  Encrypted storage (Message 20 to 29 of 39)  
From: Jim Henderson
Subject: Re: Encrypted storage
Date: 18 Aug 2011 19:40:13
Message: <4e4da2dd$1@news.povray.org>
On Thu, 18 Aug 2011 16:24:16 -0700, Darren New wrote:

> On 8/18/2011 14:49, Jim Henderson wrote:
>> What I wish they had for the Linux version was the option for a hidden
>> OS like they do with Windows.
> 
> What does that even mean? That you can boot off the TrueCrypt partition?

Yep.  They've got a special bootloader that's installed (can be made to 
present something that looks like there's nothing installed, but you type 
your password in), and then it boots the hidden OS.  You can combine that 
with a non-hidden OS (though hidden partitions with regular encrypted 
partitions can be dangerous - unless you mount the outer volume so it 
protects the inner volume, you risk overwriting data in the inner volume) 
so the sensitive data is completely hidden from view.

It's an interesting concept.

Jim



From: Invisible
Subject: Re: Encrypted storage
Date: 19 Aug 2011 04:00:56
Message: <4e4e1838@news.povray.org>
On 18/08/2011 07:39 PM, Darren New wrote:
> On 8/18/2011 10:57, Orchid XP v8 wrote:
>> Maybe if you sent certain requests, the timing of the response varies in a
>> way that tells you something about the encryption key or the password hash
>> or the PRNG state. Maybe you can measure power consumption and find out
>> useful info. Heck, maybe the temperature varies, or it leaks RF signals.
>
> If it doesn't even respond to USB signals until you've unlocked it, it
> would seem to pretty much eliminate side-channel attacks.

Oh, well, if you're talking about the one with the combination lock 
(which *isn't* FIPS certified) then yeah. The most you could worry about 
is RF leakage, or maybe heat. (But you would need some damned sensitive 
thermometers to measure that.) I would imagine RF output is both very 
easy to check for and shield against.

I was thinking more about the ones where you insert the USB drive and it 
asks for a password before it will let you see the encrypted partition.

>> To me, that seems like a very strange way to implement. However, there's no
>> particular reason why you can't use the SHA-1 hash of the password to
>> AES-encrypt the main AES encryption key. And then changing the password is
>> /still/ instant, without having to re-encrypt any data.
>
> Well, yes, that's true. In any case, by the time you've taken that
> apart, you can probably brute-force the thing pretty easily. You don't
> have to brute-force the entire 160 bit SHA-1 key if you can brute-force
> the possible hashes of 5^10 (9 million) possible combinations.

Oh, sure, the password or PIN or whatever is *clearly* the weakest point 
in the system. (Assuming the RNG isn't broken...)



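The key-wrapping arrangement discussed in the message above, as an added example that is not part of any post in the thread: a random master key protects the data, and only a small header wrapping that key depends on the password, so a password change rewrites the header alone. Assumptions: PBKDF2-HMAC-SHA256 replaces the plain SHA-1 hash, an XOR mask plus HMAC tag from the standard library stands in for AES key wrapping, and all function names and the 0.1 s guess cost are hypothetical.

```python
import hashlib, hmac, secrets

ITERATIONS = 200_000  # assumption: work factor, tune to the device

def _derive(password, salt, iterations):
    # 64 bytes: first 32 mask the master key, last 32 key the integrity tag
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=64)

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def wrap_master_key(master_key, password, iterations=ITERATIONS):
    """Protect the 32-byte data key under a password; returns the stored header."""
    salt = secrets.token_bytes(16)          # fresh salt, so the mask is never reused
    okm = _derive(password, salt, iterations)
    masked = _xor(master_key, okm[:32])
    tag = hmac.new(okm[32:], salt + masked, hashlib.sha256).digest()
    return {"salt": salt, "iterations": iterations, "masked": masked, "tag": tag}

def unwrap_master_key(header, password):
    okm = _derive(password, header["salt"], header["iterations"])
    expected = hmac.new(okm[32:], header["salt"] + header["masked"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, header["tag"]):
        raise ValueError("wrong password or corrupted header")
    return _xor(header["masked"], okm[:32])

def change_password(header, old_password, new_password):
    # Only the small header is rewritten; data encrypted under the master key is untouched.
    master_key = unwrap_master_key(header, old_password)
    return wrap_master_key(master_key, new_password, header["iterations"])

def worst_case_search_hours(keyspace, seconds_per_guess):
    # Each guess costs one KDF run, so the work factor scales the search time.
    return keyspace * seconds_per_guess / 3600

if __name__ == "__main__":
    master = secrets.token_bytes(32)        # constructed sample data key
    header = wrap_master_key(master, "old PIN 12345")
    header = change_password(header, "old PIN 12345", "a much longer passphrase")
    assert unwrap_master_key(header, "a much longer passphrase") == master
    print(worst_case_search_hours(5 ** 10, 0.1))  # the thread's 5^10 space at 0.1 s per guess
```
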
From: Darren New
Subject: Re: Encrypted storage
Date: 19 Aug 2011 11:03:58
Message: <4e4e7b5e$1@news.povray.org>
On 8/19/2011 1:01, Invisible wrote:
> Oh, well, if you're talking about the one with the combination lock

Yeah.  I wasn't interested in one I couldn't use on multiple OSes.

> I was thinking more about the ones where you insert the USB drive and it
> asks for a password before it will let you see the encrypted partition.

Yup, agreed.

> Oh, sure, the password or PIN or whatever is *clearly* the weakest point in
> the system. (Assuming the RNG isn't broken...)

I think I'm OK with storing things on there that can only be extracted by 
someone willing to break it open, extract the actual flash chip, and insert 
that chip into a new controller. :-)

-- 
Darren New, San Diego CA, USA (PST)
   How come I never get only one kudo?



From: Invisible
Subject: Re: Encrypted storage
Date: 19 Aug 2011 11:09:32
Message: <4e4e7cac@news.povray.org>
>> Oh, well, if you're talking about the one with the combination lock
>
> Yeah. I wasn't interested in one I couldn't use on multiple OSes.

I can see why that wouldn't appeal.

It's a pity there isn't a standard, portable way of doing this really.

>> Oh, sure, the password or PIN or whatever is *clearly* the weakest point in
>> the system. (Assuming the RNG isn't broken...)
>
> I think I'm OK with storing things on there that can only be extracted by
> someone willing to break it open, extract the actual flash chip, and
> insert that chip into a new controller. :-)

It depends on the level of security you want, really.

If you're anything like me, you don't particularly need ultra-security.



From: Stephen
Subject: Re: Encrypted storage
Date: 20 Aug 2011 06:15:08
Message: <4e4f892c$1@news.povray.org>
On 18/08/2011 4:03 PM, Invisible wrote:
> You want to password-protect your passwords? That's just crazy. (The
> idea of a password is that you're supposed to /remember/ it. Which makes
> it impossible to ever steal.)

Please tell me how to remember passwords for half a dozen systems each 
with two or three clients that force you to change your password 
regularly. Along with accounts for umpteen different company websites 
and personal logons?

-- 
Regards
     Stephen



From: Orchid XP v8
Subject: Re: Encrypted storage
Date: 20 Aug 2011 06:28:11
Message: <4e4f8c3b$1@news.povray.org>
On 20/08/2011 11:15 AM, Stephen wrote:
> On 18/08/2011 4:03 PM, Invisible wrote:
>> You want to password-protect your passwords? That's just crazy. (The
>> idea of a password is that you're supposed to /remember/ it. Which makes
>> it impossible to ever steal.)
>
> Please tell me how to remember passwords for half a dozen systems each
> with two or three clients that force you to change your password
> regularly. Along with accounts for umpteen different company websites
> and personal logons?

Damn. You have even more passwords than I do!

-- 
http://blog.orphi.me.uk/
http://www.zazzle.com/MathematicalOrchid*



From: Stephen
Subject: Re: Encrypted storage
Date: 20 Aug 2011 06:34:04
Message: <4e4f8d9c$1@news.povray.org>
On 20/08/2011 11:28 AM, Orchid XP v8 wrote:
> On 20/08/2011 11:15 AM, Stephen wrote:
>> On 18/08/2011 4:03 PM, Invisible wrote:
>>> You want to password-protect your passwords? That's just crazy. (The
>>> idea of a password is that you're supposed to /remember/ it. Which makes
>>> it impossible to ever steal.)
>>
>> Please tell me how to remember passwords for half a dozen systems each
>> with two or three clients that force you to change your password
>> regularly. Along with accounts for umpteen different company websites
>> and personal logons?
>
> Damn. You have even more passwords than I do!
>

Then I move to the next job and start again.

-- 
Regards
     Stephen



From: Le Forgeron
Subject: Re: Encrypted storage
Date: 20 Aug 2011 06:40:33
Message: <4e4f8f21$1@news.povray.org>
On 20/08/2011 12:15, Stephen wrote:
> On 18/08/2011 4:03 PM, Invisible wrote:
>> You want to password-protect your passwords? That's just crazy. (The
>> idea of a password is that you're supposed to /remember/ it. Which makes
>> it impossible to ever steal.)
> 
> Please tell me how to remember passwords for half a dozen systems each
> with two or three clients that force you to change your password
> regularly. Along with accounts for umpteen different company websites
> and personal logons?
>

Have a small black book with the passwords, one page per system.
For the changing systems, using a rotation of 3 entries should do it
(they are weak, badly managed... they usually check only against the
previous one; I only once encountered a really painful one which stored
the last 10)



From: Orchid XP v8
Subject: Re: Encrypted storage
Date: 20 Aug 2011 06:44:40
Message: <4e4f9018$1@news.povray.org>
On 20/08/2011 11:40 AM, Le_Forgeron wrote:

> Have a small black book with the passwords, one page per system.
> For the changing systems, using a rotation of 3 entries should do it
> (they are weak, badly managed... they usually check only against the
> previous one; I only once encountered a really painful one which stored
> the last 10)

Our network stores the last 12 passwords. Stupidly, it enforces a 
*minimum* password age of 1 day. So, like, if your password is 
compromised the day you change it, you cannot change it until tomorrow. WTF?

The idea, of course, is that you can't enter 12 passwords and then go 
back to your original password. As if *anybody* dumb enough to work here 
would realise they could do that.

What it /does/ mean is that if I reset somebody's password, I can't 
reset it, let them log back in, and then have them change it again. They 
have to wait until tomorrow (by which time they WILL have forgotten). So 
they end up with a weak password for a month. (Or I reset the password 
to something strong, and they whine at me for a month.)

-- 
http://blog.orphi.me.uk/
http://www.zazzle.com/MathematicalOrchid*



From: Warp
Subject: Re: Encrypted storage
Date: 20 Aug 2011 07:03:36
Message: <4e4f9488@news.povray.org>
Orchid XP v8 <voi### [at] devnull> wrote:
> Our network stores the last 12 passwords. Stupidly, it enforces a 
> *minimum* password age of 1 day. So, like, if your password is 
> compromised the day you change it, you cannot change it until tomorrow. WTF?

> The idea, of course, is that you can't enter 12 passwords and then go 
> back to your original password. As if *anybody* dumb enough to work here 
> would realise they could do that.

  The solution to both problems is really obvious: Make the waiting time
progressive rather than fixed. In other words, you can change your password
a second time immediately, but the third time requires something like a
minute before you can do it, the fourth time 5 minutes, and so on, until
the 12th time requires a few days or whatever.

  This both prevents potential abuse *and* allows you to immediately change
your password again for whatever reason (eg. because it was reset or
because it was compromised or whatever).

  Why don't developers understand trivial solutions like this?

-- 
                                                          - Warp



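The progressive waiting time proposed in the message above, combined with the 12-entry password history mentioned earlier in the thread, as an added example that is not part of any post. Assumptions: the delay grows fivefold per change after the 1 minute and 5 minute steps named in the post, "a few days" is capped at 3 days, changes stop counting after a 30-day window, and the `Account` class and function names are hypothetical.

```python
import hashlib, hmac, secrets
from datetime import datetime, timedelta

HISTORY_DEPTH = 12              # from the thread: the last 12 passwords are remembered
WINDOW = timedelta(days=30)     # assumption: older changes no longer count
MAX_DELAY = timedelta(days=3)   # assumption: cap for "a few days"

def required_delay(recent_changes):
    """Wait after the latest change, given how many changes are already in the window."""
    if recent_changes < 2:      # the second change is always immediate
        return timedelta(0)
    # third change: 1 min, fourth: 5 min, then x5 each time up to the cap
    return min(timedelta(minutes=5 ** (recent_changes - 2)), MAX_DELAY)

def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

class Account:
    def __init__(self):
        self.history = []       # [(salt, digest)], newest last
        self.changes = []       # timestamps of accepted changes

    def change_password(self, new_password, now):
        recent = [t for t in self.changes if now - t < WINDOW]
        if recent:
            wait = recent[-1] + required_delay(len(recent)) - now
            if wait > timedelta(0):
                return ("wait", wait)
        # Reuse check against every remembered password, each with its own salt.
        if any(hmac.compare_digest(_digest(new_password, s), d) for s, d in self.history):
            return ("reused", None)
        salt = secrets.token_bytes(16)
        entry = (salt, _digest(new_password, salt))
        self.history = (self.history + [entry])[-HISTORY_DEPTH:]
        self.changes = recent + [now]
        return ("ok", None)

if __name__ == "__main__":
    t0 = datetime(2011, 8, 20, 7, 0)                 # constructed timeline
    acct = Account()
    print(acct.change_password("reset-by-admin", t0))                      # admin reset
    print(acct.change_password("user-choice", t0 + timedelta(seconds=1)))  # immediate
    print(acct.change_password("third", t0 + timedelta(seconds=2)))        # must wait
```
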

Copyright 2003-2023 Persistence of Vision Raytracer Pty. Ltd.