Disk Encryption Security Flaws. Should you go Open Source?
It’s easy to find a cheap security product on the internet these days. One look at the many websites that peddle free downloads and ‘try now, buy later’ products and you’ll be presented with a myriad of options.
When it comes to your IT security, you should always choose the software that you believe will stop the biggest threat to your computer. When you’re on these download sites, take your time to weigh up the benefits and pitfalls of each product carefully. Cost is generally the first thing people consider. To a large extent you get what you pay for, but free open source products are getting better every few months.
Ideally you’d have an unlimited budget and you’d buy whatever did everything required; often open source software doesn’t quite cut the mustard. Evaluate every aspect of the product you have selected: what does it cover? Is technical support available? What about upgrades? Does the price increase after the first year? Is there really a big difference between the free version and the paid version?
Let’s look at disk encryption software. Can open source software provide a solid alternative to off the shelf products?
The first thing to consider is whether you would use any software that relies on a proprietary encryption algorithm. At the core of any product with cryptographic services is a cryptographic module. A proprietary, unpublished algorithm or module has usually not been tested and validated against established standards (published algorithms such as AES, and validation programmes such as FIPS 140), so you have no basis for the security level it claims. With an open source alternative the cryptographic module is not proprietary: it normally uses standard, published algorithms, and its code can be, and in widely used projects often has been, scrutinised by independent security experts.
If the software is poorly designed the product will prove insecure, placing your valuable information at risk of theft or damage. The major advantage many security experts cite for open source is that you can inspect the source code yourself to check that the encryption algorithms are implemented correctly, for example by running the module against the published test vectors for each algorithm it claims to implement.
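A concrete way to do that check is a known-answer test: feed the module inputs whose correct outputs are published in a standard and compare. The script below is an added example, not code from the original article or from any product it discusses. It uses the PBKDF2-HMAC-SHA1 vectors from RFC 6070 and the HMAC-SHA-256 vector from RFC 4231; `good_kdf` wraps Python's standard library, while `sloppy_kdf` is a constructed, hypothetical vendor KDF with a deliberate defect (it silently caps the iteration count), included only to show the test catching it.

```python
"""Added example: known-answer tests (KATs) against published vectors.

The vectors below come from RFC 6070 (PBKDF2-HMAC-SHA1) and RFC 4231
(HMAC-SHA-256). sloppy_kdf is a constructed stand-in for a buggy vendor
module; it is not any real product's code.
"""
import hashlib
import hmac

# RFC 6070: (password, salt, iterations, dkLen, expected hex output)
PBKDF2_VECTORS = [
    (b"password", b"salt", 1, 20, "0c60c80f961f0e71f3a9b524af6012062fe037a6"),
    (b"password", b"salt", 2, 20, "ea6c014dc72d6f8ccd1ed92ace1d41f0d8de8957"),
    (b"password", b"salt", 4096, 20, "4b007901b765489abead49d926f721d065a429c1"),
]

# RFC 4231 test case 2: (key, message, expected HMAC-SHA-256 hex)
HMAC_VECTOR = (
    b"Jefe",
    b"what do ya want for nothing?",
    "5bdcc146bf60754e6a042426089575c75a003f089d2739839dec58b964ec3843",
)


def good_kdf(password, salt, iterations, dklen):
    """Reference PBKDF2-HMAC-SHA1 from the Python standard library."""
    return hashlib.pbkdf2_hmac("sha1", password, salt, iterations, dklen)


def sloppy_kdf(password, salt, iterations, dklen):
    """Hypothetical vendor KDF (constructed for this example).

    The defect: the iteration count is silently capped at 1000, so the
    function looks correct for small counts and quietly weakens the
    key stretching for the counts a real product would use.
    """
    return hashlib.pbkdf2_hmac("sha1", password, salt, min(iterations, 1000), dklen)


def check_kdf(kdf):
    """Run every PBKDF2 vector through kdf.

    Returns a list of (iterations, got, expected) for each failing vector;
    an empty list means all known-answer tests passed.
    """
    failures = []
    for password, salt, iterations, dklen, expected in PBKDF2_VECTORS:
        got = kdf(password, salt, iterations, dklen).hex()
        if got != expected:
            failures.append((iterations, got, expected))
    return failures


def check_hmac():
    """True if the library's HMAC-SHA-256 matches the RFC 4231 vector."""
    key, message, expected = HMAC_VECTOR
    return hmac.new(key, message, hashlib.sha256).hexdigest() == expected


if __name__ == "__main__":
    print("HMAC-SHA-256 KAT:", "pass" if check_hmac() else "FAIL")
    print("stdlib PBKDF2 failures:", check_kdf(good_kdf))
    print("sloppy PBKDF2 failures:", check_kdf(sloppy_kdf))
```

The same pattern applies to a disk encryption product: take the cipher and mode it claims (for example AES in XTS mode), pull the published test vectors for that combination, and confirm the module reproduces them before trusting it with a volume. A module that passes its KATs can still be misused, but one that fails them is broken on day one.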
That said, a preference for open source over ‘off the shelf’ products is no reason to rest on your laurels. Even a sound open source cryptographic module that has been badly integrated (the wrong mode of operation, reused IVs, a weak key derivation from the passphrase, keys left behind in swap or hibernation files) can lead to a serious vulnerability with dire consequences for your data.
Nor should you assume that it is only the smaller open source developers that get into a mess. In May 2008, Debian disclosed a major security failure (CVE-2008-0166) in the OpenSSL random number generator shipped with its GNU/Linux operating system: a packaging change had left the process ID as the generator’s only source of entropy, so any OpenSSL key generated during the previous 20 months came from a space of only about 32,768 possibilities per key type and platform and could be guessed in a few hours.
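To see why a seed space that small is fatal, the following added example models the failure mode. It is not the OpenSSL or Debian code: the hypothetical `weak_key` generator derives its entire output from a PID in 1..32768, the `fingerprint` function stands in for whatever public identifier an attacker can observe (such as an SSH or TLS key fingerprint), and the attacker simply precomputes every key the generator can ever emit. `strong_key`, drawn from the OS CSPRNG, is shown beside it to make the contrast concrete.

```python
"""Added example: enumerating a PRNG whose only seed is the process ID.

A model of the 2008 Debian OpenSSL failure mode, not the real code.
weak_key is a constructed generator whose output depends only on a PID;
the attacker builds a table of every possible key and looks victims up.
"""
import hashlib
import os

MAX_PID = 32768  # classic Linux pid_max; the whole seed space of the model


def weak_key(pid, key_len=32):
    """Hypothetical generator: the PID is the only entropy (constructed)."""
    state = b"rng-state:" + pid.to_bytes(4, "big")
    return hashlib.sha256(state).digest()[:key_len]


def strong_key(key_len=32):
    """Key drawn from the OS CSPRNG: no enumerable seed space."""
    return os.urandom(key_len)


def fingerprint(key):
    """Public identifier an attacker can observe, derived from the key."""
    return hashlib.sha256(key).hexdigest()[:16]


def build_lookup_table():
    """Precompute fingerprint -> key for every seed the weak generator has.

    32768 hashes: a few milliseconds of work, done once by the attacker.
    """
    table = {}
    for pid in range(1, MAX_PID + 1):
        key = weak_key(pid)
        table[fingerprint(key)] = key
    return table


def recover_key(observed_fingerprint, table):
    """Return the private key behind an observed fingerprint, or None."""
    return table.get(observed_fingerprint)


if __name__ == "__main__":
    table = build_lookup_table()
    victim = weak_key(4242)  # a key some process with PID 4242 generated
    print("weak key recovered:", recover_key(fingerprint(victim), table) == victim)
    print("strong key recovered:", recover_key(fingerprint(strong_key()), table) is not None)
```

The real bug was worse than the model in one respect: the affected keys were long-lived SSH, TLS and OpenVPN keys, so every key generated on an affected system had to be found and replaced, and any session recorded while a weak key was in use could be decrypted after the fact.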