Re: Hi

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Tue, Feb 18, 2003 at 11:07:29PM +0000, David Woodhouse wrote:
> > I already explained you that for security reasons this functionality
> > should be in the block layer, not in the filesystem layer.
> 
> Why?

Quoting from email:
Date: Sun, 2 Feb 2003 13:26:56 +0100
From: Erik Mouw <J.A.K.Mouw@its.tudelft.nl>
To: Rajaram Suresh Gaunker <rajarams1@rediffmail.com>
Cc: rubini@gnu.org, kernelnewbies <kernelnewbies@nl.linux.org>
Subject: Re: Adding new fs
Message-ID: <20030202122656.GA30830@arthur.ubicom.tudelft.nl>

<erikm>
Anyway, to return to your issue:

Encrypting individual files is a bad idea, because it still gives an
eavesdropper information. Suppose I want to know if you're subscribed
to the kernelnewbies list. I would somehow get hold of your harddisk
and find a file named /home/rajaram/Mail/kernelnewbies. I can't read it
because it's encrypted, but it gives me enough information to figure
out you're subscribed. Even worse: because you and I are subscribed to
the same mailing list, I *know* the contents of the file so it enables
me to do a known-plaintext attack on your cryptosystem. There might
even be more files the same on our systems, which makes attacking the
cypher even easier. Not good.

The right way to encrypt a filesystem is to encrypt the block device
below the filesystem. In this way all information about the filesystem
is encrypted and if I get hold of your disk, I can't make head or tails
from it because I can't even figure out if and where individual files
are located on the disk. This kind of encryption is already available
for linux, it can be done with the loop devices. Get the encryption
patches from http://www.kerneli.org/ , install them in your kernel, and
you can use the losetup command to setup and access an encrypted
blockdevice.

Interesting to note is that Microsoft's NTFS has the capability to
encrypt individual files, but nobody uses it. Instead of that, people
who need their information to be encrypted, use third party software
that encrypts the filesystem at the block layer, just like Linux
encrypted loop devices.
</erikm>


-- 
You too can spend five years in prison; just distribute this program
once US Senator Hollings's CBDTPA bill is passed into law:
perl -e 'while(<>) { print;}'

Attachment: pgp00321.pgp
Description: PGP signature

[Index of Archives]     [Newbies FAQ]     [Linux Kernel Mentors]     [Linux Kernel Development]     [IETF Annouce]     [Git]     [Networking]     [Security]     [Bugtraq]     [Yosemite]     [MIPS Linux]     [ARM Linux]     [Linux RAID]     [Linux SCSI]     [Linux ACPI]
  Powered by Linux