Showing posts with label encryption. Show all posts

Sunday, March 2, 2008

Sysadmin Sunday: Encrypted Swap Space in FreeBSD

New research shows that cold boot attacks can compromise encryption by giving you access to the RAM's contents. This even applies to full-disk encryption that encrypts swap space and whatnot. We'll probably talk more about that in our podcast.

Physical access almost always means that a total compromise of security is somehow possible. Sensitive data could be at risk long after the data in RAM decays into oblivion. Encryption keys, large documents, and other files containing data you don't want falling into the wrong hands will almost certainly see their fair share of time in virtual memory. That means pages of RAM will be written, for better or worse, to the hard drive.

Encrypting just your swap space can be easier than switching to full-disk encryption and makes it more difficult for an attacker to obtain sensitive data as it gets shuffled in and out of RAM.

OpenBSD encrypts swap by default without any further action. To the best of my knowledge it's alone in that fact. I can't outline how to encrypt swap space in every operating system, but since FreeBSD's the flavor-du-jour, I'll show you how easy it can be.

First, disable swap:

[axon@floaty-fbsd ~]$ sudo swapoff -a
swapoff: /dev/ad0s1b: Cannot allocate memory

Whoops! If there's too much stuff running to fit in RAM without swap, you'll need to cut back. Close your applications, stop the X Window system or whatever you have to do. Let's try that again.

[axon@floaty-fbsd ~]$ sudo swapoff -a

Now, find the swap partition and overwrite it using dd(1) to stream /dev/urandom to it. It could take a while depending on the size of the swap partition. Yes, this is a paranoia countermeasure and nothing more. Keep in mind that only freshly-used parts of swap will be encrypted once we're finished. Right now, there could be (ab)usable data out there. Not for long!

[axon@floaty-fbsd ~]$ grep swap /etc/fstab
/dev/ad0s1b none swap sw 0 0
[axon@floaty-fbsd ~]$ sudo dd if=/dev/urandom of=/dev/ad0s1b
dd: /dev/ad0s1b: end of device
464657+0 records in
464656+0 records out
237903872 bytes transferred in 88.835558 secs (2678025 bytes/sec)

To enable GEOM ELI on your swap partition, edit /etc/fstab and add ".eli" to the end of the swap device.

[axon@floaty-fbsd ~]$ sudo vi /etc/fstab
change this line:
/dev/ad0s1b none swap sw 0 0
to this:
/dev/ad0s1b.eli none swap sw 0 0

You have to reboot for this to take effect. Once it comes back online, use kldstat and swapinfo to verify that the geom_eli.ko module is loaded and that the new swap device is being used.

[axon@floaty-fbsd ~]$ kldstat
Id Refs Address Size Name
1 10 0xc0400000 7b2d2c kernel
2 1 0xc0bb3000 6974 snd_ich.ko
3 2 0xc0bba000 239a8 sound.ko
4 1 0xc0bde000 5c304 acpi.ko
5 1 0xc1f19000 e000 geom_eli.ko
6 1 0xc1f27000 19000 crypto.ko
7 1 0xc1f40000 a000 zlib.ko
8 1 0xc21ec000 2000 warp_saver.ko
[axon@floaty-fbsd ~]$ swapinfo
Device 1K-blocks Used Avail Capacity
/dev/ad0s1b.eli 232328 0 232328 0%

Voila!
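
The fstab edit above is done by hand in the post; as an added example (not code from the original post), the following Python script applies the same ".eli" change to fstab text and then checks kldstat and swapinfo output the way the verification step does. It only transforms text, so it can be run anywhere; the sample fstab, kldstat and swapinfo listings are constructed from the ones shown above.

```python
"""Automate the fstab edit for GEOM ELI swap and check the post-reboot state.

Added example: applies the ".eli" suffix to swap devices in fstab text and
inspects kldstat(8)/swapinfo(8) output. All sample inputs are constructed.
"""

# Constructed fstab with one swap entry and two non-swap entries.
SAMPLE_FSTAB = """\
# Device        Mountpoint  FStype  Options   Dump  Pass#
/dev/ad0s1b     none        swap    sw        0     0
/dev/ad0s1a     /           ufs     rw        1     1
/dev/acd0       /cdrom      cd9660  ro,noauto 0     0
"""

# Constructed kldstat(8) and swapinfo(8) output, modelled on the post.
SAMPLE_KLDSTAT = """\
Id Refs Address    Size     Name
 1   10 0xc0400000 7b2d2c   kernel
 5    1 0xc1f19000 e000     geom_eli.ko
 6    1 0xc1f27000 19000    crypto.ko
"""

SAMPLE_SWAPINFO = """\
Device          1K-blocks     Used    Avail Capacity
/dev/ad0s1b.eli    232328        0   232328     0%
"""


def enable_eli_swap(fstab_text: str) -> str:
    """Return fstab_text with ".eli" appended to every swap device.

    Comments, blank lines, non-swap entries and devices that already end in
    ".eli" are left untouched, so running this twice is harmless.
    """
    out = []
    for line in fstab_text.splitlines():
        fields = line.split()
        is_entry = len(fields) >= 3 and not fields[0].startswith("#")
        if is_entry and fields[2] == "swap":
            dev = fields[0]
            if dev.startswith("/dev/") and not dev.endswith(".eli"):
                # Replace only the device field; the rest of the line is kept.
                line = line.replace(dev, dev + ".eli", 1)
        out.append(line)
    return "\n".join(out) + "\n"


def module_loaded(kldstat_text: str, module: str) -> bool:
    """True if kldstat lists the named kernel module (e.g. geom_eli.ko)."""
    return any(line.split()[-1:] == [module]
               for line in kldstat_text.splitlines()[1:])


def swapinfo_uses_eli(swapinfo_text: str) -> bool:
    """True if every swap device reported by swapinfo is a .eli provider."""
    devices = [line.split()[0] for line in swapinfo_text.splitlines()[1:]
               if line.strip().startswith("/dev/")]
    return bool(devices) and all(dev.endswith(".eli") for dev in devices)


if __name__ == "__main__":
    print(enable_eli_swap(SAMPLE_FSTAB))
    print("geom_eli loaded:", module_loaded(SAMPLE_KLDSTAT, "geom_eli.ko"))
    print("all swap encrypted:", swapinfo_uses_eli(SAMPLE_SWAPINFO))
```

On a real box you would feed it the contents of /etc/fstab and the output of kldstat and swapinfo; the swapinfo check is the one worth keeping around, since a swap entry that is silently still unencrypted is exactly the failure you want to notice.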

Sunday, February 24, 2008

Sysadmin Sunday: Quick & Dirty SSH Tunneling

Occasionally, you might need to tunnel some other traffic over SSH. This could be to get access to an external web proxy, to get a remote X display up, or to get around a firewall-blocked port that you must access.

The syntax (on the command-line OpenSSH client) for a Local forward is like this:

# ssh remote-example.h-i-r.net -L 3128:localhost:3128

This tells my SSH client to tunnel traffic to port 3128 on my workstation to port 3128 on my DMZ box. Port 3128 isn't accessible because of a firewall, but tunnelled over SSH it works fine. In this case, I'm running squid on the remote example host. Telling Firefox to use http://localhost:3128 as the proxy will now tunnel all of my web traffic over the SSH tunnel to the squid proxy behind the firewall. The reason it's called a local forward is that it forwards a local port over the SSH connection.

A remote forward will open up a port on the remote machine and connect it to a port on the client's network. The syntax is similar:

# ssh remote-example.h-i-r.net -R 3306:dbserver:3306

This would open up port 3306 (the MySQL server port) on the remote host and tunnel it to the MySQL service on the host named dbserver on my local network.

While running forwarding of either type, you can enter the hotkey sequence "~#" to see all the open connections through the forwarded ports.

Wednesday, February 6, 2008

TrueCrypt 5.0 Released

TrueCrypt 5.0, a free, open-source on-the-fly encryption tool, came out this week.

Highlights from the release notes:

  • Mac OS X Support (Tiger and Leopard on both Intel and PPC architectures)
  • Windows performance enhancements
  • Pre-boot authentication and system drive encryption for Windows
  • Enhancements to the Linux version

This tool is fast becoming a favorite among security professionals, privacy advocates and the paranoid.

Sunday, December 2, 2007

Steganography overview

-Steganography Introduction-

I think we’re all guilty of drawing up the plans in our heads, with the thermite charge on your hard drive and the big red panic button. But all of these plans essentially have the problem of having to detect a breach of security. An interested party need only be just as creative to detect and thwart your carefully laid booby trap. Nothing quite says "I contain incriminating information" like a booby-trapped PC.

There are some classical methods of hiding communication in plain sight using pre-arranged coded speech and writing patterns which at first glance appear mundane, while in actuality the people are saying something completely different. The Russian black market and crime syndicates developed a language using certain chess moves. Prison detainees used vulcanized rubber and crude utensils to draw elaborate tattoos denoting rank and other qualities.

By itself steganography is only good for covert communications to one or more parties. Much has been said about the presence of steganography-laced content in newsgroups and other public content; granted, the amount of actual covert communication is very exaggerated. The difficulty in using steganography is that many steganographic techniques can be scanned for just like you would scan for a virus or malware. The very presence of a steganographic utility on your computer, or someone accessing a known security website or downloading a known utility, can raise a flag to a security analyst that covert communication is likely occurring.

When addressing the topic of including steganography in Freenet (an open source anonymous network): "...Steganography is an ongoing battle of attrition, obscurity and constantly updating are sadly the best defenses in it. Again it's down to `better the way we do it than the way you don't...'" Basically, the same defenses that viruses use to avoid detection are the only strengths that steganography by itself has. Another strength it has is that it is not part of the popular user-land security dogma which states that firewall + anti-virus + anti-spyware == secure (which is like saying that it's okay not to wear a seat belt in a car because you're wearing a condom). So it is only effective against passive detection, but that's about it.

-=- TABLE OF CONTENTS -=-
x .......... Introduction
1 .......... Use and purpose
2 .......... Mediums and How it works
3 .......... Utilities currently available
A .......... Works Cited

=======================
1 .......... Use and purpose
=======================
Covert communication is where bandwidth is stolen from a legitimate communication to create a secret channel of communication. So the purpose of steganography is to create a parasitic hidden communication, carried by a legitimate communication. This is done so that communication can be made in a public space without drawing attention to itself.

A person who would want to make use of this would be a human rights violation observer who is passing information to an international human rights advocacy group like Amnesty International or the UN. The local authorities would very likely be suppressing information of that sort. If the local authorities were to catch a communication reporting an incident, it's very likely the reporter would be silenced in one way or another.

(rant)
In the US we enjoy freedom of speech, these rights are being whittled away at under the guise of national security. In other countries, un-censored speech has dire and deadly consequences. Just because what I write may be unpopular, that is not a valid excuse for killing or torturing me. Yet untold numbers of people suffer those consequences daily just because they say something not deemed acceptable by their locality/nation/culture. Development of covert communications and cryptography may seem trivial to us now, but development of these tools can save lives. Allowing the public the use of these tools may have serious consequences for law enforcement, but criminalizing their use and possession has vast and horrible consequences for us as society.
(/rant)
=======================
2 .......... Mediums and How it works
=======================

A good example is a chess game. In the previous example of criminal elements' use of coded speech and mannerisms, a chess game is interpreted as a different game: certain reactions to moves are communications, the moves are all valid moves, only their context has changed. This is a high bandwidth covert channel; it uses a lot of the bandwidth of the communication. High bandwidth is where the legitimate communication itself is placed into a different context and interpreted to mean something else. If one of the players affixed a microdot containing private information onto the other player's chess board, then this would be low bandwidth.

The Trusted Computer System Evaluation Criteria (aka TCSEC) is a set of criteria established by the National Computer Security Center, which is managed by the NSA. According to TCSEC there are two types of covert channels. The first is a storage channel, which modifies a stored object into something else less sensitive. The second is a timing channel, which manipulates the timing in a communication to transmit the sensitive information.

An example of the two is Jsteg and TCP/IP timing. Jsteg hides information in an existing JPEG in the formatting of the picture, which does not significantly change the original picture. TCP/IP timing is where a normal, mundane TCP/IP request is carried out but is delayed in a pre-determined fashion, so that the timing of the transmission of the packets is the medium of communication. A less technical example would be the chess example, where the microdot would be the storage channel and the timing of chess movements would be the timing channel.
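
To make the storage-channel idea concrete, here is an added example (not code from the original article, and not Jsteg itself) that hides a payload in the least-significant bit of each sample of a cover. The cover is a flat list of 8-bit grayscale pixel values constructed in the script, so no image library is needed; a real tool does the same thing inside an image container. The last two helpers show why the change is invisible to the eye (no sample moves by more than 1) and what fraction of samples a given payload touches, which is the kind of statistic steganalysis tools look at.

```python
"""Storage-channel steganography on a constructed cover: LSB embedding.

Added example. COVER is a 64x64 grayscale "image" generated here; the
length-prefixed payload lives in the lowest bit of the first samples.
"""
import random

# Constructed cover: 4096 samples, seeded so the demo is repeatable.
_rng = random.Random(1)
COVER = [_rng.randrange(256) for _ in range(64 * 64)]


def capacity_bytes(pixels: list) -> int:
    """Payload bytes that fit once the 4-byte length prefix is accounted for."""
    return len(pixels) // 8 - 4


def embed_lsb(pixels: list, payload: bytes) -> list:
    """Return a copy of pixels whose LSBs carry a length-prefixed payload."""
    if len(payload) > capacity_bytes(pixels):
        raise ValueError("cover too small for payload")
    data = len(payload).to_bytes(4, "big") + payload
    bits = [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]
    stego = list(pixels)
    for idx, bit in enumerate(bits):
        stego[idx] = (stego[idx] & 0xFE) | bit   # touch only the lowest bit
    return stego


def extract_lsb(pixels: list) -> bytes:
    """Recover a payload written by embed_lsb."""
    def read(start: int, count: int) -> bytes:
        value = 0
        for i in range(count * 8):
            value = (value << 1) | (pixels[start + i] & 1)
        return value.to_bytes(count, "big")

    length = int.from_bytes(read(0, 4), "big")
    if length > capacity_bytes(pixels):
        raise ValueError("no valid payload in cover")
    return read(32, length)


def max_sample_change(original: list, stego: list) -> int:
    """LSB embedding never moves a sample by more than 1."""
    return max(abs(a - b) for a, b in zip(original, stego))


def changed_fraction(original: list, stego: list) -> float:
    """Share of samples actually altered (about half of those used, on average)."""
    return sum(a != b for a, b in zip(original, stego)) / len(original)


if __name__ == "__main__":
    stego = embed_lsb(COVER, b"meet at dawn")
    print(extract_lsb(stego))
    print("max change:", max_sample_change(COVER, stego))
    print("changed fraction: %.3f" % changed_fraction(COVER, stego))
```

The per-sample change of at most 1 is why a storage channel of this kind is invisible on screen; it is also why detection is statistical rather than visual, which is the point the article makes about scanners in the next sections.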

Another example of using a parasitic medium is communicating using steganography with what is called chaffing and winnowing. This sends out multiple hidden communications and uses a secondary channel to provide a key that identifies which communication is the correct one. This method utilizes the previous forms and adds a code which authenticates the communication.
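
The authentication code mentioned above is the whole trick in Rivest's chaffing and winnowing scheme, and the following added example (not code from the original article) shows the exchange from both sides. The sender emits one real packet ("wheat", with a valid MAC) and one bogus packet ("chaff", with a random MAC) per message byte; the receiver keeps only packets whose MAC verifies. The MAC key is assumed to have been shared over a separate channel beforehand; message bytes travel in the clear, so confidentiality comes entirely from the receiver's ability to discard chaff.

```python
"""Chaffing and winnowing (Rivest): confidentiality from authentication alone.

Added example. The shared key stands in for the "secondary channel" in the
text; the HMAC tag is the "code which authenticates the communication".
"""
import hashlib
import hmac
import secrets

TAG_LEN = 8   # truncated HMAC-SHA256; unverifiable without the key


def make_tag(key: bytes, seq: int, byte: int) -> bytes:
    """Authenticate (sequence number, byte) so chaff cannot pass as wheat."""
    msg = seq.to_bytes(4, "big") + bytes([byte])
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]


def chaff(key: bytes, message: bytes) -> list:
    """Sender: one wheat and one chaff packet per byte, order randomised."""
    packets = []
    sysrand = secrets.SystemRandom()
    for seq, byte in enumerate(message):
        wheat = (seq, byte, make_tag(key, seq, byte))
        bogus = (byte + 1 + secrets.randbelow(255)) % 256   # always != byte
        chaff_pkt = (seq, bogus, secrets.token_bytes(TAG_LEN))  # random tag
        pair = [wheat, chaff_pkt]
        sysrand.shuffle(pair)
        packets.extend(pair)
    return packets


def winnow(key: bytes, packets: list) -> bytes:
    """Receiver: keep packets whose tag verifies, reassemble by sequence."""
    kept = {}
    for seq, byte, tag in packets:
        if hmac.compare_digest(tag, make_tag(key, seq, byte)):
            kept[seq] = byte
    return bytes(kept[s] for s in sorted(kept))


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    stream = chaff(key, b"meet at dawn")
    print(len(stream), "packets on the wire")
    print("with key:   ", winnow(key, stream))
    print("without key:", winnow(b"guess", stream))
```

Two details matter for correctness: the sequence number is inside the MAC, so an observer cannot reorder wheat, and the chaff byte is forced to differ from the real byte, so each position genuinely has two candidates.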

Lastly, the weakness of steganography is that it relies on constant change to maintain the communication's secrecy. Companies like SARC are using watermarking technologies, similar to anti-virus technologies, to detect both steganographic content and utilities, so it is vital that cryptography be used in order to maintain the secrecy of the information within the hidden communication.

=======================
3 .......... Utilities currently available
=======================
From Wikipedia (http://en.wikipedia.org/wiki/Steganography#Implementations)

Online (Hiding text)

* mozaiq Has a large library of stock photos it provides if you can't supply a photo of your own. A good starting point for creating simple steganographic examples.
* spammimic.com will take a sentence that you provide and turn it into text that looks to all the world like spam.
* Hide text in a PNG or BMP image and its corresponding decoder.

** Online (Hiding files)

* Stegger, PHP Steganography—PHPClasses Repository—An open source, feature rich, secure implementation of image steganography written in PHP.

** Downloadable (Hiding text)

* Concealar ...coz a picture speaks a thousand words! The software "Concealar" hides text into images & pictures by a password using cryptographic and steganographic techniques. Encryption algorithm used for text is AES (Rijndael) and the password is hashed with SHA512. The software doesn't create any noise in the resultant image so pattern-finding & pixel-mapping techniques of steganalysis don't work on this software.
* Bapuli Online—implementing steganography using Visual Basic.
* BitCrypt BitCrypt is one of the easiest to use encryption tools which at the same time provide ultra-strong encryption. It uses up to 8192 long bit key ciphers to encrypt the text, and then stores the encrypted text within bitmap images.

** Downloadable (Hiding files)

* Hiding Glyph: Bytewise Image Steganography: Hides any file (or folder) into any losslessly compressed image (BMP, PNG, etc…). (freeware)
* BestCrypt Commercial Windows/Linux disk encryption software that supports hiding one encrypted volume inside another
* Crypto-Stego Utility for the Zillions of Games program.
* Digital Invisible Ink Toolkit An open-source cross-platform image steganography suite that includes both steganography and steganalysis implementations.
* FreeOTFE Free, open-source Windows/PocketPC/Linux disk encryption software that supports hiding one encrypted volume inside another, without leaving any evidence that the second encrypted volume exists. This probably resists any statistical analysis (as opposed to tools that conceal data within images or sound files, which is relatively easy to detect).
* MP3 Steganographic File System, a description of an approach to create a file system which is implemented over MP3 files.
* OutGuess A steganography application to find data in Jpeg images.
* PCopy A steganography commandline tool with a userfriendly wizard which can produce lossless images like PNG and BMP. Special features are RLE, Huffman compression, strong XOR encryption and the Hive archiving format which enables the injection of entire directories.
* Phonebook FS protects your disks with Deniable Encryption
* Revelation A platform independent tool created in Java that can hide any data file within a 24-bit bitmap image. Features a unique wizard style interface in the encoding and decoding process.
* stego and winstego Steganography by justified plain text.
* Stego-0.5, a GNOME/GTK+ based GUI for LSB algorithm. License (GPL)
* Stego Archive Source for a large variety of steganography software.
* Steghide Free .jpeg and .wav encryption for Linux and other operating systems.
* SteGUI Free GUI for Steghide for Linux.
* TrueCrypt Free, open-source Windows/Linux disk encryption software that supports hiding one encrypted volume inside another, without leaving any evidence that the second encrypted volume exists. This probably resists any statistical analysis (as opposed to tools that conceal data within images or sound files, which is relatively easy to detect).
* Peter Wayner's website—sample implementations of steganographic techniques, by the author of Disappearing Cryptography.
* NetTools Steganography by hiding data in pictures, archives, sounds, text files, html, and lists.
* Qtech Hide & View v.01 is the newest BPCS-Steganography program for Windows. This is an image steganography. (Free to use)
* ZebDisk ZebDisk is a free software, and you can store, and share your files on the internet with it using Google’s Picasa service.
* SteganoG a simple program to hide a text file in a .bmp file.
(Wikipedia, on Implementations of Steganography, Dec 2007)

We also mentioned Jsteg which can be found at "http://www.theargon.com/achilles/steganography/jpeg-steg/"

=======================
A. .......... Works cited
=======================
Sarc Website. Accessed March 2007
http://www.sarc-wv.com/default.aspxn-

Toad "Attacks and weaknesses." Accessed March 2007
http://www.freenethelp.org/html/AttacksAndWeaknesses.html

Engle, Sophie. (Viewed March 2007). "CURRENT STATE OF STEGANOGRAPHY:
USES, LIMITS, & IMPLICATIONS"
http://wwwcsif.cs.ucdavis.edu/~engle/stego.pdf

Wikipedia.org (Accessed March 2007). "Steganography"
http://en.wikipedia.org/wiki/Steganography

Wikipedia.org (Accessed March 2007). "Covert Channel"
http://en.wikipedia.org/wiki/Covert_channel

Wikipedia.com (Accessed March 2007). "Russian Criminal Tattoos."
http://en.wikipedia.org/wiki/Criminal_tattoo#Russian

http://www.theargon.com/ (Accessed December 2007). "theargon steganography web archives."
http://www.theargon.com/achilles/steganography/jpeg-steg/

Wednesday, April 18, 2007

MS EFS and Vista security *features*

Everybody and their brother has commented on the chattiness of MS Vista. My one note on this is that the solution to the administrative dialog that appears whenever anyone accesses an item requiring administrative privileges is a dialog level. This is similar to Debian's dpkg prompt level setting, which sets the dialogs between only serious messages (something which has the capacity to brick the computer if not answered) and trivial (everything, no matter how trivial).

Microsoft's choice of this method of alerting users is pointless clutter. It trains the user to press "OK" on everything, which is a terrible idea and the root-cause behavior behind MS's security problems. This behavior is caused by how they are handling authentication tokens: a second token carrying administrative privileges is created and added to the user's current authentication token for the purpose of using administrative functions.

We all sometimes say something like "What they ought to have done is ..." I remember saying it a lot in middle and high school, hence my concern about saying it too often. But what about creating a utility which catalogs all apps and control panels requiring admin privileges and limits their access to the rest of the system? Take for instance an old version of a children's learning program. Many schools must run the software from the server and it requires admin privileges to run. Why not put it in a root jail?

The dirty solution is to use MS's virtualization software to run it on a virtual machine. Which is inelegant but it works I guess.

*SIGH*

On another note, I got some more information on MS's Bit blocker.

BitLocker uses either Microsoft's TPM (Trusted Platform Module) to store an encryption key to unlock the disk at boot time, or alternatively a USB key drive to store the key. What this does is prevent someone from yanking the hard drive and digging out your data. The info is fair game once the system is started, but you have Server 2003 and Vista's security to contend with at that point.

BitLocker creates a backup key when you set up the disk, so that's your only alternative if you lose the login key.
EFS (encrypted files on the NTFS file system) encrypts files with the user's personal certificate AND the local administrator's certificate (if a stand-alone machine) or the network administrator's certificate (if in a domain). Given the reports that the federal government required MS to include keys for their own use, I wouldn't put it past them to have included that too, though I don't have any evidence confirming my suspicions.

BitLocker seems like a neat idea; it relies on the physical security of the TPM or a USB keychain. Another layer of security for physical protection can't hurt, I guess. EFS I find useful only for keeping small children out of files they ought not be seeing. It has way too much big brother entwined within it to be of use to me.

Neocrypt or GPG or anything else for that matter is still the best option for WINTEL data security in my book.

Monday, March 19, 2007

Outlaw information security tools and only the outlaws will have the security tools

While doing research into steganography I looked at a couple of sources on Wikipedia on organized crime and some of their applied uses. Organized crime still hasn't fully adopted technology but is slowly getting there. Phishing scams and other online fraud schemes are netting a pretty penny nowadays.

My point is not to illustrate organized crime as a "good" example of how to do things. My point IS to illustrate how an organization that relies on absolute secrecy to exist applies the principles that we have discussed in theory into practice.

Wikipedia has a prison tattoo section explaining prison tattoos and their meaning. Prison tattoos in this context are a means to communicate social status and other intentions or proclamations. Tattooed illustrations containing metaphors such as status in a criminal gang or an intention to escape are one example. Japanese Yakuza publicly display the name of their gang on their storefront and on their clothing to identify themselves as part of a gang.

La Cosa Nostra utilized a form of slang that baffled the FBI for a long time until the full lexicon of mafia terms was eventually discovered.

These examples show how steganography was applied to mundane speech, body art and clothing styles that in the criminal context had a different meaning. The problem with this secret communication is that though the medium was secret, the information was not, and thus was vulnerable to discovery and interpretation by a third party.

It also illustrated to me the fatal flaw in steganography, which is security by obscurity, a mantra often chanted by security gurus when addressing insecure, weak proprietary security systems. That being said, steganography DOES buy time and help overcome passive discovery, so when combined with good crypto it can be a part of a balanced communication strategy. Kind of like buying a box of SUPER ULTRA SUGAR SMACKS for your kid because it's the only way you can get them to have milk in their diet.

http://en.wikipedia.org/wiki/Criminal_organization
http://en.wikipedia.org/wiki/Criminal_tattoo
http://en.wikipedia.org/wiki/Steganography

Thursday, February 15, 2007

Encrypted filesystem images

Introduction:
Hola boys and girls, in this article I will speak a bit about encrypted file system images. There are many different utilities out there, and each modern operating system has some kind of encryption scheme for either all or parts of its file system.
This is a short list of utilities that are available to the general public. I'll cover the basics of what an encrypted file system image is and list a few publicly available implementations for your information.

This article is intended for advanced users with a well-rounded understanding of how a computer and operating systems work.

-=- ToC -=-
x.......... Introduction
1.......... What is an encrypted file system
2.......... Uses of encrypted storage
3.......... Implementations of note with feature breakdown
4.......... Summary
5.......... Works cited

-=-=-=-=-=-=-=-=-=-=-=-=-=-
1.......... What is an encrypted file system
An encrypted file system consists of two parts. The first is the file system (an organized system for storing binary data). The other part is encryption, which is scrambling data in an organized fashion so that only designated parties may view it. In this article I am speaking about a file within a file, complete with its own file system and not dependent on the file system of the physical media on which the file resides.

-=-=-=-=-=-=-=-=-=-=-=-=-=-
2.......... Uses of encrypted storage
Secret codes as a concept are well known; they allow you to speak in a public area without the information being revealed to unintended recipients. The Internet's data privacy is only safe because no one cares to dig through the deluge of information to figure out what you're doing. In the novel "Takedown", regarding the capture of Kevin Mitnick, the authorities and two over-zealous private citizens proceeded to track a person's activities via packet sniffing an entire ISP. This was done transparently, so no one knew his or her privacy had been violated all to hell.

Encryption has become necessary as the medium of the Internet and computers in general have been under attack by governments, multinational corporations and criminal institutions.

Encryption is not the ENTIRE answer to these threats, though. Being proactive about your computer usage routines so that you minimize communicating in an insecure fashion is very important. Protecting your computer from rogue programs and untrusted software is also important. All this while asking yourself, "what is this information worth?" If the answer is ever your life, then you had best be prepared to dedicate a sizable portion of your life to servicing the protection of that information. Security is about setting the bar for your would-be intruder. Basic security keeps the honest people honest, medium security keeps the burglar at bay, and comprehensive security keeps the bogeyman out. Encryption can be very effective as an effort multiplier when used correctly.

-=-=-=-=-=-=-=-=-=-=-=-=-=-
3.......... Implementations of note with feature breakdown
- 3.1 Integrated encrypted file systems (OSS/Un*x):
Native utilities within most of the free Un*x like os's have included crypto.
Most of which have the capacity to create "memory disks" or "looped file systems". The utilities typically have the option for encrypting the data.
---LINUX---
On Linux 2.4 and later, a person can run the following commands:
$ dd if=/dev/zero of=enc_vol.img bs=1k count=4096
$ losetup -e 3des /dev/loop0 enc_vol.img
$ mkdosfs /dev/loop0
$ mount /dev/loop0 /mnt/

This system can use XOR and DES encryption by itself, if additional encryption algorithms are compiled into the kernel then you can make use of those too. The files created in this format are compatible with FreeOTFE, which is also available on windows and some mobile devices.

*** A side note: there was a paper written by Jerome Etienne titled "Vulnerability in encrypted loop device for Linux". In short, the problem is not getting access to the encrypted data, but making educated guesses and moving encrypted data around within the encrypted file. Since the file system doesn't care about which data is where, so long as it's in accordance with the file system structure, the changes would not be detectable to the system. This attack is classified as a denial of service attack but could also be classified as a kind of replay attack. The author's suggestion is to authenticate each data block or authenticate the integrity of the entire file system at boot time. The truly paranoid may want to hash the encrypted file system image via a mounting and unmounting script. This is a minor issue because the integrity of the information is controlled more by safe computing practices and physical security than by encryption (Etienne, 2001).
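
The per-block authentication Etienne suggests is easy to demonstrate, so here is an added example (not code from the original article or from the loop driver) of the manifest such a mount/unmount script could keep. The "encrypted image" is random bytes constructed in the script, and the manifest key is assumed to be a mount-time secret separate from the encryption key. Each tag binds the block index to the block contents, which is what makes a moved block detectable even though its ciphertext is untouched; a plain hash of each block on its own would not notice the move.

```python
"""Per-block integrity manifest for an encrypted container image.

Added example. block_tags() runs at unmount, verify_blocks() at mount;
swap_blocks() simulates the block-moving attack on the ciphertext.
"""
import hashlib
import hmac
import random

BLOCK_SIZE = 512

# Constructed stand-in for ciphertext: 16 blocks of pseudo-random bytes.
_rng = random.Random(7)
IMAGE = bytes(_rng.randrange(256) for _ in range(16 * BLOCK_SIZE))


def block_tags(key: bytes, image: bytes) -> list:
    """Manifest to store at unmount: one HMAC per (block index || block bytes)."""
    tags = []
    for offset in range(0, len(image), BLOCK_SIZE):
        index = offset // BLOCK_SIZE
        block = image[offset:offset + BLOCK_SIZE]
        mac = hmac.new(key, index.to_bytes(8, "big") + block, hashlib.sha256)
        tags.append(mac.digest())
    return tags


def verify_blocks(key: bytes, image: bytes, tags: list) -> list:
    """Check at mount: indices of blocks whose contents or position changed."""
    current = block_tags(key, image)
    if len(current) != len(tags):
        raise ValueError("image size changed since manifest was written")
    return [i for i, (old, new) in enumerate(zip(tags, current))
            if not hmac.compare_digest(old, new)]


def swap_blocks(image: bytes, a: int, b: int) -> bytes:
    """Simulate the attack: exchange two blocks without decrypting anything."""
    buf = bytearray(image)
    start_a, start_b = a * BLOCK_SIZE, b * BLOCK_SIZE
    block_a = bytes(buf[start_a:start_a + BLOCK_SIZE])
    buf[start_a:start_a + BLOCK_SIZE] = buf[start_b:start_b + BLOCK_SIZE]
    buf[start_b:start_b + BLOCK_SIZE] = block_a
    return bytes(buf)


if __name__ == "__main__":
    key = b"constructed manifest key"
    manifest = block_tags(key, IMAGE)
    print("clean image:", verify_blocks(key, IMAGE, manifest))
    print("blocks 2 and 5 swapped:", verify_blocks(key, swap_blocks(IMAGE, 2, 5), manifest))
```

The manifest only has value if the key used to produce it is not stored next to the image; otherwise whoever can move blocks can also recompute the tags.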

In light of the looped file system and its shortcomings dm-crypt and LUKS have been developed as an alternative.

Prerequisites: A Linux 2.6 kernel with device mapper and dm-crypt support is needed. Also install the cryptsetup-luks and util-linux packages (g-loaded, 2005).

# cryptsetup --verbose --cipher "aes-cbc-essiv:sha256" --key-size 256 \
> --verify-passphrase luksFormat /dev/mydev/zipdisk
# cryptsetup luksOpen /dev/mydev/zipdisk encr-zipdisk
# mkdosfs -v -F 16 -n "ENCR1" /dev/mapper/encr-zipdisk
# mount -t vfat -o rw /dev/mapper/encr-zipdisk /mnt/tmp/

---OPENBSD---
OpenBSD supports memory disks or Virtual Nodes and this is done by:
$ vnconfig -k svnd0 /tmp/cryptimg
Encryption key:
$ mount /dev/svnd0c /mnt
This uses the blowfish algorithm for encryption (OpenBSD, 2007).

- 3.2 Encrypted Volume Utilities for commercially desktop systems:
---Ms Windows---
NTFS file encryption is available on Microsoft Windows XP Professional and supposedly Vista Business, Premium and Ultimate on a per file basis. Ultimate supposedly has full disk encryption utilizing their trusted computing hardware (Microsoft 2007).

Typically with the standard NTFS crypto you need to be using their latest version of the NTFS file system.
-Right click on the files you intend to encrypt.
-Select advanced
-Click on the encrypt check box.

Alternatively you can use the cipher command.
C:\>echo "HiR" > example.txt
C:\>cipher /e c:\example.txt

Encryption in Windows this way is transparent to the user; it looks to them like any other file. However, it's encrypted on the disk, so recovery by a third party who has direct access to the file system is unlikely.

The file system will then enable the "encrypt" attribute, which keys off your account login info. So in order to access the content you will need the person's login info.

---Apple Mac OS 10---
Mac OS 10 has encrypted volume file creation available with AES encryption (Apple, 2007).

Select Macintosh HD -> Applications -> Utilities -> Disk Utility -> File -> New -> Blank Disk image
... Then put in the file name (ex. file)
-> select encryption -> AES-128 -> put in the password -> DONE!

Whenever you click on the image it will mount and ask for your password (assuming you don't put it in your keychain).

Of course this can be done in the command shell too.
$ hdiutil create -size 10m -encryption AES-128 -stdinpass test
Enter disk image passphrase:
...............................................................................
created: /Users/jkershner/Desktop/test.dmg
$ hdiutil attach test.dmg

- 3.3 Third Party disk encryption systems:
http://www.truecrypt.org/
Can create layered encrypted file system images with a form of steganography: a user can use a panic password to display the outer, non-sensitive disk image, and a normal password for normal access to the disk image. It can also use keyfiles, which are existing files located anywhere on the computer, which the program uses as part of the authentication process. It can either use files on the hard drive or it can directly access devices such as hard drive partitions, entire disks or jump drives. In addition, it secures file access by reading encrypted data in packets and keeping it in memory so that it does not hit the disk in unencrypted form. This is a free utility available on Windows and Linux platforms (TrueCrypt Foundation, 2007).

http://www.freeotfe.org/
Feature list (Dean, 2007):
-Operates under both PC (MS Windows 2000/XP) and PDA (Windows Mobile 2003/2005) platforms
-Linux compatibility (Crypto loop "losetup", dm-crypt and LUKS supported)
-"Hidden" volumes may be concealed within other FreeOTFE volumes, providing "plausible deniability"
-FreeOTFE volumes have no "signature" to allow them to be identified as such
-Encrypted volumes can be either file or partition based

- 3.4 Steganographic features
The most compelling features are those offered in some of the 3rd party utilities which use a false nested file system image accessible with a panic password, in case you are coerced into giving up the password, so that at first glance there would be plausible deniability (Dean, 2007)(TrueCrypt Foundation, 2007).

Simply renaming the encrypted volume file to appear as something else (such as an MP3 or a JPEG) requires the use of a 3rd party steganography utility such as Jsteg (Guillermito, 2004). Unfortunately there are ways of detecting this kind of embedding in images and possibly in other kinds of steganographic container formats (Raggo, 2007)(Fridrich, Goljan and Hogea 2006).
-=-=-=-=-=-=-=-=-=-=-=-=-=-
4.......... Summary

We have glossed over several methods of securely storing sensitive information. Combining these methods with other methods of securing information physically, electronically (through ciphering) and through safe computing practices, you should have a fighting chance at keeping your data from prying eyes. Granted, the data we are protecting is usually not as valuable as we think, nor so worthless as to not deserve our attention to keeping it safe. A little paranoia can be healthy.

-=-=-=-=-=-=-=-=-=-=-=-=-=-
5.......... Works cited

Jessica Fridrich, Miroslav Goljan, Dorin Hogea. "Steganalysis of JPEG Images: Breaking the F5
Algorithm." (April 2006)
http://www.ws.binghamton.edu/fridrich/Research/f5.pdf

Guillermito. "Extracting data embedded with JSteg." (February 2004)
http://www.guillermito2.net/stegano/jsteg/index.html

Raggo, Michael. (Accessed February 2007)
http://www.spy-hunter.com/stego.html

Etienne, Jerome. "Vulnerability in encrypted loop device for Linux." (December 2001)
http://www.off.net/~jme/loopdev_vul.html

Shimomura, Tsutomu and Markoff, John. "Takedown: The Pursuit and Capture of Kevin Mitnick, America's Most Wanted Computer Outlaw-By the Man Who Did It." Warner Books Inc (December 1996). ISBN-13: 978-0786889136

-3rd Party Security Products
Dean, Sarah "Free OTFE." (Accessed February 2007)
http://www.freeotfe.org/

TrueCrypt Foundation website. (Accessed February 2007)
http://www.truecrypt.org/

-Operating systems, security feature implementation and howtos

Microsoft Inc. "Encrypting File System overview." (Accessed February 2007)
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/encrypt_overview.mspx?mfr=true

Apple Corp. "Mac OS X: How to create a password-protected (encrypted) disk image." (Accessed February 2007)
http://docs.info.apple.com/article.html?artnum=107333

g-loaded.eu, "Encrypt devices using dm-crypt and LUKS." (November 2005)
http://www.g-loaded.eu/2005/11/10/encrypt-devices-using-dm-crypt-and-luks/

OpenBSD foundation. (Accessed 2007)
http://www.openbsd.org

-=-=-=-=-=-=-=-=-=-=-=-=-=-EOF-=-=-=-=-=-=-=-=-=-=-=-=-=-

Saturday, February 10, 2007

newLISP OTP implementation

I had some free time, so I came up with something fun to play with.

I can't stress enough the importance of protocol when dealing with cryptography. Leaving no trace of the used portion of the pad nor the cleartext file is essential to maintaining the secrecy of your messages.

Some operating systems let you set flags or attributes on files so that they're automatically secure-erased when deleted. Other operating systems require a tool such as "wipe" or "shred" to completely destroy the files. The "leftover" pad can be re-used for future communications. You can make the pad as large or as small as you wish, but it must be larger than the file you wish to encrypt, and it's up to all parties to keep their pads "in sync" with the others. I didn't say OTP was practical, it's just really good when implemented correctly.

I advocate keeping ALL sensitive files (the pad and cleartext) on a USB flash drive along with a secure-erase tool. If the risk of compromise exists, 5-10 seconds in a microwave will render it and all contents completely useless. Although USB flash drives are solid state, given the nature of their construction, it's been proven that some information may be retrievable from them even after a secure erase. Always use your head.

Now that the formalities are out of the way, let's get started!

First, I created a 5kB file of pseudo-random data to use for my pad, and made a copy of the pad for the recipient.

Chimera:~/test ax0n$ dd if=/dev/urandom of=pad bs=1k count=5
5+0 records in
5+0 records out
5120 bytes transferred in 0.001332 secs (3843715 bytes/sec)

Chimera:~/test ax0n$ cp pad receiver-pad
Next, I launched my script. It requires 4 pieces of information. The pad file, the file to encrypt or decrypt, the output file, and the file to write the leftover portion of the pad to. After running it, you can see the script, the leftover pad, the original pad (which should be secure-erased immediately after use), the encrypted target file (in this case, my /etc/passwd file) and the pristine copy of the original pad which should have been handed (never transmitted!) to my recipient.
Chimera:~/test ax0n$ ./crypt.lsp pad /etc/passwd passwd.crypt leftover-pad

Chimera:~/test ax0n$ ls -la
total 56
drwxr-xr-x 7 ax0n ax0n 238 Feb 7 22:36 .
drwx------ 55 ax0n ax0n 1870 Feb 7 22:33 ..
-rwxr-xr-x 1 ax0n ax0n 675 Feb 7 22:33 crypt.lsp
-rw-r--r-- 1 ax0n ax0n 3188 Feb 7 22:36 leftover-pad
-rw-r--r-- 1 ax0n ax0n 5120 Feb 7 22:36 pad
-rw-r--r-- 1 ax0n ax0n 1932 Feb 7 22:36 passwd.crypt
-rw-r--r-- 1 ax0n ax0n 5120 Feb 7 22:36 receiver-pad
Here's part of the hexdump of the encrypted password file. There's no visible structure left: XORing anything against a uniformly random pad produces output that is itself uniformly random.
Chimera:~/test ax0n$ hexdump -C passwd.crypt
00000000 d3 17 89 23 2f 51 bc 9c c2 3d d3 b3 fb e0 5c 4b |...#/Q...=....\K|
00000010 43 8e 4f e7 71 53 c7 fd 2b b2 ff 37 32 64 3a 2d |C.O.qS..+..72d:-|
00000020 df 8e 19 fa 64 07 c9 8d f2 36 f0 41 e6 ca 65 67 |....d....6.A..eg|
00000030 a3 a4 e6 b0 dc 48 14 08 12 0d c4 72 1a 18 c6 bc |.....H.....r....|
00000040 0a cd 79 69 2b f2 62 15 63 48 da f5 3d 36 41 e8 |..yi+.b.cH..=6A.|

...

00000730 4c 71 17 04 13 50 d2 e0 ab 3a 2d 44 16 0d 72 cf |Lq...P...:-D..r.|
00000740 60 47 16 43 8a 1f 73 03 e8 e9 b8 71 d6 ee fd 68 |`G.C..s....q...h|
00000750 09 dd 81 60 35 65 0b 8f 66 03 97 f4 96 39 78 44 |...`5e..f....9xD|
00000760 f8 24 99 bc 68 6e 28 14 f3 2f fc 0a a3 68 47 70 |.$..hn(../...hGp|
00000770 fd 41 fc 51 e2 c2 0c de 07 be 40 ce 6c a8 bb 5b |.A.Q......@.l..[|
00000780 88 4b 52 50 a4 95 b5 37 71 12 12 76 |.KRP...7q..v|
On the receiving end, we use the receiver-pad file against the encrypted password file, then we can see the new files with ls.
Chimera:~/test ax0n$ ./crypt.lsp receiver-pad passwd.crypt passwd.clear receiver-leftover-pad

Chimera:~/test ax0n$ ls -la
total 72
drwxr-xr-x 9 ax0n ax0n 306 Feb 7 22:38 .
drwx------ 55 ax0n ax0n 1870 Feb 7 22:33 ..
-rwxr-xr-x 1 ax0n ax0n 675 Feb 7 22:33 crypt.lsp
-rw-r--r-- 1 ax0n ax0n 3188 Feb 7 22:36 leftover-pad
-rw-r--r-- 1 ax0n ax0n 5120 Feb 7 22:36 pad
-rw-r--r-- 1 ax0n ax0n 1932 Feb 7 22:38 passwd.clear
-rw-r--r-- 1 ax0n ax0n 1932 Feb 7 22:36 passwd.crypt
-rw-r--r-- 1 ax0n ax0n 3188 Feb 7 22:38 receiver-leftover-pad
-rw-r--r-- 1 ax0n ax0n 5120 Feb 7 22:36 receiver-pad


Let's see if the decrypted file is legible...


Chimera:~/test ax0n$ cat passwd.clear
##
# User Database
#
# Note that this file is consulted when the system is running in single-user
# mode. At other times this information is handled by one or more of:
# lookupd DirectoryServices
# By default, lookupd gets information from NetInfo, so this file will
# not be consulted unless you have changed lookupd's configuration.
# This file is used while in single user mode.
#
# To use this file for normal authentication, you may enable it with
# /Applications/Utilities/Directory Access.
##
nobody:*:-2:-2:Unprivileged User:/:/usr/bin/false
root:*:0:0:System Administrator:/var/root:/bin/sh
daemon:*:1:1:System Services:/var/root:/usr/bin/false

...

tokend:*:91:91:Token Daemon:/var/empty:/usr/bin/false
securityagent:*:92:92:SecurityAgent:/var/empty:/usr/bin/false
unknown:*:99:99:Unknown User:/var/empty:/usr/bin/false

Yep, it worked!

Let's look at the newLISP code for this project. On the newLISP discussion boards, cormullion and Lutz (the founder of newLISP) reminded me of the beauty of the "cond" command, which works a little bit like "case" except it evaluates whole expressions, not just one variable. I added a bit of whitespace into the code to show how "cond" works. They also helped me re-factor my argument assignment statements down to one line with "map".

#!/usr/bin/newlisp
; crypt.lsp: XOR a file against a one-time pad and write out the unused
; remainder of the pad. Usage: crypt.lsp [pad] [file] [output] [pad-remainder]
;
; (main-args) holds the interpreter and the script name ahead of the four
; arguments, so a complete invocation has six entries, not five.
(cond
  ((< (length (main-args)) 6)
    (println "USAGE: crypt.lsp [pad] [file] [output] [pad-remainder]"))
  (true
    ; bind the four file names in one shot
    (map set '(pad target output remainder) (rest (rest (main-args))))
    (set 'pad-data (read-file pad))
    (set 'target-data (read-file target))
    ; a pad shorter than the file would be reused from its start, turning
    ; the one-time pad into a repeating-key XOR; refuse rather than do that
    (if (> (length target-data) (length pad-data))
      (begin (println "ERROR: pad is shorter than the file to encrypt") (exit 1)))
    (write-file output (encrypt target-data pad-data))
    ; everything past the bytes just consumed is still usable pad
    (write-file remainder (slice pad-data (length target-data)))))
(exit)


Instead of taking the painstaking route of stepping through all the XOR logic like I did in my cryptography example a few days ago, I'm using as many newLISP shortcuts as I know while keeping the feature set I want. newLISP has a built-in "encrypt" function that does exactly what my original example did: a bitwise XOR of the contents of two variables, even when those variables hold entire files. There's no need to explode strings, map the char command, or anything like that. One thing encrypt does not do is check that the pad is at least as long as the source, so that check has to be made before calling it. In the above example, newLISP handles all the core logic in this single line:

(write-file output (encrypt (read-file target) (read-file pad)))

It single-handedly reads the pad and target file, XORs them with the encrypt function and writes the resulting garble to the output file.

The line below it figures the length of the target file, skips over that many bytes of the pad file and writes the remaining bytes in the pad out to the remainder file.

Look for more articles like this as I keep playing with newLISP and learning more about it.

Thursday, February 8, 2007

Cryptanalysis and histograms

I've been interested in cryptanalysis and encryption for a long time. I can remember using PGP in the early 90's, my little Zenith laptop taking literally hours to create puny 256-bit keys, and being utterly fascinated by the whole process.

One way ciphertext is analyzed is by letter frequency counting. Certain characters show up more often than others in any given natural language. Against letter substitution and other simple encryption schemes, you build a histogram from a few random samples of that language (for my sake, we'll assume English) and lay it over the histogram of the ciphertext, pairing the letters that are most common in the ciphertext with those most common in the language sample. Analysts substitute the letters that top the charts first, and eventually arrive at a partial decryption that's complete enough to finish by trial and error.

Histograms are just neat, though. Histograms of color data in photos are cool, too. Loosely speaking, histograms are bar graphs of frequency data.

Here is a histogram of the first chapter of Genesis (KJV):


On the far right are control characters such as carriage returns. The big vertical bar is the frequency count of spaces. To the left of that are numbers, then capital letters, punctuation, and finally lowercase letters toward the middle of the histogram. It's easy to tell that this is a text file from the histogram.

Next I'll show you a binary executable file, next to a GIF image. You can see these are binary files with a lot of "nulls" on the far right, and lots of high-bit characters on the left. They look nothing like a text file.



The beauty of a really good random one-time pad as I'd discussed in Wednesday's post becomes evident. On the left is a histogram of a really good random pad file. On the right is the first chapter of genesis (used in our first example) XORed against the random pad.



The entropy is evident!

I have an implementation of the newLISP one-time pad tool that I'll write about this weekend.

I used PHP/GD to create the histograms used in this article. Here's the quick-and-dirty histogram generator code I made:

<?php
####
# 256x256 byte frequency histogram maker
# by ax0n
###
// Only accept a bare file name and read it from the script's own directory:
// passing $_GET['file'] straight to fopen() would let anyone read any file the
// web server can (?file=/etc/passwd, ?file=../../config.php, and so on).
$filename = isset($_GET['file']) ? basename($_GET['file']) : "data";
$path = dirname(__FILE__) . "/" . $filename;
if (!is_file($path) || filesize($path) == 0) {
    header("HTTP/1.0 404 Not Found");
    exit;
}
$contents = file_get_contents($path); // whole file as a byte string
header("Content-type: image/png"); // Tell browser to expect a PNG
$im = imagecreate(256, 256); // allocate image resource
$background_color = imagecolorallocate($im, 0, 0, 0); // first color becomes the background
$text_color = imagecolorallocate($im, 233, 14, 91);
$histarray = count_chars($contents, 1); // build the frequency array: byte value => count
$peak = max($histarray); // compute once instead of on every loop iteration
foreach ($histarray as $i => $val) {
    $graph = ($val / $peak) * 256; // Normalize the values
    imageline($im, $i, 1, $i, $graph, $text_color); // Draw chart, x = byte value
}
// make bars go from down to up (cheap hack). The 180 degree rotation also
// mirrors left/right, which is why byte value 0 ends up on the far right
// of the charts in this post.
$im = imagerotate($im, 180, 0);
imagepng($im); // dump image to browser
imagedestroy($im); // release image resource
?>

Wednesday, February 7, 2007

Cryptography fun with newLISP

Some of you may have seen my article in the latest 2600 magazine about newLISP, a very fast scripting language based on LISP.

Well, the HiR crew has, for the better part of a year, been kicking around cryptography concepts. We keep coming back to one-time pad cryptography. It's fascinating in its simplicity. It's so computationally trivial that a human can quickly encrypt or decrypt a simple modular-addition one-time pad scheme with nothing but a pencil and paper. The other thing is that, when implemented properly, OTP has perfect secrecy: the ciphertext carries no information about the plaintext, so no amount of cryptanalysis helps. To this day, OTP is one of the most powerful and feared crypto schemes in existence.

Back here in computer world, we operate on the numeric values of the bytes in the "cleartext" message and the key. Since every character fits in 8 bits (256 distinct values), it's very easy to perform a bitwise Exclusive Or (XOR) of the cleartext against the key. XOR is simply "one or the other but not both". Let's try a cleartext of the letter A (binary 01000001) XOR against a key of "q" (binary 01110001). Comparing the bits vertically, the result has a "1" wherever A and q differ at that position and a "0" wherever the two bits are the same.

"A" = 01000001
"q" = 01110001
XOR = 00110000 (hex 0x30; as it turns out, this is the ASCII digit "0")

newLISP, like all LISP based languages, handles lists and symbols very well. I just played around with this concept on the newLISP command line, and the result was fun, but not very practical as executed. I'll discuss ways to make this tinkering session a little more practical at the end of the article.

Ideally, the key would not be a string, but a very solid random set of characters known by the parties who are encrypting messages to one another. This doesn't even need to be a string, it may be binary random data...

A few things about this code. First, I'm a newbie at newLISP. Let me describe how some of this stuff works. The "explode" command turns a string variable into a list of characters. "char" turns a character into its ASCII decimal equivalent, or an ASCII decimal number back into a character. "map" simply takes the operation (such as "char") and uses that operation on a list. So (map char (explode cleartext)) would return the output of "char" for each individual character in the contents of the "cleartext" variable. Confusing enough? Okay, awesome!




newLISP code that I type will be in bold, red italics.
newLISP output will be in bold.
My comments will be in italics.


# newlisp
newLISP v.9.0 on OSX UTF-8, execute 'newlisp -h' for more info.

#first, I'll assign a key and convert it to a list of ascii numbers.
> (set 'key "Pa5$w0rd!")
"Pa5$w0rd!"

> (set 'kcharlist (map char (explode key)))
(80 97 53 36 119 48 114 100 33)

#Then, I'll assign a cleartext string and convert it to a list of ascii numbers as well.
> (set 'cleartext "HiR ownz.")
"HiR ownz."

> (set 'ccharlist (map char (explode cleartext)))
(72 105 82 32 111 119 110 122 46)

#In many languages, newLISP included, the caret "^" is the XOR operator. This line XORs each character of the cleartext against the corresponding character of the key.
> (set 'cryptcharlist (map ^ ccharlist kcharlist))
(24 8 103 4 24 71 28 30 15)

#Note that some of the bytes from the XOR operation are non-printable, so newLISP shows them in its decimal escape notation \nnn instead.
> (set 'cryptostring (join (map char cryptcharlist)))
"\024\008g\004\024G\028\030\015"

#Now on the receiving end, we take the known key character list and we XOR the crypto character list. In reality we'd have to generate these again but we'd already set the variables above. No sense repeating the process here.
> (set 'decryptcharlist (map ^ cryptcharlist kcharlist))
(72 105 82 32 111 119 110 122 46)

#Finally, we take that string of numbers and join them after converting them from ASCII Decimal to characters again.
> (set 'decryptstring (join (map char decryptcharlist)))
"HiR ownz."


Now, as I'd mentioned before, in order to be really practical, you'd need an actual one-time pad that is truly random. What I made above is a Vernam-style XOR cipher with a short, non-random key, to give you a taste of how simple XOR-based encryption is, not a genuine one-time pad. A few things that would make the above more practical:
  • A lot of the steps could have been consolidated. I broke it down to show how things worked. I could have simply put all of the logic in one line, but it would have been confusing.
  • The key and cleartext should be able to be read from a file. As implemented above, this should work with binary data (executables, images, etc) and with a very random binary key (pad) file.
  • In the code above, the key needs to be the exact same number of characters as the cleartext. If implemented practically, the program should read the length of the cleartext and use that many bytes of the random pad.
  • In a true one-time pad scheme, the sender and recipient both possess the same random key data, but the sender must destroy the part of the key that was used as soon as the encryption is performed. That way, only the recipient(s) may decrypt the message, as they have the only existing copy of the key. In turn, the recipient must destroy the part of the key used to decrypt the message so that in the event the encrypted message was compromised, there is no existing copy of the key available to aid in decryption.
  • The above inconveniences have been the main obstacle to widespread use of OTP.
  • OTP's strength relies heavily on protocol, not technology.
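The list above, and the crypt.lsp script in the February 10 post earlier on this page, both describe the same procedure: read the pad and the message from files, use exactly as many pad bytes as the message has, keep the rest of the pad for next time, and refuse a pad that is too short. Here it is in one place, as an added example written for this page in Python (not the author's newLISP code). The function names are my own, the sample message and pad are constructed for the demo, and short_pad_leaks() exists only to show what an attacker gets if a short pad is cycled instead of rejected.

```python
import os
import random
import sys


class PadTooShort(Exception):
    """Raised when the pad cannot cover the whole message."""


def make_demo_pad(n, seed=None):
    """Return n pad bytes.

    For real use leave seed as None and take the bytes from os.urandom; the
    seeded branch exists only so this page's demo is reproducible (a seeded
    PRNG is emphatically not a one-time pad).
    """
    if seed is None:
        return os.urandom(n)
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


def otp_encrypt(message, pad):
    """XOR message against the head of pad; return (ciphertext, unused_pad).

    Refuses to run if the pad is shorter than the message: recycling a short
    pad turns the one-time pad into a repeating-key XOR (see short_pad_leaks).
    """
    if len(pad) < len(message):
        raise PadTooShort("need %d pad bytes, have %d" % (len(message), len(pad)))
    used, unused = pad[:len(message)], pad[len(message):]
    ciphertext = bytes(m ^ k for m, k in zip(message, used))
    return ciphertext, unused


# XOR is its own inverse, so decryption is literally the same function.
otp_decrypt = otp_encrypt


def short_pad_leaks(message, short_pad):
    """What goes wrong if a short pad is cycled instead of rejected.

    With the key repeating every n bytes, c[i] ^ c[i+n] == m[i] ^ m[i+n]:
    the key cancels out and an attacker learns relations between plaintext
    bytes without holding any key material. Returns True when that holds for
    every such pair (it always does; that is the point).
    """
    n = len(short_pad)
    cycled = bytes(message[i] ^ short_pad[i % n] for i in range(len(message)))
    return all(
        cycled[i] ^ cycled[i + n] == message[i] ^ message[i + n]
        for i in range(len(message) - n)
    )


def crypt_file(pad_path, in_path, out_path, remainder_path):
    """Same four arguments as crypt.lsp: pad, file, output, pad-remainder.

    Only the unused tail of the pad is written out. Securely erasing the
    original pad file afterwards is still the caller's job, as the post says.
    """
    with open(pad_path, "rb") as f:
        pad = f.read()
    with open(in_path, "rb") as f:
        data = f.read()
    out, unused = otp_encrypt(data, pad)
    with open(out_path, "wb") as f:
        f.write(out)
    with open(remainder_path, "wb") as f:
        f.write(unused)
    return len(out), len(unused)


if __name__ == "__main__":
    if len(sys.argv) != 5:
        sys.exit("USAGE: otp.py [pad] [file] [output] [pad-remainder]")
    try:
        print(crypt_file(*sys.argv[1:]))
    except PadTooShort as err:
        sys.exit("ERROR: " + str(err))
```

Both sides run the same command with their own copy of the pad; because the pad bytes are consumed from the front, the remainder files on each side stay in sync as long as nobody skips a message.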
As I get more free time, I will write a quick one-time pad newLISP script that can do most of the above things. I just got the craving to tinker and write a little bit, and thought I'd share it here.

--Ax0n