Security Basics mailing list archives
Re: Good design for a Algorithmically Derived Passphrase for FDE (?!)
From: ManInWhite <maninwhite () tpg com au>
Date: Tue, 20 Nov 2007 07:41:29 +1030
You have both misunderstood me. Firstly: BitLocker is out of the question. Vista. Ewwwww Secondly: The algorithm used to derive the passphrase not stored with the laptop at all. The CODEwords which are used to derive the passphrase are not stored with the laptop. They both never leave the key generation PC. Thirdly: The security of the system is not in keeping the algorithm secret. Ultimately all it is doing is generating offsets for lookup in a secret codebook. The Codebook is not stored with the laptop, and protected. The security is keeping this codebook secure. If the attacker was to somehow derive the numbers the algorithm produces it would be useless without the codebook. The laptop has no idea (45, 254, 12) means "alice walked with bob to town". Possession of the serial number or key generation algorithm would be effectively useless. MiW Ansgar -59cobalt- Wiechers wrote:
On 2007-11-18 ManInWhite wrote:I have been tasked with deploying partition based encryption for our fleet of laptops. It has been suggested that we use an algorithm derived passphrase based on some unique hardware number. [ HDD Serial# / Laptop Serial# ]Then your security would depend on the attacker not knowing the algorithm for deriving the passphrase from the serial numbers (which will be known to him once he has access to the hardware). Bad idea. Don't do that. The only good design for algorithmically derived passphrases is not to have algorithmically derived passphrases. Regards Ansgar Wiechers
On Nov 17, 2007 8:51 PM, ManInWhite <maninwhite () tpg com au> wrote:
It has been suggested that we use an algorithm derived passphrase based on some unique hardware number. [ HDD Serial# / Laptop Serial# ]
So when the laptop is stolen, the thief will also have all these serial number, and if they get hold of their algorithm, they can re-construct passphrase for any laptop. this kind of scheme may work for equipment that doesn't leave the facility e.g. servers in datacenter. But definitely don't use this for laptops. I suspect you are trying to use BitLocker, which lack centralized key management. I would suggest you take a look at some other holistic solutions for encrypting your laptops. Saqib http://www.full-disk-encryption.net/
Current thread:
- Good design for a Algorithmically Derived Passphrase for FDE (?!) ManInWhite (Nov 19)
- Re: Good design for a Algorithmically Derived Passphrase for FDE (?!) Ansgar -59cobalt- Wiechers (Nov 19)
- Re: Good design for a Algorithmically Derived Passphrase for FDE (?!) ManInWhite (Nov 19)
- RE: Good design for a Algorithmically Derived Passphrase for FDE (?!) Arbogast, Paul (Citco) (Nov 20)
- Re: Good design for a Algorithmically Derived Passphrase for FDE (?!) Ansgar -59cobalt- Wiechers (Nov 20)
- RE: Good design for a Algorithmically Derived Passphrase for FDE (?!) David Gillett (Nov 20)
- RE: Good design for a Algorithmically Derived Passphrase for FDE (?!) Pranav Lal (Nov 21)
- Re: Good design for a Algorithmically Derived Passphrase for FDE (?!) ManInWhite (Nov 19)
- Re: Good design for a Algorithmically Derived Passphrase for FDE (?!) Ansgar -59cobalt- Wiechers (Nov 19)
- Re: Good design for a Algorithmically Derived Passphrase for FDE (?!) Ali, Saqib (Nov 19)
- Re: Good design for a Algorithmically Derived Passphrase for FDE (?!) Geoffrey Gowey (Nov 19)
- Re: Good design for a Algorithmically Derived Passphrase for FDE (?!) ManInWhite (Nov 20)
- RE: Good design for a Algorithmically Derived Passphrase for FDE (?!) Eric White (Nov 20)
- Re: Good design for a Algorithmically Derived Passphrase for FDE (?!) Geoffrey Gowey (Nov 19)
- Re: Good design for a Algorithmically Derived Passphrase for FDE (?!) Muhammad Farooq-i-Azam (Nov 20)