What's the status of deniability in ZFS crypto?

1. not feasible
2. feasible but no plans to implement
3. will be implemented after initial crypto support
4. planned for initial release

The draft proposal mentions secure deletion, but deniability is required to make key destruction as good as data destruction (and even then only assuming cipher integrity and ideal implementation). The concept of partial pool availability is related as well. While undeniable encrypted filesystems should be supported and probably should be the default, deniable filesystems would have to be handled differently. ZFS must have no knowledge of them, and their space should be overwritten unless they're keyed (hence why this would be an undesirable default).

-- This message posted from opensolaris.org
On Mon, 2006-02-27 at 16:26, Jake Maciejewski wrote:
> What's the status of deniability in ZFS crypto?

So we start off on the right foot, what's your definition of "deniable"? (in the protocol space I've seen too many arguments about the meaning of "forward secrecy" ...)

- Bill
A deniable filesystem would ideally be indistinguishable from empty space unless the key is provided. I say ideally because some past encryption techniques (Linux cryptoloop for example) have been vulnerable to watermark attacks. To some extent suspicion would then be proportional to unaccounted-for space, but neither the key holder nor the attacker should be able to prove or disprove the presence of a deniable filesystem.

I forgot to mention my previous thread on the subject from late December on the ZFS list. See http://www.opensolaris.org/jive/thread.jspa?messageID=18408 to quote myself:

"Under the system I'd like to see implemented, you'd reveal data depending on who you encounter. If you're worried about an overbearing government and competitors out to steal trade secrets, you could trust both with your latest SchilliX ISOs and additionally give the competing company's thugs your subversive literature and the government agents your trade secrets, in each case having an excuse for using a plausibly deniable system."
On Mon, 2006-02-27 at 18:19, Jake Maciejewski wrote:
> A deniable filesystem would ideally be indistinguishable from empty space
> unless the key is provided.

What do you mean by "empty"? The few times I've looked at fresh-from-the-factory disks, their contents were anything but random. Do you mean to say "indistinguishable from random bits unless you can guess the key"?

- Bill
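To make Bill's objection concrete, here is an added illustration that is not part of the thread: a per-block byte-entropy scan over a constructed disk image, first with a hidden volume's ciphertext sitting in factory-state free space (zeros and a vendor fill pattern), then in free space that was overwritten with random data. The 4 KiB block size and the SHA-256 counter stream that stands in for both ciphertext and random fill are assumptions for the example; no real cipher or device is involved.

```python
import hashlib
import math
from collections import Counter

BLOCK = 4096  # assumed block size for the scan


def shannon_entropy(block: bytes) -> float:
    """Bits per byte (0.0 .. 8.0) of the empirical byte distribution."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())


def classify(block: bytes, threshold: float = 7.9) -> str:
    """'empty' for an all-zero block, 'random' when the byte distribution is
    flat enough to pass for ciphertext, otherwise 'structured'."""
    if not any(block):
        return "empty"
    return "random" if shannon_entropy(block) >= threshold else "structured"


def scan(image: bytes, block_size: int = BLOCK) -> dict:
    """Count block classes over a raw image. A deniable layout should show
    nothing but 'random', since ciphertext and random fill look alike here."""
    counts = Counter(classify(image[o:o + block_size])
                     for o in range(0, len(image), block_size))
    return dict(counts)


def pseudo_random_block(seed: bytes, size: int = BLOCK) -> bytes:
    """Deterministic random-looking bytes from a SHA-256 counter stream. This
    is a stand-in for ciphertext and for random free-space fill, not a cipher."""
    out = b"".join(hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
                   for i in range(size // 32))
    return out[:size]


# Constructed sample images (not real disks): three zero blocks plus one
# vendor-pattern block, versus three blocks of random fill.
FACTORY_FREE_SPACE = bytes(BLOCK) * 3 + b"\xde\xad\xbe\xef" * (BLOCK // 4)
RANDOM_FILL = pseudo_random_block(b"free-space-fill", 3 * BLOCK)
CIPHERTEXT = pseudo_random_block(b"hidden-volume")


def compare_layouts() -> dict:
    """The same ciphertext block hidden in each kind of free space."""
    return {
        "factory": scan(FACTORY_FREE_SPACE + CIPHERTEXT),
        "randomised": scan(RANDOM_FILL + CIPHERTEXT),
    }


if __name__ == "__main__":
    for name, summary in compare_layouts().items():
        print(f"{name}: {summary}")
```

In the factory layout the single 'random' block stands out against the zero and pattern blocks, which is exactly the "unaccounted-for space" suspicion the thread describes; in the randomised layout the scan cannot tell the ciphertext block from the fill.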