sSSSSs FFFFFFFFFF sSSSSs sSSSSSSs FFFFFFFFF sSSSSSSs sSs sS FF sSs sS SS FF SS sSs FF sSs sSSSSSSs FFFFFFF sSSSSSSs sSs FF sSs SS FF SS Ss Ss FF Ss Ss sSSSSSSs FF sSSSSSSs sSSSSs FF sSSSSs S e c u r e F i l e S y s t e m Version 1.20 Copyright Peter C.Gutmann 1993, 1994, 1995 "The right to privacy... is the most comprehensive of rights and the right most valued by civilized man" - Justice Louis Brandeis, US Supreme Court, 1928 Ever since Julius Caesar used the cipher which now bears his name to try to hide his military dispatches from prying eyes, people have been working on various means to keep their confidential information private. Over the years, the art of cryptography (that is, of scrambling information so only those in possession of the correct password can unscramble it) has progressed from simple pencil-and-paper systems to more sophisticated schemes involving complex electromechanical devices and eventually computers. The means of breaking these schemes has progressed on a similar level. Today, with the ever-increasing amount of information stored on computers, good cryptography is needed more than ever before. There are two main areas in which privacy protection of data is required: - Protection of bulk data stored on disk or tape. - Protection of messages sent to others. SFS is intended to solve the problem of protecting bulk data stored on disk. The protection of electronic messages is best solved by software packages such as PGP (available on sites the world over) or various implementations of PEM (currently available mainly in the US, although non-US versions are beginning to appear). SFS has the following features: - The current implementation runs as a standard DOS device driver, and therefore works with both plain MSDOS or DRDOS as well as other software such as Windows, QEMM, Share, disk cacheing software, Stacker, JAM, and so on. SFS has been used to encrypt disk volumes ranging from 360K floppy disks up to 2.1 GB SCSI drives without problems. - Up to five encrypted volumes can be accessed at any one time, chosen from a selection of as many volumes as there is storage for. - Volumes can be quickly unmounted with a user-defined hotkey, automatically unmounted after a certain amount of time, or unmounted under control of a smart card. They can also be converted back to unencrypted volumes or have their contents destroyed if required. - SFS volumes can be controlled using either DOS or Windows software, and are fully compatible with Windows 32-bit disk access. The Windows software has internationalization support and is available in English, German, and Italian. - The software contains various stealth features to minimise the possibility of other programs monitoring or altering its operation. - The encryption algorithms used have been selected to be free from any patent restrictions, and the software itself is not covered by US export restrictions as it was developed entirely outside the US (although once a copy is sent into the US it can't be re-exported). - SFS complies with a number of national and international data encryption standards, among them ANSI X3.106, ANSI X9.30 Part 2, Federal Information Processing Standard (FIPS) 180, Australian Standard 2805.5.2, ISO 10116:1991 and ISO 10126-2:1991, and is on nodding terms with several other relevant standards. - The documentation includes fairly in-depth analyses of various security aspects of the software, as well as complete design and programming details necessary to both create SFS-compatible software and to verify the algorithms used in SFS. - The encryption system provides reasonable performance. One tester has reported a throughput of 250 K/s for the basic version of SFS, and 260 K/s for the 486+ version on his 486 system, when copying a file with the DOS copy command from one location on an SFS volume to another. Throughput on a vanilla 386 system was reported at around 160 K/s. The resident portion requires around 7.5K of memory, and can be loaded high if desired. - Direct access to IDE and SCSI drives is available for better performance and for drives which aren't normally accessible to DOS (for (for example systems with more than 2 hard drives). SFS supports SCSI host adapters from Adaptec, Advanced Integration Research (AIR), Alpha Research, Always Technology, American Megatrends (AMI), BusLogic, Distributed Processing Technology, DTC, Future Domain, IBM, LinkSys, NEC, Trantor, Ultrastor, and others. - The software provides an extensive key safeguarding system using a threshold scheme to allow emergency access to SFS volumes if the original key is forgotten or lost. - Smart card access control for invidual SFS volumes or groups of volumes is possible. Although the use of DOS is described throughout this document, SFS is not limited to any particular operating environment, and can be used to contain virtually any type of filesystem. In the future an SFS driver for OS/2 HPFS filesystems may be developed, and there have been discussions on creating a Linux SFS driver for Unix machines. A 68000 version of SFS is also rumoured to be under development. Overview -------- This document is arranged to provide step-by-step instructions on setting up the SFS driver, creating an encrypted volume, and using the encrypted volume to store information securely. The first three sections cover each of these steps, with a special quick-start section preceding them giving a rapid introduction to getting an encrypted disk volume up and running. The next sections provide extra details on topics such as password management, incompatibility problems, other encryption software, and the politics of cryptography and privacy. The final sections provide an in-depth security analysis, technical information on the SFS driver, and data formats for anyone wanting to write SFS-compatible software or wanting to check the security of the software for themselves. The document is divided into sections as follows: Why Use SFS? Some reasons why use of security measures like SFS may be necessary for your data. Terminology An explanation of some of the technical terms use in this document. Experienced users can skip this section. Quick Start A quick overview of the use of SFS which summarizes the next three sections for people in a hurry Loading the SFS Driver How to set up the SFS driver needed to handle encrypted volumes. Creating an SFS Volume How to prepare an SFS encrypted volume for use. Mounting an SFS Volume How to mount a previously prepared SFS encrypted volume so the operating system can use it. Unmounting an SFS Volume How to unmount and otherwise change the status of one or more SFS volumes after they have been mounted. Advanced SFS Driver Options Various advanced options such as how to mount SFS volumes at system startup so that they are automatically available when the system is booted, and customizing the SFS driver operation and user interface. Changing the Characteristics of an SFS Volume How to change various characteristics of an SFS volume such as the password, volume name, disk access method, and auto-unmount timeout, and how to delete SFS volumes or convert them back to normal DOS volumes. Sharing SFS Volumes Between Multiple Users How to securely share a single encrypted SFS volume between multiple users. Creating Compressed SFS Volumes How to create a compressed drive inside a normal SFS volume Emergency Access to Encrypted Information How to use the SFS key safeguarding features to allow emergency access to SFS volumes if a key is lost or forgotten. Controlling SFS Volumes with Smart Cards How to control access to SFS volumes using smart cards. WinSFS - Using SFS with Windows An overview of the Windows version of SFS. Usage Examples Examples of how to perform various basic operations using the SFS software. Command Summary A summary of the commands available with the various SFS programs. Troubleshooting Comments on unusual hardware and software combinations which may create problems for SFS. Authentication of SFS Software How to verify that the SFS distribution you have is indeed the real thing. Applications Various applications and uses for SFS. The Care and Feeding of Passwords Details on how to choose and handle a password to protect an SFS volume. Other Software An overview of other available security software and the weakness and problems present in it. Data Security Various issues in data security which should be taken into consideration when using SFS and similar encryption software. Politics A discussion on the politics of cryptography, the right to privacy, and some of the reasons why SFS was written. An Introduction to Encryption Systems A brief introduction to encryption systems with an emphasis on the methods used in SFS. Security Analysis An analysis of the level of security offered by SFS and some possible attacks on it. Design Details Various in-depth design details not covered in the security analysis. SFS Disk Volume Layout Details on the disk layout used by SFS. SFS Share File Layout Details on the share file layout used in the SFS key safeguarding system. SFS Smart Card Data Layout Details on the layout of the data stored inside smart cards by SFS. Interfacing with SFS How to control the SFS driver through software. Interfacing with mountsfs How to control the mountsfs program from external software such as graphical front-ends. Selected Source Code A walkthrough of selected portions of the source code to allow verification and help implementors. Future Work Various enhancements which may be incorporated into future versions of SFS. Recommended Reading A short list of recommended reading material for those wishing to know more about the design of SFS and encryption in general. Staying Current with SFS Developments Information on using the SFS mailing list and SFS Web page to stay up to date with the latest SFS developments. Using SFS Conditions and terms for use of SFS. Revision Levels The changes and improvements made for each release of the SFS software. Credits Warranty Why Use SFS? ------------ Virtually all information stored on computer systems is sensitive to some degree, and therefore worth protecting. Exactly how sensitive a piece of data is is unique to each environment. In some cases the data may be much more sensitive to errors or omissions, or to unavailability, or to fraudulent manipulation, than to the problems SFS is designed to guard against. SFS helps guard against data being disclosed to the wrong people or organisations, and against some types of fraudulent manipulation. By making the data being protected accessible only to those with authorized access, SFS helps protect the confidentiality of the information, and the privacy of the individuals the information pertains to. Preventing access by unauthorized users also helps to protect the integrity of the data[1]. One way to determine whether your data is sensitive enough to require the use of SFS is to consider the following: What are the consequences of the data being made available to the wrong people or organisations? What are the consequences of the data being manipulated for fraudulent purposes? An additional impetus for security comes from the legal requirement of many countries for individuals and organisations to maintain the confidentiality of the information they handle, or to control their assets (such as computer data) properly. For example, one of the "OECD guidelines governing the protection of privacy and transborder flows of computer data" states that data should be protected against "loss or unauthorized access, destruction, use, modification, or disclosure"[2]. An example of the requirements for the control of assets is the US Foreign Corrupt Practices Act of 1977. In summary, if the cost of damage or disclosure of your data is more than the cost of using a security measure such as SFS (where cost is measured not only in monetary terms but also in terms of damage to business and loss of privacy) then the data should be regarded as being sensitive and should have adequate security controls to prevent or lessen the potential loss. Footnote [1]: Although inadvertent modification by authorized users is still possible, the risk from deliberate compromise of the data is greatly reduced. Footnote [2]: These guidelines are discussed in more detail in "Computer Networks", Volume 5, No.2 (April 1981). Terminology ----------- Throughout this document a number of specialised terms are used to describe the operation of the SFS encryption software. This section provides a brief explanation of the terms used. Experienced users can skip this material and go directly to the "Loading the SFS Driver" section below. Disk volume: An individual logical disk drive, volume, partition, or filesystem. A single physical hard disk can (and usually does) contain more than one volume on it. Under DOS, each of these volumes is assigned its own drive letter and appears as a separate drive, even though they all reside on the same physical hard disk. Thus a system might have a single 240MB hard disk which contains four 60MB volumes accessed by the drive letters C:, D:, E:, and F:. This system is rather confusing and dates back fifteen to twenty years. SFS refers to these volumes by name rather than an arbitrary letter, so that the volumes might be called "Encrypted data", "Personal correspondence", or "Accounts receivable, March 1994". Unfortunately once SFS has set up the volume for DOS to access, it's back to the old F: to identify your data. Password, key: The password or encryption key that is used to protect the data on an encrypted volume. Despite its name, a password can (and should) be more than just a single word. The SFS software will accept up to 100 characters of password, so that perhaps the term "passphrase" would be more appropriate. For maximum security, you should protect each volume with its own unique password. The SFS software takes the password for a volume, adds extra keying information to it, and converts the result into an encryption key which is used to encrypt and decrypt data on a given volume. You should take great care in how you choose your passwords and how you keep them secret. More details on this are given in the section "The Care and Feeding of Passwords" below. Device driver: A device driver is a special piece of software which is used by the operating system to access hardware which it wasn't designed to. Unless the device driver is loaded, the operating system generally won't recognise that a piece of hardware even exists. Even the computer's monitor, keyboard, and disk drives are accessed through device drivers, although their presence is hidden by the operating system. An example of a visible device driver is the one used to handle a mouse. Networked disk drives may be accessed through a device driver[1]. RAM disks are implemented as device drivers. CDROM drives are handled via a device driver. Finally, encrypted SFS volumes are accessed through a device driver. Mount point: Mount points are the locations provided by the SFS driver for mounting encrypted volumes - in other words the number of encrypted volumes which can be accessed by the driver at any one time. By default the driver provides one mount point, which means one encrypted volume can be accessed through it at any given time. The exact number of mount points can be specified when the SFS driver is loaded. Footnote [1]: Actually they use a specialised kind of driver called a network redirector. Quick Start ----------- This section contains a condensed version of the next three sections and allows a quick start for SFS. Although it is recommended that you read the full text, it should be possible to install and use a minimal SFS setup using only the quick-start information. Initially, you need to load the SFS driver by adding an entry for it to your CONFIG.SYS file. For example if the SFS.SYS driver was located in the DOS directory on drive C: the following line should be added to the CONFIG.SYS file: DEVICE=C:\DOS\SFS.SYS Alternatively, you can use the DEVICEHIGH option to load the driver into high memory under those versions of DOS which support it. After you have set the CONFIG.SYS entry for the SFS driver, you should reboot your system to make sure the driver is installed. The use of the SFS driver is covered in more detail in the sections "Loading the SFS Driver" and "Advanced SFS Driver Options" below. If you want to use SFS under Windows, you should copy the SFS assist program SFS.EXE into the Windows directory, copy the SFS dynamic link library SFS.DLL into the Windows\System directory, and edit the WIN.INI file to include SFS.EXE in the list of programs which are run when Windows is started up. You can do this by adding it to the list of programs in the RUN= entry in WIN.INI: RUN=SFS.EXE Although the SFS driver will function normally under Windows without this step being taken, the use of timed unmounts, smart card unmounts, and hotkey unmounts will be disabled unless SFS.EXE is also run. You can create encrypted SFS volumes with the "mksfs" program, giving it the letter of the drive to encrypt and the name of the encrypted volume preceded by the "volume=" option as arguments. For example to encrypt the E: drive to create a volume with the name "Encrypted volume", the command would be: mksfs "volume=Encrypted volume" e: Note that that "volume=..." option is quoted, as the volume name contains a space. Volume names without a space don't need to be quoted. mksfs will ask you to confirm that the given drive is indeed the one to be encrypted, and then ask for an encryption password of between 10 and 100 characters. After asking for the password a second time to confirm it, it will encrypt the drive. This will take a few minutes, and the program will display a progress bar as the encryption takes place. There are a great many options and special safety checks built into mksfs to ensure that no data is accidentally destroyed, and it is recommended that you at least glance through the section "Creating an SFS Volume" to get an idea of the functioning of mksfs before it is run. Once you have loaded the SFS driver and created an encrypted volume, you can mount it with the "mountsfs" utility. Mounting a volume makes it available to DOS as a normal disk volume, with all encryption being done transparently by the SFS driver. As with mksfs, you must tell mountsfs the name of the encrypted volume in order to access it. The full name doesn't need to be used, mountsfs will accept any part of the name in upper or lower case. Using the name from the previous example, the command to mount the volume would be: mountsfs volume=encrypt mountsfs will match the partial name "encrypt" with the full volume name "Encrypted volume", ask for the encryption password for the volume, and mount it. The volume will now be accessible as a normal DOS drive. More details on the use of mountsfs are contained in the section "Mounting an SFS Volume" and "Unmounting an SFS Volume" below. Other methods for mounting volumes are given in the section "Advanced SFS Driver Options" below. Loading the SFS Driver ---------------------- You can load the SFS device driver SFS.SYS or SFS486.SYS just like any other device driver by specifying it in the CONFIG.SYS file: DEVICE=[drive][path]SFS.SYS [SILENT] [UNITS=n] [NOXMS] [PROMPT=xxxx] [READONLY] [READWRITE] [FIXED] [REMOVABLE] [ECHO] [ACCESS=xxxx] [HOTKEY=xxxx] [TIMEOUT=nn] [MOUNT=nnnn] You can also load it high under those versions of DOS which support this with: DEVICEHIGH=[drive][path]SFS.SYS [SILENT] [UNITS=n] [NOXMS] [PROMPT=xxxx] [READONLY] [READWRITE] [FIXED] [REMOVABLE] [ECHO] [ACCESS=xxxx] [HOTKEY=xxxx] [TIMEOUT=nn] [MOUNT=nnnn] The SFS486.SYS driver is loaded the same way. This driver contains code for 80486 and higher processors, and is slightly smaller and a few percent faster than the equivalent 80386 version. The arguments to SFS are not case-sensitive, and can be given in upper or lower case. You can optionally precede them with a '/' for compatibilty with older types of software. For example if your copy of the SFS.SYS driver was located in the DOS directory on drive C: you would add the following line to your CONFIG.SYS file: DEVICE=C:\DOS\SFS.SYS The driver will only work on systems with an 80386 or higher processor. This is because the en/decryption code (over 10,000 lines of assembly language) has to have a 32-bit processor to run on. Virtually all recent PC's fulfil these requirements, and a 16-bit version would both be much slower and require about three times as much code space to run in[1]. If you try to load SFS.SYS on a machine which doesn't have a 32-bit CPU, the driver will display the message: Error: Processor must be 386 or higher and de-install itself. The driver currently recognises thirteen options, ACCESS, ECHO, FIXED, HOTKEY, MOUNT, NOXMS, PROMPT, READONLY, READWRITE, REMOVABLE, SILENT, TIMEOUT, and UNITS: The ACCESS option is used in conjunction with the MOUNT option to enable various high-speed direct disk access modes in the SFS driver. These can significantly affect the overall performance of the driver, and are discussed in more detail in the section "Advanced SFS Driver Options" below. The ECHO option is used in conjunction with the MOUNT option to echo the password to the screen when asking for the password for the SFS volume to be mounted, and is explained in more detail in the section "Advanced SFS Driver Options" below. The FIXED option is used in conjunction with the MOUNT option to indicate that a volume mounted at system startup is to be kept mounted until the system is turned off or reset, as opposed to the normal behaviour of allowing it to be unmounted at any point. This is discussed in more detail in the section "Advanced SFS Driver Options" below. The HOTKEY option is used to specify the quick-unmount hotkey which can be used to instantly unmount all currently mounted SFS volumes, and is explained in more detail in the sections "Mounting an SFS Volume" and "Advanced SFS Driver Options" below. The MOUNT option is used to mount SFS volumes at system startup, and is explained in more detail in the section "Advanced SFS Driver Options" below. The older AUTOMOUNT form of this command is still supported by this version of SFS, but will be discontinued in future versions. The NOXMS option is used to disable SFS buffering data in extended memory. By default SFS will allocate a 64K write buffer to speed up disk writes. If no extended memory is available or if the NOXMS option is used, SFS will print: Warning: No XMS buffers available, slow writes will be used The driver will then switch to using slow disk writes which are about half as fast as normal reads and writes. These are necessary to fix buffering problems in MSDOS 6.x and some disk utilities. If an extended memory buffer is used, the slow writes aren't necessary. The PROMPT option is used in conjunction with the MOUNT option to display a user-defined prompt when asking for the password for the SFS volume to be mounted, and is explained in more detail in the section "Advanced SFS Driver Options" below. The READONLY and READWRITE options are used in conjunction with the MOUNT option to disable write access to the volumes being mounted. The READONLY option disables write access to all following mounted volumes; the READWRITE option enables write access to all following mounted volumes. The default setting is to allow read and write access to all volumes. More details on read-only access to SFS volumes is given in the section "Mounting an SFS Volume" below. The REMOVABLE option is used to undo the effects of the FIXED option which is explained above. The SILENT option can be used to suppress the printing of the start-up message. The TIMEOUT option is used to specify the time in minutes after which SFS volumes are automatically unmounted if they haven't been accessed during that time, and is explained in more detail in the sections "Mounting an SFS Volume" and "Advanced SFS Driver Options" below. The UNITS=n option specifies the number of mount points (or number of disk volumes) the driver will provide, where `n' is the number of units and can range from 1 to 5. Each drive mount point requires 384 bytes of extra memory storage. By default, the driver allocates storage for one mount point. As an example, to suppress the printing of the start-up message and to specify that the driver should handle up to three encrypted volumes, you would change the previously given example for loading the driver to: DEVICE=C:\DOS\SFS.SYS SILENT UNITS=3 The number of mount points can range from 1 to 5. If you specify a number outside this range, the driver will display the message: Error: Invalid number of units specified and will de-install itself. Finally, if you give an invalid option (such as a misspelled or badly-formatted parameter) SFS will again de-install itself after displaying: Error: Unknown parameter specified All the remaining driver options are covered in the section "Advanced SFS Driver Options" below. If the driver installs successfully, and unless the SILENT option is used, it will display a general message showing that it has been installed and then indicate which drive or drives will be used as the encrypted ones. For example if the encrypted drive is made available as E:, the message indicating the drive availability would be: Encrypted volume will be mounted as drive E: This indicates that once an encrypted volume is mounted, DOS will access it as drive E: If you specify more than one mount point, the complete range of drives which will be made available is shown, so that if you used UNITS=3 when loading the driver the message would be: Encrypted volumes will be mounted as drives E: - G: If a smart card reader is present, the driver will check for the presence of a card and set the LED on the reader to either green (to indicate that no card is present) or orange (to indicate that a card is present which is not currently in use by the reader). When installed, the SFS driver consumes around 7.5K of memory, most of which is encryption code. If you want to use SFS under Windows, you should copy the SFS assist program SFS.EXE into the Windows directory, copy the SFS dynamic link library SFS.DLL into the Windows\System directory, and edit the WIN.INI file to include SFS.EXE in the list of programs which are run when Windows is started up. You can do this by adding it to the list of programs in the RUN= entry in WIN.INI: RUN=SFS.EXE Although the SFS driver will function normally under Windows without this step being taken, the use of timed unmounts, smart card unmounts, and hotkey unmounts will be disabled unless SFS.EXE is also run. Footnote [1]: There have been calls for 286 versions of SFS from countries in which 386+ machines are still difficult to obtain. There may eventually be a 16-bit version, although at the current rate by the time it's written everyone will be using Pentiums anyway.