Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!sol.ctr.columbia.edu!emory!wa4mei!nanovx!msa3b!kevin
From: kevin@msa3b.UUCP (Kevin P. Kleinfelter)
Newsgroups: comp.sys.ibm.pc.misc
Subject: Re: Encrypting Disk Device Driver
Message-ID: <1648@msa3b.UUCP>
Date: 17 May 91 17:06:11 GMT
References: <1991May15.173908.12999@unlv.edu> <1991May16.153457.9749@cbnewsc.att.com>
Organization: Dun and Bradstreet Software, Inc., Atlanta, GA
Lines: 39

tjr@cbnewsc.att.com (thomas.j.roberts) writes:

>From article <1991May15.173908.12999@unlv.edu>, by grover@dawkins.cs.unlv.edu (Kevin Grover):
>> In article <1642@msa3b.UUCP>, kevin@msa3b.UUCP (Kevin P. Kleinfelter) writes:
>> ) 
>> ) Scenario:I've got lots of stuff on a disk I'd like to keep CONFIDENTIAL.
>> )          I'd like to make sure that NO ONE but I can get to the data on the
>> )          entire disk.
>> ) 
>> ) Proposal:I'd like a device driver, which manages the hard disk, and
>> )          encrypts all data written to the disk.  I'd like the
>> )          device driver to prompt me to enter the encryption key when
>> )          the system boots.
>>

>This sounds like false security to me. Note - I have not evaluated this
>product. There is, however, a "theorem" in security that states that
>there can be no secure computer system without some physical security.
>	This is a "theorem" in that I am not sure it can be rigorously
>	proven, but I am sure it is true to a high degree of confidence.
>From the above description, I suspect that there is no physical security,
>and hence no real security. In particular, an attacker could install
>a Trojan Horse on the boot disk to save all keystrokes; later the
>attacker reads back the keystrokes and searches for the password

What I am more concerned about is seizure of the computer at a later date.
For instance, a newspaper reporter might want to record his sources, and
yet not reveal them to the government; he'd like to know that even if the
government steals ("seizes") his PC, they won't be able to read it.  I don't
think that he has to worry about Trojans before he gets into trouble, he just
has to worry about someone getting to the data after he already knows he is
in trouble.  Locking up the diskettes does NOT accomplish the desired security,
because if the location is known, the government is going to get them.
The reporter can just "forget" the password.
-- 
Kevin Kleinfelter @ DBS, Inc (404) 239-2347   ...gatech!nanoVX!msa3b!kevin
English Lesson: THEY'RE at THEIR home, over THERE. YOU'RE sure of YOUR facts?
"Its" & "their" are like 'his'. "They're" == "they are." "It's" == "it is."
If you can do regular expressions, you can handle a natural language. Syntax!