Difference between revisions of "Security notes / Unsorted"

From Helpful
Jump to: navigation, search
m (Laptop hard drive encryption)
m (Laptop hard drive encryption)
Line 151: Line 151:
 
===See also===
 
===See also===
 
* http://en.wikipedia.org/wiki/Trusted_Platform_Module
 
* http://en.wikipedia.org/wiki/Trusted_Platform_Module
 
==Laptop hard drive encryption==
 
<!--
 
 
 
'''Practical security'''
 
 
This is about data-at-rest encryption, which means that while your running computer may have flaws, everything going to disk is encrypted.
 
 
Which means that the next time your laptop boots up it asks for a password, once, before ''anything'' happens.
 
 
Because the worst scenario to contend with is thieves at the coffee shop or leaving your laptop on the train, so such opportunistic thieves will probably consider a reformat before selling it on.
 
...even if the implementation is ''wildly'' flawed, which most are not.
 
 
In other words, anything halfway decent covers the wishes of ninety-something percent of people.
 
 
 
Business laptops are a step up for that, because it's the business that wants much the same peace of mind.
 
That means that admins in charge of securing all your business's laptops have more reading to do.
 
And then largely to lessen the likeliness they'll get fired.
 
 
 
 
However
 
* in both cases, keep in mind that you lose all your data.
 
: ...unless you've got it backed up, and backups tend to be an entirely separate system with its entirely its own security issues.
 
 
* compromise of your running system probably means your data is stealable
 
: again, more about targeted attacks,
 
 
 
 
 
If you have someone targetedly interested in the data on your laptop, consider that serious attacks and/or rubber-hose security
 
[https://xkcd.com/538/][https://en.wikipedia.org/wiki/Rubber-hose_cryptanalysis], [https://en.wikipedia.org/wiki/Black-bag_cryptanalysis black-bag cryptanalysis] and also a lot more boring methods means serious criminals and three letter agencies will probably get their way anyway.
 
 
 
 
 
 
 
'''Drive encryption and TPM'''
 
 
TPM supports encryption by storing part of the key (...which otherwise would have to go to the disk itself).
 
 
Can you use full drive encryption? Yes.
 
Is there a point? Yes, for many people, see above arguments.
 
 
 
TPM is convenient, and a great tool, but like any, if you trust a solution blindly because it involves TPM you aren't thinking.
 
 
 
TPM allows things like "You can't get at the encrypted part of the disk without the TPM, and you can't get at the TPM without a (e.g. your regular account) password"  (also making recovery key and/or backup of your TPM keys sort of crucial to ever recovering, or moving drive to another PC)
 
 
However, if you allow admin access, or physical access, there will always be exploits.
 
So it's a tool that ''easily'' gives you a sense of false security.
 
 
Reducing the possible threats to roughly that is ''great'' in that you can teach your users
 
what few things not to do.
 
But if you can't teach them, or they don't care, or that list turns out to be longer,
 
then you're screwed anyway.
 
 
 
 
'''Full drive encryption versus partial'''
 
 
 
 
 
'''On speed'''
 
 
If your CPU has the AES(-NI) instruction set, the overhead should be negligible as the CPU can encrypt and decrypt than all platter, and a good deal of SSDs (roughly: most SATA, little NVMe) can write/read -- though implementations vary on how well they deal with random
 
 
AES instruction sets have been introduced around 2011, and are now present in most CPUs (except for budget).{{verify}}
 
 
https://en.wikipedia.org/wiki/AES_instruction_set#x86_architecture_processors
 
 
https://handwiki.org/wiki/AES_instruction_set
 
 
 
If it doesn't use such an instruction set will use significant CPU (though if you've got an unused core you may not notice hugely), also affecting battery life, and also make storage noticeably slower (order of a few dozen percent?{{verify}}).
 
 
 
 
'''Choices'''
 
 
Windows:
 
 
* BitLocker - comes with
 
: does it offload to drive encryption if it says it supports it?
 
: Supported in windows...
 
:: Vista Ultimate, Vista Enterprise
 
:: Win7 Ultimate, Win7 Enterprise
 
:: Win8 pro, Win8 enterprise
 
:: Win10 pro, Win10 Enterprise, Win10 education
 
:: in other words, chances are decent you can't use it with your home PC without a purchase and reinstall?{{verify}}
 
: proprietary, so you don't really know all it does
 
 
* VeraCrypt
 
: fork of the discontinued TrueCrypt
 
: seems to be more robust than bitlocker
 
: open source
 
 
 
 
 
 
 
 
'''Hard drives doing their own encryption is not trustable'''
 
 
Practically it may not matter, see the previous point.
 
 
At a technical level, many have been seriously flawed.
 
 
Keep in mind that bitlocker may offload encryption to the drive if it says it supports it.
 
Meaning that if that encryption has any flaws, you have less security than you thought.
 
[https://www.computerworld.com/article/3319736/bitlocker-on-self-encrypted-ssds-blown-microsoft-advises-you-switch-to-software-protection.html]
 
 
 
 
 
 
-->
 
  
 
==Challenge/response==
 
==Challenge/response==

Revision as of 13:28, 7 January 2021

Security related stuff.

Practical


Theory


Unsorted


This article/section is a stub — probably a pile of half-sorted notes, is not well-checked so may have incorrect bits. (Feel free to ignore, fix, or tell me)


TPM

This article/section is a stub — probably a pile of half-sorted notes, is not well-checked so may have incorrect bits. (Feel free to ignore, fix, or tell me)

What?

Trusted Platform Module, TPM, is a hardware component, and part of the Trusted Computing design.

TPM can support public key operations and (temporary) key storage, make storage of keys a little more secure, and offload some encryption details.

It can be plugged into PC motherboards and laptops, and may be built into laptops (fairly common in business laptops).


As a platform, TC and TPM may (eventually) help avoid some boot based exploits, which is also necessary to resist some physical attacks, such as some defeating full-drive encryption. (verify)

"Can't detect TPM device"

Means the BIOS knows that you can plug in a TPM module, and is looking for it, and you don't have one.

Either plug one in, tell it not to look for one (if you can), or ignore this message. It's often under a header named something like 'Trusted Computing'

Some BIOSes will always look for it(verify), in which case you can just ignore the message.

More acronyms

Use and criticism

This article/section is a stub — probably a pile of half-sorted notes, is not well-checked so may have incorrect bits. (Feel free to ignore, fix, or tell me)

See also

Challenge/response

JSON Web Signature, Encryption, Tokens

This article/section is a stub — probably a pile of half-sorted notes, is not well-checked so may have incorrect bits. (Feel free to ignore, fix, or tell me)

JSON Web Signature (JWS)

Signing arbitrary data.

See also:


JSON Web Encryption (JWE)

Syntax for the exchange of encrypted data, and sending it in Base64 within JSON.

See also:


JSON Web Tokens (JWT)

JWT is aimed at sending verifiable claims, building on JWS or JWE

Signed using a shared secret, or a public/private key.

Typically used between identity provider and a service provider, in an SSO-like way.

See also:


-->