The Care and Feeding of Passwords
---------------------------------

With the inherent strength of an encryption system like the one used by SFS,
the password used for encryption is becoming more the focus of attack than the
encryption system itself.  The reason for this is that trying to guess an
encryption password is far simpler than trying to break the encryption system.

SFS allows keys of up to 100 characters in length.  These keys can contain
letters, numbers, spaces, punctuation, and most control and extended characters
except backspace (which is used for editing), escape (which is used to abort
the password entry), and carriage return or newline, which are used to signify
the end of the password.  You should try and take advantage of this fact as
much as possible, with preferred passwords being entire phrases rather than
individual words (in fact since very few words are longer than the SFS absolute
minimum password length of 10 characters, the complete set of these words can
be checked in moments).  There exist programs designed to allow high-speed
password cracking of standard encryption algorithms which can, in a matter of
hours (sometimes minutes, even seconds in the case of very weak algorithms),
attempt to use the contents of a number of very large and complete dictionaries
as sample passwords [1][2][3][4][5].  For example one recent study of passwords
used on Unix systems[6] found 25% of all passwords simply by using
sophisticated guessing techniques.  Of the 25% total, nearly 21% (or around
3,000 passwords) were found within the first week using only the spare
processing power of a few low-end workstations.  368 were found within the
first few minutes.  On an average system with 50 users, the first password
could be found in under 2 minutes, with 5-15 passwords being found by the end
of the first day[7].

Virtually all passwords composed of single words can be broken with ease in
this manner, even in the case of encryption methods like the one which is used
by SFS, which has been specially designed to be resistant to this form of
attack (doing a test of all possible 10-letter passwords assuming a worst-case
situation in which the password contains lowercase letters only, can be
accomplished in 450,000 years on a fast workstation (DEC Alpha) if the attacker
knows the contents of the encrypted volume in advance - or about 4 1/2 years on
a network of 100,000 of these machines).  Of course no attacker would use this
approach, as few people will use every possible combination of 10 letter
passwords.  By using an intelligent dictionary-based cracking program, this
time can be reduced to only a few months.  Complete programs which perform this
task and libraries for incorporation into other software are already widely
available[8].  This problem is especially apparent if the encryption algorithm
used is very weak - the encryption used by the popular Pkzip archiver, for
example, can usually be broken in this manner in a few seconds on a cheap
personal computer using the standard wordlist supplied with all Unix
systems[9].

You shouldn't rely on simple modifications to passwords for security.
Capitalizing some letters, spelling the words backwards, adding one or two
digits to the end, and so on, increase the amount of work which needs to be
done by the average password-cracker by only a small amount over that needed
for plain unadorned passwords.  You should avoid any phrase which could be
present in any kind of list (song lyrics, movie scripts, books, plays, poetry,
famous sayings, and so on) - again, these can be easily and automatically
checked by computers.  Using foreign languages offers no extra security, since
it means an attacker merely has to switch to using foreign-language
dictionaries (or phrase lists, song lyrics, and so on).  Relying on an attacker
not knowing that a foreign language is being used ("If I use Swahili they'll
never think of checking for it" - the so-called "Security through obscurity"
technique) offers no extra security, since the few extra days or months it will
take to check every known language are only a minor inconvenience.

Probably the most difficult passwords to crack are ones comprising unusual
phrases or sentences, since instead of searching a small body of text like the
contents of a dictionary, book, or phrase list, the cracker must search a much
larger corpus of data, namely all possible phrases in the language being used.
Needless to say, the use of common phrases should be avoided, since these will
be an obvious target for crackers.

Some examples of bad passwords are:

    misconception               Found in a standard dictionary
    noitpecnocsim               Reversed standard dictionary word
    miskonseption               Simple misspelling of a standard word
    m1skon53pshun               Not-so-simple misspelling of a standard word
    MiScONcepTiON               Standard word with strange capitalization
    misconception1234           Standard word with simple numeric code appended
    3016886726                  Simple numeric code, probably a US phone number
    YKYBHTLWYS                  Simple mnemonic

In general coming up with a secure single-word password is virtually impossible
unless you have a very good memory for things like unique 20-digit numbers.

Some examples of bad passphrases are:

    What has it got in its
     pocketses?                 Found in a common book
    Ph'n-glui mgl'w naf'h
      Cthulhu R'yleh w'gah      Found in a somewhat less common book
    For yesterday the word of
      Caesar might have stood   Found in a theatrical work
    modify the characteristics
      of a directory            Found in a technical manual
    T'was brillig, and the
      slithy toves              Found in a book of poetry
    I've travelled roads that
      lead to wonder            Found in a list of music lyrics
    azetylenoszilliert in
      phaenomenaler kugelform   Found in an obscure foreign journal
    Arl be back                 Found in several films
    I don't recall              Associated with a famous person (although
                                it does make a good answer to the question
                                "What's the password?" during an
                                interrogation)

Needless to say, you should never write a passphrase down or record it in any
other way, or communicate it to anyone else.
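The following is an added example and is not part of the SFS documentation: a small Go checker that applies the cheap transformations cracking rule sets try automatically (lowercasing, reversing, stripping trailing digits, undoing digit-for-letter substitutions), normalises a candidate phrase before looking it up in a quotation list, and flags single-character-class strings such as phone numbers and initialisms. The wordlist and phrase list are constructed stand-ins for the multi-megabyte dictionaries described in the footnotes, and the candidate "m15c0nc3pt10n" is constructed; a real checker would load the lists the footnotes point to.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// SFS absolute minimum password length, as stated in the text.
const minLen = 10

// Constructed stand-ins for the multi-megabyte word and phrase lists the text
// describes (assumption: a real checker loads cracklib-style dictionaries).
var wordlist = map[string]bool{"misconception": true, "password": true, "directory": true}
var phraseList = map[string]bool{
	"what has it got in its pocketses":  true,
	"twas brillig and the slithy toves": true,
}

// Digit and symbol substitutions that cracking rule sets undo automatically.
var substitutions = map[rune]rune{'0': 'o', '1': 'i', '3': 'e', '4': 'a', '5': 's', '7': 't', '@': 'a', '$': 's'}

func reverse(s string) string {
	r := []rune(s)
	for i, j := 0, len(r)-1; i < j; i, j = i+1, j-1 {
		r[i], r[j] = r[j], r[i]
	}
	return string(r)
}

func undoSubstitutions(s string) string {
	return strings.Map(func(c rune) rune {
		if r, ok := substitutions[c]; ok {
			return r
		}
		return c
	}, s)
}

// normalizePhrase lowercases, drops apostrophes and collapses any other
// non-letter run to one space, so punctuation cannot disguise a quotation.
func normalizePhrase(s string) string {
	s = strings.ReplaceAll(strings.ToLower(s), "'", "")
	return strings.Join(strings.FieldsFunc(s, func(c rune) bool { return !unicode.IsLetter(c) }), " ")
}

// singleCharClass flags candidates made only of digits (phone numbers, dates)
// or only of capitals (initialism-style mnemonics).
func singleCharClass(s string) bool {
	return strings.IndexFunc(s, func(c rune) bool { return !unicode.IsDigit(c) }) < 0 ||
		strings.IndexFunc(s, func(c rune) bool { return !unicode.IsUpper(c) }) < 0
}

// Weakness returns "" when none of the cheap checks fire, otherwise the reason
// a dictionary-based cracker would find the candidate quickly.
func Weakness(pw string) string {
	if len([]rune(pw)) < minLen {
		return "shorter than the SFS minimum of 10 characters"
	}
	lower := strings.ToLower(pw)
	// Forms a cracking rule set tries: as-is, reversed, trailing digits
	// stripped, and digit/symbol substitutions undone.
	forms := [][2]string{
		{lower, "dictionary word (capitalisation does not help)"},
		{reverse(lower), "reversed dictionary word"},
		{strings.TrimRight(lower, "0123456789"), "dictionary word with digits appended"},
		{undoSubstitutions(lower), "dictionary word with digit/symbol substitutions"},
	}
	for _, f := range forms {
		if wordlist[f[0]] {
			return f[1]
		}
	}
	if phraseList[normalizePhrase(pw)] {
		return "quotation found in a phrase list"
	}
	if singleCharClass(pw) {
		return "single character class (number or initialism)"
	}
	return ""
}

func main() {
	for _, pw := range []string{"misconception", "noitpecnocsim", "MiScONcepTiON", "misconception1234",
		"m15c0nc3pt10n", "3016886726", "YKYBHTLWYS", "What has it got in its pocketses?",
		"the blue kettle argued with tuesday"} {
		fmt.Printf("%-36q %q\n", pw, Weakness(pw))
	}
}
```

The "not-so-simple misspelling" from the table above slips past these checks, which is the point the text makes: real cracking rule sets are far larger than this.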

Footnote [1]: A large collection of word lists suitable for this kind of attack
              can be found on ftp.ox.ac.uk in directories below the
              /pub/wordlists directory, and total about 15MB of compressed
              data.  These dictionaries contain, among other things, 2MB of
              Dutch words, 2MB of German words, 600KB of Italian words, 600KB
              of Norwegian words, 200KB of Swedish words, 3.3MB of Finnish
              words, 1MB of Japanese words, 1.1MB of Polish words, 700KB of
              assorted names, and a very large collection of assorted wordlists
              covering technical terms, jargon, hostnames, internet machine
              names, login ID's, usenet sites, computer languages, computer
              companies, the Koran, the Bible, the works of Lewis Carroll,
              Shakespeare, acronyms, characters from books, plays and films,
              actors given names, actors surnames, titles from movies, plays,
              and television, Monty Python, Star Trek, US politics, US postal
              areas, US counties, the CIA world fact book, the contents of
              several large standard dictionaries and thesauri, and common
              terms from Australian, Chinese, Croatian, Danish, Dutch, English,
              Finnish, French, German, Hindi, Hungarian, Italian, Japanese,
              Latin, Norwegian, Polish, Russian, Spanish, Swahili, Swedish,
              Yiddish, computers, literature, places, religion, and scientific
              terms.

              The ftp.ox.ac.uk site also contains, in the directory
              /src/security, the file cracklib25.tar.Z, a word dictionary of
              around 10MB, stored as a 6.4MB compressed tar file.

Footnote [2]: A large dictionary of English words which also contains
              abbreviations, hyphenations, and misspelled words, is available
              from wocket.vantage.gte.com (131.131.98.182) in the
              /pub/standard_dictionary directory as dic-0594.tar, an
              uncompressed 16.1MB file, dic-0594.tar.Z, a compressed 7.6MB
              file, dic-0594.tar.gz, a Gzip'ed 5.9MB file, and dic-0594.zip, a
              Zipped 5.8MB file.  This contains around 1,520,000 entries.  In
              combination with a Markov model for the English language built
              from commonly-available texts, this wordlist provides a powerful
              tool for attacking even full passphrases.

Footnote [3]: A Unix password dictionary is available from ftp.spc.edu as
              .unix/password-dictionary.txt.

Footnote [4]: Grady Ward <grady@netcom.com> has collected very large
              collections of words, phrases, and other items suitable for
              dictionary attacks on cryptosystems.  Even the NSA has used his
              lists in their work.  Of particular interest are Moby Words,
              which contains 610,000 English entries including Scrabble(tm)
              compatible words, baby names, word frequencies, special subsets
              for spelling checkers and more, Moby Part-of-Speech, which
              contains 230,000 words and phrases marked with full
              part-of-speech data (in priority order for those words having
              more than one part-of-speech), Moby Pronunciator with 175,000
              words and phrases fully coded with International Phonetic
              Alphabet (IPA) ASCII symbols including up to three levels of
              emphasis (stress), and Moby Thesaurus with 30,000 root words and
              more than 2.5 million synonyms and related words.  Samples of
              each of the lexical databases are available from ftp.netcom.com
              (192.100.81.100) in the /pub/grady directory as
              Moby-Sampler.tar.Z.  A Postscript brochure describing the lists
              is available from the same location as Moby_Brochure8.5x14.ps.Z,
              the full datasets can be obtained from Grady Ward, 3449 Martha
              Ct., Arcata, CA 95521-4884, ph/fax 1-707-826-7715.

Footnote [5]: A number of CDROM's are available which contain information
              useful for password-cracking.  Two of these are the Chestnut
              "Dictionaries and Languages" CDROM and the Walnut Creek "Project
              Gutenberg" CDROM.

Footnote [6]: Daniel Klein, "Foiling the Cracker: A Survey of, and Improvements
              to, Password Security", Software Engineering Institute, Carnegie
              Mellon University.

Footnote [7]: An improved implementation is approximately 3 times faster on an
              entry-level 386 system, 4 times faster on an entry-level 486
              system, and up to 10 times faster on a more powerful workstation
              such as a Sparcstation 10 or DEC 5000/260, meaning that the first
              password would be found in just over 10 seconds on such a
              machine.

Footnote [8]: One such program is "crack", currently at version 4.1 and
              available from ftp.ox.ac.uk in the directory /src/security as
              crack41.tar.Z.

Footnote [9]: Actual cryptanalysis of the algorithm, rather than just trying
              passwords, takes a little longer, usually on the order of a few
              hours with a low-end workstation.  However this method will
              (after a little work) break all encrypted zip files, not just the
              ones for which the password can be guessed.


Other Software
--------------

There are a small number of other programs available which claim to provide
disk security of the kind provided by SFS.  However by and large these tend to
use badly or incorrectly implemented algorithms, or algorithms which are known
to offer very little security.  One such example is Norton's Diskreet, which
encrypts disks using either a fast proprietary cipher or the US Data Encryption
Standard (DES).  The fast proprietary cipher is very simple to break (it can be
done with pencil and paper), and offers protection only against a casual
browser.  Certainly anyone with any programming or puzzle-solving skills won't
be stopped for long by a system as simple as this[1].

The more secure DES algorithm is also available in Diskreet, but there are
quite a number of implementation errors which greatly reduce the security it
should provide.  Although accepting a password of up to 40 characters, it then
converts this to uppercase-only characters and then reduces the total size to 8
characters of which only a small portion are used for the encryption itself.
This leads to a huge reduction in the number of possible encryption keys, so
that not only are there a finite (and rather small) total number of possible
passwords, there are also a large number of equivalent keys, any of which will
decrypt a file (for example a file encrypted with the key 'xxxxxx' can be
decrypted with 'xxxxxx', 'xxxxyy', 'yyyyxx', and a large collection of other
keys, too many to list here).

These fatal flaws mean that a fast dictionary-based attack can be used to check
virtually all possible passwords in a matter of hours on a standard PC.  In
addition the CBC (cipher block chaining) encryption mode used employs a known,
fixed initialisation vector (IV) and restarts the chaining every 512 bytes,
which means that patterns in the encrypted data are not hidden by the
encryption.  Using these two implementation errors, a program can be
constructed which will examine a Diskreet-encrypted disk and produce the
password used to encrypt it (or at least one of the many, many passwords
capable of decrypting it) within moments.  In fact, for any data it encrypts,
Diskreet writes a number of constant, fixed data blocks (one of which contains
the name of the programmer who wrote the code, many others are simply runs of
zero bytes) which can be used as the basis of an attack on the encryption.
Even worse, the very weak proprietary scheme used by Diskreet gives away the
encryption key used so that if any two pieces of data are encrypted with the
same password, one with the proprietary scheme and the other with Diskreet's
DES implementation, the proprietary-encrypted data will reveal the encryption
key used for the DES-encrypted data[1].

These problems are in fact explicitly warned against in any of the documents
covering DES and its modes of operation, such as ISO Standards 10116 and
10126-2, US Government FIPS Publication 81, or basic texts like Denning's
"Cryptography and Data Security".  It appears that the authors of Diskreet
never bothered to read any of the standard texts on encryption to make sure
they were doing things right, or never really tested the finished version.  In
addition the Diskreet encryption code is taken from a code library provided by
another company rather than the people who sell Diskreet, with implementation
problems in both the encryption code and the rest of Diskreet.

The DES routines used in Da Vinci, a popular groupware product, are similarly
poorly implemented.  Not only is an 8-character password used directly as the
DES key, but the DES encryption method used is the electronic codebook (ECB)
mode, whose use is warned against in even the most basic cryptography texts
and, in a milder form, in various international encryption standards.  For
example, Annex A.1 of ISO 10116:1991 states "The ECB mode is in general not
recommended".  ISO 10126-2:1991 doesn't even mention ECB as being useful for
message encryption.  The combination of Da Vinci's very regular file structure
(which provides an attacker with a large amount of known data in every file),
the weak ECB encryption mode, and the extremely limited password range, makes a
precomputed dictionary attack (which involves a single lookup in a pre-set
table of plaintext-ciphertext pairs) very easy (even easier, in fact, than the
previously-discussed attack on Unix system passwords).  In fact, as ECB mode
has no pattern hiding ability whatsoever, all that is necessary is to encrypt a
common pattern (such as a string of spaces) with all possible dictionary
password values, and sort and store the result in a table.  Any password in the
dictionary can then be broken just as fast as the value can be read out of the
table.
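As an added example (not code from Diskreet, Da Vinci, or SFS), the Go program below encrypts a constructed 4-sector image under DES in three ways: ECB as used by Da Vinci, CBC with a known fixed IV restarted every 512 bytes as described for Diskreet, and CBC as a single chain under a fresh random IV, then counts how many repeated 8-byte blocks and repeated 512-byte sectors remain visible in each ciphertext. The key, IV and sector contents are constructed; only the repeat counts matter.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"fmt"
)

// Diskreet restarts its CBC chain every 512 bytes (from the text).
const sectorSize = 512

// Constructed key and fixed IV; Diskreet's real values are not given in the text.
var key = []byte("8bytekey")
var fixedIV = make([]byte, 8)

// sampleDisk is a constructed 4-sector image: each sector holds the same short
// record followed by zero bytes, the kind of constant content the text describes.
func sampleDisk() []byte {
	sector := make([]byte, sectorSize)
	copy(sector, "RECORD: user=alice balance=100 ")
	return bytes.Repeat(sector, 4)
}

// encryptECB encrypts every 8-byte block independently (the Da Vinci mode).
func encryptECB(block cipher.Block, pt []byte) []byte {
	ct := make([]byte, len(pt))
	for i := 0; i < len(pt); i += block.BlockSize() {
		block.Encrypt(ct[i:i+block.BlockSize()], pt[i:i+block.BlockSize()])
	}
	return ct
}

// encryptCBCPerSector mimics the Diskreet scheme: CBC under a known, fixed IV
// with the chain restarted at the start of every sector.
func encryptCBCPerSector(block cipher.Block, pt []byte) []byte {
	ct := make([]byte, len(pt))
	for off := 0; off < len(pt); off += sectorSize {
		cipher.NewCBCEncrypter(block, fixedIV).CryptBlocks(ct[off:off+sectorSize], pt[off:off+sectorSize])
	}
	return ct
}

// encryptCBC runs one chain over the whole image under a fresh random IV,
// which is returned as the first block of the output.
func encryptCBC(block cipher.Block, pt []byte) ([]byte, error) {
	iv := make([]byte, block.BlockSize())
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
	return append(iv, ct...), nil
}

// duplicateChunks counts chunks of the given size that repeat an earlier
// chunk; a correctly applied chaining mode leaves this at zero.
func duplicateChunks(data []byte, size int) int {
	seen := make(map[string]bool)
	dups := 0
	for i := 0; i+size <= len(data); i += size {
		chunk := string(data[i : i+size])
		if seen[chunk] {
			dups++
		}
		seen[chunk] = true
	}
	return dups
}

// analyseModes encrypts the sample image under the three schemes and reports
// how many repeated 8-byte blocks and repeated 512-byte sectors stay visible.
func analyseModes() (map[string]int, error) {
	block, err := des.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pt := sampleDisk()
	ecb := encryptECB(block, pt)
	sectored := encryptCBCPerSector(block, pt)
	chained, err := encryptCBC(block, pt)
	if err != nil {
		return nil, err
	}
	return map[string]int{
		"ecb blocks":           duplicateChunks(ecb, block.BlockSize()),
		"fixed-iv cbc blocks":  duplicateChunks(sectored, block.BlockSize()),
		"fixed-iv cbc sectors": duplicateChunks(sectored, sectorSize),
		"random-iv cbc blocks": duplicateChunks(chained, block.BlockSize()),
	}, nil
}

func main() {
	counts, err := analyseModes()
	if err != nil {
		panic(err)
	}
	for mode, n := range counts {
		fmt.Printf("%-22s %d repeated\n", mode, n)
	}
}
```

Every zero block in ECB and every whole sector in the fixed-IV scheme encrypts to the same ciphertext, so the plaintext layout is readable without the key; the single random-IV chain shows no repeats.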

PC Tools is another example of a software package which offers highly insecure
encryption.  The DES implementation used in this package has had the number of
rounds reduced from the normal 16 to a mere 2, making it trivial to break on
any cheap personal computer.  This very weak implementation is distributed
despite a wide body of research which documents just how insecure 2-round DES
really is[2].

Even a correctly-implemented and applied DES encryption system offers only
marginal security against a determined attacker.  It has long been rumoured
that certain government agencies and large corporations (and, no doubt,
criminal organizations) possessed specialized hardware which allowed them to
break the DES encryption.  However only in August of 1993 have complete
constructional details for such a device been published.  This device, for
which the budget version can be built for around $100,000, can find a DES key
in 3.5 hours for the somewhat more ambitious $1 million version (the budget
version takes 1 1/2 days to perform the same task). The speed of this device
scales linearly with cost, so that the time taken can be reduced to minutes or
even seconds if enough money is invested.  This is a one-off cost, and once a
DES-breaking machine of this type is built it can sit there day and night
churning out a new DES key every few minutes, hours, or days (depending on the
budget of the attacker).

In the 1980's, the East German company Robotron manufactured hundreds of
thousands of DES chips for the former Soviet Union.  This means one of two
things: Either the Soviet Union used the chips to build a DES cracker, or they
used DES to encrypt their own communications, which means that the US built
one.

The only way around the problem of fast DES crackers is to run DES more than
once over the data to be encrypted, using so-called triple DES (using DES twice
is as easy to attack as single DES, so in practice three iterations must be
used).  DES is inherently slow.  Triple DES is twice as slow[3].  A hard drive
which performs like a large-capacity floppy drive may give users a sense of
security, but won't do much for their patience.

The continued use of DES, mainly in the US, has been due more to a lack of any
replacement than to an ongoing belief in its security.  The National Bureau of
Standards (now National Institute of Standards and Technology) has only
reluctantly re-certified DES for further use every five years.  Interestingly
enough, the Australian government, which recently developed its own replacement
for DES called SENECA, now rates DES as being "inappropriate for protecting
government and privacy information" (this includes things like taxation
information and social security and other personal data).  Now that an
alternative is available, the Australian government seems unwilling to certify
DES even for information given under an "in confidence" classification, which
is a relatively low security rating[4].

In comparison, the RC4 encryption used in Lotus Notes has been deliberately
designed to offer only a certain level of security which means it is exportable
under the US crypto export restrictions.  The key length is limited to 40 bits,
making it possible to mount a brute-force attack against it in a reasonable
amount of time[5].  A similar measure is used in IBM's Commercial Data Masking
Facility, which uses a DES implementation limited to a 40-bit key.  Although
the RC4 algorithm has a number of interesting properties which make it less
than perfect, the simplest attack is still a brute-force check of all possible
40-bit key combinations[6].  Both RC4 and the CDMF are properly designed and
implemented, but have been weakened somewhat by the need to satisfy the US
government's restrictions on the use of strong cryptography.

Finally, the add-on "encryption" capabilities offered by general software
packages are usually laughable.  Various programs exist which will
automatically break the "encryption" offered by software such as Ami Pro, Arc,
Arj, Lotus 123, the "improved encryption" in Lotus 123 3.x and 4.x, Lotus
Symphony, Microsoft Excel, Microsoft Word, Novell Netware, Paradox, Pkzip 1.x,
the "improved encryption" in Pkzip 2.x, Quattro Pro, Unix crypt(1), Wordperfect
5.x and earlier, the "improved" encryption in Wordperfect 6.x, and many
others[7][8][9].  Indeed, these systems are often so simple to break that at
least one package which does so adds several delay loops simply to make it look
as if there were actually some work involved in the process.  Although the
manuals for these programs make claims such as "If you forget the password,
there is absolutely no way to retrieve the document", the "encryption" used can
often be broken with such time-honoured tools as a piece of paper, a pencil,
and a small amount of thought.  Some programs which offer "password protection
security" don't even try to perform any encryption, but simply do a password
check to allow access to the data.  Three examples of this are Stacker,
Fastback, and Norton's partition security system, all three of which can either
have their code patched or have a few bytes of data changed to ignore any
password check before granting access to data.

Footnote [1]: There are at least three products available which will break both
              the proprietary and DES encryption used in Diskreet.  One
              publicly-available program which will perform this task is sold
              by a company called AccessData.  More information on their
              encryption-breaking software can be found a few paragraphs down.

Footnote [2]: A 2-round version is in fact so weak that most attackers never
              bother with it.  Biham and Shamir's "Differential Cryptanalysis of
              the Data Encryption Standard" only starts at 4 rounds, for which
              16 encrypted data blocks are needed for a chosen-plaintext
              attack.  A non-differential, ciphertext-only attack on a 3-round
              version requires 20 encrypted data blocks.  A known-plaintext
              attack requires "several" encrypted data blocks.  A 2-round
              version will be significantly weaker than the 3-round version.
              It has been reported that a university lecturer once gave his
              students 2-round DES to break as a homework exercise.

Footnote [3]: There are some clever tricks which can be used to make a triple
              DES implementation only twice as slow as single DES, rather than
              three times as slow as would be expected.

Footnote [4]: The Commonwealth of Australia Protective Security Manual (PSM)
              defines two classes of material, National Security Material and
              Sensitive Material.  Sensitive Material is the lower
              classification category, and the "In-Confidence" category is the
              lowest sub-category for Sensitive Material, being defined in the
              PSM as "Material which requires a limited degree of protection.
              Unauthorised disclosure, loss, compromise, misuse of which, or
              damage to in-confidence data might possibly cause harm to the
              country, Government, or give unfair advantage to any entity".  In
              addition "information considered private that needs some degree
              of protection should normally be categorised as In-Confidence".

Footnote [5]: A sieve array populated by single-bit boolean processors running
              at 40 MIPS would produce one trial per cycle, with the average
              time to break a 40 bit key by brute force (.5x10^12) being a
              little over three hours.  There are inexpensive DSP's (digital
              signal processors) available which can be used for this purpose,
              in a device costing a few tens of thousands of dollars.

Footnote [6]: RC4 has two parts, the initialization phase, and the random
              number generation phase used for the encryption itself.  An array
              is initialized with the user's key to be a random permutation.
              The random number generator then mixes the permutation and
              reports values looked up pseudorandomly in that permutation.

              Among the weaknesses in RC4 are that there is too high a
              likelihood during the initialization phase that small values
              will remain in small positions in the initial permutation; user
              keys are repeated to fill 256 bytes, so 'aaaa' and 'aaaaa'
              produce the same permutation; results are looked up at
              pseudorandom positions in the array, and if some internal state
              causes a certain sequence of positions to be looked up, there are
              255 similar internal states that will look up values in the same
              sequence of positions (although the values in those positions
              will be different), from which it can be shown that cycles come
              in groups of 2^n, where all cycles in a group have the same
              length, and all cycles are of an odd length * 256 unless they are
              in a group of 256; there is a bias in the results so that, for
              example, the pattern "a a" is too likely and the pattern "a b a"
              is too unlikely, which can be detected only after examining about
              8 trillion bytes; the internal state is not independent of the
              results, so that with a given result there are two patterns in
              the internal state that appear 1/256 times more often than they
              ought to; and at least two separate methods exist for deducing
              the internal state from the results in around 2^900 steps.

              In none of these cases do they reduce the complexity of an attack
              to anywhere near the level of simply trying all 2^40 keys - like
              the differential and linear cryptanalysis results for DES, they
              serve more as an indication of how strong the cipher is than how
              weak it is.
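An added example (not from Lotus Notes or any RC4 implementation the text mentions) showing the key-repetition property described above: the initialisation phase written out takes key bytes as key[i mod len(key)], so 'aaaa' and 'aaaaa' produce the same permutation, and the standard-library cipher confirms that such key pairs produce the same keystream. The key pairs and the keystream length compared are constructed.

```go
package main

import (
	"bytes"
	"crypto/rc4"
	"fmt"
)

// keySchedule is RC4's initialisation phase written out: the 256-entry state
// starts as the identity permutation and is scrambled using key bytes taken
// cyclically, key[i % len(key)], which is the "repeated to fill 256 bytes"
// behaviour the footnote describes.
func keySchedule(key []byte) [256]byte {
	var s [256]byte
	for i := range s {
		s[i] = byte(i)
	}
	j := 0
	for i := 0; i < 256; i++ {
		j = (j + int(s[i]) + int(key[i%len(key)])) & 0xff
		s[i], s[j] = s[j], s[i]
	}
	return s
}

// sameKeystream reports whether two keys drive the standard-library RC4 to the
// identical first n keystream bytes, i.e. whether either key decrypts data
// encrypted under the other.
func sameKeystream(a, b []byte, n int) (bool, error) {
	ca, err := rc4.NewCipher(a)
	if err != nil {
		return false, err
	}
	cb, err := rc4.NewCipher(b)
	if err != nil {
		return false, err
	}
	ka, kb := make([]byte, n), make([]byte, n)
	ca.XORKeyStream(ka, ka) // XOR over zeros yields the raw keystream
	cb.XORKeyStream(kb, kb)
	return bytes.Equal(ka, kb), nil
}

func main() {
	// Constructed key pairs: the first two repeat to the same 256-byte pattern.
	for _, pair := range [][2]string{{"aaaa", "aaaaa"}, {"ab", "abab"}, {"aaaa", "aaab"}} {
		same, err := sameKeystream([]byte(pair[0]), []byte(pair[1]), 64)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%q vs %q: same permutation %v, same keystream %v\n", pair[0], pair[1],
			keySchedule([]byte(pair[0])) == keySchedule([]byte(pair[1])), same)
	}
}
```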

Footnote [7]: A package which will break many of these schemes is sold by
              AccessData, 560 South State, Suite J-1, Orem, Utah 84058, ph.
              1-801-224-6970, fax 1-801-224-6009, email support@accessdata.com.
              Access Data's main European distributor, Key Exchange, is based
              in London, ph. +44-81-744-1551.  They provide software which will
              break WordPerfect (versions 4.2-6.1, regular or enhanced
              encryption), Microsoft Word (versions 2.0-6.1), Microsoft Excel
              (all versions including the Macintosh one), Lotus 1-2-3 (all
              versions), Quattro Pro, Paradox, Pkzip, Norton's Diskreet (both
              DES and proprietary encryption), Novell NetWare (versions
              3.x-4.x), and others.  All the programs come with a 100%
              guarantee.  AccessData also offers to its customers free inhouse
              recovery of data created with applications like Quicken,
              Microsoft Money, and other simple (non-encryption based) password
              systems.

              AccessData provide a free demonstration disk which will decrypt
              files that have a password of 10 characters in length.  The
              lengths of passwords other than 10 characters in length will be
              displayed, but not the password itself.  They also make demo
              versions of their software available on their FTP site
              ftp.accessdata.com in the directory /pub/demo, and have a Web
              page at http://www.accessdata.com.  As an example, a demo of
              their WordPerfect 6.0b encryption breaker is available from the
              FTP site as wrpassd.exe.  More information on the contents of the
              directory is present in the directory itself.

Footnote [8]: A number of programs (too many to list here) which will break the
              encryption of all manner of software packages are freely
              available via the internet.  For example, a WordPerfect
              encryption cracker is available from garbo.uwasa.fi in the
              directory /pc/util as wppass2.zip.  The Pkzip 1.x and 2.x
              encryption was first publicly broken by Paul Kocher in August
              1994 (although the NSA must have broken it much earlier, as they
              allowed it to be exported from the US).  His method works
              regardless of the password size or file content.  The Ami Pro
              encryption was also first publicly broken by Paul Kocher in
              February 1995 (although again it was rumoured that private
              organisations had broken it much earlier).  The method of
              breaking Ami Pro also works regardless of password size or file
              content.

Footnote [9]: CRAK Software produce encryption breaking software for a wide
              variety of popular word processor, spreadsheet, and financial
              programs including MS Excel 5.0, Lotus 123 version 4.0, Quattro
              Pro 6.0, MS Word 6.0, Wordperfect through to version 5.2, and
              Quicken through to version 4.0, with software to handle earlier
              versions of these programs available on request.  Demo versions
              of some of these programs are available from ftp.indirect.com in
              the directory /www as excrak.zip, locrak.zip, qpcrak.zip,
              wdcrak.zip, and wpcrak.zip respectively.  CRAK Software can be
              contacted at 1-800-484-9628 ext.7584 or through their WWW home
              page at http://www.indirect.com/johnk/.

Footnote [10]: Why are you reading this footnote?  Nowhere in the text is there
               a [10] referring you to this note.  Go back to the start, and
               don't read this footnote again!


Data Security
-------------

This section presents an overview of a range of security problems which are, in
general, outside the reach of SFS.  These include relatively simple problems
such as not-quite-deleted files and general computer security, through to
sophisticated electronic monitoring and surveillance of a location in order to
recover confidential data or encryption keys.  The coverage is by no means
complete, and anyone seriously concerned about the possibility of such an
attack should consult a qualified security expert for further advice.  You
should remember when seeking advice about security that an attacker will use
any available means of compromising the security of your data, and will attack
areas other than those for which the strongest defense mechanisms have been
installed.  For this reason you should consider all possible means of attack,
since strengthening one area may merely make another area more appealing to an
opponent.


Information Leakage

There are several ways in which information can leak from an encrypted SFS
volume onto other media.  The simplest kind of information leakage is in the
form of temporary files maintained by application software and operating
systems, which are usually stored in a specific location and which, when
recovered, may contain file fragments or entire files from an encrypted volume.
This is true not only for the traditional word processors, spreadsheets,
editors, graphics packages, and so on which create temporary files on disk in
which to save data, but also for operating systems such as OS/2, Windows NT,
and Unix, which reserve a special area of a disk to store data which is swapped
in and out of memory when more room is needed.

This information is usually deleted by the application after use, so that you
won't even be aware that it exists.  Unfortunately "deletion" generally
consists of setting a flag which indicates that the file has been deleted,
rather than overwriting the data in any secure way.  Any information which is
"deleted" in this manner can be trivially recovered using a wide variety of
tools[1].  In the case of a swap file there is no explicit deletion as the swap
area is invisible to the user anyway.  On a lightly-loaded system, data may
linger in a swap area for a considerable amount of time.

The only real solution to this problem is to redirect all temporary files and
swap files either to an encrypted volume or to a RAM disk whose contents will
be lost when power is removed.  Most programs allow this redirection, either as
part of the program configuration options or by setting the TMP or TEMP
environment variables to point to the encrypted volume or RAM disk.

Unfortunately moving the swap area and temporary files to an encrypted volume
results in a slowdown in speed as all data must now be encrypted.  One of the
basic premises behind swapping data to disk is that very fast disk access is
available.  By slowing down the speed of swapping, the overall speed of the
system (once swapping becomes necessary) is reduced.  However once a system
starts swapping there is a significant slowdown anyway (with or without
encryption), so the tradeoff between encrypting the swap file for added
security or not encrypting it for added speed is up to you.

The other major form of information leakage with encrypted volumes is when
backing up the data contained on them.  Currently there is no generally
available secure backup software (the few applications which offer "security"
features are generally ridiculously easy to circumvent), so that all data
stored on an encrypted volume will generally need to be backed up in
unencrypted form.  Like the decision on where to store temporary data and swap
files, this is a tradeoff between security and convenience.  If it were
possible to back up an encrypted volume in its encrypted form, the entire
volume would have to be backed up as one solid block every time a backup was
made.  This could mean a daily backup of five hundred megabytes instead of the
half megabyte which has changed recently.  Incremental backups would be
impossible.  Backing up or restoring individual files would be impossible.  Any
data loss or errors in the middle of a large encrypted block could be
catastrophic (in fact the encryption method used in SFS has been carefully
selected to ensure that even a single encrypted data bit changed by an attacker
will be noticeable when the data is decrypted[2]).

Since SFS volumes in their encrypted form are usually invisible to the
operating system anyway, the only way in which an encrypted volume can be
backed up is by accessing it through the SFS driver, which means the data is
stored in its unencrypted form.  This has the advantage of allowing standard
backup software and schedules to be used, and the disadvantage of making the
unencrypted data available to anyone who has access to the backups.  User
discretion is advised.

If you regard it as absolutely essential that backups be encrypted, and have
the time and storage space to back up an entire encrypted volume, then the
Rawdisk 1.1 driver, available as ftp.uni-duisburg.de:/pub/pc/misc/rawdsk11.zip,
can be used to make the entire encrypted SFS volume appear as a file on a DOS
drive which can be backed up using standard DOS backup software.  The
instructions which come with Rawdisk give details on setting the driver up to
allow non-DOS volumes to be backed up as standard DOS drives.  The SFS volume
will appear as a single enormous file RAWDISK.DAT which entirely fills the DOS
volume.

Another possibility for encrypted backups involves using Windows, DesqView, or
some other task switcher, in conjunction with a floppy backup program.  By
switching to another task window and mounting a new SFS volume when the current
one has been filled up, and then switching back to the task window in which the
backup program is running, the need to re-mount volumes when a disk swap takes
place can be hidden from the backup program.  The exact sequence of steps for
performing a backup to SFS-encrypted floppy disks is as follows:

  1. Mount an SFS volume in a floppy drive
  2. Using the backup program, fill the volume in the floppy drive
  3. Switch to another task window
  4. Unmount the SFS volume in the floppy drive
  5. Mount a new SFS volume in the floppy drive
  6. Switch back to the original task window
  7. Go to step 2.

Unfortunately, this method will only work for floppy backups and is really best
suited to small amounts of data.  Where larger amounts of data are involved and
tape backup units are available, the first method for obtaining encrypted
backups is preferred.

Footnote [1]: For example, more recent versions of MSDOS and DRDOS come with an
              "undelete" program which will perform this task.

Footnote [2]: This is not a serious limitation, since it will only affect
              deliberate changes in the data.  Any accidental corruption due to
              disk errors will result in the drive hardware reporting the whole
              sector the data is on as being unreadable.  If the data is
              deliberately changed, the sector will be readable without errors,
              but won't be able to be decrypted.
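Footnote [2] states that a single changed ciphertext bit is noticeable when the data is decrypted.  The following is an added example, not SFS's own code and not SFS's actual cipher (which this page does not describe): a constructed toy stream cipher (SHA-256 keystream) is used with and without an HMAC-SHA256 integrity tag to show the difference between encryption where a flipped bit silently changes the decrypted data and encryption where the change is detected.  Keys, nonce and the sample backup record are constructed values.

```python
import hashlib
import hmac

TAG_LEN = 32  # length of an HMAC-SHA256 tag in bytes


def keystream(key, nonce, length):
    """Constructed toy keystream: concatenated SHA-256(key || nonce || counter).
    Illustration only; this is not the cipher used by SFS."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_noauth(key, nonce, data):
    """XOR the data with the keystream; decryption is the same operation."""
    ks = keystream(key, nonce, len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


decrypt_noauth = encrypt_noauth


def encrypt_auth(enc_key, mac_key, nonce, plaintext):
    """Encrypt-then-MAC: the tag covers the nonce and the ciphertext."""
    ct = encrypt_noauth(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return ct + tag


def decrypt_auth(enc_key, mac_key, nonce, blob):
    """Verify the tag before decrypting; any changed bit fails the check."""
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("stored data has been modified")
    return decrypt_noauth(enc_key, nonce, ct)


def flip_bit(data, bit_index):
    """Return a copy of data with one bit inverted (a simulated change to
    a stored encrypted block)."""
    b = bytearray(data)
    b[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(b)


def demo():
    """Constructed backup record with one bit flipped after encryption.
    Returns (what the unauthenticated version decrypts to, whether the
    authenticated version detected the change)."""
    enc_key, mac_key = b"E" * 32, b"M" * 32     # constructed keys
    nonce = b"\x00" * 8                          # constructed nonce
    record = b"Account 1042: balance 900.00"     # constructed sample data

    # Without an integrity check: bit 0 of byte 8 ('1') flips to '0' and the
    # record decrypts cleanly to a plausible but wrong value.
    tampered = flip_bit(encrypt_noauth(enc_key, nonce, record), 8 * 8)
    silently_wrong = decrypt_noauth(enc_key, nonce, tampered)

    # With an integrity check: the same change is refused at decryption.
    blob = flip_bit(encrypt_auth(enc_key, mac_key, nonce, record), 8 * 8)
    try:
        decrypt_auth(enc_key, mac_key, nonce, blob)
        detected = False
    except ValueError:
        detected = True
    return silently_wrong, detected


if __name__ == "__main__":
    wrong, detected = demo()
    print("unauthenticated decrypt gave:", wrong)
    print("authenticated decrypt detected change:", detected)
```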


Eavesdropping

The simplest form of eavesdropping consists of directly overviewing the system
on which confidential data is being processed.  The easiest defence is to
ensure that no direct line-of-sight path exists from devices such as computer
monitors and printers to any location from which an eavesdropper can view the
equipment in question.  Copying of documents and the contents of computer
monitors is generally possible at up to around 100 metres (300 feet) with
relatively unsophisticated equipment, but is technically possible at greater
distances.  You should also consider the possibility of monitoring from
locations such as office-corridor windows and nearby rooms.  This problem is
particularly acute in open-plan offices and homes.

The next simplest form of eavesdropping is remote eavesdropping, which does not
require access to the building but uses techniques for information collection
at a distance.  The techniques used include taking advantage of open windows or
other noise conveying ducts such as air conditioning and chimneys, using
long-range directional microphones, and using equipment capable of sensing
vibrations from surfaces such as windows which are modulated by sound from the
room they enclose.  By recording the sound of keystrokes when a password or
sensitive data is entered, an attacker can later recreate the password or data,
given either access to the keyboard itself or enough recorded keystrokes to
reconstruct the individual key sound patterns.  Similar attacks are possible
with some output devices such as impact printers.

Another form of eavesdropping involves the exploitation of existing equipment
such as telephones and intercoms for audio monitoring purposes.  In general any
device which handles audio signals and which can allow speech or other sounds
to be transmitted from the place of interest, which can be modified to perform
this task, or which can be used as a host to conceal a monitoring device and
provide power and possibly microphone and transmission capabilities to it (such
as, for example, a radio) can be the target for an attacker.  These devices can
include closed-circuit television systems (which can allow direct overviewing
of confidential information displayed on monitors and printers), office
communication systems such as public address systems, telephones, and intercoms
(which can either be used directly or modified to transmit sound from the
location to be monitored), radios and televisions (which can be easily adapted
to act as transmitters and which already contain power supplies, speakers (to
act as microphones), and antennae), and general electrical and electronic
equipment which can harbour a range of electronic eavesdropping devices and
feed them with their own power[1].

Another eavesdropping possibility is the recovery of information from hardcopy
and printing equipment.  The simplest form of this consists of searching
through discarded printouts and other rubbish for information.  Even shredding
a document offers only moderate protection against a determined enough
attacker, especially if a low-cost shredder which may perform an inadequate job
of shredding the paper is employed.  The recovery of text from the one-pass
ribbon used in high-quality impact printers is relatively simple.  Recovery of
text from multipass ribbons is also possible, albeit with somewhat more
difficulty.  The last few pages printed on a laser printer can also be
recovered from the drum used to transfer the image onto the paper.

Possibly the ultimate form of eavesdropping currently available, usually
referred to as TEMPEST (or occasionally van Eck) monitoring, consists of
monitoring the signals generated by all electrically-powered equipment.  These
signals can be radiated in the same way as standard radio and television
transmissions, or conducted along wiring or other metal work.  Some of these
signals will be related to information being processed by the equipment, and
can be easily intercepted (even at a significant distance) and used to
reconstruct the information in question.  For example, the radiation from a
typical VDU can be used to recover data with only a receiver at up to 25m (75
feet), with a TV antenna at up to 40m (120 feet), with an antenna and
amplification equipment at up to 80m (240 feet), and at even greater distances
with the use of more specialised equipment[2].  Information can also be
transmitted back through the power lines used to drive the equipment in
question, with transmission distances of up to 100m (300 feet) being possible.

TEMPEST monitoring is usually relatively expensive in terms of the resources
required, difficult to mount, and unpredictable in outcome.  It is most likely
to be carried out where other methods of eavesdropping are impractical and
where general security measures are effective in stopping monitoring.  However,
once in place, the amount of information available through this form of
eavesdropping is immense.  In general it allows the almost complete recovery of
all data being processed by a certain device such as a monitor or printer,
almost undetectably, and over a long period of time[3][4][5].  Protection
against TEMPEST monitoring is difficult and expensive, and is best left to
computer security experts[6][7].

However, some simple measures are still possible, such as paying attention to
the orientation of VDU's (most of the signal radiated from a VDU is towards the
sides, with very little being emitted to the front and rear), choosing equipment
which already meets standards for low emissions (for example in the US the
"quietest" standard for computers and peripherals is known as the FCC Class B
standard), using well-shielded cable for all system interconnections
(unshielded cable such as ribbon cable acts as an antenna for broadcasting
computer signals), using high-quality power line filters which block signals
into the high radio frequency range, and other methods generally used to reduce
or eliminate EMI (electromagnetic interference) from electronic equipment.

Footnote [1]: For an example of a device which needs no special modifications
              to allow remote monitoring, the Drake intercom system can be used
              to listen to any other unit on the system by pressing soft, dir,
              down (to the desired address), rtn, soft assn, attr, t+fl (the
              addresses will start to flash, the desired address can now be
              selected), at which point the selected address will be bugged
              without the other end being aware of this.  The bugging can be
              turned off again by pressing exit, t+l, selecting the flashing
              address as before, exit, soft.  This capability is built into the
              system and requires no special modifications.  Similar "features"
              are also present in a number of other intercom and PABX systems.

Footnote [2]: These figures are taken from "Schutzmassnahmen Gegen
              Kompromittierende Elektromagnetische Emissionen von
              Bildschirmsichtgeraeten", Erhard Moeller and Lutz Bernstein,
              Labor fuer Nachrichtentechnik, Fachhochschule Aachen.

Footnote [3]: An example of the kind of equipment used for TEMPEST monitoring
              is the NSA's F-3 ASCII code receiving antenna.  When used with a
              portable receiver, the F-3 system allows an agent to record data
              as it is entered from a computer keyboard.  The F-3
              receiver/recorder is hand held and can detect transmissions at
              some distance through a 25cm (10 inch) thick concrete wall.

Footnote [4]: A demonstration of this form of eavesdropping was done in the
              1988 BBC program "High Tech Spies", in which a van containing
              detection equipment drove around London reading data off the
              screens of computers located in law offices and brokerage firms.
              The results were then shown to executives of the firms.

Footnote [5]: Another demonstration was done by Winn Schwartau on Geraldo
               Rivera's "Now! It Can Be Told" TV show, broadcast on 30
              September 1991.

Footnote [6]: TEMPEST information and shielding measures for protection against
              TEMPEST monitoring are specified in standards like "Tempest
              Fundamentals", NSA-82-89, NACSIM 5000, National Security Agency,
              February 1, 1982, "Tempest Countermeasures for Facilities Within
              the United States", National COMSEC Instruction, NACSI 5004,
              January 1984, "Tempest Countermeasures for Facilities Outside the
              United States", National COMSEC Instruction, NACSI 5005, January
              1985, and MIL-STD 285 and 461B.  Unfortunately these
              specifications have been classified by the organisations who are
              most likely to make use of TEMPEST eavesdropping, and are not
              available to the public.

Footnote [7]: A computer centre in Moscow had all its windows shielded with
              reflective aluminium film which was supposed to provide enough
              protection to stop most forms of TEMPEST eavesdropping.  The
              technique seems to have worked, because a KGB monitoring van
              parked outside apparently didn't notice the fact that the
              equipment had been diverted to the task of printing out
              Strugatsky's novels.


Trojan Horses

It may be possible for an attacker to replace the SFS software with a copy
which seems to be identical but which has major weaknesses in it which make an
attack much easier, for example by using only a few characters of the password
to encrypt the disk.  The least likely target is mksfs, since changing the way
this operates would require a similar change to mountsfs and the SFS driver
which would be easily detectable by comparing them with an independent,
original copy.  Since a changed mksfs would require the long-term use of a
similarly changed mountsfs and driver, the chances of detection are greatly
increased.

A much more subtle attack involves changing mountsfs.  By substituting a
version which saves your password or encryption key to an unused portion of the
disk and then replaces itself with an unmodified, original copy, an attacker
can return at their leisure and read the password or key off the disk, leaving
you none the wiser that your encryption key has been compromised.  The SFS
driver may be modified to do this as well, although the task is slightly more
difficult than changing mountsfs.

Detecting this type of attack is very difficult, since although it is possible
to use security software which detects changes, this itself might be modified
to give a false reading.  Software which checks the checking software may in
turn be modified, and so on ad infinitum.  In general someone who is determined
enough can plant an undetectable trojan[1], although precautions like using
modification-detection programs, keeping physically separate copies of the SFS
software, and occasionally checking the installed versions against other,
original copies, may help reduce the risk somewhat.  Booting into an encrypted
partition, as described in the section "Advanced SFS Driver Options" above,
which contains "clean" copies of the SFS software, and comparing the clean
driver with the one used to boot into the encrypted partition, reduces the risk
further.  Finally, the eventual creation of a hardware SFS encryption card will
reduce the risk even further, although it would still be possible for an
attacker to substitute their own fake encryption card[2].
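The precaution described above, checking the installed SFS programs against an original copy, as an added example that is not part of SFS or this document: a baseline of SHA-256 digests is taken from the trusted copy and later compared with the installed files.  The program names mksfs, mountsfs and the SFS driver are from the text; the file-name suffixes, directory layout and file contents are constructed for the example.  As the text notes, the checker and its baseline are only as trustworthy as the media they are run from, so both belong on separate, clean media.

```python
import hashlib
import hmac
import os
import tempfile

# Program names are taken from the text; the suffixes are an assumption.
SFS_PROGRAMS = ("mksfs.exe", "mountsfs.exe", "sfs-driver.sys")


def digest_file(path):
    """SHA-256 of a file, read in chunks so large files are handled."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_baseline(original_dir):
    """Digest each program from the original, trusted copy.  Store the result
    on physically separate media, not on the disk that will be checked."""
    return {name: digest_file(os.path.join(original_dir, name))
            for name in SFS_PROGRAMS}


def check_installed(installed_dir, baseline):
    """Compare the installed programs against the baseline.
    Returns {name: "ok" | "modified" | "missing"}."""
    results = {}
    for name, expected in baseline.items():
        path = os.path.join(installed_dir, name)
        if not os.path.isfile(path):
            results[name] = "missing"
        elif hmac.compare_digest(digest_file(path), expected):
            results[name] = "ok"
        else:
            results[name] = "modified"
    return results


def demo():
    """Constructed scenario: a clean install, then the mountsfs substitution
    described in the text (simulated as a one-bit change), checked before
    and after.  Returns the two result dictionaries."""
    with tempfile.TemporaryDirectory() as original, \
            tempfile.TemporaryDirectory() as installed:
        for name in SFS_PROGRAMS:
            data = ("constructed stand-in for " + name).encode() * 64
            for d in (original, installed):
                with open(os.path.join(d, name), "wb") as f:
                    f.write(data)
        baseline = make_baseline(original)
        before = check_installed(installed, baseline)

        # Simulated trojan: the installed mountsfs differs by a single bit.
        path = os.path.join(installed, "mountsfs.exe")
        with open(path, "rb") as f:
            data = bytearray(f.read())
        data[10] ^= 0x01
        with open(path, "wb") as f:
            f.write(data)
        after = check_installed(installed, baseline)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before substitution:", before)
    print("after substitution: ", after)
```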

Another attack possibility is the creation of a program unrelated to SFS which
monitors the BIOS character write routines for the printing of the password
prompt, or video RAM for the appearance of the prompt, or the BIOS keyboard
handler, or any number of other possibilities, and then reads the password as
it is typed in[3][4][5][6].  This is a generic attack against all types of
encryption software, and doesn't rely on a compromised copy of the software
itself.  It isn't even necessary for the captured information to be recorded
anywhere, since the trojan can transmit it over a network which the computer
may be attached to, or simply send it to any convenient (but not necessarily
active) output device external to the computer in order to make a TEMPEST
attack easier to mount.

The stealth features in SFS are one way of making this kind of monitoring much
more difficult (none of the keyboard-monitoring programs mentioned are
effective against the SFS software), and are explained in more detail in the
section "Security Analysis" below.  However the only really failsafe way to
defeat this kind of attack is to use custom hardware which performs its task
before any user software has time to run, such as the hardware SFS version
currently under development.

Footnote [1]: An attacker could employ, for example, what David Farber has
              described as "supplemental functionality in the keyboard driver".

Footnote [2]: An attack of this kind was carried out in 1989 at Cambridge
              University, when students dismantled public-access terminals and
              replaced the firmware with a newer version which captured
              passwords for later replay.  This attack was documented in D.
              Harriman's article "Password Fishing on Public Terminals" in the
              January 1990 Computer Fraud and Security Bulletin, p.12.

Footnote [3]: One program which performs the task of capturing keystrokes is
              Phantom 2.29i, available from wuarchive.wustl.edu in the
              directory /pub/msdos/keyboard as ptm229i.zip, or from P2
              Enterprises, P.O. Box 25, Ben Lomond, California 95005-0025.
              This program not only allows the recording of all keystrokes but
              provides timing information down to fractions of a second,
              allowing for detailed typing pattern analysis by an attacker.
              There also exists a modified version of Phantom distributed as
              dos.zip which adds various stealth features to make it harder to
              detect.

              Two more keystroke-capturing programs are Encore, also available
              from wuarchive.wustl.edu in the directory /pub/msdos/keyboard as
              encore.zip, and KeyCopy, available from ftp.clark.net in the
              directory /pub/jcase as keycopy.zip.

              Another keystroke grabber, distributed as depl.zip, runs a target
              program inside a shell which saves all keystrokes in scrambled
              form to a hidden file for later retrieval.  DEPL can remove
              itself after use, and is customizable via a simple script file.

Footnote [4]: A program specifically created for this purpose is keytrap, which
              is distributed as File 26 of Phrack Volume 5, Issue 46 (20
              September 1994) and is available from freeside.com in the
              directory /pub/phrack as phrack46.zip.  keytrap is a
              memory-resident program which logs keystrokes to a hidden data
              file for later recovery, and comes with source code allowing it
              to be easily customized for a particular purpose.  A slightly
              improved version is available as keytrap2.zip.

Footnote [5]: A program which watches for a certain event before activating
              itself is Thief (originally called Getit), written by someone at
              George Washington High School in Denver, Colorado to capture
              Novell logon ID's and passwords.  The program hooks the DOS int
              21h interrupt and waits for EXEC (program execute) calls.  It
              then checks to see if the program being executed is the Novell
              LOGIN program.  If it is, it captures subsequent keystrokes to a
              hidden file for later perusal.  Thief comes with source code and
              can be modified to check for other programs or perform other
              monitoring functions if required.

Footnote [6]: PC-Sentry, available in the Compuserve NOVUSER forum as
              sentry.zip, can secretly monitor and log all computer activity
              such as files accessed or deleted, command-line activity,
              programs run, and so on.  A network version is also available.
              Activity Monitor, available in the Compuserve IBMSYS forum as
              actmon.zip, can monitor all activity under Windows 3.1 or above,
               and has a stealth mode of operation for unobtrusive use.


Dangers of Encryption

The use of very secure encryption is not without its downsides.  Making the
data completely inaccessible to anyone but the holder of the correct password
can be hazardous if the data being protected consists of essential information
such as the business records for a company which are needed in its day-to-day
operation.  If the holder of the encryption password is killed in an accident
(or even just rendered unconscious for a time), the potential complete loss of
all business records is a serious concern.

Another problem is the question of who the holder of the password(s) should be.
If the system administrator at a particular site routinely encrypts all the
data held there for security purposes, then later access to the entire
encrypted dataset is dependent on the administrator, who may forget the
password, or die suddenly, or move on to another job and have little incentive
to inform their previous employer of the encryption password (for example if
they were fired from the previous job).  It could even occur that the
ex-administrator has forgotten the password used at his previous place of
employment and might require a small, five-figure consideration to help jog his
memory.  The difficulty in prosecuting such a case would be rather high, as
proving that the encryption system wasn't really installed in good faith by the
well-intentioned administrator to protect the company data and that the
password wasn't genuinely forgotten would be well nigh impossible.