- The Care and Feeding of Passwords
- ---------------------------------
-
- With the inherent strength of an encryption system like the one used by SFS,
- the password used for encryption is becoming more the focus of attack than the
- encryption system itself. The reason for this is that trying to guess an
- encryption password is far simpler than trying to break the encryption system.
-
- SFS allows keys of up to 100 characters in length. These keys can contain
- letters, numbers, spaces, punctuation, and most control and extended characters
- except backspace (which is used for editing), escape (which is used to abort
- the password entry), and carriage return or newline, which are used to signify
- the end of the password. You should try and take advantage of this fact as
- much as possible, with preferred passwords being entire phrases rather than
- individual words (in fact since very few words are longer than the SFS absolute
- minimum password length of 10 characters, the complete set of these words can
- be checked in moments). There exist programs designed to allow high-speed
- password cracking of standard encryption algorithms which can, in a matter of
- hours (sometimes minutes, even seconds in the case of very weak algorithms),
- attempt to use the contents of a number of very large and complete dictionaries
- as sample passwords [1][2][3][4][5]. For example one recent study of passwords
- used on Unix systems[6] found 25% of all passwords simply by using
- sophisticated guessing techniques. Of the 25% total, nearly 21% (or around
- 3,000 passwords) were found within the first week using only the spare
- processing power of a few low-end workstations. 368 were found within the
- first few minutes. On an average system with 50 users, the first password
- could be found in under 2 minutes, with 5-15 passwords being found by the end
- of the first day[7].
-
- Virtually all passwords composed of single words can be broken with ease in
- this manner, even in the case of encryption methods like the one which is used
- by SFS, which has been specially designed to be resistant to this form of
- attack (testing every possible 10-letter password, even in the weakest case,
- where the password contains lowercase letters only, would take 450,000 years
- on a fast workstation (DEC Alpha) if the attacker knows the contents of the
- encrypted volume in advance - or about 4 1/2 years on a network of 100,000 of
- these machines). Of course no attacker would use this approach, as few people
- will use every possible combination of 10-letter passwords. By using an
- intelligent dictionary-based cracking program, this
- time can be reduced to only a few months. Complete programs which perform this
- task and libraries for incorporation into other software are already widely
- available[8]. This problem is especially apparent if the encryption algorithm
- used is very weak - the encryption used by the popular Pkzip archiver, for
- example, can usually be broken in this manner in a few seconds on a cheap
- personal computer using the standard wordlist supplied with all Unix
- systems[9].
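The arithmetic behind the figures above is worth carrying through once. The following Python is an added example and is not part of the SFS documentation: the 450,000-year and 100,000-machine figures are the page's, the 1,520,000-entry word list size is taken from footnote [2], and the 100 mutation rules per word is a constructed illustration of the capitalisation, reversal and appended-digit tricks discussed later. Working backwards from the page's own numbers also shows what rate of trial decryptions per machine they imply.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Alphabet sizes used to bound a password's search space
LOWERCASE = 26
PRINTABLE_ASCII = 95


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def bits_of_entropy(space: int) -> float:
    """Equivalent key length in bits for a uniformly chosen password."""
    return math.log2(space)


def years_to_exhaust(space: int, trials_per_second: float, machines: int = 1) -> float:
    """Wall-clock years to try every candidate at the given per-machine rate."""
    return space / (trials_per_second * machines) / SECONDS_PER_YEAR


def implied_trial_rate(space: int, years: float) -> float:
    """Per-machine trials per second implied by a stated exhaustive-search time."""
    return space / (years * SECONDS_PER_YEAR)


def dictionary_attack_years(words: int, mutations_per_word: int,
                            trials_per_second: float) -> float:
    """Time for a rule-based dictionary run: every word times every mutation."""
    return years_to_exhaust(words * mutations_per_word, trials_per_second)


def worked_figures() -> dict:
    """Reproduce the page's figures and contrast brute force with a word list."""
    space = keyspace(LOWERCASE, 10)               # all 10-letter lowercase passwords
    rate = implied_trial_rate(space, 450_000)     # page: 450,000 years on one DEC Alpha
    return {
        "lowercase_10_space": space,
        "lowercase_10_bits": bits_of_entropy(space),
        # roughly 10 trials/second: a deliberately expensive password-to-key step
        "implied_trials_per_second": rate,
        "years_on_100k_machines": years_to_exhaust(space, rate, machines=100_000),
        # footnote [2]: a 1,520,000-entry English list; 100 mutation rules per
        # word is a constructed figure, not one from the page
        "dictionary_years_100_rules": dictionary_attack_years(1_520_000, 100, rate),
        "printable_10_bits": bits_of_entropy(keyspace(PRINTABLE_ASCII, 10)),
    }


if __name__ == "__main__":
    for name, value in worked_figures().items():
        if isinstance(value, float):
            print(f"{name:>30}: {value:,.3f}")
        else:
            print(f"{name:>30}: {value:,}")
```

The dictionary run lands at roughly half a year at the implied rate, consistent with the "few months" quoted for an intelligent dictionary-based attack, while the exhaustive search stays at 450,000 machine-years; the gap is the whole argument for phrases over words.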
-
- You shouldn't rely on simple modifications to passwords for security.
- Capitalizing some letters, spelling the words backwards, adding one or two
- digits to the end, and so on, increase the amount of work which needs to be
- done by the average password-cracker by only a small amount over that needed
- for plain unadorned passwords. You should avoid any phrase which could be
- present in any kind of list (song lyrics, movie scripts, books, plays, poetry,
- famous sayings, and so on) - again, these can be easily and automatically
- checked by computers. Using foreign languages offers no extra security, since
- it means an attacker merely has to switch to using foreign-language
- dictionaries (or phrase lists, song lyrics, and so on). Relying on an attacker
- not knowing that a foreign language is being used ("If I use Swahili they'll
- never think of checking for it" - the so-called "Security through obscurity"
- technique) offers no extra security, since the few extra days or months it will
- take to check every known language are only a minor inconvenience.
-
- Probably the most difficult passwords to crack are ones comprising unusual
- phrases or sentences, since instead of searching a small body of text like the
- contents of a dictionary, book, or phrase list, the cracker must search a much
- larger corpus of data, namely all possible phrases in the language being used.
- Needless to say, the use of common phrases should be avoided, since these will
- be an obvious target for crackers.
-
- Some examples of bad passwords are:
-
- misconception       Found in a standard dictionary
- noitpecnocsim       Reversed standard dictionary word
- miskonseption       Simple misspelling of a standard word
- m1skon53pshun       Not-so-simple misspelling of a standard word
- MiScONcepTiON       Standard word with strange capitalization
- misconception1234   Standard word with simple numeric code appended
- 3016886726          Simple numeric code, probably a US phone number
- YKYBHTLWYS          Simple mnemonic
-
- In general coming up with a secure single-word password is virtually impossible
- unless you have a very good memory for things like unique 20-digit numbers.
-
- Some examples of bad passphrases are:
-
- What has it got in its pocketses?                  Found in a common book
- Ph'n-glui mgl'w naf'h Cthulhu R'yleh w'gah         Found in a somewhat less common book
- For yesterday the word of Caesar might have stood  Found in a theatrical work
- modify the characteristics of a directory          Found in a technical manual
- T'was brillig, and the slithy toves                Found in a book of poetry
- I've travelled roads that lead to wonder           Found in a list of music lyrics
- azetylenoszilliert in phaenomenaler kugelform      Found in an obscure foreign journal
- Arl be back                                        Found in several films
- I don't recall                                     Associated with a famous person
-                                                    (although it does make a good
-                                                    answer to the question "What's
-                                                    the password?" during an
-                                                    interrogation)
-
- Needless to say, you should never write a passphrase down or record it in any
- other way, or communicate it to anyone else.
-
- Footnote [1]: A large collection of word lists suitable for this kind of attack
- can be found on ftp.ox.ac.uk in directories below the
- /pub/wordlists directory, and total about 15MB of compressed
- data. These dictionaries contain, among other things, 2MB of
- Dutch words, 2MB of German words, 600KB of Italian words, 600KB
- of Norwegian words, 200KB of Swedish words, 3.3MB of Finnish
- words, 1MB of Japanese words, 1.1MB of Polish words, 700KB of
- assorted names, and a very large collection of assorted wordlists
- covering technical terms, jargon, hostnames, internet machine
- names, login IDs, usenet sites, computer languages, computer
- companies, the Koran, the Bible, the works of Lewis Carroll,
- Shakespeare, acronyms, characters from books, plays and films,
- actors' given names, actors' surnames, titles from movies, plays,
- and television, Monty Python, Star Trek, US politics, US postal
- areas, US counties, the CIA world fact book, the contents of
- several large standard dictionaries and thesauri, and common
- terms from Australian, Chinese, Croatian, Danish, Dutch, English,
- Finnish, French, German, Hindi, Hungarian, Italian, Japanese,
- Latin, Norwegian, Polish, Russian, Spanish, Swahili, Swedish,
- Yiddish, computers, literature, places, religion, and scientific
- terms.
-
- The ftp.ox.ac.uk site also contains, in the directory
- /src/security, the file cracklib25.tar.Z, a word dictionary of
- around 10MB, stored as a 6.4MB compressed tar file.
-
- Footnote [2]: A large dictionary of English words which also contains
- abbreviations, hyphenations, and misspelled words, is available
- from wocket.vantage.gte.com (131.131.98.182) in the
- /pub/standard_dictionary directory as dic-0594.tar, an
- uncompressed 16.1MB file, dic-0594.tar.Z, a compressed 7.6MB
- file, dic-0594.tar.gz, a Gzip'ed 5.9MB file, and dic-0594.zip, a
- Zipped 5.8MB file. This contains around 1,520,000 entries. In
- combination with a Markov model for the English language built
- from commonly-available texts, this wordlist provides a powerful
- tool for attacking even full passphrases.
-
- Footnote [3]: A Unix password dictionary is available from ftp.spc.edu as
- .unix/password-dictionary.txt.
-
- Footnote [4]: Grady Ward <grady@netcom.com> has collected very large
- collections of words, phrases, and other items suitable for
- dictionary attacks on cryptosystems. Even the NSA has used his
- lists in their work. Of particular interest are Moby Words,
- which contains 610,000 English entries including Scrabble(tm)
- compatible words, baby names, word frequencies, special subsets
- for spelling checkers and more, Moby Part-of-Speech, which
- contains 230,000 words and phrases marked with full
- part-of-speech data (in priority order for those words having
- more than one part-of-speech), Moby Pronunciator with 175,000
- words and phrases fully coded with International Phonetic
- Alphabet (IPA) ASCII symbols including up to three levels of
- emphasis (stress), and Moby Thesaurus with 30,000 root words and
- more than 2.5 million synonyms and related words. Samples of
- each of the lexical databases are available from ftp.netcom.com
- (192.100.81.100) in the /pub/grady directory as
- Moby-Sampler.tar.Z. A Postscript brochure describing the lists
- is available from the same location as Moby_Brochure8.5x14.ps.Z,
- the full datasets can be obtained from Grady Ward, 3449 Martha
- Ct., Arcata, CA 95521-4884, ph/fax 1-707-826-7715.
-
- Footnote [5]: A number of CDROMs are available which contain information
- useful for password-cracking. Two of these are the Chestnut
- "Dictionaries and Languages" CDROM and the Walnut Creek "Project
- Gutenberg" CDROM.
-
- Footnote [6]: Daniel Klein, "Foiling the Cracker: A Survey of, and Improvements
- to, Password Security", Software Engineering Institute, Carnegie
- Mellon University.
-
- Footnote [7]: An improved implementation is approximately 3 times faster on an
- entry-level 386 system, 4 times faster on an entry-level 486
- system, and up to 10 times faster on a more powerful workstation
- such as a Sparcstation 10 or DEC 5000/260, meaning that the first
- password would be found in just over 10 seconds on such a
- machine.
-
- Footnote [8]: One such program is "crack", currently at version 4.1 and
- available from ftp.ox.ac.uk in the directory /src/security as
- crack41.tar.Z.
-
- Footnote [9]: Actual cryptanalysis of the algorithm, rather than just trying
- passwords, takes a little longer, usually on the order of a few
- hours with a low-end workstation. However this method will
- (after a little work) break all encrypted zip files, not just the
- ones for which the password can be guessed.
-
-
- Other Software
- --------------
-
- There are a small number of other programs available which claim to provide
- disk security of the kind provided by SFS. However by and large these tend to
- use badly or incorrectly implemented algorithms, or algorithms which are known
- to offer very little security. One such example is Norton's Diskreet, which
- encrypts disks using either a fast proprietary cipher or the US Data Encryption
- Standard (DES). The fast proprietary cipher is very simple to break (it can be
- done with pencil and paper), and offers protection only against a casual
- browser. Certainly anyone with any programming or puzzle-solving skills won't
- be stopped for long by a system as simple as this[1].
-
- The more secure DES algorithm is also available in Diskreet, but there are
- quite a number of implementation errors which greatly reduce the security it
- should provide. Although it accepts a password of up to 40 characters, it then
- converts this to uppercase-only characters and reduces the total size to 8
- characters, of which only a small portion are used for the encryption itself.
- This leads to a huge reduction in the number of possible encryption keys, so
- that not only are there a finite (and rather small) total number of possible
- passwords, there are also a large number of equivalent keys, any of which will
- decrypt a file (for example a file encrypted with the key 'xxxxxx' can be
- decrypted with 'xxxxxx', 'xxxxyy', 'yyyyxx', and a large collection of other
- keys, too many to list here).
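The equivalent-key behaviour described above can be reproduced from two facts: the uppercase-and-truncate step the text describes, and the DES key schedule's habit of ignoring the low bit of each key byte (it is reserved for parity). The following Python is an added example, not Diskreet's code: it assumes the 8 remaining characters are used directly as the key (inferred from the 'xxxxxx'/'xxxxyy' example, and stated outright for Da Vinci further down) and pads short passwords with NUL bytes, which is an assumption. The real product may discard still more of the key than this model does, as the text says.

```python
import string

UPPERCASE = string.ascii_uppercase
KEY_BYTES = 8


def des_effective_key(key: bytes) -> bytes:
    """DES reads only the top 7 bits of each key byte; the low bit is a parity
    bit the key schedule ignores, so keys differing only there are equivalent."""
    if len(key) != KEY_BYTES:
        raise ValueError("DES keys are 8 bytes")
    return bytes(b & 0xFE for b in key)


def diskreet_style_key(password: str) -> bytes:
    """Model of the reduction the text describes: uppercase the password, keep
    the first 8 characters and use them directly as the key (direct use is
    inferred from the 'xxxxxx'/'xxxxyy' example; NUL padding is an assumption)."""
    return password.upper().encode("ascii")[:KEY_BYTES].ljust(KEY_BYTES, b"\0")


def equivalent(password_a: str, password_b: str) -> bool:
    """True when both passwords drive exactly the same DES encryption."""
    return (des_effective_key(diskreet_style_key(password_a))
            == des_effective_key(diskreet_style_key(password_b)))


def distinct_effective_bytes(alphabet: str) -> int:
    """How many distinct key bytes an alphabet yields once parity bits drop.
    'A'-'Z' occupy 0x41-0x5A, so B/C, D/E, ... X/Y pair up: 14 classes."""
    return len({ord(c) & 0xFE for c in alphabet})


def key_reduction_report() -> dict:
    """Nominal DES key space versus what survives the modelled reduction."""
    return {
        "nominal_des_keys": 2 ** 56,
        "uppercase_8_char_passwords": len(UPPERCASE) ** KEY_BYTES,          # 26^8
        "equivalence_classes_per_byte": distinct_effective_bytes(UPPERCASE),  # 14
        "distinct_effective_keys": distinct_effective_bytes(UPPERCASE) ** KEY_BYTES,  # 14^8
    }


if __name__ == "__main__":
    print("xxxxxx ~ xxxxyy:", equivalent("xxxxxx", "xxxxyy"))
    print("xxxxxx ~ yyyyxx:", equivalent("xxxxxx", "yyyyxx"))
    for name, value in key_reduction_report().items():
        print(f"{name:>30}: {value:,}")
```

The lesson for anyone building on DES is that password characters must never be used as raw key bytes: run the whole password through a hash or key-derivation function so that every one of the 56 effective bits depends on every input character.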
-
- These fatal flaws mean that a fast dictionary-based attack can be used to check
- virtually all possible passwords in a matter of hours on a standard PC. In
- addition the CBC (cipher block chaining) encryption mode used employs a known,
- fixed initialisation vector (IV) and restarts the chaining every 512 bytes,
- which means that patterns in the encrypted data are not hidden by the
- encryption. Using these two implementation errors, a program can be
- constructed which will examine a Diskreet-encrypted disk and produce the
- password used to encrypt it (or at least one of the many, many passwords
- capable of decrypting it) within moments. In fact, for any data it encrypts,
- Diskreet writes a number of constant, fixed data blocks (one of which contains
- the name of the programmer who wrote the code, many others are simply runs of
- zero bytes) which can be used as the basis of an attack on the encryption.
- Even worse, the very weak proprietary scheme used by Diskreet gives away the
- encryption key used so that if any two pieces of data are encrypted with the
- same password, one with the proprietary scheme and the other with Diskreet's
- DES implementation, the proprietary-encrypted data will reveal the encryption
- key used for the DES-encrypted data[1].
-
- These problems are in fact explicitly warned against in any of the documents
- covering DES and its modes of operation, such as ISO Standards 10116 and
- 10126-2, US Government FIPS Publication 81, or basic texts like Denning's
- "Cryptography and Data Security". It appears that the authors of Diskreet
- never bothered to read any of the standard texts on encryption to make sure
- they were doing things right, or never really tested the finished version. In
- addition the Diskreet encryption code is taken from a code library provided by
- another company rather than the people who sell Diskreet, with implementation
- problems in both the encryption code and the rest of Diskreet.
-
- The DES routines used in Da Vinci, a popular groupware product, are similarly
- poorly implemented. Not only is an 8-character password used directly as the
- DES key, but the DES encryption method used is the electronic codebook (ECB)
- mode, whose use is warned against in even the most basic cryptography texts
- and, in a milder form, in various international encryption standards. For
- example, Annex A.1 of ISO 10116:1991 states "The ECB mode is in general not
- recommended". ISO 10126-2:1991 doesn't even mention ECB as being useful for
- message encryption. The combination of Da Vinci's very regular file structure
- (which provides an attacker with a large amount of known data in every file),
- the weak ECB encryption mode, and the extremely limited password range, makes a
- precomputed dictionary attack (which involves a single lookup in a pre-set
- table of plaintext-ciphertext pairs) very easy (even easier, in fact, than the
- previously-discussed attack on Unix system passwords). In fact, as ECB mode
- has no pattern hiding ability whatsoever, all that is necessary is to encrypt a
- common pattern (such as a string of spaces) with all possible dictionary
- password values, and sort and store the result in a table. Any password in the
- dictionary can then be broken just as fast as the value can be read out of the
- table.
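Two of the mode-of-operation failures above, Diskreet's CBC with a known fixed IV restarted every 512 bytes and Da Vinci's ECB with a precomputed plaintext-ciphertext table, can be shown side by side with any 64-bit block cipher. The following Python is an added example and is not code from either product: since a DES implementation is not in the Python standard library, it uses a small hash-based Feistel cipher as a stand-in (the mode behaviour is what matters, not the cipher), a constructed 64-byte "disk image" with 16-byte sectors in place of 512-byte ones, and a constructed four-word list. The salted variant of the key derivation is the mitigation: a per-volume salt forces the table to be rebuilt for every volume instead of once.

```python
import hashlib
import os

BLOCK = 8      # 64-bit blocks, as in DES
ROUNDS = 8
FIXED_IV = b"\0" * BLOCK      # constructed stand-in for a known, constant IV
KNOWN_BLOCK = b" " * BLOCK    # a block of spaces, the known pattern the text mentions


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key: bytes, rnd: int, half: bytes) -> bytes:
    """Keyed, non-linear 32-bit round function built from SHA-256."""
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]


def _feistel(key: bytes, block: bytes, order) -> bytes:
    left, right = block[:4], block[4:]
    for rnd in order:
        left, right = right, _xor(left, _round_fn(key, rnd, right))
    return right + left        # undo the final swap so decryption mirrors encryption


def block_encrypt(key: bytes, block: bytes) -> bytes:
    return _feistel(key, block, range(ROUNDS))


def block_decrypt(key: bytes, block: bytes) -> bytes:
    return _feistel(key, block, reversed(range(ROUNDS)))


def derive_key(password: bytes, salt: bytes = b"") -> bytes:
    """Unsalted: the password bytes are the key, as the products in the text do.
    Salted: a per-volume salt is hashed in, so tables cannot be precomputed."""
    if salt:
        return hashlib.sha256(salt + password).digest()[:BLOCK]
    return password.ljust(BLOCK, b"\0")[:BLOCK]


def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    return b"".join(block_encrypt(key, data[i:i + BLOCK])
                    for i in range(0, len(data), BLOCK))


def cbc_encrypt(key: bytes, data: bytes, iv: bytes, restart_every: int = 0) -> bytes:
    """CBC mode; restart_every > 0 restarts the chain from the same IV at that
    byte interval, modelling a per-sector restart with a fixed IV."""
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        if restart_every and i % restart_every == 0:
            prev = iv
        prev = block_encrypt(key, _xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def repeated_blocks(ciphertext: bytes) -> int:
    """How many ciphertext blocks duplicate an earlier one (0 = patterns hidden)."""
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    return len(blocks) - len(set(blocks))


def build_table(wordlist, salt: bytes = b"") -> dict:
    """Precomputed ciphertext -> password table for one known plaintext block."""
    return {block_encrypt(derive_key(pw, salt), KNOWN_BLOCK): pw for pw in wordlist}


def lookup(table: dict, ciphertext_block: bytes):
    return table.get(ciphertext_block)


# Constructed 64-byte "disk image": four 16-byte sectors, sectors 0/2 and 1/3
# identical, with runs of zero bytes like the fixed blocks the text describes.
DATA = (b"\0" * 16 + b"payload!" + b"\0" * 8) * 2
WORDS = [b"secret", b"letmein", b"caesar", b"password"]   # constructed word list


def demo() -> dict:
    key = derive_key(b"secret")
    victim_block = ecb_encrypt(key, KNOWN_BLOCK)    # ECB ciphertext of known data
    salted_victim = block_encrypt(derive_key(b"secret", b"volume-B"), KNOWN_BLOCK)
    return {
        "ecb_repeats": repeated_blocks(ecb_encrypt(key, DATA)),
        "cbc_fixed_iv_restart_repeats": repeated_blocks(cbc_encrypt(key, DATA, FIXED_IV, 16)),
        "cbc_random_iv_repeats": repeated_blocks(cbc_encrypt(key, DATA, os.urandom(BLOCK))),
        "table_recovers": lookup(build_table(WORDS), victim_block),
        "salted_table_recovers": lookup(build_table(WORDS, b"volume-A"), salted_victim),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:>30}: {value}")
```

ECB exposes every repeated plaintext block; restarting CBC from a fixed IV per sector hides repeats within a sector but not identical sectors, and two volumes whose first blocks match produce matching first ciphertext blocks; a fresh random IV per chain leaves nothing to compare. The single table lookup succeeds only while the key depends on the password alone.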
-
- PC Tools is another example of a software package which offers highly insecure
- encryption. The DES implementation used in this package has had the number of
- rounds reduced from the normal 16 to a mere 2, making it trivial to break on
- any cheap personal computer. This very weak implementation is distributed
- despite a wide body of research which documents just how insecure 2-round DES
- really is[2].
-
- Even a correctly-implemented and applied DES encryption system offers only
- marginal security against a determined attacker. It has long been rumoured
- that certain government agencies and large corporations (and, no doubt,
- criminal organizations) possessed specialized hardware which allowed them to
- break the DES encryption. However only in August of 1993 have complete
- constructional details for such a device been published. The budget version
- of this device can be built for around $100,000 and finds a DES key in 1 1/2
- days; the somewhat more ambitious $1 million version does the same in 3.5
- hours. The speed of this device
- scales linearly with cost, so that the time taken can be reduced to minutes or
- even seconds if enough money is invested. This is a one-off cost, and once a
- DES-breaking machine of this type is built it can sit there day and night
- churning out a new DES key every few minutes, hours, or days (depending on the
- budget of the attacker).
-
- In the 1980s, the East German company Robotron manufactured hundreds of
- thousands of DES chips for the former Soviet Union. This means one of two
- things: either the Soviet Union used the chips to build a DES cracker, or they
- used DES to encrypt their own communications, which means that the US built
- one.
-
- The only way around the problem of fast DES crackers is to run DES more than
- once over the data to be encrypted, using so-called triple DES (using DES twice
- is as easy to attack as single DES, so in practice three iterations must be
- used). DES is inherently slow. Triple DES is twice as slow[3]. A hard drive
- which performs like a large-capacity floppy drive may give users a sense of
- security, but won't do much for their patience.
-
- The continued use of DES, mainly in the US, has been due more to a lack of any
- replacement than to an ongoing belief in its security. The National Bureau of
- Standards (now National Institute of Standards and Technology) has only
- reluctantly re-certified DES for further use every five years. Interestingly
- enough, the Australian government, which recently developed its own replacement
- for DES called SENECA, now rates DES as being "inappropriate for protecting
- government and privacy information" (this includes things like taxation
- information and social security and other personal data). Now that an
- alternative is available, the Australian government seems unwilling to certify
- DES even for information given under an "in confidence" classification, which
- is a relatively low security rating[4].
-
- In comparison, the RC4 encryption used in Lotus Notes has been deliberately
- designed to offer only a certain level of security which means it is exportable
- under the US crypto export restrictions. The key length is limited to 40 bits,
- making it possible to mount a brute-force attack against it in a reasonable
- amount of time[5]. A similar measure is used in IBM's Commercial Data Masking
- Facility, which uses a DES implementation limited to a 40-bit key. Although
- the RC4 algorithm has a number of interesting properties which make it less
- than perfect, the simplest attack is still a brute-force check of all possible
- 40-bit key combinations[6]. Both RC4 and the CDMF are properly designed and
- implemented, but have been weakened somewhat by the need to satisfy the US
- government's restrictions on the use of strong cryptography.
-
- Finally, the add-on "encryption" capabilities offered by general software
- packages are usually laughable. Various programs exist which will
- automatically break the "encryption" offered by software such as Ami Pro, Arc,
- Arj, Lotus 123, the "improved encryption" in Lotus 123 3.x and 4.x, Lotus
- Symphony, Microsoft Excel, Microsoft Word, Novell Netware, Paradox, Pkzip 1.x,
- the "improved encryption" in Pkzip 2.x, Quattro Pro, Unix crypt(1), Wordperfect
- 5.x and earlier, the "improved" encryption in Wordperfect 6.x, and many
- others[7][8][9]. Indeed, these systems are often so simple to break that at
- least one package which does so adds several delay loops simply to make it look
- as if there were actually some work involved in the process. Although the
- manuals for these programs make claims such as "If you forget the password,
- there is absolutely no way to retrieve the document", the "encryption" used can
- often be broken with such time-honoured tools as a piece of paper, a pencil,
- and a small amount of thought. Some programs which offer "password protection
- security" don't even try to perform any encryption, but simply do a password
- check to allow access to the data. Three examples of this are Stacker,
- Fastback, and Norton's partition security system, all three of which can either
- have their code patched or have a few bytes of data changed to ignore any
- password check before granting access to data.
-
- Footnote [1]: There are at least three products available which will break both
- the proprietary and DES encryption used in Diskreet. One
- publicly-available program which will perform this task is sold
- by a company called AccessData. More information on their
- encryption-breaking software can be found a few paragraphs down.
-
- Footnote [2]: A 2-round version is in fact so weak that most attackers never
- bother with it. Biham and Shamir's "Differential Cryptanalysis of
- the Data Encryption Standard" only starts at 4 rounds, for which
- 16 encrypted data blocks are needed for a chosen-plaintext
- attack. A non-differential, ciphertext-only attack on a 3-round
- version requires 20 encrypted data blocks. A known-plaintext
- attack requires "several" encrypted data blocks. A 2-round
- version will be significantly weaker than the 3-round version.
- It has been reported that a university lecturer once gave his
- students 2-round DES to break as a homework exercise.
-
- Footnote [3]: There are some clever tricks which can be used to make a triple
- DES implementation only twice as slow as single DES, rather than
- three times as slow as would be expected.
-
- Footnote [4]: The Commonwealth of Australia Protective Security Manual (PSM)
- defines two classes of material, National Security Material and
- Sensitive Material. Sensitive Material is the lower
- classification category, and the "In-Confidence" category is the
- lowest sub-category for Sensitive Material, being defined in the
- PSM as "Material which requires a limited degree of protection.
- Unauthorised disclosure, loss, compromise, misuse of which, or
- damage to in-confidence data might possibly cause harm to the
- country, Government, or give unfair advantage to any entity". In
- addition "information considered private that needs some degree
- of protection should normally be categorised as In-Confidence".
-
- Footnote [5]: A sieve array populated by single-bit boolean processors running
- at 40 MIPS would produce one trial per cycle, with the average
- time to break a 40 bit key by brute force (0.5 x 10^12 trials) being a
- little over three hours. There are inexpensive DSPs (digital
- signal processors) available which can be used for this purpose,
- in a device costing a few tens of thousands of dollars.
-
- Footnote [6]: RC4 has two parts, the initialization phase, and the random
- number generation phase used for the encryption itself. An array
- is initialized with the user's key to be a random permutation.
- The random number generator then mixes the permutation and
- reports values looked up pseudorandomly in that permutation.
-
- Among the weaknesses in RC4 are that there is too high a
- likelihood during the initialization phase that small values
- will remain in small positions in the initial permutation; user
- keys are repeated to fill 256 bytes, so 'aaaa' and 'aaaaa'
- produce the same permutation; results are looked up at
- pseudorandom positions in the array, and if some internal state
- causes a certain sequence of positions to be looked up, there are
- 255 similar internal states that will look up values in the same
- sequence of positions (although the values in those positions
- will be different), from which it can be shown that cycles come
- in groups of 2^n, where all cycles in a group have the same
- length, and all cycles are of an odd length * 256 unless they are
- in a group of 256; there is a bias in the results so that, for
- example, the pattern "a a" is too likely and the pattern "a b a"
- is too unlikely, which can be detected only after examining about
- 8 trillion bytes; the internal state is not independent of the
- results, so that with a given result there are two patterns in
- the internal state that appear 1/256 times more often than they
- ought to; and at least two separate methods exist for deducing
- the internal state from the results in around 2^900 steps.
-
- In none of these cases do they reduce the complexity of an attack
- to anywhere near the level of simply trying all 2^40 keys - like
- the differential and linear cryptanalysis results for DES, they
- serve more as an indication of how strong the cipher is than how
- weak it is.
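The key-repetition point in the footnote above ("'aaaa' and 'aaaaa' produce the same permutation") is easy to verify because RC4's key scheduling is short. The following Python is an added example, not code from Lotus Notes or from RSA: it implements the two RC4 phases the footnote describes, checks the equivalence of cyclically identical keys, and includes a hashed-key wrapper as one defensive fix, which is my suggestion rather than anything the page proposes. The "Key"/"Plaintext" pair is a published RC4 test vector.

```python
import hashlib


def rc4_ksa(key: bytes) -> list:
    """Key scheduling: the key is reused cyclically (key[i % len(key)]) to
    cover all 256 positions, so keys with the same cyclic expansion collide."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Pseudo-random generation: walk and mix the permutation, emitting one
    byte per step looked up at a pseudo-random position."""
    s = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Encryption and decryption are the same XOR with the keystream."""
    return bytes(a ^ b for a, b in zip(data, rc4_keystream(key, len(data))))


def cyclic_expansion(key: bytes) -> bytes:
    """The 256 key bytes the KSA actually consumes."""
    return bytes(key[i % len(key)] for i in range(256))


def same_permutation(key_a: bytes, key_b: bytes) -> bool:
    return rc4_ksa(key_a) == rc4_ksa(key_b)


def hashed_key(password: bytes, nonce: bytes = b"") -> bytes:
    """Mitigation (my suggestion, not the page's): hash the password, with a
    per-message nonce, into a fixed-length key so 'aaaa' and 'aaaaa' differ
    and the key bytes are not a short repeating pattern."""
    return hashlib.sha256(nonce + password).digest()[:16]


if __name__ == "__main__":
    print(rc4_crypt(b"Key", b"Plaintext").hex())                    # bbf316e8d940af0ad3
    print(same_permutation(b"aaaa", b"aaaaa"))                         # True
    print(cyclic_expansion(b"aaaa") == cyclic_expansion(b"aaaaa"))     # True
    print(same_permutation(hashed_key(b"aaaa"), hashed_key(b"aaaaa")))  # False
```

Note that the equivalence is exact, not statistical: any two keys with the same 256-byte cyclic expansion yield the same permutation and therefore the same keystream, so counting "possible keys" by byte length overstates the key space whenever raw passwords are fed to the KSA.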
-
- Footnote [7]: A package which will break many of these schemes is sold by
- AccessData, 560 South State, Suite J-1, Orem, Utah 84058, ph.
- 1-801-224-6970, fax 1-801-224-6009, email support@accessdata.com.
- Access Data's main European distributor, Key Exchange, is based
- in London, ph. +44-81-744-1551. They provide software which will
- break WordPerfect (versions 4.2-6.1, regular or enhanced
- encryption), Microsoft Word (versions 2.0-6.1), Microsoft Excel
- (all versions including the Macintosh one), Lotus 1-2-3 (all
- versions), Quattro Pro, Paradox, Pkzip, Norton's Diskreet (both
- DES and proprietary encryption), Novell NetWare (versions
- 3.x-4.x), and others. All the programs come with a 100%
- guarantee. AccessData also offers to its customers free inhouse
- recovery of data created with applications like Quicken,
- Microsoft Money, and other simple (non-encryption based) password
- systems.
-
- AccessData provide a free demonstration disk which will decrypt
- files that have a password of 10 characters in length. The
- lengths of passwords other than 10 characters in length will be
- displayed, but not the password itself. They also make demo
- versions of their software available on their FTP site
- ftp.accessdata.com in the directory /pub/demo, and have a Web
- page at http://www.accessdata.com. As an example, a demo of
- their WordPerfect 6.0b encryption breaker is available from the
- FTP site as wrpassd.exe. More information on the contents of the
- directory is present in the directory itself.
-
- Footnote [8]: A number of programs (too many to list here) which will break the
- encryption of all manner of software packages are freely
- available via the internet. For example, a WordPerfect
- encryption cracker is available from garbo.uwasa.fi in the
- directory /pc/util as wppass2.zip. The Pkzip 1.x and 2.x
- encryption was first publicly broken by Paul Kocher in August
- 1994 (although the NSA must have broken it much earlier, as they
- allowed it to be exported from the US). His method works
- regardless of the password size or file content. The Ami Pro
- encryption was also first publicly broken by Paul Kocher in
- February 1995 (although again it was rumoured that private
- organisations had broken it much earlier). The method of
- breaking Ami Pro also works regardless of password size or file
- content.
-
- Footnote [9]: CRAK Software produce encryption breaking software for a wide
- variety of popular word processor, spreadsheet, and financial
- programs including MS Excel 5.0, Lotus 123 version 4.0, Quattro
- Pro 6.0, MS Word 6.0, Wordperfect through to version 5.2, and
- Quicken through to version 4.0, with software to handle earlier
- versions of these programs available on request. Demo versions
- of some of these programs are available from ftp.indirect.com in
- the directory /www as excrak.zip, locrak.zip, qpcrak.zip,
- wdcrak.zip, and wpcrak.zip respectively. CRAK Software can be
- contacted at 1-800-484-9628 ext.7584 or through their WWW home
- page at http://www.indirect.com/johnk/.
-
- Footnote [10]: Why are you reading this footnote? Nowhere in the text is there
- a [10] referring you to this note. Go back to the start, and
- don't read this footnote again!
-
-
- Data Security
- -------------
-
- This section presents an overview of a range of security problems which are, in
- general, outside the reach of SFS. These include relatively simple problems
- such as not-quite-deleted files and general computer security, through to
- sophisticated electronic monitoring and surveillance of a location in order to
- recover confidential data or encryption keys. The coverage is by no means
- complete, and anyone seriously concerned about the possibility of such an
- attack should consult a qualified security expert for further advice. You
- should remember when seeking advice about security that an attacker will use
- any available means of compromising the security of your data, and will attack
- areas other than those for which the strongest defense mechanisms have been
- installed. For this reason you should consider all possible means of attack,
- since strengthening one area may merely make another area more appealing to an
- opponent.
-
-
- Information Leakage
-
- There are several ways in which information can leak from an encrypted SFS
- volume onto other media. The simplest kind of information leakage is in the
- form of temporary files maintained by application software and operating
- systems, which are usually stored in a specific location and which, when
- recovered, may contain file fragments or entire files from an encrypted volume.
- This is true not only for the traditional word processors, spreadsheets,
- editors, graphics packages, and so on which create temporary files on disk in
- which to save data, but also for operating systems such as OS/2, Windows NT,
- and Unix, which reserve a special area of a disk to store data which is swapped
- in and out of memory when more room is needed.
-
- This information is usually deleted by the application after use, so that you
- won't even be aware that it exists. Unfortunately "deletion" generally
- consists of setting a flag which indicates that the file has been deleted,
- rather than overwriting the data in any secure way. Any information which is
- "deleted" in this manner can be trivially recovered using a wide variety of
- tools[1]. In the case of a swap file there is no explicit deletion as the swap
- area is invisible to the user anyway. On a lightly-loaded system, data may
- linger in a swap area for a considerable amount of time.
-
- The only real solution to this problem is to redirect all temporary files and
- swap files either to an encrypted volume or to a RAM disk whose contents will
- be lost when power is removed. Most programs allow this redirection, either as
- part of the program configuration options or by setting the TMP or TEMP
- environment variables to point to the encrypted volume or RAM disk.
-
- Unfortunately moving the swap area and temporary files to an encrypted volume
- results in a slowdown in speed as all data must now be encrypted. One of the
- basic premises behind swapping data to disk is that very fast disk access is
- available. By slowing down the speed of swapping, the overall speed of the
- system (once swapping becomes necessary) is reduced. However once a system
- starts swapping there is a significant slowdown anyway (with or without
- encryption), so the tradeoff between encrypting the swap file for added
- security or not encrypting it for added speed is up to you.
-
- The other major form of information leakage with encrypted volumes is when
- backing up the data contained on them. Currently there is no generally
- available secure backup software (the few applications which offer "security"
- features are generally ridiculously easy to circumvent), so that all data
- stored on an encrypted volume will generally need to be backed up in
- unencrypted form. Like the decision on where to store temporary data and swap
- files, this is a tradeoff between security and convenience. If it were
- possible to back up an encrypted volume in its encrypted form, the entire
- volume would have to be backed up as one solid block every time a backup was
- made. This could mean a daily backup of five hundred megabytes instead of the
- half megabyte which has changed recently. Incremental backups would be
- impossible. Backing up or restoring individual files would be impossible. Any
- data loss or errors in the middle of a large encrypted block could be
- catastrophic (in fact the encryption method used in SFS has been carefully
- selected to ensure that even a single encrypted data bit changed by an attacker
- will be noticeable when the data is decrypted[2]).
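- The property claimed above, that a single changed ciphertext bit is noticed on decryption, can be illustrated with a sector-level encrypt-then-MAC construction. This is an added example and not SFS's actual cipher or mode: it uses a hash-derived keystream plus an HMAC tag, both from the Python standard library, and the key and sector contents are constructed. The unauthenticated decryption routine is included only to show why the tag is needed.

```python
import hashlib
import hmac
from typing import Optional

TAG_LEN = 32


def _subkeys(key: bytes):
    """Derive separate keystream and MAC keys from one volume key (constructed scheme)."""
    return (hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest())


def _keystream(enc_key: bytes, sector_no: int, length: int) -> bytes:
    """SHA-256 in counter mode over (key, sector number, block counter)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(enc_key + sector_no.to_bytes(8, "big")
                              + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def _tag(mac_key: bytes, sector_no: int, ct: bytes) -> bytes:
    # The sector number is bound into the tag so a sector cannot be moved elsewhere.
    return hmac.new(mac_key, sector_no.to_bytes(8, "big") + ct, hashlib.sha256).digest()


def encrypt_sector(key: bytes, sector_no: int, plaintext: bytes) -> bytes:
    """Return ciphertext || tag for one sector."""
    enc_key, mac_key = _subkeys(key)
    ks = _keystream(enc_key, sector_no, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    return ct + _tag(mac_key, sector_no, ct)


def decrypt_sector(key: bytes, sector_no: int, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None if any bit of ciphertext or tag was altered."""
    enc_key, mac_key = _subkeys(key)
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, _tag(mac_key, sector_no, ct)):
        return None
    ks = _keystream(enc_key, sector_no, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def decrypt_unauthenticated(key: bytes, sector_no: int, ct: bytes) -> bytes:
    """Keystream-only decryption with no check: a flipped ciphertext bit silently
    flips the same plaintext bit, which is what the integrity check prevents."""
    enc_key, _ = _subkeys(key)
    ks = _keystream(enc_key, sector_no, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Simulate an attacker changing one bit of the stored ciphertext."""
    b = bytearray(data)
    b[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(b)
```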
-
- Since SFS volumes in their encrypted form are usually invisible to the
- operating system anyway, the only way in which an encrypted volume can be
- backed up is by accessing it through the SFS driver, which means the data is
- stored in its unencrypted form. This has the advantage of allowing standard
- backup software and schedules to be used, and the disadvantage of making the
- unencrypted data available to anyone who has access to the backups. User
- discretion is advised.
-
- If you regard it as absolutely essential that backups be encrypted, and have
- the time and storage space to back up an entire encrypted volume, then the
- Rawdisk 1.1 driver, available as ftp.uni-duisburg.de:/pub/pc/misc/rawdsk11.zip,
- can be used to make the entire encrypted SFS volume appear as a file on a DOS
- drive which can be backed up using standard DOS backup software. The
- instructions which come with Rawdisk give details on setting the driver up to
- allow non-DOS volumes to be backed up as standard DOS drives. The SFS volume
- will appear as a single enormous file RAWDISK.DAT which entirely fills the DOS
- volume.
-
- Another possibility for encrypted backups involves using Windows, DesqView, or
- some other task switcher, in conjunction with a floppy backup program. By
- switching to another task window and mounting a new SFS volume when the current
- one has been filled up, and then switching back to the task window in which the
- backup program is running, the need to re-mount volumes when a disk swap takes
- place can be hidden from the backup program. The exact sequence of steps for
- performing a backup to SFS-encrypted floppy disks is as follows:
-
- 1. Mount an SFS volume in a floppy drive
- 2. Using the backup program, fill the volume in the floppy drive
- 3. Switch to another task window
- 4. Unmount the SFS volume in the floppy drive
- 5. Mount a new SFS volume in the floppy drive
- 6. Switch back to the original task window
- 7. Go to step 2.
-
- Unfortunately, this method will only work for floppy backups and is really best
- suited to small amounts of data. Where larger amounts of data are involved and
- tape backup units are available, the first method for obtaining encrypted
- backups is preferred.
-
- Footnote [1]: For example, more recent versions of MSDOS and DRDOS come with an
- "undelete" program which will perform this task.
-
- Footnote [2]: This is not a serious limitation, since it will only affect
- deliberate changes in the data. Any accidental corruption due to
- disk errors will result in the drive hardware reporting the whole
- sector the data is on as being unreadable. If the data is
- deliberately changed, the sector will be readable without errors,
- but won't be able to be decrypted.
-
-
- Eavesdropping
-
- The simplest form of eavesdropping consists of directly overviewing the system
- on which confidential data is being processed. The easiest defence is to
- ensure that no direct line-of-sight path exists from devices such as computer
- monitors and printers to any location from which an eavesdropper can view the
- equipment in question. Copying of documents and the contents of computer
- monitors is generally possible at up to around 100 metres (300 feet) with
- relatively unsophisticated equipment, but is technically possible at greater
- distances. You should also consider the possibility of monitoring from
- locations such as office-corridor windows and nearby rooms. This problem is
- particularly acute in open-plan offices and homes.
-
- The next simplest form of eavesdropping is remote eavesdropping, which does not
- require access to the building but uses techniques for information collection
- at a distance. The techniques used include taking advantage of open windows or
- other noise conveying ducts such as air conditioning and chimneys, using
- long-range directional microphones, and using equipment capable of sensing
- vibrations from surfaces such as windows which are modulated by sound from the
- room they enclose. By recording the sound of keystrokes when a password or
- sensitive data is entered, an attacker can later recreate the password or data,
- given either access to the keyboard itself or enough recorded keystrokes to
- reconstruct the individual key sound patterns. Similar attacks are possible
- with some output devices such as impact printers.
-
- Another form of eavesdropping involves the exploitation of existing equipment
- such as telephones and intercoms for audio monitoring purposes. In general any
- device which handles audio signals and which can allow speech or other sounds
- to be transmitted from the place of interest, which can be modified to perform
- this task, or which can be used as a host to conceal a monitoring device and
- provide power and possibly microphone and transmission capabilities to it (such
- as, for example, a radio) can be the target for an attacker. These devices can
- include closed-circuit television systems (which can allow direct overviewing
- of confidential information displayed on monitors and printers), office
- communication systems such as public address systems, telephones, and intercoms
- (which can either be used directly or modified to transmit sound from the
- location to be monitored), radios and televisions (which can be easily adapted
- to act as transmitters and which already contain power supplies, speakers (to
- act as microphones), and antennae), and general electrical and electronic
- equipment which can harbour a range of electronic eavesdropping devices and
- feed them with their own power[1].
-
- Another eavesdropping possibility is the recovery of information from hardcopy
- and printing equipment. The simplest form of this consists of searching
- through discarded printouts and other rubbish for information. Even shredding
- a document offers only moderate protection against a determined enough
- attacker, especially if a low-cost shredder which may perform an inadequate job
- of shredding the paper is employed. The recovery of text from the one-pass
- ribbon used in high-quality impact printers is relatively simple. Recovery of
- text from multipass ribbons is also possible, albeit with somewhat more
- difficulty. The last few pages printed on a laser printer can also be
- recovered from the drum used to transfer the image onto the paper.
-
- Possibly the ultimate form of eavesdropping currently available, usually
- referred to as TEMPEST (or occasionally van Eck) monitoring, consists of
- monitoring the signals generated by all electrically-powered equipment. These
- signals can be radiated in the same way as standard radio and television
- transmissions, or conducted along wiring or other metal work. Some of these
- signals will be related to information being processed by the equipment, and
- can be easily intercepted (even at a significant distance) and used to
- reconstruct the information in question. For example, the radiation from a
- typical VDU can be used to recover data with only a receiver at up to 25m (75
- feet), with a TV antenna at up to 40m (120 feet), with an antenna and
- amplification equipment at up to 80m (240 feet), and at even greater distances
- with the use of more specialised equipment[2]. Information can also be
- transmitted back through the power lines used to drive the equipment in
- question, with transmission distances of up to 100m (300 feet) being possible.
-
- TEMPEST monitoring is usually relatively expensive in terms of the resources
- required, difficult to mount, and unpredictable in outcome. It is most likely
- to be carried out where other methods of eavesdropping are impractical and
- where general security measures are effective in stopping monitoring. However,
- once in place, the amount of information available through this form of
- eavesdropping is immense. In general it allows the almost complete recovery of
- all data being processed by a certain device such as a monitor or printer,
- almost undetectably, and over a long period of time[3][4][5]. Protection
- against TEMPEST monitoring is difficult and expensive, and is best left to
- computer security experts[6][7].
-
- However, some simple measures are still possible, such as paying attention to
- the orientation of VDU's (most of the signal radiated from a VDU is towards the
- sides, with very little being emitted to the front and rear), choosing equipment
- which already meets standards for low emissions (for example in the US the
- "quietest" standard for computers and peripherals is known as the FCC Class B
- standard), using well-shielded cable for all system interconnections
- (unshielded cable such as ribbon cable acts as an antenna for broadcasting
- computer signals), using high-quality power line filters which block signals
- into the high radio frequency range, and other methods generally used to reduce
- or eliminate EMI (electromagnetic interference) from electronic equipment.
-
- Footnote [1]: For an example of a device which needs no special modifications
- to allow remote monitoring, the Drake intercom system can be used
- to listen to any other unit on the system by pressing soft, dir,
- down (to the desired address), rtn, soft assn, attr, t+fl (the
- addresses will start to flash, the desired address can now be
- selected), at which point the selected address will be bugged
- without the other end being aware of this. The bugging can be
- turned off again by pressing exit, t+l, selecting the flashing
- address as before, exit, soft. This capability is built into the
- system and requires no special modifications. Similar "features"
- are also present in a number of other intercom and PABX systems.
-
- Footnote [2]: These figures are taken from "Schutzmassnahmen Gegen
- Kompromittierende Elektromagnetische Emissionen von
- Bildschirmsichtgeraeten", Erhard Moeller and Lutz Bernstein,
- Labor fuer Nachrichtentechnik, Fachhochschule Aachen.
-
- Footnote [3]: An example of the kind of equipment used for TEMPEST monitoring
- is the NSA's F-3 ASCII code receiving antenna. When used with a
- portable receiver, the F-3 system allows an agent to record data
- as it is entered from a computer keyboard. The F-3
- receiver/recorder is hand held and can detect transmissions at
- some distance through a 25cm (10 inch) thick concrete wall.
-
- Footnote [4]: A demonstration of this form of eavesdropping was done in the
- 1988 BBC program "High Tech Spies", in which a van containing
- detection equipment drove around London reading data off the
- screens of computers located in law offices and brokerage firms.
- The results were then shown to executives of the firms.
-
- Footnote [5]: Another demonstration was done by Winn Schwartau on Geraldo
- Rivera's "Now! It Can Be Told" TV show, broadcast on 30
- September 1991.
-
- Footnote [6]: TEMPEST information and shielding measures for protection against
- TEMPEST monitoring are specified in standards like "Tempest
- Fundamentals", NSA-82-89, NACSIM 5000, National Security Agency,
- February 1, 1982, "Tempest Countermeasures for Facilities Within
- the United States", National COMSEC Instruction, NACSI 5004,
- January 1984, "Tempest Countermeasures for Facilities Outside the
- United States", National COMSEC Instruction, NACSI 5005, January
- 1985, and MIL-STD 285 and 461B. Unfortunately these
- specifications have been classified by the organisations who are
- most likely to make use of TEMPEST eavesdropping, and are not
- available to the public.
-
- Footnote [7]: A computer centre in Moscow had all its windows shielded with
- reflective aluminium film which was supposed to provide enough
- protection to stop most forms of TEMPEST eavesdropping. The
- technique seems to have worked, because a KGB monitoring van
- parked outside apparently didn't notice the fact that the
- equipment had been diverted to the task of printing out
- Strugatsky's novels.
-
-
- Trojan Horses
-
- It may be possible for an attacker to replace the SFS software with a copy
- which seems to be identical but which has major weaknesses in it which make an
- attack much easier, for example by using only a few characters of the password
- to encrypt the disk. The least likely target is mksfs, since changing the way
- this operates would require a similar change to mountsfs and the SFS driver
- which would be easily detectable by comparing them with an independent,
- original copy. Since a changed mksfs would require the long-term use of a
- similarly changed mountsfs and driver, the chances of detection are greatly
- increased.
-
- A much more subtle attack involves changing mountsfs. By substituting a
- version which saves your password or encryption key to an unused portion of the
- disk and then replaces itself with an unmodified, original copy, an attacker
- can return at their leisure and read the password or key off the disk, leaving
- you none the wiser that your encryption key has been compromised. The SFS
- driver may be modified to do this as well, although the task is slightly more
- difficult than changing mountsfs.
-
- Detecting this type of attack is very difficult, since although it is possible
- to use security software which detects changes, this itself might be modified
- to give a false reading. Software which checks the checking software may in
- turn be modified, and so on ad infinitum. In general someone who is determined
- enough can plant an undetectable trojan[1], although precautions like using
- modification-detection programs, keeping physically separate copies of the SFS
- software, and occasionally checking the installed versions against other,
- original copies, may help reduce the risk somewhat. Booting into an encrypted
- partition, as described in the section "Advanced SFS Driver Options" above,
- which contains "clean" copies of the SFS software, and comparing the clean
- driver with the one used to boot into the encrypted partition, reduces the risk
- further. Finally, the eventual creation of a hardware SFS encryption card will
- reduce the risk even further, although it would still be possible for an
- attacker to substitute their own fake encryption card[2].
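- One of the precautions listed above, checking the installed programs against a manifest of digests taken from a known-good copy, looks like the following. This is an added example, not part of SFS: the file names are constructed stand-ins for mksfs, mountsfs and the driver, and the demo builds a throwaway install directory and then alters one file. As the text notes, the checker only means something when it and its manifest are run from a separate, clean copy.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List

# Constructed names standing in for the installed SFS programs; not the real file names.
WATCHED_FILES = ["mksfs.exe", "mountsfs.exe", "sfsdrv.sys"]


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large drivers do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(install_dir: Path, names: Iterable[str]) -> Dict[str, str]:
    """Record digests from a copy you trust; keep the result on separate, write-protected media."""
    return {name: file_digest(install_dir / name) for name in names}


def check_install(install_dir: Path, manifest: Dict[str, str]) -> List[str]:
    """Return a report line for every watched file that is missing or altered; empty means clean."""
    problems = []
    for name, expected in manifest.items():
        path = install_dir / name
        if not path.is_file():
            problems.append(f"{name}: missing")
            continue
        # compare_digest avoids leaking anything through comparison timing
        if not hmac.compare_digest(file_digest(path), expected):
            problems.append(f"{name}: modified")
    return problems


def demo() -> List[str]:
    """Constructed scenario: take a manifest, then replace mountsfs and remove the driver."""
    with tempfile.TemporaryDirectory() as tmp:
        install = Path(tmp)
        for name in WATCHED_FILES:
            (install / name).write_bytes(b"original contents of " + name.encode())
        manifest = build_manifest(install, WATCHED_FILES)
        assert check_install(install, manifest) == []          # clean right after install

        # a substituted mountsfs that differs by only a few bytes is still caught
        (install / "mountsfs.exe").write_bytes(b"original contents of mountsfs.exe!")
        (install / "sfsdrv.sys").unlink()
        return check_install(install, manifest)


if __name__ == "__main__":
    for line in demo():
        print(line)
```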
-
- Another attack possibility is the creation of a program unrelated to SFS which
- monitors the BIOS character write routines for the printing of the password
- prompt, or video RAM for the appearance of the prompt, or the BIOS keyboard
- handler, or any number of other possibilities, and then reads the password as
- it is typed in[3][4][5][6]. This is a generic attack against all types of
- encryption software, and doesn't rely on a compromised copy of the software
- itself. It isn't even necessary for the captured information to be recorded
- anywhere, since the trojan can transmit it over a network which the computer
- may be attached to, or simply send it to any convenient (but not necessarily
- active) output device external to the computer in order to make a TEMPEST
- attack easier to mount.
-
- The stealth features in SFS are one way of making this kind of monitoring much
- more difficult (none of the keyboard-monitoring programs mentioned are
- effective against the SFS software), and are explained in more detail in the
- section "Security Analysis" below. However the only really failsafe way to
- defeat this kind of attack is to use custom hardware which performs its task
- before any user software has time to run, such as the hardware SFS version
- currently under development.
-
- Footnote [1]: An attacker could employ, for example, what David Farber has
- described as "supplemental functionality in the keyboard driver".
-
- Footnote [2]: An attack of this kind was carried out in 1989 at Cambridge
- University, when students dismantled public-access terminals and
- replaced the firmware with a newer version which captured
- passwords for later replay. This attack was documented in D.
- Harriman's article "Password Fishing on Public Terminals" in the
- January 1990 Computer Fraud and Security Bulletin, p.12.
-
- Footnote [3]: One program which performs the task of capturing keystrokes is
- Phantom 2.29i, available from wuarchive.wustl.edu in the
- directory /pub/msdos/keyboard as ptm229i.zip, or from P2
- Enterprises, P.O. Box 25, Ben Lomond, California 95005-0025.
- This program not only allows the recording of all keystrokes but
- provides timing information down to fractions of a second,
- allowing for detailed typing pattern analysis by an attacker.
- There also exists a modified version of Phantom distributed as
- dos.zip which adds various stealth features to make it harder to
- detect.
-
- Two more keystroke-capturing programs are Encore, also available
- from wuarchive.wustl.edu in the directory /pub/msdos/keyboard as
- encore.zip, and KeyCopy, available from ftp.clark.net in the
- directory /pub/jcase as keycopy.zip.
-
- Another keystroke grabber, distributed as depl.zip, runs a target
- program inside a shell which saves all keystrokes in scrambled
- form to a hidden file for later retrieval. DEPL can remove
- itself after use, and is customizable via a simple script file.
-
- Footnote [4]: A program specifically created for this purpose is keytrap, which
- is distributed as File 26 of Phrack Volume 5, Issue 46 (20
- September 1994) and is available from freeside.com in the
- directory /pub/phrack as phrack46.zip. keytrap is a
- memory-resident program which logs keystrokes to a hidden data
- file for later recovery, and comes with source code allowing it
- to be easily customized for a particular purpose. A slightly
- improved version is available as keytrap2.zip.
-
- Footnote [5]: A program which watches for a certain event before activating
- itself is Thief (originally called Getit), written by someone at
- George Washington High School in Denver, Colorado to capture
- Novell logon ID's and passwords. The program hooks the DOS int
- 21h interrupt and waits for EXEC (program execute) calls. It
- then checks to see if the program being executed is the Novell
- LOGIN program. If it is, it captures subsequent keystrokes to a
- hidden file for later perusal. Thief comes with source code and
- can be modified to check for other programs or perform other
- monitoring functions if required.
-
- Footnote [6]: PC-Sentry, available in the Compuserve NOVUSER forum as
- sentry.zip, can secretly monitor and log all computer activity
- such as files accessed or deleted, command-line activity,
- programs run, and so on. A network version is also available.
- Activity Monitor, available in the Compuserve IBMSYS forum as
- actmon.zip, can monitor all activity under Windows 3.1 or above,
- and has a stealth mode of operation for unobtrusive use.
-
-
- Dangers of Encryption
-
- The use of very secure encryption is not without its downsides. Making the
- data completely inaccessible to anyone but the holder of the correct password
- can be hazardous if the data being protected consists of essential information
- such as the business records for a company which are needed in its day-to-day
- operation. If the holder of the encryption password is killed in an accident
- (or even just rendered unconscious for a time), the potential complete loss of
- all business records is a serious concern.
-
- Another problem is the question of who the holder of the password(s) should be.
- If the system administrator at a particular site routinely encrypts all the
- data held there for security purposes, then later access to the entire
- encrypted dataset is dependent on the administrator, who may forget the
- password, or die suddenly, or move on to another job and have little incentive
- to inform their previous employer of the encryption password (for example if
- they were fired from the previous job). It could even occur that the
- ex-administrator has forgotten the password used at his previous place of
- employment and might require a small, five-figure consideration to help jog his
- memory. The difficulty in prosecuting such a case would be rather high, as
- proving that the encryption system wasn't really installed in good faith by the
- well-intentioned administrator to protect the company data and that the
- password wasn't genuinely forgotten would be well nigh impossible.
-