Subject: Re: FUD about CGD and GBDE
To: ALeine <aleine@austrosearch.net>
From: Charles M. Hannum <abuse@spamalicious.com>
List: tech-security
Date: 03/05/2005 21:06:04
On Friday 04 March 2005 18:55, ALeine wrote:
> > 1) If you're doing analysis of a cold disk, it is ~trivial to tell
> > the difference between a sector that has been written only once and
> > a sector that has been rewritten.
>
> This is hardly trivial, you are basing your statement on the false
> assumption that one cannot or will not do anything to protect the
> encrypted image after the initialization. One can do a lot.

I'm basing my statement on the assumption that people will use GBDE.  I see 
nothing in GBDE to prevent such analysis.

> > 2) When used in a SAN environment, or an environment where
> > multiple accesses to the drive can be done over time, it is
> > possible to determine this fairly quickly using traffic analysis.
> > The GBDE paper even touches on this in section 10.3.  Have you
> > read it?
>
> First of all, protection against traffic analysis on a SAN is in
> the territory of hot disk protection and GBDE, as you must have
> surely read, is designed for cold disk protection.

No, actually, it's not.  "Hot disk" protection as defined in the GBDE paper 
refers to breaking the GBDE partition *on the machine that's using it*, where 
you have the keys in memory.  That's not even vaguely what I'm talking about.  
Furthermore, people *have* discussed using GBDE in a SAN environment.

Also, I'm not talking about necessarily using the SAN as direct storage for 
the GBDE partition.  It could, for example, be used to back it up.  In either 
case, traffic analysis will find a lot of information -- e.g. I propose that 
just by looking at which sectors tend to be modified together, that the 
sector "rotation" and zone size can be discovered with usually no more than 
two snapshots (it depends on how much has been modified), and is therefore 
pretty much useless cryptographically.

> SANs are by 
> definition high availability environments and as such have high
> volume traffic, so if you have someone who has access to be able
> to monitor that traffic and can also analyze such high volumes
> of traffic and can also clone your entire SAN storage devices
> unnoticed without causing a service disruption then you have
> much bigger problems, so worrying about GBDE should be the
> least of your concerns. :-)

I am not talking about "cloning your entire SAN storage device".  In reality, 
cloning a user's GBDE partition stored on a SAN would generally be trivial, 
as it would only be a small fraction of the SAN.

> Second of all, the cleaning lady copy attack (described in section
> 10.3), where someone can regularly make bit-wise copies of the
> entire disk containing the encrypted image and determine the
> location of sensitive structures by means of differential analysis
> is not very practical.

Actually, it's quite practical.  It requires no hardware modification that 
might be noticed, and it only requires intermittent access to the machine.  
And as I said above, traffic analysis will yield considerable results toward 
breaking the encryption.  Do you keep *your* laptop next to you 24/7?  Very 
few people do.  Some laptop manufacturers (e.g. Dell) even make it 
particularly easy to remove the disk.

While you might claim that the dedication to study the user's behavior and 
mount such an attack is fanciful, I claim that it is not.  Under observation, 
GBDE's additional techniques do not stand up to the claim of being "spook 
strength".