#1
TrueCrypt developers and other encryption experts argue that you can't really trust a system once an attacker has had physical access to the machine. That basically means that if I ever leave my desktop at home I can no longer trust it. For example, when I come home from work someone could have installed an evil maid attack, making my fully encrypted system vulnerable. An adversary could also modify the BIOS to log all my keypresses. This brings me to a general question:
What is a good strategy to employ, and maintain trust in, an encrypted desktop in a public place? Is it possible?
#2
You can install the boot loader to an external device and keep it with you. As far as the BIOS... no idea. Physical security of your home in the form of cameras is another avenue, as are dogs, etc. Unless you only have one machine, and that's all you can afford, get a laptop for anything 'sensitive' and always keep it with you. Let 'them' look all they want at your YouTube history and 'ilovecatsforum.com' logons. That threat model is pretty severe... but it does exist, depending on where you live and what you do.
PD
#3
No software can provide solid protection from a physical attack. TC (or any other piece of encryption protection) cannot guard against a physical keylogger getting attached to a desktop.
TC guards against them grabbing that desktop and trying to examine it without any further input from you. For that, it's great. If an examiner ever held a machine and gave it back, I would never trust it again. Sell it and go get a different one.
#4
#5
If that threat model is applicable to you, you may want to go with Linux running an encrypted LVM with /boot on an external device. Then implement some of int0x80's anti-forensics Bash scripts from GitHub:
https://github.com/int0x80/anti-forensics
https://www.youtube.com/watch?gl=US&v=-HK1JHR7LIM
You can still use hidden TC volumes. The only downside is that Linux advertises encryption with the LUKS header. mirimir, thanks for the link!
PD
Last edited by PaulyDefran : April 20th, 2012 at 09:29 AM.
#6
The purpose of full disk encryption is to protect data at rest; it is not a 'be all, end all' method, more of another layer in your overall security framework. With encryption you have reasonable assurance (depending on how it was implemented) that in the event of theft of or damage to the equipment, the sensitive information on those devices will be safe. You will have to invest in physical layers as well.

You also have to apply reason. For a non-governmental/corporate entity such as a personal homeowner, much of physical security is just common sense (rooms locked when unoccupied, alarm system, 2-factor equipment kept separated, etc.), but yes, there is always a risk of lock-picking and other forms of covert entry. This is where you will have to define your scope of who you are trying to protect yourself from. Do you guard against:
- The junkie looking for an easy mark to steal electronics and sell for his next fix?
- The teenage neighbor practicing his wireless cracking techniques on your networks and systems?
- The governmental raid on your place of residence for your violation of country's law XYZ?
- Or the ongoing monitoring of you by hostile government intelligence agencies?

I'll leave it up to you, the reader, to define your own risk matrix of what the likelihood of these scenarios occurring is. I would estimate most if not all members of this board are going to mainly be protecting the PII on their hard drives from the top 2 mentioned. In that case encryption will protect your devices. The only difference is the case of wireless cracking, which is a whole other topic, but I threw it in here for completeness.

Now let us go to the real extreme: JohnMatrix, you are a foreign diplomat, a businessman overseas on business for a well-known technological or military contracting company, perhaps a well-known criminal mastermind, etc. You may find yourself trying to protect against the last scenario mentioned. This is when all the fancy toys will be used against you, and yes, in this case TC is correct: if you leave your device alone in a hotel room or in a public place you should consider it compromised. The same if you use it over untrusted networks. Though there are some steps you can try to help mitigate software attacks against FDE, such as keeping a clean copy of your BIOS and boot records on a separate medium and flashing them both before attaching and booting up a sensitive hard drive (complex, and with risk factors of their own). Keyboard scramblers are also an avenue to explore. Hardware attacks will be harder to detect; you would perhaps have to deploy tamper-proof seals around your device, though I wouldn't trust any device after it was taken away by an adversary and returned.

In conclusion, encryption will protect you against most of your potential adversaries when your desktop is powered down. In an extreme case, no, it would not, though that is when you must deploy other security layers and controls, such as physical security, to mitigate those risks. Hope this helps. Remember, in this world there is no absolute security; there will always be risk.
__________________
http://tools.ietf.org/html/rfc3514
#7
TPM is really the only way. While not foolproof, it would stop Evil Maid and other such bootloader attacks. Of course, TPM chips themselves are likely "hackable", but it would be much, much harder to pull off.
#8
Thanks for all the suggestions. I think it will be viable to create a program that runs at boot and checks the boot sector contents and BIOS checksums to see if anything has been modified. While an attacker would still be able to do some nasty stuff, you would always know if that happens.
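The boot-sector and boot-file check proposed in post #8, combined with post #6's idea of keeping a clean reference copy on a separate medium, as an added example (this is not code from the thread or from any project). It assumes a Linux layout like the one in post #5, with /boot on an external device that also carries the checker and its baseline; the device path, boot directory and baseline location are placeholders, and the disk image and boot tree in `demo()` are constructed test data.

```python
"""Boot-path integrity baseline and check (added example).

Hash the leading bytes of the disk (MBR plus the gap where GRUB keeps its
core image) and every file under the boot directory, store the digests as a
baseline on media you carry, and compare on every boot.  On a real system
run it as root with placeholders such as /dev/sda and /boot replaced by
the actual device and external boot directory.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path

# 1 MiB covers the MBR and the post-MBR gap used by the boot loader;
# 512 would cover the MBR alone.
FIRST_BYTES = 1 << 20


def hash_leading_bytes(device: str, nbytes: int = FIRST_BYTES) -> str:
    """SHA-256 of the first nbytes of a block device or disk image."""
    with open(device, "rb") as fh:
        return hashlib.sha256(fh.read(nbytes)).hexdigest()


def hash_tree(root: str) -> dict:
    """SHA-256 of every regular file below root, keyed by relative path."""
    root_path = Path(root)
    digests = {}
    for path in sorted(p for p in root_path.rglob("*") if p.is_file()):
        h = hashlib.sha256()
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 20), b""):
                h.update(chunk)
        digests[path.relative_to(root_path).as_posix()] = h.hexdigest()
    return digests


def build_baseline(device: str, boot_dir: str, nbytes: int = FIRST_BYTES) -> dict:
    return {"boot_sector": hash_leading_bytes(device, nbytes),
            "boot_files": hash_tree(boot_dir)}


def save_baseline(baseline: dict, path: str) -> None:
    with open(path, "w") as fh:
        json.dump(baseline, fh, indent=2, sort_keys=True)


def load_baseline(path: str) -> dict:
    with open(path) as fh:
        return json.load(fh)


def verify(baseline: dict, device: str, boot_dir: str, nbytes: int = FIRST_BYTES) -> list:
    """Return a sorted list of findings; an empty list means everything matched."""
    findings = []
    if hash_leading_bytes(device, nbytes) != baseline["boot_sector"]:
        findings.append("boot sector/loader area modified")
    current = hash_tree(boot_dir)
    for name, digest in baseline["boot_files"].items():
        if name not in current:
            findings.append(f"missing: {name}")
        elif current[name] != digest:
            findings.append(f"modified: {name}")
    for name in current:
        if name not in baseline["boot_files"]:
            findings.append(f"unexpected new file: {name}")
    return sorted(findings)


def demo() -> tuple:
    """Constructed scenario: a fake 2 MiB disk image and a tiny boot tree.
    Returns (findings before tampering, findings after tampering)."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "disk.img")
        boot = os.path.join(tmp, "boot")
        os.makedirs(os.path.join(boot, "grub"))
        with open(image, "wb") as fh:
            fh.write(bytes(range(256)) * (2 * 1024 * 4))  # 2 MiB of filler
        Path(boot, "vmlinuz").write_bytes(b"constructed kernel image")
        Path(boot, "grub", "grub.cfg").write_text("set default=0\n")
        baseline_path = os.path.join(tmp, "baseline.json")
        save_baseline(build_baseline(image, boot), baseline_path)
        clean = verify(load_baseline(baseline_path), image, boot)

        # Simulate a boot-path change: patch one byte inside the MBR and
        # drop an extra module into the boot tree.
        with open(image, "r+b") as fh:
            fh.seek(440)
            fh.write(b"\xff")
        Path(boot, "grub", "extra.mod").write_bytes(b"not in baseline")
        tampered = verify(load_baseline(baseline_path), image, boot)
    return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("clean run:", before or "no findings")
    print("after tampering:", after)
```

The baseline is written once from a state you trust (for example right after installing the loader from known-good media) and read back only from the external device; the check is only as good as the code and firmware executing it, which is the residual risk post #8 concedes and post #6's BIOS reflash and tamper seals are meant to narrow.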
#9
You might find this thread interesting:
http://www.wilderssecurity.com/showthread.php?t=322041 (start at post #28 and read up to post #39).
__________________
My setup
#10