Security Basics mailing list archives
Re[2]: Storing an encryption key in CMOS
From: Alexander Lukyanenko <sashman () ua fm>
Date: Tue, 9 Mar 2004 01:09:31 +0200
Hello Vladimir,

VBK> If you can BACKUP key - that means that you can read that KEY (You can dump
VBK> your BIOS) <=> GET KEY => you must encrypt that key in NVRAM chip => you
VBK> MUST have external key that will be used to decrypt KEY in NVRAM => You
VBK> needn't store key in NVRAM cos you already have external key.

The external key is meant to be kept at some kind of offsite storage (i.e. burnt to a CD, sealed in an envelope and locked in a safety deposit box).

VBK> Software that is running is running under OS <=> OS can manage that software
VBK> <=> If you interact like part of OS you can get anything you want including
VBK> passwords and unencrypted sensitive data.

Not in case of MS EFS, where the data is stored encrypted, and the encryption key is itself encrypted with a user's password. No password - no data, no matter how deep you are, even if you're in ring 0.

VBK> Drivers and even fonts implemented

Console fonts, you mean.

VBK> in privileged mode and every first of these can potentially do it.

BUT, the systems still exist, never mind the fact they are not 100% secure. The boot sequence must be locked with a password to prevent the cracker from booting _any_ OS.

VBK> I think you can find 16 bytes = 128 bit for your key.....

The solution is up to the vendors, I suppose.

VBK> If you really wanna use strong filesystem encryption, you must use some
VBK> kind of hardware addon that implements that encryption instead of implementing that
VBK> encryption using software. And in any case KEYS and DATA must be separated.

The hardware addon must be perishable (i.e. its storage's contents must be destroyed should the system get compromised).

* * * * * * * * * * * * * * * *
* Alexander V. Lukyanenko *
* ma1lt0: sashman ua fm *
* ICQ# : 86195208 *
* Phone : +380 44 458 07 23 *
* OpenPGP key ID: 75EC057C *
* NIC : SASH4-UANIC *
* * * * * * * * * * * * * * * *
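The key hierarchy the message above argues about (data encrypted under a random key, that key encrypted under something derived from the user's password, so a dump of the stored blob yields nothing without the password, and the password can be changed without re-encrypting the data) is shown below as an added example. It is not code from the original thread and not how EFS is implemented; it is a simplified stdlib-only model. The cipher is HMAC-SHA256 run in counter mode with an encrypt-then-MAC tag, chosen only so the example runs without third-party libraries; the iteration count, salt size and record layout are assumptions made for the example.

```python
"""Password-wrapped data key (envelope encryption), added example.

Structure modelled: a random data-encryption key (DEK) encrypts the file; the
DEK is stored only in wrapped form under a key-encryption key (KEK) derived
from the user's password with PBKDF2-HMAC-SHA256.  Whoever dumps the record
(as one could dump NVRAM or a disk) holds ciphertext and a wrapped DEK, and
without the password neither can be opened.

The symmetric cipher below is HMAC-SHA256 in counter mode plus an HMAC tag
(encrypt-then-MAC).  It is an illustrative stdlib construction for this
example, not the cipher EFS or any product uses.
"""
import hashlib
import hmac
import secrets

KDF_ITERATIONS = 100_000   # assumption for the example, not a product setting
NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: HMAC(key, nonce || counter) blocks, truncated."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(key: bytes):
    """Separate encryption and MAC keys derived from one 32-byte key."""
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(enc_key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key or tampering raises ValueError."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("ciphertext too short")
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    ks = _keystream(enc_key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def derive_kek(password: str, salt: bytes) -> bytes:
    """Password -> 32-byte key-encryption key (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               KDF_ITERATIONS, dklen=32)


def protect_file(password: str, data: bytes) -> dict:
    """Encrypt data under a fresh DEK; store the DEK only wrapped under the KEK."""
    dek = secrets.token_bytes(32)
    salt = secrets.token_bytes(16)
    kek = derive_kek(password, salt)
    return {
        "salt": salt,                         # public
        "wrapped_dek": encrypt(kek, dek),     # the only stored copy of the DEK
        "ciphertext": encrypt(dek, data),     # bulk data under the DEK
    }


def unprotect_file(password: str, record: dict) -> bytes:
    """Unwrap the DEK with the password-derived KEK, then decrypt the data."""
    kek = derive_kek(password, record["salt"])
    dek = decrypt(kek, record["wrapped_dek"])   # raises without the right password
    return decrypt(dek, record["ciphertext"])


def change_password(old: str, new: str, record: dict) -> dict:
    """Re-wrap the DEK under a new KEK; the bulk ciphertext is left untouched."""
    dek = decrypt(derive_kek(old, record["salt"]), record["wrapped_dek"])
    salt = secrets.token_bytes(16)
    return {
        "salt": salt,
        "wrapped_dek": encrypt(derive_kek(new, salt), dek),
        "ciphertext": record["ciphertext"],
    }


if __name__ == "__main__":
    rec = protect_file("correct horse", b"constructed sample file contents")
    print(unprotect_file("correct horse", rec))
    try:
        unprotect_file("wrong password", rec)
    except ValueError as e:
        print("without the password:", e)
```

Two points the code makes concrete: the wrapped DEK is the only secret material at rest, so a copy of the record (the "backup" in the quoted argument) is useless by itself; and changing the password touches only the wrapped DEK, which is why the data key and the password-derived key are kept as separate layers rather than encrypting the data directly under the password.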
Current thread:
- Storing an encryption key in CMOS Alexander Lukyanenko (Mar 04)
- Re: Storing an encryption key in CMOS Vladimir B. Kropotov (Mar 08)
- Re[2]: Storing an encryption key in CMOS Alexander Lukyanenko (Mar 09)
- Crypto implementation for public use (was: RE[2]: Storing an encryption key in CMOS) Vladimir B. Kropotov (Mar 17)
- Re[2]: Storing an encryption key in CMOS Alexander Lukyanenko (Mar 09)
- Re: Storing an encryption key in CMOS Vladimir B. Kropotov (Mar 08)