OpenBSD Journal

Misc. Crypto Stuff

Contributed by jose on from the random-crypto-notes dept.

Just a few random bits of crypto to throw at people, hopefully a little something for everyone this morning. First, Onlamp features an article which will be of interest to many of you, Cryptographic Terminology 101 . Dru covers the basics and helps you get started navigating cryptography. Feel free to check out an article I wrote early last year which serves as an intro to crypto as well, What Crypto is Good For . Hope that serves as good material for everyone.

Lastly, Ted Unangst has been working on a port of CGD , or Cryptographic Disk for OpenBSD. Have a look at it. It's still rather early, but for those of you who really want to see cryptodisk support in OpenBSD, this is one way to help make that a reality.

(Comments are closed)

  1. By Anonymous Of My Corrupt Government Coward () on

    The home of a friend of mine was recently raided by police and his PC was taken as "evidence", in Sydney Australia.

    I was quite taken back reading the opinions last time a crypto filesystem subject was posted here. Some unrealistic people seemed to think that the dangers of data loss were too great to make crypto filesystems worthwhile. Perhaps an opinion they would adjust slightly while doing lots of thinking in prison for a "crime" that is truely ridiculous.

    AES encrypted disk images work very well in Mac OSX. I doubt OpenBSD would have trouble making crypto filesystems work reliably.

    1. By Paranoid () on

      We don't need no stinking crypto!!! I have a perfect solution for this problem... I've wired small ammounts of C4 to my hard drive.

      I have a remote so I can detonate it at a moments notice, from anywhere. Additionally, if I am unable to press the button, or unaware of the tampering, there is nothing to be worried about... As soon as the tower experiences significant vibrations, the C4 will detonate.

      No muss, no fuss, no evidence.

      1. By Anonymous Coward () on

        I realize that the comment I am responding to was posted in jest, but I did want to add that "put some C4 on it", or "use some thermite", or "keep the machine in your bedroom and have a gun" are very poor solutions to what should be a 99.9% software problem. The ideal way to do this is to have the entire disk encrypted, with the key kept in RAM, and then have a PC case with a few little mods to detect intrusion, which kill the power when intrusion is detected. A very little bit of hardware working with the right software provides the solution.

        The level of intrusion detection depends on the level of the threat. A basic level could be those sensors that already come with Dell and other cases. More advanced stuff (which I have seen on some regular commercial PC hardware) includes light detectors. The imagination can go wild on this... shock detectors, temperature sensors, penetration detectors, pressure sensors, tilt sensors, radiation sensors, GPS units, on and on. Just a question of what is the threat and what is the budget.

        The other thing which needs to be done is that the bits that hold the key should probably be flipped once a second or so so they don't burn into RAM. Again, a software solution will do it.

    2. By RC () on

      It is a matter of priorities. Some people are not at all concerned about their privacy, and so an encrypted filesystem is not appealing to them in the least. e.g. They see only the disadvantages; the advantages are meaningless to them.

      Different people have different priorities.

      Personally, I would likely encrypt everything... My system partitions (so I know no tampering can take place), and my user-data directories (so I know my data is kept private, and that programs can't betray my privacy if they wanted to (ala Internet Explorer:

      Hey, when law enforcement can't prove you've done anything illegial, they like to resort to threating to exposes your secrets. So I don't feel my desire for privacy is overly paranoid.

      That... and I don't want my MASSIVE mp3 collection discovered. :-) Just kidding.

    3. By Anonymous Coward () on

      Every time I bring this up people say "It's not reliable, you're paranoid, etc." It's like, "We're not paranoid for wanting crypto everywhere except the disk, but you are paranoid for wanting crypto on disk." Huh? Different threats, different threat models, different security measures.

      The other very confused thing is that people for some reason think that SSL, SSH, etc are for defense against criminals, whereas the only reason people want FS crypto is to defend against legitimate law enforcement. This is incomprehensible. Criminals steal computers all the time. Thousands of computers are stolen every day. Mostly they are stolen just for the hardware, but sometimes they are stolen just for the files. I personally know of several cases of this happening, where computers (laptops) were stolen to get data from them, not for the hardware value.

      Let's see, Win XP has it. Mandrake and Redhat have it. OS X has it. And yet OpenBSD still doesn't have it...

      If I had the skills to write kernel code I would be working on this right now, and hopefully when I have the money to do it, I will be able to hire someone on the OpenBSD team to add it, if possible.


Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]