On Sat, 25 Sep 2004 04:58:48 +0200, Andrea Arcangeli said:
> I don't even think "save their key securely" (I mean saving anything
> related to the swapsuspend encryption key on disk) is needed. A mixture
> of an on-disk key + passphrase would not be more secure than a simple
> "passphrase" alone, because the on-disk key would be in cleartext and
> readable by the attacker. The only usable key is the one in the user's memory;
> it cannot be saved in the computer anywhere. Perhaps for additional
> security (and to avoid having to type and remember it) one could use a
> usb pen to store and fetch the key... but then I leave the fun to the
> usb folks since to do that usb should kick off before resume overwrites
> the kernel image ;)
Well, obviously saving the actual key on the disk is a losing idea, but saving
"key hashed by passphrase" would work (similar to how PGP or SSH don't save the
actual key, but rather the key hashed by something).
I suspect that having the *entire* key be the passphrase remembered by the user
is also a non-starter security-wise (unless we do something like Jari Ruusu's
loop-AES stuff does and force a minimum 20-char passphrase) - there's going to
be all too many blocks in the swsusp area that are "known plaintext" and easily
brute-forceable for most passphrases that users are likely to actually use.
So in order to make it at all secure, we really need to save on the disk
a key with O(128 bits) of entropy, perturbed by enough bits that are *not*
to be found anywhere on the machine so that it isn't a slam-dunk for an attacker.
Do any of the crypto experts lurking have ideas/opinions on just how many
bits we need to store externally (be it in a USB dongle, a thumbprint, a
passphrase, whatever)?