Friday, December 15, 2006

some questions about disk encryption

On a mailing list some questions were asked about disk encryption, I decided to blog the answer for the benefit of others:

What type of encryption would be the strongest? the uncrackable if you will? im not interested in DES as this is a US govt recommendation - IDEA seems good but what kernel module implements this?


The US government (which incidentally employs some of the best cryptologists in the world) recommends encryption methods for data that is important to US interests (US military and banking operations for starters). Why wouldn't you want to follow those recommendations? Do you think that they are putting back-doors in their own systems?

If they were putting in back-doors do you think that they would use them (and potentially reveal their methods) for something as unimportant as your data?

I think that if the US military wanted to apply a serious effort to breaking the encryption on your data then you would have an assortment of other things to worry about, most of which would be more important to you than the integrity of your data.

I've read some good things about keeping a usb key for system boot so that anything on the computer itself is unreadable without the key - but thats simply just a physical object - I'd like both the system to ask for the passphrase for the key as well as needing the usb key

I believe that can be done with LUKS, however it seemed broken last time I experimented with it so I've stuck with the older operation of cryptsetup.

What kind of overheads does something like this entangle? - will my system crawl because of the constant IO load of the disk?

My laptop has a Pentium-M 1.7GHz and a typical laptop drive. The ratio of CPU power to hard drive speed is reasonable. For most operations I don't notice the overhead of encryption, the only problem is when performing CPU intensive IO operations (such as bzip compression of large files). When an application and the kernel both want to use a lot of CPU time then things can get slow.

More recent machines have a much higher ratio of CPU power to disk IO as CPU technology has been advancing much faster than disk technology. A high-end desktop system might have 2-3x the IO capacity
of my machine, but a single core would have 2-3x the computer power of the CPU in my laptop and for any system you might desire nowadays 2 cores is the minimum. Single-core machines are still on sale and still work well for many people - I am still deploying Pentium-3 machines in new installations, but for machines that make people drool it's all dual-core in laptops and one or two dual-core CPUs in desktop systems (with quad core CPUs on sale soon).

If you want to encrypt data on a P3 system with a RAID array (EG a P3 server) then you should expect some performance loss. But for a typical modern desktop system you shouldn't expect to notice any overhead.

3 comments:

Ken said...

He's right to be concerned about DES, and there certainly was academic concern that DES might have been backdoored, but AIUI, the academic community has decided it isn't.

DES uses a 56-bit key length which is insufficient to be secure in light of the power of today's computers. DES can be cracked in 24 hours. I believe 3-DES (which encrypts using DES 3 times with 3 different keys) is considered secure enough to be usable.

DES was designed by IBM, with the cooperation of the NSA. There was concern about DES's dependence on the values of the "s-boxes" (an important part of the algorithm), and various aspects of why the algorithm worked were classified, leading many to suspect that the NSA had backdoored the algorithm. As academic research discovered the technique of differential cryptanalysis, however, researchers discovered that the particular values of the s-boxes were chosen to make differential cryptanalysis much harder than it would have been for any other values of the s-boxes. Academic consensus seems to be that IBM (and/or the NSA) knew about differential cryptanalysis in the 1970s, and designed DES to be resistant to it, and that DES is not backdoored.

Nevertheless, given the key size and the power of today's computers, 3-DES should not be used.

Lamont Peterson said...

@etbe

IDEA is patented in some contries, which is what killed it's use in general back in the day, though, I think those patents may have expired (sorry, I don't have time to check that right now).

Flaws were also found in IDEA many years ago and it is considered unsafe though I'm having trouble finding anything with a quick google search to support that statement.

@Ken
There are two ways that 3DES works. One uses 3 keys and the other only 2.

@etbe
I would recommend using twofish or AES, both of which are already supported by the Linux kernel. FC6 added partial support for encrypted partitions (the section on "File Systems", but has no tools to set it up nor can they be created during install. SUSE has supported encrypted partitions out-of-the-box and in the installer for several years.

Anonymous said...

DES is not a US government recommendation any more: it was replaced with a recommendation for AES, which is now the US standard.

You need not trust the US government to consider the use of AES, as AES is just the Rijndael block cipher and was developed by Belgian crypographers.