Our work allows any forensic investigator to use arbitrary tools to decrypt any data from a FileVault 2 encrypted volume, when the user password
or a recovery token of the system are known.
Wow, that's impressive! They can read the disk if they know the password.
Also, isn't this really old news? Some of the issues in the article have been patched by Apple. This article also shows why you need a strong password.
--
Thanks,
Allan Marcus
505-667-5666
email@hidden
Abstract
With the launch of Mac OS X 10.7 (Lion), Apple has introduced a volume
encryption mechanism known as FileVault 2. Apple only disclosed
marketing aspects of the closed-source software, e.g. its use of the
AES-XTS tweakable encryption, but a publicly available security
evaluation and detailed description was unavailable until now.
We have performed an extensive analysis of FileVault 2 and we have
been able to find all the algorithms and parameters needed to
successfully read an encrypted volume. This allows us to perform
forensic investigations on encrypted volumes using our own tools.
In this paper we present the architecture of FileVault 2, giving
details of the key derivation, encryption process and metadata
structures needed to perform the volume decryption. Besides the
analysis of the system, we have also built a library that can mount a
volume encrypted with FileVault 2. As a contribution to the research
and forensic communities we have made this library open source.
Additionally, we present an informal security evaluation of the
system and comment on some of the design and implementation features.
Among others we analyze the random number generator used to create the
recovery password. We have also analyzed the entropy of each 512-byte
block in the encrypted volume and discovered that part of the user
data was left unencrypted.
...