At the 23rd Chaos Communication Congress (23C3) in Berlin, Ralf-Philipp Weinmann and Jacob Appelbaum gave a talk on the innards of FileVault. Since Knox uses the same underlying encryption technology, this information is very interesting to all users of Knox as well.
The talk just ended a few minutes ago, but to summarize the findings presented, here are the key points (as I see them):
- In addition to the AES-128 algorithm, the system relies on 3DES and, if you use a master password, the RSA-1024 algorithm. Triple-DES is effectively 112-bit, and RSA-1024 is a rough equivalent to 72-bit symmetric encryption (according to the Lenstra-Verheul heuristics).
- So, from a vulnerability point of view, RSA-1024 seems to be the weakest link among the algorithms used. Note that current Knox versions don’t offer master key support, so this potential weakness applies to FileVault only.
- Safe Sleep needs to be disabled and virtual memory needs to be encrypted.
- A brute-force attack with an array of 15 FPGA chips could try 30 000 passphrases per second. You need to use very strong passphrases to mitigate the risk of a brute-force attack.
- Mac OS X’s pseudo-random number generator suffers from a weak source of entropy at boot time (when securityd hasn’t been started yet). Additionally, even non-root users can write to /dev/random to supply the system with non-random entropy data. This doesn’t present a practical attack vector, however — a testament to the quality of the Yarrow PRNG used.
- “Apple doesn’t have much to be ashamed of, cryptographically”
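To put the two numbers above on a common footing, here is a small worked example (added here, not part of the talk or its slides) that expresses both the RSA-1024 equivalence and the FPGA brute-force rate in bits of security. It assumes the page's single data point (RSA-1024 ≈ 72-bit symmetric) as the calibration anchor and scales other modulus sizes with the asymptotic General Number Field Sieve cost; the full Lenstra-Verheul cost model with its calibration data is not reproduced, so the non-anchor values are rough estimates only. The passphrase figures use the 30 000 trials per second quoted above.

```python
import math

# Anchor quoted on the page: RSA-1024 is roughly a 72-bit symmetric key under
# the Lenstra-Verheul heuristics. Assumption: this single point stands in for
# the full LV cost model when scaling to other modulus sizes.
RSA_1024_SYMMETRIC_BITS = 72

# Passphrase trial rate from the talk summary: 15 FPGAs trying 30 000 per second.
FPGA_TRIALS_PER_SECOND = 30_000

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def nfs_log2_cost(modulus_bits):
    """Asymptotic GNFS factoring cost for an n-bit modulus N, expressed in bits:
    L(N) = exp(1.923 * (ln N)^(1/3) * (ln ln N)^(2/3)).
    The o(1) term is dropped, so only differences between sizes carry meaning;
    that is why the estimate below is anchored to a known point."""
    ln_n = modulus_bits * math.log(2)
    return 1.923 * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3) / math.log(2)


def rsa_symmetric_equivalent(modulus_bits):
    """Estimate the symmetric-equivalent strength of an RSA modulus by
    scaling the GNFS cost relative to the RSA-1024 ~ 72-bit anchor."""
    delta = nfs_log2_cost(modulus_bits) - nfs_log2_cost(1024)
    return round(RSA_1024_SYMMETRIC_BITS + delta)


def passphrase_entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random passphrase of `length` symbols."""
    return length * math.log2(alphabet_size)


def expected_years_to_brute_force(entropy_bits, trials_per_second=FPGA_TRIALS_PER_SECOND):
    """Expected time to guess a passphrase of the given entropy: on average
    half the keyspace has to be searched."""
    expected_trials = 2 ** (entropy_bits - 1)
    return expected_trials / trials_per_second / SECONDS_PER_YEAR


def passphrase_length_for_horizon(alphabet_size, years, trials_per_second=FPGA_TRIALS_PER_SECOND):
    """Smallest passphrase length over the alphabet whose expected brute-force
    time at the given rate exceeds `years`."""
    seconds = years * SECONDS_PER_YEAR
    # Expected search covers half the keyspace, so the space must be twice
    # what the attacker can try within the horizon.
    required_bits = math.log2(2 * seconds * trials_per_second)
    return math.ceil(required_bits / math.log2(alphabet_size))


if __name__ == "__main__":
    for bits in (512, 1024, 2048, 4096):
        print(f"RSA-{bits}: ~{rsa_symmetric_equivalent(bits)}-bit symmetric equivalent")
    lowercase8 = passphrase_entropy_bits(8, 26)
    print(f"8 lowercase letters ({lowercase8:.1f} bits): "
          f"{expected_years_to_brute_force(lowercase8):.3f} years at 30 000/s")
    print("lowercase length for a 100-year horizon:",
          passphrase_length_for_horizon(26, 100))
```

Running the script prints the estimates for the four modulus sizes (1024 returns the anchor value by construction) and shows that an 8-character lowercase passphrase falls to the quoted FPGA array in a matter of weeks, while 11 lowercase characters are needed to push the expected search past a century at that rate. Mixed-case, digits and punctuation (an alphabet of 95) shorten the required length considerably, which is the practical content of the "very strong passphrases" advice.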
Additionally, the presenters talked about a Firewire DMA vulnerability that allows any Firewire device to read and write to any memory address. They also demonstrated a free implementation for decrypting a disk image (given the correct passphrase). The slides and source code are available for download.