[cryptography] secure deletion on SSDs (Re: Asynchronous forward secrecy encryption)
iang at iang.org
Tue Sep 24 05:23:57 EDT 2013
On 24/09/13 11:36 AM, Michael Rogers wrote:
> On 24/09/13 00:18, Adam Back wrote:
>> On Mon, Sep 23, 2013 at 01:39:35PM +0100, Michael Rogers wrote:
>>> Apple came within a whisker of solving the problem in iOS by
>>> creating an 'effaceable storage' area within the flash storage,
>>> which bypasses block remapping and can be deleted securely.
>>> However, iOS only uses the effaceable storage for resetting the
>>> entire device (by deleting the key that encrypts the user's
>>> filesystem), not for securely deleting individual files.
>> Hmm well that's interesting, no? With the ability to securely
>> delete a single key you can probably use that to selectively delete
>> files with an appropriate key management structure. E.g. without
>> optimizing that, you could have a table of per file keys, encrypted
>> with the master key. To delete a given file you'd re-encrypt
>> everything in the file table to a new key, except the deleted file,
>> and delete, then overwrite this "effaceable storage" area.
> Yes, absolutely, that's what makes it so frustrating - they already
> have per-file encryption keys with user-selectable key management
> policies and a hierarchy of keybags - adding a policy for efficient
> secure deletion would be a small amount of work. But it's work that
> would have to be done by Apple, not in userland.
Right. Reading this, as posted by Michael Rogers:
Android's offering is a mess. Here's the clue:
"Instead of introducing yet another Android-specific API, key store
access is exposed via standard JCE APIs, namely KeyGenerator and KeyStore."
Plonk. A mess of corporate/proprietary accesses that aren't guaranteed
compatible nor reliable nor secure across platforms/releases, and
provide only a bare minimum idea some long-dead designer seemed keen on.
Ug, it's back to the 1990s, when every BigCorp imagines they can
create the secure platform for everyone else's corporate lemmings.
I don't expect Apple to be able to solve this mess, as they are also
subject to competing interests within (cf 'effaceable storage' only for
their own purposes). They'll likely do a much better job than Android
because they are vertically integrated and care more, but that doesn't
mean they can solve it.
I feel like we're on our own. Which means that notions like Shamir
Secret Sharing have more credence than I'd like; I'd ordinarily run a
mile from such exotica.
On 23/09/13 15:39 PM, Michael Rogers wrote:
> On 23/09/13 05:12, Dev Random wrote:
>> So, I submit that PFS in [ed: STUFF] is impossible without help
>> from some kind of ephemeral, yet persistent storage. A possible
>> solution might be to store a portion of the key material (through
>> Shamir's secret sharing) on servers that you partially trust.
> Sounds like a great idea, especially in combination with a panic
> button or dead man's switch feature that alerts the servers to delete
> their shares.
Yes, enticing thoughts!
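The per-file key table that Adam Back sketches above, worked through as an added example (this is not code from the thread, iOS, or any shipping product). It assumes a simulated remapped flash in which every write leaves the old block readable, a single "effaceable" slot that can really be overwritten, and a toy authenticated stream cipher built from HMAC-SHA256 standing in for whatever AES mode a real file-encryption layer would use. The forensic `recover` function plays the adversary who images the whole flash: it shows that a naive overwrite leaves the file readable, that rotating the master key after dropping the file's entry makes it unrecoverable while other files stay readable, and that the whole scheme collapses if the "effaceable" slot quietly retains old master keys. The cipher, class and function names are all assumptions of this example.

```python
import hashlib
import hmac
import json
import os

def _xor(key, nonce, data):
    # Toy stream cipher: HMAC-SHA256 in counter mode, a stand-in for the AES mode a
    # real file-encryption layer would use. Only the key management is the point.
    out = bytearray()
    for ctr in range(0, len(data), 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, out))

def encrypt(key, plaintext):
    enc, mac = hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()
    nonce = os.urandom(16)
    ct = _xor(enc, nonce, plaintext)
    return nonce + ct + hmac.new(mac, nonce + ct, hashlib.sha256).digest()

def decrypt(key, blob):
    # Returns None for a wrong key or a blob that was never ours, so a forensic
    # pass can tell a genuine hit from garbage.
    enc, mac = hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()
    if len(blob) < 48:
        return None
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac, nonce + ct, hashlib.sha256).digest()):
        return None
    return _xor(enc, nonce, ct)

class Flash:
    """Remapped flash: every write lands in a fresh block and old blocks stay readable."""
    def __init__(self):
        self.blocks = {}          # logical name -> every version ever written
    def write(self, name, data):
        self.blocks.setdefault(name, []).append(data)
    def copies(self, name):
        return list(self.blocks.get(name, []))

class EffaceableSlot:
    """A slot that really is overwritten in place. `history` models a slot that
    quietly keeps old values, i.e. one that is not actually effaceable."""
    def __init__(self):
        self.current, self.history = None, []
    def write(self, value):
        self.current = value
        self.history.append(value)

class Device:
    TABLE = "keytable"            # flash name of the encrypted per-file key table
    def __init__(self):
        self.flash, self.slot, self.table = Flash(), EffaceableSlot(), {}
        self._rotate_master()
    def _rotate_master(self):
        # The table under the new master must reach flash before the old master is
        # destroyed, or a crash in between loses every remaining file.
        self.master = os.urandom(32)
        self._save_table()
        self.slot.write(self.master)
    def _save_table(self):
        serial = json.dumps({fid: k.hex() for fid, k in self.table.items()}).encode()
        self.flash.write(self.TABLE, encrypt(self.master, serial))
    def store(self, fid, plaintext):
        fkey = os.urandom(32)
        self.table[fid] = fkey
        self.flash.write(fid, encrypt(fkey, plaintext))
        self._save_table()
    def naive_delete(self, fid):
        # "Overwrite the file" as a filesystem would; on remapped flash this is just
        # one more copy, and the key for the old copy is still in the table.
        self.flash.write(fid, b"\x00" * 64)
    def secure_delete(self, fid):
        # Adam Back's scheme: drop the entry, re-encrypt the table under a fresh
        # master, then overwrite the effaceable area with that master.
        del self.table[fid]
        self._rotate_master()

def recover(flash, candidate_masters, fid):
    """Imaging adversary: every block ever written plus the listed master keys."""
    file_keys = set()
    for master in candidate_masters:
        for blob in flash.copies(Device.TABLE):
            serial = decrypt(master, blob)
            entries = json.loads(serial) if serial is not None else {}
            if fid in entries:
                file_keys.add(bytes.fromhex(entries[fid]))
    for key in file_keys:
        for blob in flash.copies(fid):
            plaintext = decrypt(key, blob)
            if plaintext is not None:
                return plaintext
    return None

def demo():
    # Constructed scenario: two files, a naive delete, then a secure delete.
    dev = Device()
    dev.store("diary", b"meeting at the usual place")
    dev.store("notes", b"grocery list")
    dev.naive_delete("diary")
    after_naive = recover(dev.flash, [dev.slot.current], "diary")   # still readable
    dev.secure_delete("diary")
    after_secure = recover(dev.flash, [dev.slot.current], "diary")  # None
    other_file = recover(dev.flash, [dev.slot.current], "notes")    # unaffected
    leaky_slot = recover(dev.flash, dev.slot.history, "diary")      # readable again
    return after_naive, after_secure, other_file, leaky_slot
```

Two things the simulation makes visible that the prose glosses over: the order of operations in `_rotate_master` (the re-encrypted table must be durable before the old master is overwritten, otherwise a crash strands every remaining file), and the `leaky_slot` case, which is exactly the property the thread is worried about. Whether a given device's "effaceable" area truly erases is something to verify, not assume, since the entire scheme rests on it.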
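The Shamir arrangement that Dev Random proposes and Michael Rogers extends with a panic button, as an added example that is not from the thread. It assumes a (4, 5) split chosen for this illustration: the device keeps two shares on flash it cannot erase, three partially trusted servers hold one each, so the device needs any two servers to rebuild the key, no coalition of servers alone can, and once the servers have dropped their shares an image of the device's flash is worthless. The field prime, parameters, and the `ShareServer` protocol are assumptions of this example; share authentication and transport are out of scope.

```python
import os
import secrets

P = 2**521 - 1  # Mersenne prime M521: one field element comfortably holds a 256-bit key

def _lagrange_at_zero(points):
    # Interpolate the degree-(k-1) polynomial through `points` and evaluate at x = 0.
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total

def split(secret, k, n):
    """Shamir (k, n) split: shares {x: f(x)} for a random polynomial with f(0) = secret."""
    coeffs = [int.from_bytes(secret, "big")] + [secrets.randbelow(P) for _ in range(k - 1)]
    assert coeffs[0] < P
    def f(x):
        acc = 0
        for c in reversed(coeffs):
            acc = (acc * x + c) % P
        return acc
    return {x: f(x) for x in range(1, n + 1)}

def reconstruct(shares, k, length):
    """Returns the secret from any k shares, or None when fewer than k are available."""
    if len(shares) < k:
        return None
    return _lagrange_at_zero(list(shares.items())[:k]).to_bytes(length, "big")

class ShareServer:
    """A partially trusted server holding one share per key id (assumed protocol)."""
    def __init__(self):
        self.shares = {}
    def put(self, key_id, x, y):
        self.shares[key_id] = (x, y)
    def get(self, key_id):
        return self.shares.get(key_id)
    def panic(self):
        # Panic button / dead man's switch: the share is simply forgotten.
        self.shares.clear()

K, N = 4, 5           # threshold and share count, chosen for this example
DEVICE_XS = (1, 2)    # shares the device keeps on its non-erasable flash
SERVER_XS = (3, 4, 5) # one share per server

def provision(key, key_id, device_flash, servers):
    shares = split(key, K, N)
    device_flash[key_id] = {x: shares[x] for x in DEVICE_XS}
    for srv, x in zip(servers, SERVER_XS):
        srv.put(key_id, x, shares[x])

def recover_key(key_id, device_flash, servers, length=32):
    """What the device does at use time: its own shares plus whatever servers answer."""
    shares = dict(device_flash.get(key_id, {}))
    for srv in servers:
        share = srv.get(key_id)
        if share is not None:
            shares[share[0]] = share[1]
    return reconstruct(shares, K, length)

def demo():
    # Constructed scenario: one message key, three servers, then a panic.
    key = os.urandom(32)
    servers = [ShareServer() for _ in range(3)]
    device_flash = {}
    provision(key, "msg-key-1", device_flash, servers)
    normal = recover_key("msg-key-1", device_flash, servers) == key
    one_server_down = recover_key("msg-key-1", device_flash, servers[:2]) == key
    servers_colluding = recover_key("msg-key-1", {}, servers)      # no device shares
    for srv in servers:
        srv.panic()
    after_panic = recover_key("msg-key-1", device_flash, servers)  # imaged flash alone
    return normal, one_server_down, servers_colluding, after_panic
```

The parameters are the whole design decision: with the device holding `K - 2` shares and the servers `K - 1`, the device tolerates one server outage, and "partially trust" means trusting that not every server is both compromised and willing to collude, not trusting any one of them. The key itself exists only in RAM while in use; if the device caches it anywhere persistent, the servers' deletion buys nothing, which is the same caveat as the effaceable-storage case.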