My goal here is to attempt to describe the technical details of the situation. I’ll discuss my personal position (I favor Apple) on my other blog, and add a link here.
Let me be clear at the outset. I do not have any inside information on this. What I know comes from public news reports. I have been attempting to understand the issues based on that. It is entirely possible that I have some of the details wrong.
This is about an iPhone used by the San Bernardino terrorists. The FBI wants access to that iPhone to help in their investigation. It is entirely reasonable for the FBI to want access.
When support for legacy grub (or grub1) was dropped for opensuse 13.2, one of the reasons was to make it easier to support encryption without a separate unencrypted “/boot” partition. Recent releases of grub2 have some support for accessing encrypted file systems, so it was mostly a matter of adding support to the installer.
I decided to test how that works. So I did a test install of opensuse 13.2 into an encrypted LVM, without a separate “/boot”. The Yast installer was happy with that. It did not complain that there was no “/boot”. So I continued through the full install.
There were no install errors reported. But it didn’t work. Instead, while booting, I got a grub shell. And the grub shell did not offer any commands related to crypto.
After updating my Tumbleweed system last week, I noticed that something had changed with “gpg”. Or, more explicitly, “gpg” was not working at all. This was immediately noticeable, because I had configured “kdewallet” to use “gpg” for encryption.
Okay, that’s a bug. It will presumably be fixed before opensuse 13.3 is released. For now, I had to find out what was up and how to work around the problem.
The specific Tumbleweed change was an update of gpg from version 2.1.0 to 2.1.1. The major change was already there in 2.1.0, but I had not noticed it because everything that I was doing still worked. The 2.1.1 update broke that.
The specific change was to remove support for old pgp2 keys. These are the type of key introduced with pgp2 in the early 1990s. They use RSA (for the public key encryption) and the md5 digest algorithm for hashing. These days, the md5 hash is considered too weak.
The TrueCrypt home page now says:
The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP.
The page now offers advice that Windows users should switch to BitLocker, and gives advice on how to do that.
If you are a linux user, the best choice would be to use LUKS encryption.
There are rumors floating around as to what is behind this. But maybe the developers are just deciding that the original need for TrueCrypt has passed, now that most recent systems have their own way of handling encrypted disks.
Personally, I chose LUKS for encryption on linux. So the apparent end of TrueCrypt does not affect me.
According to an announcement that I saw today, it is now possible to use “cryptsetup” with “truecrypt” volumes.
The announcement was on the lizards mailing list, and also showed up in opensuse forums.
I have not tested this. The “man” pages for “cryptsetup” do explain how to use it to access a truecrypt volume. There is currently no support for creating a “truecrypt” volume with “cryptsetup”.
The other way of using “TrueCrypt” is to install “realcrypt” from the packman repos (also not tested).
There’s what seems to be a pretty good explanation of Bitcoin, and how it works, here (h/t Bruce Schneier). It goes into detail on the use of crypto (mostly digital signatures), and on other techniques intended to avoid cheating.
For myself, I am not currently using Bitcoin. I’ll wait to see how use of it settles down before I decide whether to join in.
What is interesting is the way that it uses crypto, and the way that it manages distributed control so that there is no central bank. This latter aspect is what has some governments concerned, for they do not like the idea of a banking system that they cannot regulate.
In case you have been wondering what ECC is, here’s a pretty good overview:
h/t Bruce Schneier
A little background
Most encryption that we use is symmetric encryption, with algorithms such as AES. It is called “symmetric encryption” because the same key is used for both encryption and decryption. And that requires that both sender and receiver share a common encryption key.
The big problem with symmetric encryption is the key exchange needed for that shared encryption/decryption key. If somebody can spy on the key exchange, then the encrypted session is compromised. That’s where public key encryption comes in. With public key encryption, there is no shared key. There is a pair of keys, one made public and the other kept secret.
Elliptic Curve Cryptography, along with RSA and Diffie-Hellman, is a public key method. These methods are typically used to exchange symmetric encryption keys.
Bruce Schneier has a new blog post:
It’s about a new research paper on the weaknesses of random number generators such as the one used for “/dev/random” and “/dev/urandom” in linux. Check Schneier’s post for the abstract of the paper, and a link to the full paper.
Thus far, I have only skimmed the paper, so I won’t be explaining it here. But I shall use this post to explain why it is important.
The main use of random numbers is in cryptography.
This is a bit different from what I usually post here. But I do post about cryptography.
A report at The Guardian describes what appears to be an attempt by the NSA to suppress speech about cryptography. Worse still, a university cooperated in the suppression of speech, at least until a fuss was made about it.
Please read the full Guardian article.
h/t Brian Leiter
A quick note to opensuse users about ecryptfs. A recent patch to 12.3 caused ecryptfs to stop working. The patch messed up the pam configuration.
If you experience this, then after login you can use
to mount your Private directory. That’s a temporary fix for one session. If you use ecryptfs for your home directory, that might not solve your problem.
For a more permanent fix, login as root, and run
# pam-config -a --ecryptfs
which will fix the pam configuration.
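To confirm whether the pam configuration is the problem, before or after running the fix, the following check reports which shared PAM stacks lack an active pam_ecryptfs.so line. It is an added example, not part of the original post; the function name is hypothetical, and the file names common-auth, common-session and common-password are assumed to be the shared stacks under /etc/pam.d.

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumption: the shared PAM stacks are <dir>/common-auth, common-session
# and common-password (the usual layout under /etc/pam.d).

# Print the stacks that have no active pam_ecryptfs.so line.
# Returns 0 when all three stacks reference the module, 1 otherwise.
missing_ecryptfs_stacks() {
    dir=${1:-/etc/pam.d}
    missing=""
    for stack in auth session password; do
        file="$dir/common-$stack"
        # Commented-out lines do not count: the line must start with the
        # module type (a leading "-" is allowed by PAM syntax).
        # An unreadable or absent file counts as missing.
        if ! grep -Eq "^[[:space:]]*-?${stack}[[:space:]].*pam_ecryptfs\.so" \
                "$file" 2>/dev/null; then
            missing="$missing $stack"
        fi
    done
    echo "${missing# }"
    [ -z "$missing" ]
}

# Constructed sample: a damaged configuration where only "session" survived
# and the "password" entry has been commented out.
demo=$(mktemp -d)
printf 'auth required pam_unix.so try_first_pass\n' > "$demo/common-auth"
printf 'session optional pam_ecryptfs.so unwrap\n' > "$demo/common-session"
printf '#password optional pam_ecryptfs.so\n' > "$demo/common-password"
echo "stacks missing pam_ecryptfs: $(missing_ecryptfs_stacks "$demo")"
rm -rf "$demo"
```

Run with no argument, the function inspects /etc/pam.d on the live system.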