securing hard disk stored key material
From: dave anonymous (i_have_a_few_questions@yahoo.com)
Date: 02/12/03
- Next message: Scott Contini: "Re: RSA and Number Theory"
- Previous message: lurker: "Re: OT: Value of Semiconductors Debug Mode Information"
- Next in thread: jetmarc: "Re: securing hard disk stored key material"
- Reply: jetmarc: "Re: securing hard disk stored key material"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "dave anonymous" <i_have_a_few_questions@yahoo.com> Date: Wed, 12 Feb 2003 14:59:28 -0800
Assume:
1. A crypto box has an embedded hard disk on which is stored an encrypted database. The database includes confidential user information including private keys.
2. PKCS #5 v2.0 is used: PBKDF2 w/HMAC-SHA1 for the PRF, PBES2 w/DES-EDE3-CBC (or perhaps AES), and PBMAC1 w/HMAC-SHA1.
3. The box does not have an HSM or otherwise provide secure storage of unencrypted keys.
4. No support for a removable smart card/USB fob or secure id/etc.
5. Salts are generated using a TRNG and are at least 64 bits.
Phase 1:
The first time the box is booted the operator logs in using the factory default username/password, and is prompted to change the password. Assume password strength checking is performed.
The password is passed through PBKDF2 using an "authentication" salt which includes an authentication identifier. The salt and the derived "key" are stored in plaintext on the hard disk in a "password" file.
The raw password is passed through PBKDF2 again, this time using an "encryption" salt (contains an encryption identifier). Only the salt is stored in plaintext on the hard disk. A MAC is generated on the plaintext data using the derived key and PBMAC. PBES2 is used to encrypt the confidential data and the MAC. The result is written to the hard disk.
Phase 2:
To boot the box and decrypt the confidential data the operator enters username/password. The password is passed through PBKDF2 using the "authentication" salt. The computed value is compared against the previously stored value. If it matches, the password and "encryption" salt are used to generate the derived key and the confidential data is decrypted. The decrypted data is verified against the MAC. If it matches all is well; if not, the box doesn't boot.
Phase 3:
The box or just the hard disk is stolen by an attacker.
Questions/comments:
1. How secure is the data?
2. Is there any value to the "authentication" step? It keeps the attacker from booting the box, but the same result occurs if a bad password is used to decrypt the data: the data is bad, the MAC fails and the box doesn't boot. The authentication step would be faster than the decrypt step, so it is better to just decrypt and make the timing good/bad the same.
3. If the drive is removed, the authentication does nothing. The attacker has direct access to the encrypted data.
4. I know encrypt-then-MAC is the recommended practice. This does not ensure that an error doesn't occur during decryption. Is it assumed this just doesn't happen? Or is there the presumption of multiple levels of MAC?
5. Is PKCS #12 the best way to encrypt keys? Is there another more widely used method?
Comments, recommendations, pointers all welcome.
-Dave