Educause Security Discussion mailing list archives
Re: Product request - Enterprise whole disk encryption for laptops
From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Sat, 15 Jul 2006 17:09:19 -0400
On Sat, 15 Jul 2006 13:09:16 CDT, Roger Safian said:
> I always considered encryption an exercise in risk management. The risk I am trying to prevent is that the theft of a computer will expose the data to the casual criminal.
If you're lucky, the laptop gets stolen by somebody trying to support their crack habit. If you're unlucky, it's somebody trying to support their crystal meth habit: http://www.nytimes.com/2006/07/11/us/11meth.html?_r=1&oref=slogin
> assume that someone serious about cracking the encrypted files will simply resort to other, and much more effective methods of ascertaining the correct passphrase. So my
There's other means, and there's other means. You can probably not worry about rubber-hose crypto (Thanks, Marcus ;) because that requires access to the liveware that has the key - probably not an issue with a stolen laptop. One problem that you'll have to deal with is that if our hypothetical crystal meth user has enough neurons left to turn the stolen laptop on to see what value he can get from the hard drive, and he encounters crypto, that's a BIG RED FLAG to him that he's found SOOPER SEEKRIT stuff that might be of value. So unless every crook and thief for 5 counties around just *knows* that "Every laptop with a 'property of Miskatonic U' sticker on it is crypted, don't bother trying", the presence of crypto is a sign of something important.
> question is this, just how long could I expect a passphrase, of at least 16 characters, composed of ONLY alpha-numeric characters, to withstand the attack?
http://www.eff.org/Privacy/Crypto/Crypto_misc/DESCracker/
Using a set of 100,000 PCs, distributed.net broke a DES key in some 22 hours. That key had (presumably) 56 bits of entropy.
UPPER-lower 0-9 is a total of 62 possibilities, call that 64 and we have a *potential* 6 bits of entropy per character. English text/words has about 2.2 (for short phrases, probably closer to 3). So 16 characters will vary from 48 bits to 96 bits of entropy, depending how random they are. 'SleepyFuzzyABC12' probably only has 48 or so, 'WM6PoJF7fzVWXcO5' closer to 96.
48 bits of entropy will break 2**(56-48) or 256 times faster than the distributed.net challenge - so rent a botnet of 100K PCs for 10 minutes, or a net of 500 bots for a day, and you have the key.
96 bits of entropy will break 2**(96-56) or 1,099,511,627,776 times slower than the DES key - or Not A Worry at current technology. Whether your users will let you force them to use that sort of password is another question :)
As I said, it's all about the strength of the passphrase.
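
The scaling argument in the message above, as an added example that is not part of the original post: it takes the baseline the post states (56 bits, about 22 hours, 100,000 PCs) and scales it to a passphrase's estimated entropy. The function names are hypothetical, and the sketch assumes effort scales linearly with machine count and that each guess costs the same as one DES trial.

```python
"""Scale the DES-challenge baseline quoted in the post to a passphrase's entropy."""

# Baseline figures as stated in the post: 56 bits in about 22 hours on 100,000 PCs.
BASELINE_BITS = 56
BASELINE_HOURS = 22.0
BASELINE_MACHINES = 100_000


def passphrase_bits(length: int, bits_per_char: float) -> float:
    """Estimated entropy: characters times entropy per character."""
    if length < 0 or bits_per_char < 0:
        raise ValueError("length and bits_per_char must be non-negative")
    return length * bits_per_char


def relative_work(bits: float) -> float:
    """Search effort relative to the 56-bit baseline (2**(bits - 56))."""
    return 2.0 ** (bits - BASELINE_BITS)


def hours_to_search(bits: float, machines: int = BASELINE_MACHINES) -> float:
    """Hours to cover the keyspace, assuming effort scales linearly with machines
    and each guess costs the same as one DES trial (assumptions of this sketch)."""
    if machines <= 0:
        raise ValueError("machines must be positive")
    return BASELINE_HOURS * relative_work(bits) * (BASELINE_MACHINES / machines)


def describe(hours: float) -> str:
    """Render a duration in the largest sensible unit."""
    if hours < 1:
        return f"{hours * 60:.1f} minutes"
    if hours < 24 * 365:
        return f"{hours:.1f} hours" if hours < 48 else f"{hours / 24:.1f} days"
    return f"{hours / (24 * 365):.3g} years"


if __name__ == "__main__":
    # The post's two cases: word-like (about 3 bits/char) and random (6 bits/char).
    for label, bpc in (("word-like, 3 bits/char", 3.0), ("random, 6 bits/char", 6.0)):
        bits = passphrase_bits(16, bpc)
        for machines in (100_000, 500):
            t = describe(hours_to_search(bits, machines))
            print(f"{label}: {bits:.0f} bits, {machines} machines -> {t}")
```

A disk-encryption product that stretches the passphrase with a slow key-derivation function raises the per-guess cost, so these figures are a floor for such products rather than an estimate.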