Subject: Re: encrypted swap?
To: Michael K. Sanders <msanders@confusion.net>
From: Steven M. Bellovin <smb@research.att.com>
List: tech-kern
Date: 06/04/2001 20:48:33
In message <200106042330.f54NUUZ17976@euphoria.confusion.net>, "Michael K. Sanders" writes:
>The approach described in the paper divides swap into some number
>of configurable size sections, with a random key generated on demand
>for each section. Each key also has associated with it a reference
>count and an expiration time.
>
What is the point? What is the threat model that supports such
behavior? More precisely, why do you want to encrypt your swap
partition? (Caution: the rest of this response probably belongs in
tech-crypto instead.)

To me, at least, the point of an encrypted swap area is to defeat
"seized machine" attacks, not real-time attacks. Anyone who can read
the swap area while the machine is running presumably has root
privileges (well, /dev/wd0b is mode 640, which is probably a mistake --
though anyone with operator privs can read any other private file on
the system, though not modify it). In other words, the risk is to
things like PGP private keys and the like.

Given that, there's no issue of too much data encrypted with one key.
The total amount of ciphertext available to the attacker is limited by
the amount of swap space you have, and that's almost certainly small
enough that you don't have to worry.

If you're using cipher block chaining, you shouldn't use one key with
more than sqrt(blocksize) blocks of data. Thus, for DES or 3DES,
anything more than 2^32 8-byte blocks -- i.e., 32G -- of data would be
a bad idea. Most of us don't have swap areas that are that large....
If you use AES, which has 128-bit blocks, you're safe unless your swap
area -- the swap area you've actually *used* -- is larger than 2^4 * 2^64
bytes. That's not within my threat model...

On the other hand, using a randomly generated key is a good idea *if*
you have sufficiently-good random numbers available that early in the
boot process.

If you really want encrypted swap, and you want it with little effort,
use CFS and swap to a file. I ported CFS to NetBSD; you can find it
at your choice of
http://www.crypto.com/software/cfs-1.4.1.tar
http://www.crypto.com/software/cfs-1.4.1.tar.gz
http://www.crypto.com/software/cfs-1.4.1.tgz
Follow the instructions in README.netbsd and you should be on the air.

--Steve Bellovin, http://www.research.att.com/~smb
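
Added example, not part of the original message: the per-key CBC limits quoted above (32G for DES/3DES, 2^4 * 2^64 bytes for AES) computed from the block size, together with the standard birthday approximation for the chance of a repeated ciphertext block at a given amount of used swap. The function names, the sample swap sizes and the 2^-32 risk target are assumptions chosen for illustration.

```python
import math

# Block sizes in bits for the ciphers named in the message.
BLOCK_BITS = {"DES/3DES": 64, "AES": 128}

def birthday_limit_bytes(block_bits):
    """Bytes covered by 2^(n/2) blocks of an n-bit block cipher."""
    return (1 << (block_bits // 2)) * (block_bits // 8)

def collision_probability(data_bytes, block_bits):
    """Birthday approximation p = 1 - exp(-q(q-1) / 2^(n+1)) for q blocks
    encrypted under one key; expm1 keeps precision when p is tiny."""
    q = data_bytes // (block_bits // 8)
    return -math.expm1(-(q * (q - 1)) / (1 << (block_bits + 1)))

def max_bytes_for_risk(block_bits, p):
    """Largest amount of data per key that keeps the collision chance <= p
    (inverse of the approximation above, using q^2 in place of q(q-1))."""
    q = math.isqrt(int(-math.log1p(-p) * (1 << (block_bits + 1))))
    return q * (block_bits // 8)

if __name__ == "__main__":
    GIB = 1 << 30
    swap_sizes = [1 * GIB, 4 * GIB, 32 * GIB]  # constructed sample sizes
    for name, bits in BLOCK_BITS.items():
        print(f"{name}: 2^(n/2)-block limit = {birthday_limit_bytes(bits)} bytes")
        for size in swap_sizes:
            p = collision_probability(size, bits)
            print(f"  {size // GIB:>3} GiB used swap -> p(collision) ~ {p:.3e}")
        target = 2.0 ** -32  # assumed risk target, not from the message
        print(f"  data per key for p <= 2^-32: {max_bytes_for_risk(bits, target)} bytes")
```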