Full disk encryption with the crypto stick

Last week I finished the udacity applied cryptography course. I did not as well as in the other courses, nonetheless I learned a lot and it was (as always) really interesting. We learned about symmetric and asymmetric encryption, hashes as well as key exchange and management. Each week in addition to the regular homework, we got a challenge question. For most of them, I invested some time, but then had to surrender. Well, I still managed to complete some of the challenges. The most fun for me was a side channel attack on the diffie hellman key exchange protocol. We had information on how many multiplications were required for the fast exponentiation of the RSA key on one end. That was enough to decypher the secret message. It was a good illustration of what has to be taken into account when developing real world cryptographic algorithms. And it reminded me of how some smart cards were hacked by closely monitoring the power consumption.

Now, it was time to put my crypto stick to use. My netbook still ran Ubuntu Maverick due to the horrible graphics card (gma500). So I waited for the release of Linux Mint 13 LTS. In the 3.3 line of kernels there is a poulsbo driver already included.

First I prepared the crypto stick according to this tutorial. After initially generating the keys on the stick for maximum security, I let myself convince to generate them on the computer to be able to make backups. I could not regenerate the authentication key so far, and thus I can’t use it for ssh at the moment. I’m still looking for a solution on that.

Then I installed the operating system along with the full disk encryption according to this tutorial. At first it didn’t work, but then I discovered that there was a mount command missing in the tutorial and thus the generated ramdisk was not written to the correct boot partition.

Here is how it works (as I understand it):

  • grub loads the kernel along with the initial ramdisk which contains everything necessary to communicate with the card.
  • The ramdisk also contains the keyfile for the encrypted root partition. Upon entering the correct pin, the smart card decrypts the key file (asymmetrically).
  • The key file in turn is used to (symmetrically) on the fly decrypt (and encrypt) all accesses to the root partition.

It was new to me how to put stuff into the vmlinuz ramdisk. Apparently the script to ask for the key and decrypt the key file, as well as the keyfile itself and all the other required stuff can be added by installing a hook that is executed whenever a new ramdisk is created. For example when installing a new kernel.

Not that I would have something stored on the harddisk, that would require such a level of security. But it’s interesting to set up and see how it works in action. The crypto stick adds a fair bit of security. As it has a smart card built in, a trojan couldn’t get hold of the private key, and a 2048 bit key is way harder to crack than a password that one can remember and type in every time.

Leave a Reply

Your email address will not be published. Required fields are marked *