On Fri, Feb 01, 2008 at 04:27:50PM +0100, Raimo Niskanen wrote:
> On Fri, Feb 01, 2008 at 03:16:47PM +0100, Michael wrote:
> > Hi,
> > 
> > thanks for your fast answer.
> > 
> > Raimo Niskanen schrieb:
> > > Interesting idea, but I wonder if it is necessary...
> > 
> > Maybe not necessary, but still something I'd like to try. So, any ideas?
> > 
> > > Again, if I remember correctly; if your salt is random enough,
> > > it need not be secret. It is just used to randomize your password.
> > > 
> > > Attackers come with pre-calculated dictionaries and try
> > > to crack your password, and if the salt is unknown to the
> > > attacker until he/she gets into the system he/she will
> > > have to re-calculate the whole dictionary with the 
> > > now known salt and rounds. And if the rounds is high
> > > enough re-calculating a dictionary will not be feasible.
> > 
> > Well, since I want to have the partition to be automagically mounted
> > when I insert the USB stick (with the saltfile), having the HDD (with
> > the modified mount_vnd on it) and the USB stick would be enough to
> > decrypt it.
> 
> Aha, automagically as in not supplying a password. Then the password
> also has to be with the saltfile, or in cleartext in the mount
> script (hotplugd I guess). So the password is known if
> you have the HDD and the USB stick. In effect, the saltfile
> is the password.
> 
> Have I finally got it?
> 
> So therefore you need a unique and constant signature
> of your hardware... to become the salt and password.
> 
> Sounds a bit like what M$ does to see when you install XP on
> too many hardwares. Find as many serial numbers and
> product IDs of things on your motherboard through 
> existing hardware monitors, and run them through MD5 or SHA.
> 
> Better or more specific ideas, anyone? Especially
> on which interesting hardware info utilities there are.

Finding a MAC address is easy, and using hw.serialno if available is
even easier. It would not be hard to, say, use the MAC of all devices in
alphabetical order concatenated with hw.serialno, run through your
favourite hash function, as the key to your vnd.

However, I'm not convinced this is even remotely a good idea. It makes
it even easier to lose all your data if something goes wrong, and I
don't really see how an attacker could get at your disk and USB key
without also gaining access to the hardware. Just boot OpenBSD and
insert the USB key? (And no, there's not really much you can do about
the 'just boot OpenBSD' part.)

Ultimately, removing the inconvenience of having to type a password also
removes some of the security that comes with it.

                Joachim
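
The derivation described in the message above (MAC addresses in alphabetical order, concatenated with hw.serialno, then hashed), as an added example that is not part of the original thread. Assumptions: SHA-256 as the hash, "alphabetical order" taken as sorted by interface name, and constructed sample values standing in for `ifconfig` and `sysctl -n hw.serialno` output; the function names are hypothetical.

```python
import hashlib
import re

# Constructed sample of OpenBSD `ifconfig` output (not from a real machine);
# the MACs are from the documentation range 00:00:5e:00:53:xx.
SAMPLE_IFCONFIG = """\
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33200
\tinet 127.0.0.1 netmask 0xff000000
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
\tlladdr 00:00:5e:00:53:22
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
\tlladdr 00:00:5e:00:53:11
"""
# Constructed stand-in for the value of `sysctl -n hw.serialno`.
SAMPLE_SERIAL = "EXAMPLE-SERIAL-0001"


def parse_lladdrs(ifconfig_text):
    """Return {interface: mac} for every interface that reports an lladdr."""
    macs, current = {}, None
    for line in ifconfig_text.splitlines():
        head = re.match(r"^(\w+): flags=", line)
        if head:
            current = head.group(1)
            continue
        ll = re.match(r"^\s+lladdr ([0-9a-f]{2}(?::[0-9a-f]{2}){5})", line)
        if ll and current:
            macs[current] = ll.group(1)
    return macs


def hardware_key(ifconfig_text, serial):
    """Hash the MACs (sorted by interface name) followed by the serial number."""
    macs = parse_lladdrs(ifconfig_text)
    material = "".join(macs[name] for name in sorted(macs)) + serial
    return hashlib.sha256(material.encode()).hexdigest()


if __name__ == "__main__":
    key = hardware_key(SAMPLE_IFCONFIG, SAMPLE_SERIAL)
    # Replacing a single network card yields an unrelated key.
    swapped = SAMPLE_IFCONFIG.replace("00:00:5e:00:53:22", "00:00:5e:00:53:33")
    print("key           :", key)
    print("after NIC swap:", hardware_key(swapped, SAMPLE_SERIAL))
```

Every input to the hash can be read off the running machine, and changing one network card changes the result, so the old key can no longer be derived from the hardware.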
