Subject: Re: encrypted swap?
To: None <tech-security@netbsd.org, tech-kern@netbsd.org>
From: der Mouse <mouse@Rodents.Montreal.QC.CA>
List: tech-security
Date: 06/04/2001 22:11:08
> To me, at least, the point of an encrypted swap area is to defeat
> "seized machine" attacks, not real-time attacks.
I would agree.
There's another point, which just now occurred to me.
Stuff remaining on swap can be good as well as bad. I was at the
Venema/Farmer talk at IBM, and one of their rich sources of information
was swap partitions - it can be valuable for forensics after a breakin
as well as being valuable to an attacker.
> In other words, the risk is to things like PGP private keys and the
> like.
Agreed again.
> Given that, there's no issue of too much data encrypted with one key.
Now, smb is one of those people of whom I say "if you disagree, it's
probably you that's wrong".
But here I feel I must - it may not turn out to be a _practical_
matter, but it is at least important an issue enough to consider.
There's no issue of too much data _we care about_ encrypted with one
key, perhaps. But - to pick on the PGP private key example - a lot
more than just the private key is encrypted with a given swap key. At
the very least, the rest of the affected page is; in the scheme of the
paper, anything else encrypting-swapped to the same (big) chunk of swap
is. Even with per-process (or per-VM-object) keys, anything else
swapped from that VM object is.
And as I trust we all know that the more data you encrypt with a key,
the easier cryptanalysis is. And in a seized-machine attack, the
attacker can deduce exactly what the layout of the attacked process's
memory space is, providing a good deal of known plaintext and a bunch
more low-entropy plaintext.
And if we do the encrypted-block-device form, then the whole device,
including a whole lot of known or low-entropy plaintext, is.
(Depending of course on exactly how the encryption layer manages its
keys.)
> The total amount of ciphertext available to the attacker is limited
> by the amount of swap space you have, and that's almost certainly
> small enough that you don't have to worry.
There is that, though: even if you have a whole processful of encrypted
swap, it's probably not enough - even with known-plaintext help
factored in - to mount a successful attack.
I suppose it depends on how paranoid you are.
/~\ The ASCII der Mouse
\ / Ribbon Campaign
X Against HTML mouse@rodents.montreal.qc.ca
/ \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B