D&C GLug - Home Page

[ Date Index ] [ Thread Index ] [ <= Previous by date / thread ] [ Next by date / thread => ]

Re: [LUG] Hardware Encrypted SD


With regards to key disclosure, and this is the wrong side of a research project from being reality, but if the means to decrypt data doesn't lie in a simple key, what then?

For example, if you have a simple 80s style game (say a Tetris-alike) and the nuances of you play allow a modelled dynamical system to settle on some pattern that is used to construct a key, or there is a simple 90s style adventure game where you have to follow through a certain procedure in gameplay to unlock something (so that the actions each trigger certain unlock steps whose parameters are derived from your gameplay).

Basically, the simple

cleartext = f(g(cleartext))


cyphertext = g(cleartext)

model isn't the only way to do serious encryption, though it's the only model used for the most part. There are two basic problems with encryption: one is rearranging the data, the other is knowing you've got the right answer. Remove the one-way-to-rearrange and one-correct-answer criteria somehow and things can become a nightmare for an attacker.

(For something to consider, look at the effect that the less-well-defined measure of success in Go compares to the certainty of checkmate in chess when it comes to developing computer players.)


On 29/11/2013 19:47, bad apple wrote:
On 29/11/13 19:32, Daniel Robinson wrote:
The aim is to only leek data by having a gun held to my head. What is the
best method of nailing all data to a disk and only leeking under duress

I like your thinking - but ultimately, it's not the dreaded rubber hose
you need to worry about, it's this:


Refusal leads to a maximum sentence of 2 years, rising to 5 if the
"terrorists" keyword is used. 3 people (that we know of) have been
prosecuted and sentenced for refusing to disclose since this extremely
dubious part of the RIPA was written in.

The answer, specifically in the case of a Pi running as a mailserver
under Linux, is LUKS. As I said before, cursory research implies that it
is possible to encrypt the SD boot volume on the Pi but not owning one,
I can't test this.

Just remember that full disk encryption will only protect your data at
rest: when the system is up and running, the volumes are unlocked and
mounted as normal so you're just as vulnerable to good old fashioned
remote and local exploits as usual.

Let us know how you get on.


The Mailing List for the Devon & Cornwall LUG
FAQ: http://www.dcglug.org.uk/listfaq