Security of Linux crypt files compared to PGPdisk? - Security

This is a discussion on Security of Linux crypt files compared to PGPdisk? - Security ; Hello, Does anyone - preferably a cryptology expert - know whether the cryptologic security of Linux crypt files is better, equal or worse than the one of a PGPdisk? In particular, I'd like to know this from a system point ...

+ Reply to Thread
Results 1 to 16 of 16

Thread: Security of Linux crypt files compared to PGPdisk?

  1. Security of Linux crypt files compared to PGPdisk?

    Hello,

    Does anyone - preferably a cryptology expert - know whether the
    cryptologic security of Linux crypt files is better, equal or worse
    than the one of a PGPdisk? In particular, I'd like to know this from a
    system point of view (for instance, when using Linux crypt files, are
    there traces of passphrases, keys or original files left uncyphered on
    the system) and from the pure ciphertext point of view (for instance,
    would there be a difference between the two, if someone got hold of a
    CD-ROM with the ciphertext). With respect to the latter question, I'm
    for instance thinking about the handling of unused space on the
    encrypted volume, which, if not filled with random data, might
    facilitate cryptanalysis.

    The reason I'm asking this is, that I have a license for PGPdisk, but
    recently migrated to a Linux platform.

    Thanks in advance for any answer!

    Ciao,
    Mario


  2. Re: Security of Linux crypt files compared to PGPdisk?

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Mario wrote:
    > Hello,
    >
    > Does anyone - preferably a cryptology expert - know whether the
    > cryptologic security of Linux crypt files is better, equal or worse
    > than the one of a PGPdisk? In particular, I'd like to know this from a
    > system point of view (for instance, when using Linux crypt files, are
    > there traces of passphrases, keys or original files left uncyphered on
    > the system) and from the pure ciphertext point of view (for instance,
    > would there be a difference between the two, if someone got hold of a
    > CD-ROM with the ciphertext). With respect to the latter question, I'm
    > for instance thinking about the handling of unused space on the
    > encrypted volume, which, if not filled with random data, might
    > facilitate cryptanalysis.
    >
    > The reason I'm asking this is, that I have a license for PGPdisk, but
    > recently migrated to a Linux platform.


    I am no expert by any means, and have no answers for you. I am, however,
    interested in the answer to this question and have some others of my own
    for you, as I also own a PGPDisk license and contemplating a move to Linux.

    Are you planning on using an encrypted partition with loop-aes? Truecrypt?

    >From my poking around the net, I think that what will be the best fit

    for my needs would be encfs coupled with PAM authorization, as described
    here:

    http://tinyurl.com/z5f8c

    I will be interested to know of other people's ideas on the subject.

    - --
    Ylan

    "The universe is not required to be in
    perfect harmony with human ambition"
    ~ Carl Sagan


    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.2 (MingW32)
    Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

    iD8DBQFEY31DrG0/NdVQ/fsRAqYnAKCf6yGrUzE/O43foj/Jvxs4nsdZyACdHt8G
    Iqfd92OOxm5u9gBIXYx9xNc=
    =scy7
    -----END PGP SIGNATURE-----

  3. Re: Security of Linux crypt files compared to PGPdisk?

    Hi Ylan,

    I was planning to use a loop device with Triple-DES, as Triple-DES is -
    to my knowledge - still considered to be a very good cipher, and I
    don't care much about speed. I'm amongst others using Suse, and Suse
    allows the creation of crypt files in the partitioner.

    Ciao,
    Mario


  4. Re: Security of Linux crypt files compared to PGPdisk?

    I've contributed to the crypto API in Linux.

    File system encryption in Linux (IMHO) is not as advaced (cryptographically)
    as TrueCrypt. The main reason has to do with the mode of operation used.

    As of today, the way you'd create an encrypted file system in Linux is to:
    a) Create a fiel of size S
    b) link it to /dev/loopN (where N is 0-9)
    c) Create a map using Device Mapper Crypto (dm-crypt)
    using dmsetup. This hasa options for encryption.
    The options include which cipher and what IV mode.
    The best mode is essiv (encrypted salt - sequence number IV)
    You have to specify a hash for this, sha-256 say.
    d) Then you use /dev/mapper/yourmap as if it were a hard disk.
    Format it, mount it, use it, unmount it, unmap it, shutdown.

    There exists scripts to make all this very nice and tidy.

    Problem with dmcrypt today is the best mode for file systems is currently
    essiv. Ideally it would use LRW - but I got tired to fighting fights
    with maintainers in the Kernel.

    LRW vs ESSIV mode:
    - LRW has a few nice features which protect you when your laptop/desktop
    get stolen twice (think about what might change on the disk between writes
    to the encrypted volume)

    Hope this helps.

    JLC

    In sci.crypt Mario wrote:
    > Hi Ylan,


    > I was planning to use a loop device with Triple-DES, as Triple-DES is -
    > to my knowledge - still considered to be a very good cipher, and I
    > don't care much about speed. I'm amongst others using Suse, and Suse
    > allows the creation of crypt files in the partitioner.


    > Ciao,
    > Mario



    --

  5. Re: Security of Linux crypt files compared to PGPdisk?

    Ylan Segal writes:

    >-----BEGIN PGP SIGNED MESSAGE-----
    >Hash: SHA1


    >Mario wrote:
    >> Hello,
    >>
    >> Does anyone - preferably a cryptology expert - know whether the
    >> cryptologic security of Linux crypt files is better, equal or worse


    What linux crypt files? crypt(1) on Linux is a totally insecure
    cryptography primative. It was broken in the 2nd world war.

    having thrown that one out, what exactly are you talking about?


    >> than the one of a PGPdisk? In particular, I'd like to know this from a
    >> system point of view (for instance, when using Linux crypt files, are
    >> there traces of passphrases, keys or original files left uncyphered on
    >> the system) and from the pure ciphertext point of view (for instance,
    >> would there be a difference between the two, if someone got hold of a
    >> CD-ROM with the ciphertext). With respect to the latter question, I'm
    >> for instance thinking about the handling of unused space on the
    >> encrypted volume, which, if not filled with random data, might
    >> facilitate cryptanalysis.
    >>
    >> The reason I'm asking this is, that I have a license for PGPdisk, but
    >> recently migrated to a Linux platform.


    >I am no expert by any means, and have no answers for you. I am, however,
    >interested in the answer to this question and have some others of my own
    >for you, as I also own a PGPDisk license and contemplating a move to Linux.


    >Are you planning on using an encrypted partition with loop-aes? Truecrypt?


    >>From my poking around the net, I think that what will be the best fit

    >for my needs would be encfs coupled with PAM authorization, as described
    > here:


    >http://tinyurl.com/z5f8c


    >I will be interested to know of other people's ideas on the subject.


  6. Re: Security of Linux crypt files compared to PGPdisk?

    "Mario" writes:

    >Hi Ylan,


    >I was planning to use a loop device with Triple-DES, as Triple-DES is -
    >to my knowledge - still considered to be a very good cipher, and I
    >don't care much about speed. I'm amongst others using Suse, and Suse
    >allows the creation of crypt files in the partitioner.


    Yes, you do care about the speed. a file system is a critial part of your
    system and its speed impacts everything. If it is too slow, you will not
    use it.


  7. Re: Security of Linux crypt files compared to PGPdisk?

    Bonsoir Jean-Luc,

    Thanks for your answer. I apparently gave the impression to be enough
    of an expert in the cryptology domain that you thought I'd understand
    everything you wrote .... which unfortunately is not the case ;o).

    Being a relative Linux newbie as well, let me describe the process I
    understood I should go through to create what Suse calls a crypt file,
    however without using the YaST partitioner:

    1. Create an empty container file;
    2. Link it to /dev/loopN with losetup, thereby also specifying the
    appropriate encryption and password hash options (I will need to do
    some more research on the hash stuff, but will probably use Triple-DES
    as the cypher);
    3. Format the so created loop device with a file system;
    4. Mount the loop device to a mount point of choice;
    5. Use the mounted device;
    6. Unmount it; and
    7. Detach the container file from the loop device with losetup.

    For archives, I'd then simply burn them to CD or DVD.

    If I would create crypt files this way, would I run security risks
    (compared to the ones I'd run using PGPdisk under Window$), and if so,
    when and where?

    Thanks for any further help (and please don't forget I'm just a poor
    user of cryptography ... ;o) ).

    Ciao,
    Mario


  8. Re: Security of Linux crypt files compared to PGPdisk?

    Hi Unruh,

    Responding to your two points:

    |> What linux crypt files? crypt(1) on Linux is a totally insecure
    cryptography
    |> primative. It was broken in the 2nd world war.

    I was not referring to crypt(1), but to what are called "Crypt Files"
    in the YaST Partioner under at least OpenSUSE 10.0. The Partitioner
    uses TwoFish 256 by default, but as I described in my response to
    Jean-Luc, by going through the same process manually you can specify
    several other cyphers.

    |> Yes, you do care about the speed. a file system is a critial part of
    your
    |> system and its speed impacts everything. If it is too slow, you will
    not
    |> use it.

    I understand that *you* care about the speed and would not use it if it
    would be too slow for *you*, but *I* don't care about it as I would use
    encrypted file systems only for certain specific purposes ;o).
    Furhermore, my machine is fast enough to keep up with me ...

    Ciao,
    Mario


  9. Re: Security of Linux crypt files compared to PGPdisk?

    "Mario" writes:

    >Hi Unruh,


    >Responding to your two points:


    >|> What linux crypt files? crypt(1) on Linux is a totally insecure
    >cryptography
    >|> primative. It was broken in the 2nd world war.


    >I was not referring to crypt(1), but to what are called "Crypt Files"
    >in the YaST Partioner under at least OpenSUSE 10.0. The Partitioner
    >uses TwoFish 256 by default, but as I described in my response to
    >Jean-Luc, by going through the same process manually you can specify
    >several other cyphers.


    OK, I did not know SUSE talks about crypt files in this context. Sorry for
    the noise.


    >|> Yes, you do care about the speed. a file system is a critial part of
    >your
    >|> system and its speed impacts everything. If it is too slow, you will
    >not
    >|> use it.


    >I understand that *you* care about the speed and would not use it if it
    >would be too slow for *you*, but *I* don't care about it as I would use
    >encrypted file systems only for certain specific purposes ;o).
    >Furhermore, my machine is fast enough to keep up with me ...


    No my point was a human engineering one. Clearly encryption is important to
    you for at least some things. At present you feel that speed is not
    important. But, if things take time ( even a few sec longer) the tendency is to
    say "forget about it this time, I do not really need this encryptied.".
    Ie, security is not simply about the strength of the cypher, it is about
    the strength of the whole chain, and that includes the likelihood of your
    using it. Now you may be right that the difference is trivial ( less than a
    sec on any file you are ever likely to use). In that case my worry is
    irrelevant. But it is something you should test, not assume.





  10. Re: Security of Linux crypt files compared to PGPdisk?

    Sorry I'm no crypto expert, but I have some experience in setting up some of these.

    Loop-aes offers performance only a slightly less than that of an unencrypted
    system, although I've had occasional crashes due to heavy I/O. Loop-aes is very
    "transparent", so in day-to-day use one can almost forget its running (except
    for booting the system). Loop-aes required a fair amount of time and effort to
    set up including patching and compiling quite a few programs and modules,
    recompiling the kernel (a few times in my case...), repartitioning the drive if
    you don't have a boot partition, and reconfiguring the boot manager (I use grub).

    I also use true-crypt, which is a container approach, meaning you have to
    mount/unmount a "virtual" drive when you are done with your sensitive work. The
    newest version, 4.2, works well in linux and you can do all the things you can
    in the windows one, like create, modify and configure your virtual drives. I
    haven't really tested performance, but because it can use multiple algorithms
    and does not work at the block level, I believe it to be a little slower than
    loop-aes.

    In terms of "strong security" loop-aes is great, while true-crypt is almost
    bullet-proof (and maybe even NSA-proof?). Loop-aes uses a type of CBC encoding
    which MAY have weaknesses, but none that are proven or reliable. I suggest
    using AES-256 with SHA-512 hash and key scrubbing, and a long password. Great
    security, somewhat hard setup but the docs are great.

    Truecrypt uses LRW encoding which is supposed to be top of the line, and lets
    you pick one an array of ciphers, allowing you to string up to 3 together, and a
    variety of hashes. With 3 strong 256-bit ciphers (AES, twofish, and serpent),
    the whirlpool hash, and LRW to encode it, a true-crypt container is probably the
    safest digital protection this side of the NSA. Not to difficult to set up in
    my experience.

    ~David~

    Mario wrote:
    > Hello,
    >
    > Does anyone - preferably a cryptology expert - know whether the
    > cryptologic security of Linux crypt files is better, equal or worse
    > than the one of a PGPdisk? In particular, I'd like to know this from a
    > system point of view (for instance, when using Linux crypt files, are
    > there traces of passphrases, keys or original files left uncyphered on
    > the system) and from the pure ciphertext point of view (for instance,
    > would there be a difference between the two, if someone got hold of a
    > CD-ROM with the ciphertext). With respect to the latter question, I'm
    > for instance thinking about the handling of unused space on the
    > encrypted volume, which, if not filled with random data, might
    > facilitate cryptanalysis.
    >
    > The reason I'm asking this is, that I have a license for PGPdisk, but
    > recently migrated to a Linux platform.
    >
    > Thanks in advance for any answer!
    >
    > Ciao,
    > Mario
    >


  11. Re: Security of Linux crypt files compared to PGPdisk?

    Hi Unruh,

    No need to say sorry. As for the speed issue, I agree that it will
    probably be an important point for most people and that it should be
    tested, not assumed, but from my experience and intended use I already
    know that speed won't be an issue.

    Ciao,
    Mario


  12. Re: Security of Linux crypt files compared to PGPdisk?

    Hi David,

    Thanks for your reply. What I'm looking for though is a straightforward
    software solution like PGP offers, and not one that requires patching
    and compiling, so loop-aes is definitely not a solution for me. As for
    True-crypt I will look into it. Does anyone know whether True-crypt has
    been the subject of code reviews, like PGP has been?

    That being said, I intended to use the Crypt File solution that is
    offered with losetup, so, coming back to my original questions:

    I'd like to know whether the cryptologic security of the aforementioned
    Linux Crypt Files is better, equal or worse than the one of PGPdisks
    under Window$:
    - from a system point of view (for instance, when using Linux crypt
    files, are there traces of passphrases, keys or original files left
    uncyphered on the system); and
    - from a pure ciphertext point of view (for instance, would there be a
    difference between the safety of Crypt Files and PGPdisks, if someone
    got hold of a CD-ROM with the ciphertext). I'm for instance thinking
    about the handling of unused space on the encrypted volume, which, if
    not filled with random data, might facilitate cryptanalysis.

    Still hoping for a cryptology expert's answer to those questions ;o)
    ;o). Perhaps someone could trigger Bruce Schneier ;o) ?

    Ciao,
    Mario


  13. Re: Security of Linux crypt files compared to PGPdisk?

    Mario wrote:
    > Bonsoir Jean-Luc,
    >
    > Thanks for your answer. I apparently gave the impression to be enough
    > of an expert in the cryptology domain that you thought I'd understand
    > everything you wrote .... which unfortunately is not the case ;o).
    >
    > Being a relative Linux newbie as well, let me describe the process I
    > understood I should go through to create what Suse calls a crypt file,
    > however without using the YaST partitioner:
    >
    > 1. Create an empty container file;
    > 2. Link it to /dev/loopN with losetup, thereby also specifying the
    > appropriate encryption and password hash options (I will need to do
    > some more research on the hash stuff, but will probably use Triple-DES
    > as the cypher);
    > 3. Format the so created loop device with a file system;
    > 4. Mount the loop device to a mount point of choice;
    > 5. Use the mounted device;
    > 6. Unmount it; and
    > 7. Detach the container file from the loop device with losetup.
    >
    > For archives, I'd then simply burn them to CD or DVD.
    >
    > If I would create crypt files this way, would I run security risks
    > (compared to the ones I'd run using PGPdisk under Window$), and if so,
    > when and where?


    It sounds as if you are proposing to use the cryptoloop feature. I use
    this myself, but you must understand that it is proof only against the
    casual attack. Since I'm mainly concerned with the casual laptop thief
    rather than the industrial spy or three letter agency (TLA) this is
    adequate, and any data which has high value is then kept in file
    protected by gpg encryption. The value of cryptoloop is that once
    created it can be mounted with the default mount command, and if you
    create an image the size of a CD or DVD you can burn to a media which
    can be loop mounted.

    There are a number of ways to do encryption in Linux, I'll just note
    them so you can Google them, and I suspect others will tell you why they
    think one is good and another bad...

    cryptoloop is built into the kernel, and is easy to use after setup. It
    can be run off media or over network filesystems like NFS, and the data
    are encrypted until used (data over the network is protected).

    dm-crypt is the latest "next big thing" which allows you to use stronger
    encryption but there is discussion now about failures when used with
    software raid, see the linux-kernel or linux-raid lists to get opinions
    on whether raid over dm-crypt is evil or dm-crypt over raid. Or whether
    there isn't a problem at all. I don't pretend to have the answer, but I
    wouldn't use them together until there is an answer.

    loop-aes is a patch to the standard kernel. If you can't build a kernel,
    and don't have it in you vendor kernel, stop here. If you have access to
    it, look at some of the neutral reviews, as it appears to be strong,
    fast, and stable. I have seen it used, haven't used it.

    Finally there are several encrypting filesystem which do encryption on a
    per-file basis. I'm not qualified to discuss them even a little bit, but
    a search will turn up several variants which may suit your needs.

    Your question would have a nice determinant answer if there were a
    single "crypt files" to evaluate, but you have choices. I will say that
    some of the encryption options use a LOT of CPU and unless your data
    requires that level of protection it's best to pick something which is
    appropriate but faster. I don't want to recommend the answer, but do
    recommend that you evaluate before taking advice.

    --
    -bill davidsen (davidsen@tmr.com)
    "The secret to procrastination is to put things off until the
    last possible moment - but no longer" -me

  14. Re: Security of Linux crypt files compared to PGPdisk?

    On Thu, 11 May 2006 17:16:26 -0400, Mario wrote:

    > Thanks for your answer. I apparently gave the impression to be enough
    > of an expert in the cryptology domain that you thought I'd understand
    > everything you wrote .... which unfortunately is not the case ;o).


    Just fyi. Here's my current setup. In /etc/fstab my swap entry is ...

    /dev/hda9 swap swap defaults,encrypted 1 0

    I'm using Mandriva 2006. The above results in the following extract
    from /var/log/boot.log ...
    mkswap: Setting up swapspace version 1, size = 2146754 kB
    mkswap: no label, UUID=6f394ee0-b1ed-42d8-83d6-9f17a89eba7d
    rc.sysinit: Creating encrypted swap on /dev/hda9 using /dev/loop0: succeeded
    rc.sysinit: Activating encrypted swap on /dev/hda9 using /dev/loop0: succeeded
    rc.sysinit: Enabling swap space: succeeded

    By default, it uses AES256.

    For my /home/dave filesystem, it has one single file, /home/dave/.bash_profile,
    copy appended. I'm using Logical Volumes to contain the file system. You can
    just as easily use a partition, or file on an existing partition. With this
    setup, my home directory is only available when I'm logged on. At logon, I
    just enter my loginid/password, followed by my encryption passphrase, and then
    run startx. You must boot into run level 3 (i.e. no graphical logon), or you
    will not see the request for the encryption passphrase, and the logon will fail.
    I expect the script could be modified to detect if X11 is running, and use xdialog
    to get the passphrase, but that would add extra risks of having the passphrase
    become visbile via ps, or be stored temporarily in a non encrypted file.

    There is no entry for /home/dave in /etc/fstab. The fsck is required after a crash,
    but cannot be run until the encrypted file system is connected to the loopback.
    It cannot be run safely on a mounted filesystem. Hence I'm using losetup with
    a seperate mount, instead of using the option of specifying the encryption in
    the mount command, and having it auto setup the loopback device.

    Regards, Dave Hodgins

    # .bash_profile

    # User specific aliases and functions

    sudo /sbin/losetup -e AES2048 /dev/loop7 /dev/LV2/enc
    sudo /sbin/fsck -a /dev/loop7
    rc=$?

    if [ $rc -gt 3 ]; then
    rc_splash verbose
    gprintf "Failed to check filesystem. Switch to another console, andrun\n"
    gprintf "fsck with appropriate options. (beware, you can lose data)\n"
    read answer
    KEYS=`gprintf "yY"`
    fi

    # Source global definitions
    if [ -f /etc/bashrc ]; then
    . /etc/bashrc
    sudo mount -v -t reiserfs -o defaults,notail,exec /dev/loop/7 /home/dave
    su -l dave
    sudo fuser -km /dev/loop7
    sleep 4
    sudo fuser -km /dev/loop7
    ## Following lines are for debugging only. Remove once logoffs are normally ok
    # sudo lsof|grep dave>fred
    # cat fred
    ## Previous lines are for debugging only. Remove once logoffs are normally ok
    echo "umount /home/dave"
    sudo umount /home/dave
    echo "sudo /sbin/losetup -d /dev/loop7"
    sudo /sbin/losetup -d /dev/loop7
    sudo /sbin/losetup -a
    echo done
    exit
    fi


    --
    Change nomail.afraid.org to ody.ca to reply by email.
    (nomail.afraid.org has been set up specifically for
    use in usenet. Feel free to use it yourself.)

  15. Re: Security of Linux crypt files compared to PGPdisk?


    David W. Hodgins wrote:
    > On Thu, 11 May 2006 17:16:26 -0400, Mario wrote:
    >
    > > Thanks for your answer. I apparently gave the impression to be enough
    > > of an expert in the cryptology domain that you thought I'd understand
    > > everything you wrote .... which unfortunately is not the case ;o).

    >
    > Just fyi. Here's my current setup. In /etc/fstab my swap entry is ...
    >
    > /dev/hda9 swap swap defaults,encrypted 1 0


    Unlike windows Linux doesn't need swap space to be fully functional.

    Memory cost about 150$ [CDN] per GB stick (of DDR1). If you're really
    paranoid about security you'd just install more ram and turn off swap.

    No?

    Tom


  16. Re: Security of Linux crypt files compared to PGPdisk?

    On Sat, 13 May 2006 06:32:18 -0400, wrote:

    > Unlike windows Linux doesn't need swap space to be fully functional.
    > Memory cost about 150$ [CDN] per GB stick (of DDR1). If you're really
    > paranoid about security you'd just install more ram and turn off swap.
    > No?


    Depends on the programs you're running. I'm running with 512mb of ram,
    and rarely see any swap usage, at all.

    Like with windows, if a program asks the kernel for 1 gb of virtual
    memory, just in case it needs it, not having a swap will require that
    much ram to be available. With a swap, the program will get some now,
    with the rest being assigned to the swap.

    In most cases, you can turn off the swap, but not all.

    Again, it depends on who you're protecting against. I encrypt the swap,
    just to be on the safe side, regarding my encryption pass phrase, possibly
    showing up there.

    I'm satisfied that a thief, would not be able to access my home directory,
    and then find online banking info, that may be in my browsers cache (yes,
    I have https cached, as I'm on dialup, and find the speed difference worth
    the risk).

    The only time I see a performance hit from using file system encryption,
    is when copying large files, such as dvd iso images. Even then, the hit
    is minor, from my point of view.

    Regards, Dave Hodgins

    --
    Change nomail.afraid.org to ody.ca to reply by email.
    (nomail.afraid.org has been set up specifically for
    use in usenet. Feel free to use it yourself.)

+ Reply to Thread