Re: [Fed-Talk] File Vault question
- Subject: Re: [Fed-Talk] File Vault question
- From: Shawn Geddis <email@hidden>
- Date: Tue, 26 Jul 2005 18:01:54 -0400
On Jul 26, 2005, at 4:07 PM, Michael Pike wrote:
I know that when you initially set up filevault it uses your
password for the encryption key. When I change my password and the
master password, does it re-key the encryption key so that the old
one would not be able to decrypt it, or is it just a password change?
Mike,
Your question makes sense; it is just a misunderstanding of the implementation.
* Enabling FileVault ...
  - Creates a System Managed Keychain "FileVaultMaster"
    + Private Key - "FileVault Master Password Key"
    + Root Certificate Authority - "FileVault Recovery Key"
  - Generates a random AES 128-bit Symmetric Key for the encrypted storage
  - "Wrap" Symmetric Key
    + "Wraps" that Symmetric key with Key generated from Login Password
    + "Wraps" that Symmetric key with FileVault Master Password Key
http://developer.apple.com/documentation/Security/Conceptual/Security_Overview/Security_Services/chapter_4_section_13.html
FileVault
When the user turns on FileVault (see Figure 3-5), Mac OS X uses
128-bit AES encryption to encrypt everything in the user’s home
folder. As long as the user is authenticated and logged in, the
system automatically unencrypts any file the user opens. However,
no other user can gain access to these files.
AES (Advanced Encryption Standard) is a symmetric-key algorithm
adopted by the National Institute of Standards and Technology
(NIST) as a standard for government and private use to protect
sensitive, nonclassified data. It enables very fast and highly
secure encryption and decryption of data. Because it is a symmetric-key
algorithm, keys are stored securely on the user’s computer.
Full documentation of the AES algorithm is available on the NIST
website at http://csrc.nist.gov/CryptoToolkit/aes/rijndael/.
When/if a user changes his/her account password, the user's wrapping
of the key is changed, but not the FileVault Master wrapping. They
are independent of each other, but the ultimate Symmetrical Key used
for encryption/decryption of the FileVault enabled Home Directory is
still the same.
-Shawn
___________________________________________
Shawn Geddis T (703) 264-5103
Security Consulting Engineer C (703) 623-9329
US Federal Government email@hidden
Apple Computer, Inc.
1892 Preston White Drive T (703) 264-5100
Reston, VA 20191
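The wrapping scheme Shawn describes, as an added model (not code from the post or from Apple's implementation): one random data key for the home folder is stored only in two independent wrappings, one under a KEK derived from the login password and one under a KEK derived from the master password, and a login-password change rewraps the same key without touching the master wrapping. The Python standard library has no AES, so the wrap itself is an HMAC-based encrypt-then-MAC stand-in; the salt, iteration count and passwords are constructed.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # constructed PBKDF2 cost, used for both derivations

def derive_kek(password: str, salt: bytes) -> bytes:
    """Key-encryption key from a login or master password via PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def wrap(kek: bytes, dek: bytes) -> bytes:
    """Wrap the 16-byte DEK under a KEK. Stand-in for the AES-based wrap on the
    page: HMAC-derived one-time keystream plus an HMAC tag (encrypt-then-MAC).
    Blob layout: nonce(16) | ciphertext | tag(32)."""
    nonce = os.urandom(16)
    stream = hmac.new(kek, b"enc" + nonce, "sha256").digest()[: len(dek)]
    ct = bytes(a ^ b for a, b in zip(dek, stream))
    tag = hmac.new(kek, b"mac" + nonce + ct, "sha256").digest()
    return nonce + ct + tag

def unwrap(kek: bytes, blob: bytes) -> bytes:
    """Inverse of wrap; raises ValueError if the KEK is wrong or the blob was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(kek, b"mac" + nonce + ct, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or corrupted wrapped key")
    stream = hmac.new(kek, b"enc" + nonce, "sha256").digest()[: len(ct)]
    return bytes(a ^ b for a, b in zip(ct, stream))

class FileVaultModel:
    """Random DEK for the home folder, kept only as two independent wrappings."""

    def __init__(self, login_pw: str, master_pw: str) -> None:
        self.salt = os.urandom(16)
        dek = os.urandom(16)  # the random 128-bit symmetric key from the post
        self.user_wrap = wrap(derive_kek(login_pw, self.salt), dek)
        self.master_wrap = wrap(derive_kek(master_pw, self.salt), dek)

    def change_login_password(self, old_pw: str, new_pw: str) -> None:
        """Rewrap the same DEK under the new login KEK; master wrapping untouched."""
        dek = unwrap(derive_kek(old_pw, self.salt), self.user_wrap)
        self.user_wrap = wrap(derive_kek(new_pw, self.salt), dek)

    def open_with_login(self, pw: str) -> bytes:
        return unwrap(derive_kek(pw, self.salt), self.user_wrap)

    def open_with_master(self, pw: str) -> bytes:
        return unwrap(derive_kek(pw, self.salt), self.master_wrap)
```

After a password change the old login password no longer unwraps anything, while the master password still recovers the unchanged DEK, which is the behaviour Shawn's reply describes.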