Eric Young (root@cryptsoft.com)
Sat, 18 Jul 1998 15:41:40 +1000 (EST)
On Fri, 17 Jul 1998, Jon Leonard wrote:
> > - How about making the ciphers loadable modules? Again, depending on
> > the cipher used on a disk, dynamically load the module.
> I don't think that a mechanism for automatically loading kernel modules off
> of removable media is a good idea.
>
> If you created the encrypted filesystem yourself, then you probably have the
> encryption modules around on fixed media.
>
> If you didn't create the media, what are you doing trusting someone else's
> object code in your kernel, especially when you're building a secure system?
Ok, I should explain the threat and usage model I am thinking about.
I have a linux box at work and at home. The ZIP drive is mountable by anyone.
I have root on both machines. I use the ZIP drive to hold information I want
to transfer between sites, and/or want to keep off the normal disks.
If I lose the ZIP disk, I don't want it readable. If a machine gets stolen
from work, I want the data unreadable.
The threat is from outside. If the government wants to get me, they will put a
camera in the ceiling and see my password/modify the kernel to leak the key
etc :-).
Now the main problem with having removable media is that when multiple
algorithms can be used, the machine you are taking your disk to may not have
the algorithm you want. If the kernel on that machine is compromised, you are
stuffed anyway. If it is an issue of only root being able to load the module,
then this is not a problem for the setup I'm talking about.
Thinking about it, I would agree that the 'object file' on loadable media is a
'Bad Thing (tm)' because you may never be able to unmount it again :-).
Still, when I go halfway around the world to use a friend's machine, it would
be nice to be able to load my own particular brand of paranoia onto his local
machine without a kernel rebuild. If the loopback interface can be used via
NFS, then the remote machine would need the correct cipher installed; again, a
loadable module would be nice.
eric (who would probably be thinking about implementing this project if he
had the time :-).
The following archive was created by hippie-mail 7.98617-22 on Fri Aug 21 1998 - 17:20:37 ADT