Why does BitLocker not use RSA? Planned maintenance scheduled April 23, 2019 at 23:30 UTC (7:30 pm US/Eastern) Announcing the arrival of Valued Associate #679: Cesar Manara Unicorn Meta Zoo #1: Why another podcast?Is semantic security important in a hybrid cryptosystem?What security authorities and standards reject $e=3$ in RSA, when, and with what rationale?Should new applications still use RSA? Is it worth going down the ECDH route for protocols?Can I use asymmetric encryption for more powerful write-protection?AES256-GCM - can someone explain how to use it securely (ruby)Can RSA be securely used for “blind decryption”?When/why is RSA (hybrid) encryption used rather than alternatives?What's wrong with RSA and OpenSSL?Secure and efficient encryption of a continuous data stream on behalf of a third party using asymmetric cryptographyCan I apply “encrypt with public key and decrypt with private key concept” using ECC certificate?
Why is water being consumed when my shutoff valve is closed?
Is a self contained air-bullet cartridge feasible?
Israeli soda type drink
Arriving in Atlanta (after US Preclearance in Dublin). Will I go through TSA security in Atlanta to transfer to a connecting flight?
What do you call an IPA symbol that lacks a name (e.g. ɲ)?
What helicopter has the most rotor blades?
Simulate round-robin tournament draw
Why isn't everyone flabbergasted about Bran's "gift"?
What is the purpose of the side handle on a hand ("eggbeater") drill?
Is it accepted to use working hours to read general interest books?
Protagonist's race is hidden - should I reveal it?
Why I cannot instantiate a class whose constructor is private in a friend class?
What was Apollo 13's "Little Jolt" after MECO?
Coin Game with infinite paradox
What is /etc/mtab in Linux?
Marquee sign letters
What *exactly* is electrical current, voltage, and resistance?
"Working on a knee"
In search of the origins of term censor, I hit a dead end stuck with the greek term, to censor, λογοκρίνω
Where to find documentation for `whois` command options?
How long can a nation maintain a technological edge over the rest of the world?
When I export an AI 300x60 art board it saves with bigger dimensions
What is a 'Key' in computer science?
How was Lagrange appointed professor of mathematics so early?
Why does BitLocker not use RSA?
Planned maintenance scheduled April 23, 2019 at 23:30 UTC (7:30 pm US/Eastern)
Announcing the arrival of Valued Associate #679: Cesar Manara
Unicorn Meta Zoo #1: Why another podcast?Is semantic security important in a hybrid cryptosystem?What security authorities and standards reject $e=3$ in RSA, when, and with what rationale?Should new applications still use RSA? Is it worth going down the ECDH route for protocols?Can I use asymmetric encryption for more powerful write-protection?AES256-GCM - can someone explain how to use it securely (ruby)Can RSA be securely used for “blind decryption”?When/why is RSA (hybrid) encryption used rather than alternatives?What's wrong with RSA and OpenSSL?Secure and efficient encryption of a continuous data stream on behalf of a third party using asymmetric cryptographyCan I apply “encrypt with public key and decrypt with private key concept” using ECC certificate?
$begingroup$
If understand correctly from this post and the Wikipedia page for BitLocker and TPM, by default, BitLocker uses symmetric cryptography like AES. However, TPM is capable of performing RSA encryption.
Given that the RSA key is stored in the TPM, why does BitLocker not use asymmetric encryption (i.e., RSA)? By using such an encryption technique, we might be able to defend against the cold boot attack or sniffing on the LPC bus.
aes rsa
$endgroup$
migrated from security.stackexchange.com 4 hours ago
This question came from our site for information security professionals.
add a comment |
$begingroup$
If understand correctly from this post and the Wikipedia page for BitLocker and TPM, by default, BitLocker uses symmetric cryptography like AES. However, TPM is capable of performing RSA encryption.
Given that the RSA key is stored in the TPM, why does BitLocker not use asymmetric encryption (i.e., RSA)? By using such an encryption technique, we might be able to defend against the cold boot attack or sniffing on the LPC bus.
aes rsa
$endgroup$
migrated from security.stackexchange.com 4 hours ago
This question came from our site for information security professionals.
17
$begingroup$
How would using asymmetric encryption even help? Unless you never intend to write any data to the disk, you would need to have both sides of the key in memory in order to use the disk anyway. (I suppose there are special cases where you'd want a disk anyone can read but with strong authentication of its content -- but even there encrypting each block separately with an asymmetric primitive would not be the solution of choice).
$endgroup$
– Henning Makholm
2 days ago
1
$begingroup$
BTW, you might be interested to know that there are ways to mitigate cold boot attacks against FDE, such as TRESOR or using a new CPU with TME (Total Memory Encryption). Neither of those require a TPM.
$endgroup$
– forest
17 hours ago
$begingroup$
@forest, there is an attack on TRESOR, TRESOR Hunt
$endgroup$
– kelalaka
16 hours ago
1
$begingroup$
@kelalaka I've always found that paper a bit silly. It's a DMA attack, which naturally needs to be mitigated separately (with a properly-configured IOMMU). It isn't specific to TRESOR at all. It's no more an "attack on TRESOR" than using JTAG to debug the CPU and extract the keys is an "attack on TRESOR". Same with attaching a logic probe to the DRAM modules and triggering an NMI and reading the registers as they are pushed to the stack. Or a browser 0day combined with a kernel exploit to read the keys. Anyway, just boot withintel_iommu=onand you should be safe from that particular attack.
$endgroup$
– forest
16 hours ago
add a comment |
$begingroup$
If understand correctly from this post and the Wikipedia page for BitLocker and TPM, by default, BitLocker uses symmetric cryptography like AES. However, TPM is capable of performing RSA encryption.
Given that the RSA key is stored in the TPM, why does BitLocker not use asymmetric encryption (i.e., RSA)? By using such an encryption technique, we might be able to defend against the cold boot attack or sniffing on the LPC bus.
aes rsa
$endgroup$
If understand correctly from this post and the Wikipedia page for BitLocker and TPM, by default, BitLocker uses symmetric cryptography like AES. However, TPM is capable of performing RSA encryption.
Given that the RSA key is stored in the TPM, why does BitLocker not use asymmetric encryption (i.e., RSA)? By using such an encryption technique, we might be able to defend against the cold boot attack or sniffing on the LPC bus.
aes rsa
aes rsa
asked Apr 21 at 2:09
user3862410
migrated from security.stackexchange.com 4 hours ago
This question came from our site for information security professionals.
migrated from security.stackexchange.com 4 hours ago
This question came from our site for information security professionals.
17
$begingroup$
How would using asymmetric encryption even help? Unless you never intend to write any data to the disk, you would need to have both sides of the key in memory in order to use the disk anyway. (I suppose there are special cases where you'd want a disk anyone can read but with strong authentication of its content -- but even there encrypting each block separately with an asymmetric primitive would not be the solution of choice).
$endgroup$
– Henning Makholm
2 days ago
1
$begingroup$
BTW, you might be interested to know that there are ways to mitigate cold boot attacks against FDE, such as TRESOR or using a new CPU with TME (Total Memory Encryption). Neither of those require a TPM.
$endgroup$
– forest
17 hours ago
$begingroup$
@forest, there is an attack on TRESOR, TRESOR Hunt
$endgroup$
– kelalaka
16 hours ago
1
$begingroup$
@kelalaka I've always found that paper a bit silly. It's a DMA attack, which naturally needs to be mitigated separately (with a properly-configured IOMMU). It isn't specific to TRESOR at all. It's no more an "attack on TRESOR" than using JTAG to debug the CPU and extract the keys is an "attack on TRESOR". Same with attaching a logic probe to the DRAM modules and triggering an NMI and reading the registers as they are pushed to the stack. Or a browser 0day combined with a kernel exploit to read the keys. Anyway, just boot withintel_iommu=onand you should be safe from that particular attack.
$endgroup$
– forest
16 hours ago
add a comment |
17
$begingroup$
How would using asymmetric encryption even help? Unless you never intend to write any data to the disk, you would need to have both sides of the key in memory in order to use the disk anyway. (I suppose there are special cases where you'd want a disk anyone can read but with strong authentication of its content -- but even there encrypting each block separately with an asymmetric primitive would not be the solution of choice).
$endgroup$
– Henning Makholm
2 days ago
1
$begingroup$
BTW, you might be interested to know that there are ways to mitigate cold boot attacks against FDE, such as TRESOR or using a new CPU with TME (Total Memory Encryption). Neither of those require a TPM.
$endgroup$
– forest
17 hours ago
$begingroup$
@forest, there is an attack on TRESOR, TRESOR Hunt
$endgroup$
– kelalaka
16 hours ago
1
$begingroup$
@kelalaka I've always found that paper a bit silly. It's a DMA attack, which naturally needs to be mitigated separately (with a properly-configured IOMMU). It isn't specific to TRESOR at all. It's no more an "attack on TRESOR" than using JTAG to debug the CPU and extract the keys is an "attack on TRESOR". Same with attaching a logic probe to the DRAM modules and triggering an NMI and reading the registers as they are pushed to the stack. Or a browser 0day combined with a kernel exploit to read the keys. Anyway, just boot withintel_iommu=onand you should be safe from that particular attack.
$endgroup$
– forest
16 hours ago
17
17
$begingroup$
How would using asymmetric encryption even help? Unless you never intend to write any data to the disk, you would need to have both sides of the key in memory in order to use the disk anyway. (I suppose there are special cases where you'd want a disk anyone can read but with strong authentication of its content -- but even there encrypting each block separately with an asymmetric primitive would not be the solution of choice).
$endgroup$
– Henning Makholm
2 days ago
$begingroup$
How would using asymmetric encryption even help? Unless you never intend to write any data to the disk, you would need to have both sides of the key in memory in order to use the disk anyway. (I suppose there are special cases where you'd want a disk anyone can read but with strong authentication of its content -- but even there encrypting each block separately with an asymmetric primitive would not be the solution of choice).
$endgroup$
– Henning Makholm
2 days ago
1
1
$begingroup$
BTW, you might be interested to know that there are ways to mitigate cold boot attacks against FDE, such as TRESOR or using a new CPU with TME (Total Memory Encryption). Neither of those require a TPM.
$endgroup$
– forest
17 hours ago
$begingroup$
BTW, you might be interested to know that there are ways to mitigate cold boot attacks against FDE, such as TRESOR or using a new CPU with TME (Total Memory Encryption). Neither of those require a TPM.
$endgroup$
– forest
17 hours ago
$begingroup$
@forest, there is an attack on TRESOR, TRESOR Hunt
$endgroup$
– kelalaka
16 hours ago
$begingroup$
@forest, there is an attack on TRESOR, TRESOR Hunt
$endgroup$
– kelalaka
16 hours ago
1
1
$begingroup$
@kelalaka I've always found that paper a bit silly. It's a DMA attack, which naturally needs to be mitigated separately (with a properly-configured IOMMU). It isn't specific to TRESOR at all. It's no more an "attack on TRESOR" than using JTAG to debug the CPU and extract the keys is an "attack on TRESOR". Same with attaching a logic probe to the DRAM modules and triggering an NMI and reading the registers as they are pushed to the stack. Or a browser 0day combined with a kernel exploit to read the keys. Anyway, just boot with
intel_iommu=on and you should be safe from that particular attack.$endgroup$
– forest
16 hours ago
$begingroup$
@kelalaka I've always found that paper a bit silly. It's a DMA attack, which naturally needs to be mitigated separately (with a properly-configured IOMMU). It isn't specific to TRESOR at all. It's no more an "attack on TRESOR" than using JTAG to debug the CPU and extract the keys is an "attack on TRESOR". Same with attaching a logic probe to the DRAM modules and triggering an NMI and reading the registers as they are pushed to the stack. Or a browser 0day combined with a kernel exploit to read the keys. Anyway, just boot with
intel_iommu=on and you should be safe from that particular attack.$endgroup$
– forest
16 hours ago
add a comment |
3 Answers
3
active
oldest
votes
$begingroup$
Asymmetric encryption is vastly inferior to symmetric encryption. That is, in all respects, except one -- being asymmetric. When that property is needed, there's no way around it, obviously.
Asymmetric encryption is much slower. It is much more susceptible to showing recognizable patterns of some kind given non-random input. You need much larger key sizes to provide an adequate level of protection, and the system is much more vulnerable in general with current and future technology (reasonably-sized quantum computers will basically mean instant death for RSA, but AES is pretty much "yeah, so what" in that respect).
That's the reason why asymmetric encryption is almost never used to encrypt bulk data.
Nothing prevents you from encrypting a terabyte of data with RSA using 2048 bit chunks, much like you encrypt a terabyte with AES in 128 bit chunks. Only just, it doesn't make sense to do that because it is several thousand times slower, and at the same time is much more insecure.
answered 2 days ago
DamonDamon
69464
$endgroup$
19
$begingroup$
@kelalaka For communication.
$endgroup$
– wizzwizz4
2 days ago
2
$begingroup$
There is something preventing you from safely encrypting bulk data with RSA, though -- RSA is vulnerable to a number of different attacks involving plaintexts with known, unusual values (for example, small values of m).
$endgroup$
– duskwuff
23 hours ago
3
$begingroup$
@kelalaka Asymmetric cryptography is almost exclusively used to exchange key information for symmetric cryptography. As Damon says, you still use symmetric algorithms for encrypting bulk data.
$endgroup$
– Luaan
21 hours ago
2
$begingroup$
RSA is not more susceptible to showing recognizable patterns given a non-random input, unless you are very specifically using the horribly insecure textbook RSA. If you use RSA with proper padding (such as OAEP), it provides IND-CCA2 security. The real reason it would be a bad idea to encrypt something using just RSA is because it would be stupid slow and because the message would expand during encryption.
$endgroup$
– forest
19 hours ago
6
$begingroup$
This answer is clearly wrong with regards to the susceptible to showing recognizable patterns based on the input, and it misses out on the fact that RSA encryption would expand the ciphertext and can therefore not be used for block encryption (even for textbook RSA, as the modulus size needs to be bigger than the block size).
$endgroup$
– Maarten Bodewes♦
16 hours ago
|
show 7 more comments
$begingroup$
The cold boot attack can be performed on any encryption scheme as long as the keys reside in memory. For full-disk encryption (FDE) with symmetric algorithms like AES, you will need to take the key out from the TPM, where you will be susceptible to a cold boot attack.
Though the TPM is capable of RSA encryption and decryption, for FDE RSA has problems, in short the speed:
- RSA must use the OAEP scheme to be secure which reduces the message size.
- To speed up public key encryption the public key is selected as 3, 5, ... However, the decryption to access one block will be much slower even if you use CRT to gain 4x speed.
- Even though the TPM can perform RSA encryption on the chip, it will be much slower for Full Disk Encryption (FDE).
Therefore, TPM-based FDEs use TPM for key storage.
answered 2 days ago
kelalakakelalaka
9,00832352
$endgroup$
$begingroup$
This is the correct answer, and the only one which does not perpetuate the myth that a TPM device itself performs disk encryption or that it somehow mitigates cold boot attacks.
$endgroup$
– forest
19 hours ago
add a comment |
$begingroup$
TPMs do not perform the actual encryption used for full disk encryption. All they do is encrypt the key while the system is powered off or in a suspended state. The key is decrypted and passed once to the operating system over the LPC bus, which then keeps it in memory while encryption is performed. The reason a TPM would be a poor choice for securely accelerating full disk encryption is threefold:
The TPM communicates over the extremely slow LPC bus (4 bit width at 33 MHz).
The TPM hardware is generally very slow, being designed for security, not speed.
TPMs are not general-purpose encryption coprocessors that take arbitrary keys.
If you really wanted to use it to perform the actual encryption in a way that would mitigate cold boot attacks, you would need to pass the plaintext (or ciphertext) from the disk to the TPM over the LPC bus to encrypt (or decrypt) it, then pass the ciphertext (or plaintext) back over the LPC bus to the computer. This process would be an extremely slow way to avoid cold boot attacks, and would likely be easy to bypass given the ability to tamper with signals on the LPC bus (the TPM would be a decryption oracle!).
Although you could in theory use RSA for bulk encryption, provided you used proper padding like PKCS#1v1.5 or OAEP, it would expand the message (ciphertext would be larger than plaintext), and it would be extremely slow and inefficient. Despite what some other answers have claimed, it would not be insecure when a proper padding scheme is used, but it would be a silly and inefficient use of RSA.
answered 18 hours ago
forestforest
5,16611744
$endgroup$
1
$begingroup$
I'd say that the frequent use of RSA with a static private key (for decryption) would probably be more susceptible to side channel attacks than AES. It would of course be dependent on the implementation specifics, but I'd rather put my cards on AES...
$endgroup$
– Maarten Bodewes♦
16 hours ago
$begingroup$
@MaartenBodewes Yes, with one of my half work, I could easily extract keys from OpenSSL. The library implementation, as you noted, really determines the attacks success ratio.
$endgroup$
– kelalaka
14 hours ago
$begingroup$
Not merely inefficient, but it would be difficult to make it resemble the block characteristics of the underlying device. Any ciphertext expansion, which is a necessary feature of any RSA-shoehorned encryption, would violate OS and application assumptions about atomic or linear writes, requiring another layer in the middle. Avoiding this requires qualitatively changing the premises, from sector-by-sector disk encryption (which is essentially transparent) to what is essentially a file system in its own right.
$endgroup$
– Squeamish Ossifrage
7 hours ago
$begingroup$
@SqueamishOssifrage Indeed. It could not be used as a drop-in replacement for a block cipher. Although the implementation would not be elegant in the slightest, it would be possible and could be made secure.
$endgroup$
– forest
7 hours ago
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "281"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f68988%2fwhy-does-bitlocker-not-use-rsa%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
3 Answers
3
active
oldest
votes
3 Answers
3
active
oldest
votes
active
oldest
votes
active
oldest
votes
$begingroup$
Asymmetric encryption is vastly inferior to symmetric encryption. That is, in all respects, except one -- being asymmetric. When that property is needed, there's no way around it, obviously.
Asymmetric encryption is much slower. It is much more susceptible to showing recognizable patterns of some kind given non-random input. You need much larger key sizes to provide an adequate level of protection, and the system is much more vulnerable in general with current and future technology (reasonably-sized quantum computers will basically mean instant death for RSA, but AES is pretty much "yeah, so what" in that respect).
That's the reason why asymmetric encryption is almost never used to encrypt bulk data.
Nothing prevents you from encrypting a terabyte of data with RSA using 2048 bit chunks, much like you encrypt a terabyte with AES in 128 bit chunks. Only just, it doesn't make sense to do that because it is several thousand times slower, and at the same time is much more insecure.
answered 2 days ago
DamonDamon
69464
$endgroup$
19
$begingroup$
@kelalaka For communication.
$endgroup$
– wizzwizz4
2 days ago
2
$begingroup$
There is something preventing you from safely encrypting bulk data with RSA, though -- RSA is vulnerable to a number of different attacks involving plaintexts with known, unusual values (for example, small values of m).
$endgroup$
– duskwuff
23 hours ago
3
$begingroup$
@kelalaka Asymmetric cryptography is almost exclusively used to exchange key information for symmetric cryptography. As Damon says, you still use symmetric algorithms for encrypting bulk data.
$endgroup$
– Luaan
21 hours ago
2
$begingroup$
RSA is not more susceptible to showing recognizable patterns given a non-random input, unless you are very specifically using the horribly insecure textbook RSA. If you use RSA with proper padding (such as OAEP), it provides IND-CCA2 security. The real reason it would be a bad idea to encrypt something using just RSA is because it would be stupid slow and because the message would expand during encryption.
$endgroup$
– forest
19 hours ago
6
$begingroup$
This answer is clearly wrong with regards to the susceptible to showing recognizable patterns based on the input, and it misses out on the fact that RSA encryption would expand the ciphertext and can therefore not be used for block encryption (even for textbook RSA, as the modulus size needs to be bigger than the block size).
$endgroup$
– Maarten Bodewes♦
16 hours ago
|
show 7 more comments
$begingroup$
Asymmetric encryption is vastly inferior to symmetric encryption. That is, in all respects, except one -- being asymmetric. When that property is needed, there's no way around it, obviously.
Asymmetric encryption is much slower. It is much more susceptible to showing recognizable patterns of some kind given non-random input. You need much larger key sizes to provide an adequate level of protection, and the system is much more vulnerable in general with current and future technology (reasonably-sized quantum computers will basically mean instant death for RSA, but AES is pretty much "yeah, so what" in that respect).
That's the reason why asymmetric encryption is almost never used to encrypt bulk data.
Nothing prevents you from encrypting a terabyte of data with RSA using 2048 bit chunks, much like you encrypt a terabyte with AES in 128 bit chunks. Only just, it doesn't make sense to do that because it is several thousand times slower, and at the same time is much more insecure.
answered 2 days ago
DamonDamon
69464
$endgroup$
19
$begingroup$
@kelalaka For communication.
$endgroup$
– wizzwizz4
2 days ago
2
$begingroup$
There is something preventing you from safely encrypting bulk data with RSA, though -- RSA is vulnerable to a number of different attacks involving plaintexts with known, unusual values (for example, small values of m).
$endgroup$
– duskwuff
23 hours ago
3
$begingroup$
@kelalaka Asymmetric cryptography is almost exclusively used to exchange key information for symmetric cryptography. As Damon says, you still use symmetric algorithms for encrypting bulk data.
$endgroup$
– Luaan
21 hours ago
2
$begingroup$
RSA is not more susceptible to showing recognizable patterns given a non-random input, unless you are very specifically using the horribly insecure textbook RSA. If you use RSA with proper padding (such as OAEP), it provides IND-CCA2 security. The real reason it would be a bad idea to encrypt something using just RSA is because it would be stupid slow and because the message would expand during encryption.
$endgroup$
– forest
19 hours ago
6
$begingroup$
This answer is clearly wrong with regards to the susceptible to showing recognizable patterns based on the input, and it misses out on the fact that RSA encryption would expand the ciphertext and can therefore not be used for block encryption (even for textbook RSA, as the modulus size needs to be bigger than the block size).
$endgroup$
– Maarten Bodewes♦
16 hours ago
|
show 7 more comments
$begingroup$
Asymmetric encryption is vastly inferior to symmetric encryption. That is, in all respects, except one -- being asymmetric. When that property is needed, there's no way around it, obviously.
Asymmetric encryption is much slower. It is much more susceptible to showing recognizable patterns of some kind given non-random input. You need much larger key sizes to provide an adequate level of protection, and the system is much more vulnerable in general with current and future technology (reasonably-sized quantum computers will basically mean instant death for RSA, but AES is pretty much "yeah, so what" in that respect).
That's the reason why asymmetric encryption is almost never used to encrypt bulk data.
Nothing prevents you from encrypting a terabyte of data with RSA using 2048 bit chunks, much like you encrypt a terabyte with AES in 128 bit chunks. Only just, it doesn't make sense to do that because it is several thousand times slower, and at the same time is much more insecure.
answered 2 days ago
DamonDamon
69464
$endgroup$
Asymmetric encryption is vastly inferior to symmetric encryption. That is, in all respects, except one -- being asymmetric. When that property is needed, there's no way around it, obviously.
Asymmetric encryption is much slower. It is much more susceptible to showing recognizable patterns of some kind given non-random input. You need much larger key sizes to provide an adequate level of protection, and the system is much more vulnerable in general with current and future technology (reasonably-sized quantum computers will basically mean instant death for RSA, but AES is pretty much "yeah, so what" in that respect).
That's the reason why asymmetric encryption is almost never used to encrypt bulk data.
Nothing prevents you from encrypting a terabyte of data with RSA using 2048 bit chunks, much like you encrypt a terabyte with AES in 128 bit chunks. Only just, it doesn't make sense to do that because it is several thousand times slower, and at the same time is much more insecure.
answered 2 days ago
DamonDamon
69464
answered 2 days ago
DamonDamon
69464
answered 2 days ago
DamonDamon
69464
answered 2 days ago
DamonDamon
69464
69464
19
$begingroup$
@kelalaka For communication.
$endgroup$
– wizzwizz4
2 days ago
2
$begingroup$
There is something preventing you from safely encrypting bulk data with RSA, though -- RSA is vulnerable to a number of different attacks involving plaintexts with known, unusual values (for example, small values of m).
$endgroup$
– duskwuff
23 hours ago
3
$begingroup$
@kelalaka Asymmetric cryptography is almost exclusively used to exchange key information for symmetric cryptography. As Damon says, you still use symmetric algorithms for encrypting bulk data.
$endgroup$
– Luaan
21 hours ago
2
$begingroup$
RSA is not more susceptible to showing recognizable patterns given a non-random input, unless you are very specifically using the horribly insecure textbook RSA. If you use RSA with proper padding (such as OAEP), it provides IND-CCA2 security. The real reason it would be a bad idea to encrypt something using just RSA is because it would be stupid slow and because the message would expand during encryption.
$endgroup$
– forest
19 hours ago
6
$begingroup$
This answer is clearly wrong with regards to the susceptible to showing recognizable patterns based on the input, and it misses out on the fact that RSA encryption would expand the ciphertext and can therefore not be used for block encryption (even for textbook RSA, as the modulus size needs to be bigger than the block size).
$endgroup$
– Maarten Bodewes♦
16 hours ago
|
show 7 more comments
19
$begingroup$
@kelalaka For communication.
$endgroup$
– wizzwizz4
2 days ago
2
$begingroup$
There is something preventing you from safely encrypting bulk data with RSA, though -- RSA is vulnerable to a number of different attacks involving plaintexts with known, unusual values (for example, small values of m).
$endgroup$
– duskwuff
23 hours ago
3
$begingroup$
@kelalaka Asymmetric cryptography is almost exclusively used to exchange key information for symmetric cryptography. As Damon says, you still use symmetric algorithms for encrypting bulk data.
$endgroup$
– Luaan
21 hours ago
2
$begingroup$
RSA is not more susceptible to showing recognizable patterns given a non-random input, unless you are very specifically using the horribly insecure textbook RSA. If you use RSA with proper padding (such as OAEP), it provides IND-CCA2 security. The real reason it would be a bad idea to encrypt something using just RSA is because it would be stupid slow and because the message would expand during encryption.
$endgroup$
– forest
19 hours ago
6
$begingroup$
This answer is clearly wrong with regards to the susceptible to showing recognizable patterns based on the input, and it misses out on the fact that RSA encryption would expand the ciphertext and can therefore not be used for block encryption (even for textbook RSA, as the modulus size needs to be bigger than the block size).
$endgroup$
– Maarten Bodewes♦
16 hours ago
19
19
$begingroup$
@kelalaka For communication.
$endgroup$
– wizzwizz4
2 days ago
$begingroup$
@kelalaka For communication.
$endgroup$
– wizzwizz4
2 days ago
2
2
$begingroup$
There is something preventing you from safely encrypting bulk data with RSA, though -- RSA is vulnerable to a number of different attacks involving plaintexts with known, unusual values (for example, small values of m).
$endgroup$
– duskwuff
23 hours ago
$begingroup$
There is something preventing you from safely encrypting bulk data with RSA, though -- RSA is vulnerable to a number of different attacks involving plaintexts with known, unusual values (for example, small values of m).
$endgroup$
– duskwuff
23 hours ago
3
3
$begingroup$
@kelalaka Asymmetric cryptography is almost exclusively used to exchange key information for symmetric cryptography. As Damon says, you still use symmetric algorithms for encrypting bulk data.
$endgroup$
– Luaan
21 hours ago
$begingroup$
@kelalaka Asymmetric cryptography is almost exclusively used to exchange key information for symmetric cryptography. As Damon says, you still use symmetric algorithms for encrypting bulk data.
$endgroup$
– Luaan
21 hours ago
2
2
$begingroup$
RSA is not more susceptible to showing recognizable patterns given a non-random input, unless you are very specifically using the horribly insecure textbook RSA. If you use RSA with proper padding (such as OAEP), it provides IND-CCA2 security. The real reason it would be a bad idea to encrypt something using just RSA is because it would be stupid slow and because the message would expand during encryption.
$endgroup$
– forest
19 hours ago
$begingroup$
RSA is not more susceptible to showing recognizable patterns given a non-random input, unless you are very specifically using the horribly insecure textbook RSA. If you use RSA with proper padding (such as OAEP), it provides IND-CCA2 security. The real reason it would be a bad idea to encrypt something using just RSA is because it would be stupid slow and because the message would expand during encryption.
$endgroup$
– forest
19 hours ago
6
6
$begingroup$
This answer is clearly wrong with regards to the susceptible to showing recognizable patterns based on the input, and it misses out on the fact that RSA encryption would expand the ciphertext and can therefore not be used for block encryption (even for textbook RSA, as the modulus size needs to be bigger than the block size).
$endgroup$
– Maarten Bodewes♦
16 hours ago
$begingroup$
This answer is clearly wrong with regards to the susceptible to showing recognizable patterns based on the input, and it misses out on the fact that RSA encryption would expand the ciphertext and can therefore not be used for block encryption (even for textbook RSA, as the modulus size needs to be bigger than the block size).
$endgroup$
– Maarten Bodewes♦
16 hours ago
|
show 7 more comments
$begingroup$
The cold boot attack can be performed on any encryption scheme as long as the keys reside in memory. For full-disk encryption (FDE) with symmetric algorithms like AES, you will need to take the key out from the TPM, where you will be susceptible to a cold boot attack.
Though the TPM is capable of RSA encryption and decryption, for FDE RSA has problems, in short the speed:
- RSA must use the OAEP scheme to be secure which reduces the message size.
- To speed up public key encryption the public key is selected as 3, 5, ... However, the decryption to access one block will be much slower even if you use CRT to gain 4x speed.
- Even though the TPM can perform RSA encryption on the chip, it will be much slower for Full Disk Encryption (FDE).
Therefore, TPM-based FDEs use TPM for key storage.
answered 2 days ago
kelalakakelalaka
9,00832352
$endgroup$
$begingroup$
This is the correct answer, and the only one which does not perpetuate the myth that a TPM device itself performs disk encryption or that it somehow mitigates cold boot attacks.
$endgroup$
– forest
19 hours ago
add a comment |
$begingroup$
The cold boot attack can be performed on any encryption scheme as long as the keys reside in memory. For full-disk encryption (FDE) with symmetric algorithms like AES, you will need to take the key out from the TPM, where you will be susceptible to a cold boot attack.
Though the TPM is capable of RSA encryption and decryption, for FDE RSA has problems, in short the speed:
- RSA must use the OAEP scheme to be secure which reduces the message size.
- To speed up public key encryption the public key is selected as 3, 5, ... However, the decryption to access one block will be much slower even if you use CRT to gain 4x speed.
- Even though the TPM can perform RSA encryption on the chip, it will be much slower for Full Disk Encryption (FDE).
Therefore, TPM-based FDEs use TPM for key storage.
answered 2 days ago
kelalakakelalaka
9,00832352
$endgroup$
$begingroup$
This is the correct answer, and the only one which does not perpetuate the myth that a TPM device itself performs disk encryption or that it somehow mitigates cold boot attacks.
$endgroup$
– forest
19 hours ago
add a comment |
$begingroup$
The cold boot attack can be performed on any encryption scheme as long as the keys reside in memory. For full-disk encryption (FDE) with symmetric algorithms like AES, you will need to take the key out from the TPM, where you will be susceptible to a cold boot attack.
Though the TPM is capable of RSA encryption and decryption, for FDE RSA has problems, in short the speed:
- RSA must use the OAEP scheme to be secure which reduces the message size.
- To speed up public key encryption the public key is selected as 3, 5, ... However, the decryption to access one block will be much slower even if you use CRT to gain 4x speed.
- Even though the TPM can perform RSA encryption on the chip, it will be much slower for Full Disk Encryption (FDE).
Therefore, TPM-based FDEs use TPM for key storage.
answered 2 days ago
kelalakakelalaka
9,00832352
$endgroup$
The cold boot attack can be performed on any encryption scheme as long as the keys reside in memory. For full-disk encryption (FDE) with symmetric algorithms like AES, you will need to take the key out from the TPM, where you will be susceptible to a cold boot attack.
Though the TPM is capable of RSA encryption and decryption, for FDE RSA has problems, in short the speed:
- RSA must use the OAEP scheme to be secure which reduces the message size.
- To speed up public key encryption the public key is selected as 3, 5, ... However, the decryption to access one block will be much slower even if you use CRT to gain 4x speed.
- Even though the TPM can perform RSA encryption on the chip, it will be much slower for Full Disk Encryption (FDE).
Therefore, TPM-based FDEs use TPM for key storage.
answered 2 days ago
kelalakakelalaka
9,00832352
answered 2 days ago
kelalakakelalaka
9,00832352
answered 2 days ago
kelalakakelalaka
9,00832352
answered 2 days ago
kelalakakelalaka
9,00832352
9,00832352
$begingroup$
This is the correct answer, and the only one which does not perpetuate the myth that a TPM device itself performs disk encryption or that it somehow mitigates cold boot attacks.
$endgroup$
– forest
19 hours ago
add a comment |
$begingroup$
This is the correct answer, and the only one which does not perpetuate the myth that a TPM device itself performs disk encryption or that it somehow mitigates cold boot attacks.
$endgroup$
– forest
19 hours ago
$begingroup$
This is the correct answer, and the only one which does not perpetuate the myth that a TPM device itself performs disk encryption or that it somehow mitigates cold boot attacks.
$endgroup$
– forest
19 hours ago
$begingroup$
This is the correct answer, and the only one which does not perpetuate the myth that a TPM device itself performs disk encryption or that it somehow mitigates cold boot attacks.
$endgroup$
– forest
19 hours ago
add a comment |
$begingroup$
TPMs do not perform the actual encryption used for full disk encryption. All they do is encrypt the key while the system is powered off or in a suspended state. The key is decrypted and passed once to the operating system over the LPC bus, which then keeps it in memory while encryption is performed. The reason a TPM would be a poor choice for securely accelerating full disk encryption is threefold:
The TPM communicates over the extremely slow LPC bus (4 bit width at 33 MHz).
The TPM hardware is generally very slow, being designed for security, not speed.
TPMs are not general-purpose encryption coprocessors that take arbitrary keys.
If you really wanted to use it to perform the actual encryption in a way that would mitigate cold boot attacks, you would need to pass the plaintext (or ciphertext) from the disk to the TPM over the LPC bus to encrypt (or decrypt) it, then pass the ciphertext (or plaintext) back over the LPC bus to the computer. This process would be an extremely slow way to avoid cold boot attacks, and would likely be easy to bypass given the ability to tamper with signals on the LPC bus (the TPM would be a decryption oracle!).
Although you could in theory use RSA for bulk encryption, provided you used proper padding like PKCS#1v1.5 or OAEP, it would expand the message (ciphertext would be larger than plaintext), and it would be extremely slow and inefficient. Despite what some other answers have claimed, it would not be insecure when a proper padding scheme is used, but it would be a silly and inefficient use of RSA.
answered 18 hours ago
forestforest
5,16611744
$endgroup$
1
$begingroup$
I'd say that the frequent use of RSA with a static private key (for decryption) would probably be more susceptible to side channel attacks than AES. It would of course be dependent on the implementation specifics, but I'd rather put my cards on AES...
$endgroup$
– Maarten Bodewes♦
16 hours ago
$begingroup$
@MaartenBodewes Yes, with one of my half work, I could easily extract keys from OpenSSL. The library implementation, as you noted, really determines the attacks success ratio.
$endgroup$
– kelalaka
14 hours ago
$begingroup$
Not merely inefficient, but it would be difficult to make it resemble the block characteristics of the underlying device. Any ciphertext expansion, which is a necessary feature of any RSA-shoehorned encryption, would violate OS and application assumptions about atomic or linear writes, requiring another layer in the middle. Avoiding this requires qualitatively changing the premises, from sector-by-sector disk encryption (which is essentially transparent) to what is essentially a file system in its own right.
$endgroup$
– Squeamish Ossifrage
7 hours ago
$begingroup$
@SqueamishOssifrage Indeed. It could not be used as a drop-in replacement for a block cipher. Although the implementation would not be elegant in the slightest, it would be possible and could be made secure.
$endgroup$
– forest
7 hours ago
add a comment |
$begingroup$
TPMs do not perform the actual encryption used for full disk encryption. All they do is encrypt the key while the system is powered off or in a suspended state. The key is decrypted and passed once to the operating system over the LPC bus, which then keeps it in memory while encryption is performed. The reason a TPM would be a poor choice for securely accelerating full disk encryption is threefold:
The TPM communicates over the extremely slow LPC bus (4 bit width at 33 MHz).
The TPM hardware is generally very slow, being designed for security, not speed.
TPMs are not general-purpose encryption coprocessors that take arbitrary keys.
If you really wanted to use it to perform the actual encryption in a way that would mitigate cold boot attacks, you would need to pass the plaintext (or ciphertext) from the disk to the TPM over the LPC bus to encrypt (or decrypt) it, then pass the ciphertext (or plaintext) back over the LPC bus to the computer. This process would be an extremely slow way to avoid cold boot attacks, and would likely be easy to bypass given the ability to tamper with signals on the LPC bus (the TPM would be a decryption oracle!).
Although you could in theory use RSA for bulk encryption, provided you used proper padding like PKCS#1v1.5 or OAEP, it would expand the message (ciphertext would be larger than plaintext), and it would be extremely slow and inefficient. Despite what some other answers have claimed, it would not be insecure when a proper padding scheme is used, but it would be a silly and inefficient use of RSA.
answered 18 hours ago
forestforest
5,16611744
$endgroup$
1
$begingroup$
I'd say that the frequent use of RSA with a static private key (for decryption) would probably be more susceptible to side channel attacks than AES. It would of course be dependent on the implementation specifics, but I'd rather put my cards on AES...
$endgroup$
– Maarten Bodewes♦
16 hours ago
$begingroup$
@MaartenBodewes Yes, with one of my half work, I could easily extract keys from OpenSSL. The library implementation, as you noted, really determines the attacks success ratio.
$endgroup$
– kelalaka
14 hours ago
$begingroup$
Not merely inefficient, but it would be difficult to make it resemble the block characteristics of the underlying device. Any ciphertext expansion, which is a necessary feature of any RSA-shoehorned encryption, would violate OS and application assumptions about atomic or linear writes, requiring another layer in the middle. Avoiding this requires qualitatively changing the premises, from sector-by-sector disk encryption (which is essentially transparent) to what is essentially a file system in its own right.
$endgroup$
– Squeamish Ossifrage
7 hours ago
$begingroup$
@SqueamishOssifrage Indeed. It could not be used as a drop-in replacement for a block cipher. Although the implementation would not be elegant in the slightest, it would be possible and could be made secure.
$endgroup$
– forest
7 hours ago
add a comment |
$begingroup$
TPMs do not perform the actual encryption used for full disk encryption. All they do is encrypt the key while the system is powered off or in a suspended state. The key is decrypted and passed once to the operating system over the LPC bus, which then keeps it in memory while encryption is performed. The reason a TPM would be a poor choice for securely accelerating full disk encryption is threefold:
The TPM communicates over the extremely slow LPC bus (4 bit width at 33 MHz).
The TPM hardware is generally very slow, being designed for security, not speed.
TPMs are not general-purpose encryption coprocessors that take arbitrary keys.
If you really wanted to use it to perform the actual encryption in a way that would mitigate cold boot attacks, you would need to pass the plaintext (or ciphertext) from the disk to the TPM over the LPC bus to encrypt (or decrypt) it, then pass the ciphertext (or plaintext) back over the LPC bus to the computer. This process would be an extremely slow way to avoid cold boot attacks, and would likely be easy to bypass given the ability to tamper with signals on the LPC bus (the TPM would be a decryption oracle!).
Although you could in theory use RSA for bulk encryption, provided you used proper padding like PKCS#1v1.5 or OAEP, it would expand the message (ciphertext would be larger than plaintext), and it would be extremely slow and inefficient. Despite what some other answers have claimed, it would not be insecure when a proper padding scheme is used, but it would be a silly and inefficient use of RSA.
answered 18 hours ago
forestforest
5,16611744
$endgroup$
TPMs do not perform the actual encryption used for full disk encryption. All they do is encrypt the key while the system is powered off or in a suspended state. The key is decrypted and passed once to the operating system over the LPC bus, which then keeps it in memory while encryption is performed. The reason a TPM would be a poor choice for securely accelerating full disk encryption is threefold:
The TPM communicates over the extremely slow LPC bus (4 bit width at 33 MHz).
The TPM hardware is generally very slow, being designed for security, not speed.
TPMs are not general-purpose encryption coprocessors that take arbitrary keys.
If you really wanted to use it to perform the actual encryption in a way that would mitigate cold boot attacks, you would need to pass the plaintext (or ciphertext) from the disk to the TPM over the LPC bus to encrypt (or decrypt) it, then pass the ciphertext (or plaintext) back over the LPC bus to the computer. This process would be an extremely slow way to avoid cold boot attacks, and would likely be easy to bypass given the ability to tamper with signals on the LPC bus (the TPM would be a decryption oracle!).
Although you could in theory use RSA for bulk encryption, provided you used proper padding like PKCS#1v1.5 or OAEP, it would expand the message (ciphertext would be larger than plaintext), and it would be extremely slow and inefficient. Despite what some other answers have claimed, it would not be insecure when a proper padding scheme is used, but it would be a silly and inefficient use of RSA.
answered 18 hours ago
forestforest
5,16611744
answered 18 hours ago
forestforest
5,16611744
answered 18 hours ago
forestforest
5,16611744
answered 18 hours ago
forestforest
5,16611744
5,16611744
1
$begingroup$
I'd say that the frequent use of RSA with a static private key (for decryption) would probably be more susceptible to side channel attacks than AES. It would of course be dependent on the implementation specifics, but I'd rather put my cards on AES...
$endgroup$
– Maarten Bodewes♦
16 hours ago
$begingroup$
@MaartenBodewes Yes, with one of my half work, I could easily extract keys from OpenSSL. The library implementation, as you noted, really determines the attacks success ratio.
$endgroup$
– kelalaka
14 hours ago
$begingroup$
Not merely inefficient, but it would be difficult to make it resemble the block characteristics of the underlying device. Any ciphertext expansion, which is a necessary feature of any RSA-shoehorned encryption, would violate OS and application assumptions about atomic or linear writes, requiring another layer in the middle. Avoiding this requires qualitatively changing the premises, from sector-by-sector disk encryption (which is essentially transparent) to what is essentially a file system in its own right.
$endgroup$
– Squeamish Ossifrage
7 hours ago
$begingroup$
@SqueamishOssifrage Indeed. It could not be used as a drop-in replacement for a block cipher. Although the implementation would not be elegant in the slightest, it would be possible and could be made secure.
$endgroup$
– forest
7 hours ago
add a comment |
1
$begingroup$
I'd say that the frequent use of RSA with a static private key (for decryption) would probably be more susceptible to side channel attacks than AES. It would of course be dependent on the implementation specifics, but I'd rather put my cards on AES...
$endgroup$
– Maarten Bodewes♦
16 hours ago
$begingroup$
@MaartenBodewes Yes, with one of my half work, I could easily extract keys from OpenSSL. The library implementation, as you noted, really determines the attacks success ratio.
$endgroup$
– kelalaka
14 hours ago
$begingroup$
Not merely inefficient, but it would be difficult to make it resemble the block characteristics of the underlying device. Any ciphertext expansion, which is a necessary feature of any RSA-shoehorned encryption, would violate OS and application assumptions about atomic or linear writes, requiring another layer in the middle. Avoiding this requires qualitatively changing the premises, from sector-by-sector disk encryption (which is essentially transparent) to what is essentially a file system in its own right.
$endgroup$
– Squeamish Ossifrage
7 hours ago
$begingroup$
@SqueamishOssifrage Indeed. It could not be used as a drop-in replacement for a block cipher. Although the implementation would not be elegant in the slightest, it would be possible and could be made secure.
$endgroup$
– forest
7 hours ago
1
1
$begingroup$
I'd say that the frequent use of RSA with a static private key (for decryption) would probably be more susceptible to side channel attacks than AES. It would of course be dependent on the implementation specifics, but I'd rather put my cards on AES...
$endgroup$
– Maarten Bodewes♦
16 hours ago
$begingroup$
I'd say that the frequent use of RSA with a static private key (for decryption) would probably be more susceptible to side channel attacks than AES. It would of course be dependent on the implementation specifics, but I'd rather put my cards on AES...
$endgroup$
– Maarten Bodewes♦
16 hours ago
$begingroup$
@MaartenBodewes Yes, with one of my half work, I could easily extract keys from OpenSSL. The library implementation, as you noted, really determines the attacks success ratio.
$endgroup$
– kelalaka
14 hours ago
$begingroup$
@MaartenBodewes Yes, with one of my half work, I could easily extract keys from OpenSSL. The library implementation, as you noted, really determines the attacks success ratio.
$endgroup$
– kelalaka
14 hours ago
$begingroup$
Not merely inefficient, but it would be difficult to make it resemble the block characteristics of the underlying device. Any ciphertext expansion, which is a necessary feature of any RSA-shoehorned encryption, would violate OS and application assumptions about atomic or linear writes, requiring another layer in the middle. Avoiding this requires qualitatively changing the premises, from sector-by-sector disk encryption (which is essentially transparent) to what is essentially a file system in its own right.
$endgroup$
– Squeamish Ossifrage
7 hours ago
$begingroup$
Not merely inefficient, but it would be difficult to make it resemble the block characteristics of the underlying device. Any ciphertext expansion, which is a necessary feature of any RSA-shoehorned encryption, would violate OS and application assumptions about atomic or linear writes, requiring another layer in the middle. Avoiding this requires qualitatively changing the premises, from sector-by-sector disk encryption (which is essentially transparent) to what is essentially a file system in its own right.
$endgroup$
– Squeamish Ossifrage
7 hours ago
$begingroup$
@SqueamishOssifrage Indeed. It could not be used as a drop-in replacement for a block cipher. Although the implementation would not be elegant in the slightest, it would be possible and could be made secure.
$endgroup$
– forest
7 hours ago
$begingroup$
@SqueamishOssifrage Indeed. It could not be used as a drop-in replacement for a block cipher. Although the implementation would not be elegant in the slightest, it would be possible and could be made secure.
$endgroup$
– forest
7 hours ago
add a comment |
Thanks for contributing an answer to Cryptography Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
Use MathJax to format equations. MathJax reference.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f68988%2fwhy-does-bitlocker-not-use-rsa%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
17
$begingroup$
How would using asymmetric encryption even help? Unless you never intend to write any data to the disk, you would need to have both sides of the key in memory in order to use the disk anyway. (I suppose there are special cases where you'd want a disk anyone can read but with strong authentication of its content -- but even there encrypting each block separately with an asymmetric primitive would not be the solution of choice).
$endgroup$
– Henning Makholm
2 days ago
1
$begingroup$
BTW, you might be interested to know that there are ways to mitigate cold boot attacks against FDE, such as TRESOR or using a new CPU with TME (Total Memory Encryption). Neither of those require a TPM.
$endgroup$
– forest
17 hours ago
$begingroup$
@forest, there is an attack on TRESOR, TRESOR Hunt
$endgroup$
– kelalaka
16 hours ago
1
$begingroup$
@kelalaka I've always found that paper a bit silly. It's a DMA attack, which naturally needs to be mitigated separately (with a properly-configured IOMMU). It isn't specific to TRESOR at all. It's no more an "attack on TRESOR" than using JTAG to debug the CPU and extract the keys is an "attack on TRESOR". Same with attaching a logic probe to the DRAM modules and triggering an NMI and reading the registers as they are pushed to the stack. Or a browser 0day combined with a kernel exploit to read the keys. Anyway, just boot with
intel_iommu=onand you should be safe from that particular attack.$endgroup$
– forest
16 hours ago