Re: Hard Drive Destruct System?

From: Casper H.S. Dik (Casper.Dik_at_Sun.COM)
Date: 11/29/04


Date: 29 Nov 2004 14:16:45 GMT

roberson@ibd.nrc-cnrc.gc.ca (Walter Roberson) writes:

>How would you know the proper nonce and counter to use for
>any particular disk block? You have distinguished between the
>nonce and the key, so either "nonce + counter" is calculated by
>a constant formula for any given disk block, or else the user
>would have to enter two "keys", one of which is really the nonce.

The "nonce" is part of the key but used differently in the
algorithm, just like the initial IV is a part of the
key in some algorithms; the counter would be derived from the
address which presumably is always the same for the same
block of the disk.

>Recall that this isn't a message transmission stream where a nonce
>can be generated and security interchanged during the authentication
>phase.

No, it's indeed part of the key.

>If "nonce + counter" is calculated by a constant formula for any
>particular disk sector, then if the attacker can get access to
>the system while it is operational with the valid key, they can
>read the encrypted contents of a disk block and then have the system
>write the block with known contents (e.g., all blanks.) They would
>then read off the encrypted result and xor it with the contents
>they knew they wrote there, and that would give them
>the Encrypt(Key, Nonce + Counter) that was valid for that disk block.
>They would take that value and xor it with the previously recorded
>encrypted contents, and the result they would get back would be
>the original unencrypted content of the block.

I would assume that an attacker who gets access to a system which is
operating and keyed with proper key+nonce can always read the
disk content by accessing it through the proper (decrypting) way.

If you can get the system to write an encrypted block, surely you
can get them to read it too?

>Further to this: if the attackers can gain read access to the encrypted
>drive even when it is not writing under the aegis of the appropriate
>key, they can image the disk and withdraw. At a later time when
>some interesting information has been written to the disk, they can
>come back and re-image it. If they then xor the two recorded images,
>the Encrypt(Key, Nonce + Counter) for each disk block will cancel
>out, leaving them with the xor of the changes to the drive contents.
>In any block in which the original plaintext content was NULLs
>[e.g. because nothing had been written there yet], the new disk
>block content after the series of xor's will be the plaintext of the
>new disk block contents; similarly, in any block in which the
>original plaintext content was not null but was overwritten with NULLs
>[e.g., because the block was released from use], the new disk block
>content after the series of xor's will be the plaintext of the
>original block contents.

If you can observe the encrypted contents of a system, it is likely
that you can also observe much more, such as key material used and so on.

There is protection offered against disks or computers stolen.

Casper

-- 
Expressed in this posting are my opinions.  They are in no way related
to opinions held by my employer, Sun Microsystems.
Statements on Sun products included here are not gospel and may
be fiction rather than truth.
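
The two-image comparison described in the quoted text, as an added example that is not part of the original post: when the counter is derived only from the sector address, XORing two snapshots of the encrypted disk cancels Encrypt(Key, Nonce + Counter) and leaves the XOR of the plaintexts. HMAC-SHA256 stands in for the block cipher here (an assumption), and the key, nonce, sector size and sector contents are constructed sample values.

```python
import hashlib
import hmac

BLOCK = 32  # constructed sector size in bytes, kept small for the demo


def keystream(key: bytes, nonce: bytes, sector: int) -> bytes:
    # Stand-in for Encrypt(Key, Nonce + Counter). HMAC-SHA256 replaces the
    # block cipher (assumption); the counter is the sector address, so the
    # same sector always gets the same keystream.
    counter = sector.to_bytes(8, "big")
    return hmac.new(key, nonce + counter, hashlib.sha256).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def write_sector(key: bytes, nonce: bytes, sector: int, plaintext: bytes) -> bytes:
    # Unused space is NUL-padded, as in the scenario from the thread.
    return xor(plaintext.ljust(BLOCK, b"\0"), keystream(key, nonce, sector))


def image(key: bytes, nonce: bytes, sectors: list) -> list:
    # What someone with raw read access to the drive would record.
    return [write_sector(key, nonce, i, p) for i, p in enumerate(sectors)]


def diff_images(old: list, new: list) -> list:
    # Keystreams are identical per sector, so they cancel: C1 ^ C2 == P1 ^ P2.
    return [xor(a, b) for a, b in zip(old, new)]


def demo() -> list:
    key, nonce = b"k" * 16, b"n" * 8  # constructed key material
    first = [b"", b"old payroll data", b"unchanged file"]
    second = [b"new secret memo", b"", b"unchanged file"]
    leaked = diff_images(image(key, nonce, first), image(key, nonce, second))
    return [block.rstrip(b"\0") for block in leaked]


if __name__ == "__main__":
    for number, block in enumerate(demo()):
        print(number, block)
```

Sector 0 went from NULs to data and sector 1 from data to NULs, so both plaintexts come out of the diff without the key; the all-zero result for sector 2 shows only that it did not change.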
