Filevault 2 encryption - not very good.




Tonsko
Jul 11, 2012, 03:22 PM
Just a heads up.

So, 3 forensic guys have found that FV2 doesn't do encryption 'properly'. By that, they mean that it is possible to read an encrypted volume knowing only the user password (it is possible to derive the master key of the encryption from the password). They have developed a set of libraries that can mount and read a FV2 encrypted disk without having physical access to the machine in question, even without running OSX.

From the conclusion: "Our work allows any forensic investigator to use arbitrary tools to decrypt any data from a FileVault 2 encrypted volume, when the user password or a recovery token of the system are known. Furthermore, we have implemented an open source library and tooling to analyze and mount volumes encrypted with FileVault 2.
We have also made an informal security analysis of the system and found, among others, that the entropy of the recovery password can be improved and that part of the user data is available in the clear."

http://eprint.iacr.org/2012/374.pdf

While this means that the average user has nothing to worry about (unless you're relying on it for privacy), it shouldn't really be used for company machines where IP is potentially held, as FV2 isn't an adequate protection.

Thought some people might be interested.



Mal
Jul 11, 2012, 03:35 PM
If you know the password, you can just boot the computer and access all the data. Doesn't seem like a security flaw to me.

jW

Bear
Jul 11, 2012, 04:59 PM
If you know the password, you can just boot the computer and access all the data. Doesn't seem like a security flaw to me.

jW

This. Having the password or the recovery token are the keys to the drive.

After all how do you unlock the drive to use in the first place? With your password.


...
While this means that the average user has nothing to worry about (unless you're relying on it for privacy), it shouldn't really be used for company machines where IP is potentially held, as FV2 isn't an adequate protection.

Thought some people might be interested.

If the password is known, nothing is adequate protection. Those forensic guys are blowing a lot of smoke. Nothing to see here.

Tonsko
Jul 11, 2012, 05:20 PM
Jeez, d'ya thunk?

I think the point, clever clogs, was that they could extract the password from the disk itself. They didn't have to know the password before they started.

Mal
Jul 11, 2012, 07:31 PM
Jeez, d'ya thunk?

I think the point, clever clogs, was that they could extract the password from the disk itself. They didn't have to know the password before they started.

No, they didn't have to have the recovery key. They had to have the user password before they started anything. At that point, it doesn't matter what you've done, there's no security. But they didn't get that password from the disk, or by any security flaw. They knew that password, and used it to access the recovery key for the drive. This is a complete non-issue.

jW

Tonsko
Jul 12, 2012, 01:16 AM
That's fair enough mate. You've clearly read down to line ~20 or whatever, and thought, "they're talking balls." and closed it in disgust.

I mean, Apple must have thought they were talking balls, otherwise they wouldn't have released 2 FV2 patches as a result of this paper revealing flaws in its operation.

But that's ok, I'm not going to force it down ya. I just posted it, thinking it might be of interest to someone who uses FV2, assuming that their data is protected as much as it might be if you were using PGP, or Checkpoint FDE. And now I've got into a typical internet slanging match. Awesome. I love it, me. Makes you wonder why you ****ing bother, really. Turnip.

Mal
Jul 12, 2012, 08:36 AM
No, I read the whole thing. Thanks for assuming I'm an idiot. From the conclusion of the article:

Our work allows any forensic investigator to use arbitrary tools to decrypt any data from a FileVault 2 encrypted volume, when the user password or a recovery token of the system are known.

Next time, get over yourself.

jW

Tonsko
Jul 12, 2012, 10:54 AM
That's not the only discussion in the paper though, is it? It discusses numerous other weaknesses in the encryption, from the way it's implemented, to storing the salt in a trivially encrypted file.

Filevault 2 is not very good.

Mal
Jul 12, 2012, 11:07 AM
Their assessment wasn't nearly as derogatory as your posts are implying. Their basic conclusion was that if the user sets a trivially easy password, then it could be brute-forced, but as long as the password is non-trivial, it was still sufficient to keep the data from being accessed for approximately 34 years, if I remember their example correctly. So yes, perhaps it's not as robust as PGP or the other options, but it's certainly more than enough for anything less than CIA purposes.

jW

Tonsko
Jul 12, 2012, 11:21 AM
Weeeelll. 34 years max. But if you take a 6 char password (which we know from various password dumps of eharmony, linkedin and a few other breaches that have occurred recently, 6 character passwords are pretty much in the middle of the SD curve), time to crack: 5.6 hours.

Personally, I think they've made some design decisions that have compromised the confidence that people can have in this solution, and companies should certainly not be using it to protect machines that have IP on them. The average user, well I think that was covered in the OP.

charlieroberts
Jul 12, 2012, 11:37 AM
It may be an issue, since when you "erase" a file vault volume, the only thing OSX does is delete the key from the system, so that it is no longer accessible.
If you can access an encrypted volume without having this key, then you can recover information from a "deleted" file vault?

It is also possible that I have no idea what I'm talking about.
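
Added example, not part of the thread and not FileVault 2's actual on-disk format: a generic password-wrapped volume key, showing why a known password unlocks the data on any machine and why destroying the stored wrapped key leaves the data unreadable even with the password. The iteration count, header layout, function names and the HMAC-based cipher (a standard-library stand-in for AES) are all assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000  # assumed work factor for this demo

def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    # HMAC-SHA256 in counter mode as a keystream (stdlib stand-in for AES).
    stream = b""
    for counter in range(len(data) // 32 + 1):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, plaintext):
    """Encrypt-then-MAC under independent subkeys; returns nonce + ct + tag."""
    nonce = os.urandom(16)
    ct = _xor_stream(_subkey(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("wrong key or damaged data")
    return _xor_stream(_subkey(key, b"enc"), nonce, ct)

def _kek(password, salt):
    # Key-encryption key stretched from the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def format_volume(password, data):
    """Random volume key encrypts the data; only a wrapped copy is stored."""
    salt, volume_key = os.urandom(16), os.urandom(32)
    header = {"salt": salt, "wrapped_key": seal(_kek(password, salt), volume_key)}
    return header, seal(volume_key, data)

def unlock(header, body, password):
    """Needs only header + body + password, not the original machine."""
    volume_key = unseal(_kek(password, header["salt"]), header["wrapped_key"])
    return unseal(volume_key, body)

def crypto_erase(header):
    """Destroy the wrapped key; the body stays on disk but is unreadable."""
    header["wrapped_key"] = os.urandom(len(header["wrapped_key"]))
```

In this model the password only ever unwraps the stored key, so the strength of the whole volume against offline guessing is the strength of the password times the work factor.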

iVoid
Jul 12, 2012, 11:54 AM
Weeeelll. 34 years max. But if you take a 6 char password (which we know from various password dumps of eharmony, linkedin and a few other breaches that have occurred recently, 6 character passwords are pretty much in the middle of the SD curve), time to crack: 5.6 hours.


Well, if someone has a 6 letter password protecting a filevault2 volume, then they shouldn't expect it to be secure.

To be secure, you need much longer passwords, especially if you're using it to protect encrypted data that you want to keep encrypted.

Alameda
Jul 13, 2012, 09:04 AM
So, 3 forensic guys have found that FV2 doesn't do encryption 'properly'.

They have developed a set of libraries that can mount and read a FV2 encrypted disk without having physical access to the machine in question, even without running OSX.

We have also made an informal security analysis of the system and found, among others, that the entropy of the recovery password can be improved and that part of the user data is available in the clear."

While this means that the average user has nothing to worry about (unless you're relying on it for privacy), it shouldn't really be used for company machines where IP is potentially held, as FV2 isn't an adequate protection.

Your sensationalist summary of their work is completely wrong.

Their first goal was to produce software that will let you read a FileVault 2 drive if you remove it from the computer, and you have the password. They did that, which is a terrific and useful accomplishment. But there's no security risk in the fact that you can now read a FV2 drive in another computer, if you have the password.

Their other findings were not significant. They found some unencrypted data that was probably left over from the previous disk format. They told Apple about this, and Apple released a patch to correct it.

What it boils down to is that they found no significant problem with FV2. If anything, their work will instill more confidence in FV2 among security experts.

Bear
Jul 13, 2012, 09:39 AM
Your sensationalist summary of their work is completely wrong.
...
What it boils down to is that they found no significant problem with FV2. If anything, their work will instill more confidence in FV2 among security experts.

This just about sums it up. FV2 is about as secure as any other full disk encryption option.

And it's a whole lot better than not using it.

Alameda
Jul 13, 2012, 11:56 AM
This just about sums it up. FV2 is about as secure as any other full disk encryption option.

And it's a whole lot better than not using it.

Yes, they analyzed the daylights out of it and they could not describe a way to defeat it. They did not claim that they defeated it, either.

I believe that any knowledgeable people who read this paper will come away with higher confidence in FileVault 2.

Tonsko
Jul 13, 2012, 10:12 PM
Disagree. To me, that paper suggests that FV2 would match other FDE software is wrong because of choices made in the cryptographic process. Perhaps I was a little gung-ho, but that doesn't change the fact that for governmental/company use, the software is not suitable. Which is why I posted it originally.

Puevlo
Jul 14, 2012, 09:08 AM
Disagree. To me, that paper suggests that FV2 would match other FDE software is wrong because of choices made in the cryptographic process. Perhaps I was a little gung-ho, but that doesn't change the fact that for governmental/company use, the software is not suitable. Which is why I posted it originally.

Apple never claimed it was.

Alameda
Jul 14, 2012, 10:02 AM
Perhaps I was a little gung-ho, but that doesn't change the fact that for governmental/company use, the software is not suitable.

What aspect of the report leads you to that conclusion? What is the flaw? I don't see it.

Tonsko
Aug 8, 2012, 10:52 AM
Here's another issue with it, particularly after poor old Mat Honan's digital life-trashing.

http://mjtsai.com/blog/2012/08/07/filevault-2s-apple-id-backdoor/

I, like a number of other security-minded Mac users, turned on FileVault 2 before my new MacBook Air was even out of the box. Whole-drive encryption? Damn skippy! Turns out however that, as of Mountain Lion, FileVault 2 has a 50/50 chance of being completely broken on your system. There’s a backdoor that appears to have been accidentally built in by Apple, and it can be used by an attacker to gain root access on your system.

Mac OS X v10.7 Lion and later include a feature intended to help users with oddly spotty memory. If you’ve forgotten your login password, but remember your Apple ID password, you can reset your login password based off that. (If alarm bells are going off in your head right now, they might be because of Mat Honan’s recent bad luck involving his iCloud account, which doubles as an Apple ID.)

This is not a criticism, just letting folk know about it so that they can work around it.

miles01110
Aug 8, 2012, 10:56 AM
Just one more example of a non-technical person getting into a technical argument. Ho hum.

Alameda
Aug 13, 2012, 08:09 AM
Here's another issue with it, particularly after poor old Mat Honan's digital life-trashing.

This is not a criticism, just letting folk know about it so that they can work around it.

Again, not a security issue. When you encrypt a drive with FV2, you are given the option to let Apple store a recovery key on their servers. This is strictly optional, and under your full control.

maflynn
Aug 13, 2012, 08:12 AM
Just about every security method has this flaw - know the log in credentials and you're in.

The only way to tighten this up is to use a secure-id card.

belvdr
Aug 14, 2012, 12:33 PM
Just about every security method has this flaw - know the log in credentials and you're in.

I can hear the tech call now:

"We found a flaw in your authentication mechanism. When supplied with the correct credentials, it authenticates us."

Alameda
Aug 15, 2012, 12:54 PM
FWIW, I've been running FileVault 2 on my MacBook Air without any difficulty. It was simple to do, and the result is completely transparent to me.

maflynn
Aug 15, 2012, 12:56 PM
FWIW, I've been running FileVault 2 on my MacBook Air without any difficulty. It was simple to do, and the result is completely transparent to me.

Apple has really improved FV from 1 to 2. So much so, I opted to enable it. I was no fan of the earlier version of FileVault but Apple has done a great job with this.