Security Basics mailing list archives
Re: Good design for a Algorithmically Derived Passphrase for FDE (?!)
From: ManInWhite <maninwhite () tpg com au>
Date: Tue, 20 Nov 2007 18:38:56 +1030
Hmmm, interesting idea, but management stated that they did not want us to maintain a database of passwords/passphrases for each unit, hence the "algorithmically derived password". It is meant to be as difficult as possible for a user to change (and forget) their passphrase. If the user loses their unit's password, there is a social and management structure for retrieving it, where it can be re-derived and presented.

Most of the laptops rarely ever connect to the network, so any kind of centralised key distribution would be difficult or impossible.

Oh, I also have been given no money for commercial software for this project, so SafeBoot or any other commercial software is right out. Vista is also not an option. (It has been banned organisation-wide, and so I am not using BitLocker.) We were quoted by a few external groups for an FDE solution, and management passed, wanting a free software solution.

I have developed a TrueCrypt/TCGina solution that encrypts all user profile and data partitions, and forces the user to authenticate before Windows authentication. Yes, this means the boot partition is not encrypted. (The user is prevented from writing to the boot partition, so no private data is ever stored on it.)

Anyway, my point is not to look into alternative software options. The underlying security of the TrueCrypt/TCGina solution is sound, open source and gratis. Can't really budge from this.

What about the security of the algorithmically derived passphrase? Remember, the list of code words and the 'hashing' function never touch the laptop. They are calculated on a stand-alone workstation, and the derived phrase is entered into the laptop.

Does anybody have any suggestions on the security of passphrases (dictionary size, phrase length, etc.)?

MiW

Geoffrey Gowey wrote:
If this is for the benefit of the end user, then why not use some off-the-wall personal information from them? I have yet to hear of anyone mentioning using things like shoe size, their height, weight, and date of hire for portions of a password.

Geoff

On 11/19/07, Ali, Saqib <docbook.xml () gmail com> wrote:

On Nov 17, 2007 8:51 PM, ManInWhite <maninwhite () tpg com au> wrote:

It has been suggested that we use an algorithmically derived passphrase based on some unique hardware number. [ HDD Serial# / Laptop Serial# ]

So when the laptop is stolen, the thief will also have all these serial numbers, and if they get hold of the algorithm, they can reconstruct the passphrase for any laptop. This kind of scheme may work for equipment that doesn't leave the facility, e.g. servers in a datacenter. But definitely don't use this for laptops.

I suspect you are trying to use BitLocker, which lacks centralized key management. I would suggest you take a look at some other holistic solutions for encrypting your laptops.

Saqib
http://www.full-disk-encryption.net/
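The class of scheme debated in this thread, written out as an added example (this is not code from any of the posters, and the thread never specifies the actual algorithm): a keyed HMAC over the laptop's hardware serials, with the secret key and the word list held only on the stand-alone derivation workstation, mapped onto a word list, together with the entropy arithmetic for the dictionary size and phrase length MiW asks about. The key, serials and the 16-word dictionary are constructed sample values; a real word list would be thousands of words.

```python
"""Keyed derivation of an FDE passphrase from hardware serial numbers.

Added example for the thread's design question; not code from the posters.
Assumption: the derivation is keyed (HMAC-SHA256) and the key and word list
live only on the derivation workstation, never on the laptop.
"""
import hashlib
import hmac
import math

# Constructed sample dictionary: 16 words, i.e. 4 bits per word.
SAMPLE_WORDS = [
    "anchor", "basalt", "cobalt", "dagger", "ember", "falcon", "glacier", "harbor",
    "indigo", "juniper", "kestrel", "lantern", "marble", "nickel", "orchid", "pebble",
]


def derive_passphrase(secret_key: bytes, serials: list, words: list, n_words: int) -> str:
    """Deterministically derive an n_words passphrase from the serials.

    A thief holds the serials (and possibly the algorithm); without secret_key
    the output cannot be reconstructed, which an unkeyed hash of the serial
    alone does not give you.
    """
    if len(words) < 2 or n_words < 1:
        raise ValueError("need at least two words and one output word")
    # Canonical encoding: fixed order, each serial length-prefixed, so that
    # ["AB", "C"] and ["A", "BC"] cannot collide.
    msg = b"".join(len(s).to_bytes(2, "big") + s.encode("utf-8") for s in serials)
    chosen = []
    counter = 0
    # Largest multiple of len(words) below 2**16, for rejection sampling.
    limit = (2**16 // len(words)) * len(words)
    while len(chosen) < n_words:
        # Counter-mode expansion: one digest per 16 two-byte samples.
        block = hmac.new(secret_key, msg + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
        for i in range(0, len(block), 2):
            v = int.from_bytes(block[i:i + 2], "big")
            if v >= limit:
                continue  # reject to avoid modulo bias on non-power-of-two lists
            chosen.append(words[v % len(words)])
            if len(chosen) == n_words:
                break
    return " ".join(chosen)


def phrase_entropy_bits(dictionary_size: int, n_words: int) -> float:
    """Bits of entropy in an n_words phrase drawn uniformly from the dictionary.

    This is the guessing cost for an attacker who knows the word list but not
    the key. An attacker holding the key and the serials needs no guessing.
    """
    return n_words * math.log2(dictionary_size)


def words_needed(dictionary_size: int, target_bits: float) -> int:
    """Smallest phrase length that reaches target_bits for this dictionary."""
    return math.ceil(target_bits / math.log2(dictionary_size))


if __name__ == "__main__":
    key = b"\x13" * 32  # constructed sample key; generate a real one with os.urandom(32)
    serials = ["WD-WXL1A23456789", "LT-SN-000042"]  # constructed sample serials
    print(derive_passphrase(key, serials, SAMPLE_WORDS, 6))
    for size, n in [(16, 6), (7776, 6), (7776, 10)]:
        print(f"{n} words from {size}: {phrase_entropy_bits(size, n):.1f} bits")
    print("words from a 7776-word list for 128 bits:", words_needed(7776, 128))
```

Two properties fall out of this that the thread's two positions each rely on: if the derivation is unkeyed, Saqib's objection applies in full, since serials plus algorithm reproduce every phrase; if it is keyed, the phrase length and dictionary size only matter against an attacker who lacks the key, and the scheme's real secret is that one key on the workstation.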
Current thread:
- Good design for a Algorithmically Derived Passphrase for FDE (?!) ManInWhite (Nov 19)
- Re: Good design for a Algorithmically Derived Passphrase for FDE (?!) Ansgar -59cobalt- Wiechers (Nov 19)
- Re: Good design for a Algorithmically Derived Passphrase for FDE (?!) ManInWhite (Nov 19)
- RE: Good design for a Algorithmically Derived Passphrase for FDE (?!) Arbogast, Paul (Citco) (Nov 20)
- Re: Good design for a Algorithmically Derived Passphrase for FDE (?!) Ansgar -59cobalt- Wiechers (Nov 20)
- RE: Good design for a Algorithmically Derived Passphrase for FDE (?!) David Gillett (Nov 20)
- RE: Good design for a Algorithmically Derived Passphrase for FDE (?!) Pranav Lal (Nov 21)
- Re: Good design for a Algorithmically Derived Passphrase for FDE (?!) ManInWhite (Nov 19)
- Re: Good design for a Algorithmically Derived Passphrase for FDE (?!) Ansgar -59cobalt- Wiechers (Nov 19)
- Re: Good design for a Algorithmically Derived Passphrase for FDE (?!) Ali, Saqib (Nov 19)
- Re: Good design for a Algorithmically Derived Passphrase for FDE (?!) Geoffrey Gowey (Nov 19)
- Re: Good design for a Algorithmically Derived Passphrase for FDE (?!) ManInWhite (Nov 20)
- RE: Good design for a Algorithmically Derived Passphrase for FDE (?!) Eric White (Nov 20)
- Re: Good design for a Algorithmically Derived Passphrase for FDE (?!) Geoffrey Gowey (Nov 19)
- Re: Good design for a Algorithmically Derived Passphrase for FDE (?!) Muhammad Farooq-i-Azam (Nov 20)