Subject: Re: encrypted swap?
To: Michael K. Sanders <msanders@confusion.net>
From: Steven M. Bellovin <smb@research.att.com>
List: tech-security
Date: 06/04/2001 20:48:33
In message <200106042330.f54NUUZ17976@euphoria.confusion.net>, "Michael K. Sanders" writes:

>The approach described in the paper divides swap into some number 
>of configurable size sections, with a random key generated on demand
>for each section.  Each key also has associated with it a reference
>count and an expiration time.
>

What is the point?  What is the threat model that supports such 
behavior?  More precisely, why do you want to encrypt your swap 
partition?  (Caution:  the rest of this response probably belongs in 
tech-crypto instead.)

To me, at least, the point of an encrypted swap area is to defeat 
"seized machine" attacks, not real-time attacks.  Anyone who can read 
the swap area while the machine is running presumably has root 
privileges (well, /dev/wd0b is mode 640, which is probably a mistake -- 
though anyone with operator privs can read any other private file on 
the system, though not modify it).  In other words, the risk is to 
things like PGP private keys and the like.

Given that, there's no issue of too much data encrypted with one key.  
The total amount of ciphertext available to the attacker is limited by 
the amount of swap space you have, and that's almost certainly small 
enough that you don't have to worry.

If you're using cipher block chaining, you shouldn't use one key with 
more than sqrt(blocksize) blocks of data.  Thus, for DES or 3DES, 
anything more than 2^32 8-byte blocks -- i.e., 32G -- of data would be 
a bad idea.  Most of us don't have swap areas that are that large....  
If you use AES, which has 128-bit blocks, you're safe unless your swap 
area -- the swap area you've actually *used* -- is larger than 2^4 * 2^64
bytes.  That's not within my threat model...

On the other hand, using a randomly generated key is a good idea *if* 
you have sufficiently-good random numbers available that early in the 
boot process.  

If you really want encrypted swap, and you want it with little effort, 
use CFS and swap to a file.  I ported CFS to NetBSD; you can find it
at your choice of

        http://www.crypto.com/software/cfs-1.4.1.tar
        http://www.crypto.com/software/cfs-1.4.1.tar.gz
        http://www.crypto.com/software/cfs-1.4.1.tgz

Follow the instructions in README.netbsd and you should be on the air.


		--Steve Bellovin, http://www.research.att.com/~smb
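
The per-key data limit for cipher block chaining discussed in the message comes from repeated ciphertext blocks: once two blocks under the same key collide, the XOR of the two plaintext blocks can be read off the ciphertext. The following is an added example, not part of the original message; it assumes a toy 16-bit random permutation in place of a real cipher and constructed random data, so the repeat shows up after a few hundred blocks.

```python
import random

BLOCK_BITS = 16            # toy block size (assumption); DES has 64, AES 128
N = 1 << BLOCK_BITS

def toy_cipher(key):
    """Keyed random permutation of all 16-bit blocks, standing in for E_k."""
    table = list(range(N))
    random.Random(key).shuffle(table)
    return table

def cbc_encrypt(perm, iv, blocks):
    """CBC: c_i = E_k(p_i XOR c_{i-1}), with the IV as c_{-1}."""
    out, prev = [], iv
    for p in blocks:
        prev = perm[p ^ prev]
        out.append(prev)
    return out

def first_collision(ct):
    """Indices (i, j), i < j, of the first repeated ciphertext block."""
    seen = {}
    for j, c in enumerate(ct):
        if c in seen:
            return seen[c], j
        seen[c] = j
    return None

def demo(seed=2001, nblocks=8192):
    """Encrypt random data under one key; report what a repeat reveals."""
    rng = random.Random(seed)            # constructed sample data
    perm = toy_cipher(rng.getrandbits(64))
    iv = rng.randrange(N)
    pt = [rng.randrange(N) for _ in range(nblocks)]
    ct = cbc_encrypt(perm, iv, pt)
    hit = first_collision(ct)
    if hit is None:
        return None
    i, j = hit
    # c_i == c_j means the cipher inputs were equal: p_i^c_{i-1} == p_j^c_{j-1},
    # so p_i ^ p_j can be read off the ciphertext alone.
    prev = lambda k: ct[k - 1] if k else iv
    leaked = prev(i) ^ prev(j)
    return j, leaked, pt[i] ^ pt[j]

if __name__ == "__main__":
    j, leaked, actual = demo()
    print(f"repeat after {j + 1} blocks (sqrt of block space = {1 << BLOCK_BITS // 2})")
    print(f"leaked p_i^p_j = {leaked:#06x}, actual = {actual:#06x}")
```

With 64-bit or 128-bit blocks the same repeat only becomes likely at the data volumes given in the message, which is why the amount of swap actually used is the quantity that matters.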