On Sun, 2013-10-20 at 03:27 +0200, Arno Wagner wrote:
> On Sun, Oct 20, 2013 at 02:49:59AM +0200, Christoph Anton Mitterer wrote:
> > > [...]
> > Anyway... who should put the key in such a place? If you're already
> > that far, that some evil application is running with enough rights on
> > your system to do that,... you're screwed anyway, and nothing can help
> > you with that.
>
> Indeed. And this app needs root-permissions as it is writing
> data to raw partitions.

Maybe I need to revise my own statement a tiny bit, that the whole thing seemed to be a non-issue to me.

1) If an attacker successfully attacks a system that is somehow connected to the internet, to an extent where he can read your master keys and write to raw devices.... you're screwed as I said. Whether or not the attacker wants to remain silent doesn't matter... if not, he simply sends all data he wants over the wire, or if he wants to remain silent (and remove his rootkit/whatever) after getting the masterkey,... he doesn't need to store it locally,... he will always find some way to send it via the internet, and be it via hidden channels.

2) If a system is absolutely offline, one can argue that an attacker indeed would want to store the plain master key at some place (locally) where he can recover it later on, to decrypt your data (e.g. after breaking in to your house)... But then again,... he already has to be in your system.... so in that case you'd already use compromised software and the attacker could just use no encryption and simply hide that from you... or really use a key that he already knows...

And even if you forget about all that (which makes the thing IMHO again a non-issue),... there are plenty of places left (not only the headers) where such information could be stored. EFI system partition, the BIOS CMOS or other firmware EEPROMs, perhaps in tricky ways in the MBR or the MBR post gap. Or actually, at any place of the disk... it does not really matter whether there's a filesystem or not.... chances are good that the block is never used or rewritten,... or he simply replaces your fs driver and reserves some blocks (that he already knows) from being used and places the key there... I'm sure you'd never notice.

So again,.. once your system is compromised to such a level... you're simply screwed.

Cheers,
Chris.
_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
http://www.saout.de/mailman/listinfo/dm-crypt