Security Basics mailing list archives

Re[2]: Storing an encryption key in CMOS


From: Alexander Lukyanenko <sashman () ua fm>
Date: Tue, 9 Mar 2004 01:09:31 +0200

Hello Vladimir,

VBK> If you can BACKUP the key - that means that you can read that KEY (you can dump
VBK> your BIOS) <=> GET KEY => you must encrypt that key in the NVRAM chip => you
VBK> MUST have an external key that will be used to decrypt the KEY in NVRAM => You
VBK> needn't store the key in NVRAM because you already have the external key.
The external key is meant to be kept at a some kind of offsite storage
(i.e. burnt to a CD, sealed in an envelope and locked in a safety
deposit box).

VBK> Software that is running is running under the OS <=> the OS can manage that software
VBK> <=> If you interact as part of the OS you can get anything you want, including
VBK> passwords and unencrypted sensitive data.
Not in the case of MS EFS, where the data is stored encrypted, and the
encryption key is itself encrypted with the user's password. No password
- no data, no matter how deep you are, even if you're in ring 0.

VBK> Drivers and even fonts are implemented
Console fonts, you mean.
VBK> in privileged mode and every one of these can potentially do it.
BUT, the systems still exist, never mind the fact that they are not 100%
secure.
The boot sequence must be locked with a password to prevent the
cracker from booting _any_ OS.

VBK> I think you can find 16 bytes = 128 bit for your key.....
The solution is up to the vendors, I suppose.

VBK> If you really wanna use strong  filesystem encryption, you must use some
VBK> kind of hardware addon that implement that encryption instead implement that
VBK> encryption using software. And in any case KEYS and DATA must be separated.
The hardware addon must be perishable (i.e. its storage's contents
must be destroyed should the system get compromised).
* * * * * * * * * * * * * * *
* Alexander V. Lukyanenko   *
* ma1lt0: sashman ua fm     *
* ICQ#  : 86195208          *
* Phone : +380 44 458 07 23 *
* OpenPGP key ID: 75EC057C  *
* NIC   : SASH4-UANIC       *
* * * * * * * * * * * * * * *
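The key hierarchy argued over in this thread (a data key that is itself encrypted under a password or external key, so that dumping the NVRAM or BIOS yields nothing usable, while the wrapped blob can be freely backed up) as an added example; this is not code from the original posts, from MS EFS, or from any vendor's firmware. Assumptions: the external secret is a password or passphrase (the "key sealed in an envelope"), the KEK is derived with PBKDF2-HMAC-SHA256 (hand-rolled here from the standard library so the example is self-contained), and the data key is wrapped with AES-256-GCM. The names WrappedKey, WrapKey, UnwrapKey, Dump and the record layout are the example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// ErrUnwrap is returned when the external secret is wrong or the blob was altered.
var ErrUnwrap = errors.New("cannot unwrap key: wrong password or corrupted blob")

// pbkdf2SHA256 is a hand-rolled PBKDF2-HMAC-SHA256 (RFC 8018) producing one
// 32-byte block, inlined so the example needs only the standard library.
// Assumption of this example; real code should use a vetted KDF package.
func pbkdf2SHA256(password, salt []byte, iters int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // INT(1): big-endian index of the first block
	u := mac.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < iters; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

// WrappedKey is the record that would occupy the NVRAM/CMOS slot. Every
// field is what an attacker obtains by dumping the chip; none of it is secret.
type WrappedKey struct {
	Salt       []byte // KDF salt
	Iterations int    // KDF work factor
	Nonce      []byte // AES-GCM nonce
	Ciphertext []byte // data key, encrypted and authenticated under the KEK
}

// Dump flattens the record the way a firmware dump would present it.
func (w *WrappedKey) Dump() []byte {
	out := append([]byte(nil), w.Salt...)
	out = append(out, w.Nonce...)
	return append(out, w.Ciphertext...)
}

// kekCipher derives the KEK from the external secret and the stored KDF
// parameters and returns AES-256-GCM keyed with it.
func kekCipher(external string, w *WrappedKey) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2SHA256([]byte(external), w.Salt, w.Iterations))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// WrapKey encrypts dataKey under a KEK derived from the external secret
// (the password, or the key kept offsite on the sealed CD).
func WrapKey(dataKey []byte, external string) (*WrappedKey, error) {
	w := &WrappedKey{Salt: make([]byte, 16), Iterations: 100000}
	if _, err := rand.Read(w.Salt); err != nil {
		return nil, err
	}
	gcm, err := kekCipher(external, w)
	if err != nil {
		return nil, err
	}
	w.Nonce = make([]byte, gcm.NonceSize())
	if _, err := rand.Read(w.Nonce); err != nil {
		return nil, err
	}
	// The salt is bound in as associated data so it cannot be swapped undetected.
	w.Ciphertext = gcm.Seal(nil, w.Nonce, dataKey, w.Salt)
	return w, nil
}

// UnwrapKey recovers the data key, or fails if the external secret is wrong
// or the stored blob has been tampered with (GCM tag mismatch).
func UnwrapKey(w *WrappedKey, external string) ([]byte, error) {
	gcm, err := kekCipher(external, w)
	if err != nil {
		return nil, err
	}
	dk, err := gcm.Open(nil, w.Nonce, w.Ciphertext, w.Salt)
	if err != nil {
		return nil, ErrUnwrap
	}
	return dk, nil
}

func main() {
	// Constructed sample: a 256-bit filesystem data key and an external secret.
	dataKey := make([]byte, 32)
	rand.Read(dataKey)
	const external = "kept-in-the-safety-deposit-box"
	w, err := WrapKey(dataKey, external)
	if err != nil {
		panic(err)
	}
	dump := w.Dump()
	fmt.Printf("NVRAM dump: %d bytes, contains data key: %v\n", len(dump), bytes.Contains(dump, dataKey))
	got, err := UnwrapKey(w, external)
	fmt.Println("correct secret recovers key:", err == nil && bytes.Equal(got, dataKey))
	_, err = UnwrapKey(w, "guess")
	fmt.Println("wrong secret:", err)
}
```

The point the exchange circles around falls out of the structure: the blob in NVRAM is safe to read, copy or back up, because without the external secret it is just salt, nonce and authenticated ciphertext. The secret that actually matters never touches the chip, which is exactly the separation of KEYS and DATA the thread asks for, and a brute-force attempt on the blob is paced by the KDF iteration count rather than by NVRAM access speed.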
