdf
http://jvn.jp/niscc/NISCC-004033/index.html
http://www.kb.cert.org/vuls/id/302220
> --
> Darren J Moffat
>
> ---------------------------------------------------------------------
> The Cryptography Mailing List
> Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
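
The tampering behaviour described in the message above, as an added example that is not part of the original post: a one-bit ciphertext change under CBC versus XTS, and a 16-byte replay at the same offset under XTS, none of which raises an error on decryption. Assumptions: a toy SHA-256 Feistel cipher stands in for AES so the code runs on the standard library alone, the XTS routine omits ciphertext stealing, and all function names, keys and sector contents are constructed for illustration.

```python
import hashlib
BLOCK = 16  # bytes; same block size as AES

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))
def _f(key, rnd, half):  # Feistel round function: toy stand-in for AES (assumption)
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def enc_block(key, blk, rounds=range(4)):
    l, r = blk[:8], blk[8:]
    for rnd in rounds:
        l, r = r, _xor(l, _f(key, rnd, r))
    return r + l  # final swap: decryption is the same network with rounds reversed

def dec_block(key, blk):
    return enc_block(key, blk, reversed(range(4)))
def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def cbc_encrypt(key, iv, pt):
    out = [iv]
    for b in blocks(pt):
        out.append(enc_block(key, _xor(b, out[-1])))
    return b"".join(out[1:])

def cbc_decrypt(key, iv, ct):
    cs = blocks(ct)
    return b"".join(_xor(dec_block(key, c), p) for c, p in zip(cs, [iv] + cs))

def xts_crypt(k1, k2, sector, data, decrypt=False):  # tweak T_j = E_k2(sector) * x^j
    t = int.from_bytes(enc_block(k2, sector.to_bytes(BLOCK, "little")), "little")
    fn, out = (dec_block if decrypt else enc_block), []
    for b in blocks(data):
        tb = t.to_bytes(BLOCK, "little")
        out.append(_xor(fn(k1, _xor(b, tb)), tb))
        t = ((t << 1) ^ (0x87 if t >> 127 else 0)) & ((1 << 128) - 1)  # GF(2^128)
    return b"".join(out)

def flip_low_bit(ct, i):
    return ct[:i] + bytes([ct[i] ^ 1]) + ct[i + 1:]

def tamper_demo():
    k1, k2, iv = b"A" * 16, b"B" * 16, bytes(BLOCK)  # constructed keys and IV
    new, old = b"block-0 contents" * 2, b"OLDER-0 contents" * 2  # constructed data
    cbc = cbc_decrypt(k1, iv, flip_low_bit(cbc_encrypt(k1, iv, new), 0))
    c_new, c_old = xts_crypt(k1, k2, 7, new), xts_crypt(k1, k2, 7, old)
    xts_flip = xts_crypt(k1, k2, 7, flip_low_bit(c_new, 0), decrypt=True)
    xts_replay = xts_crypt(k1, k2, 7, c_old[:BLOCK] + c_new[BLOCK:], decrypt=True)
    return new, old, cbc, xts_flip, xts_replay
```

In the CBC result the first block is garbled and the second block differs from the original in exactly the flipped bit; in the XTS results only the touched 16-byte block changes, and the replayed block decrypts cleanly to its older contents.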