Michael H. Warfield [email protected] mhw@wittsend · 2006. 9. 22. · Key is a "shared secret"...

© 2005 Internet Security Systems. All rights reserved. Contents are property of Internet Security Systems.

Encrypt This!

Michael H. Warfield

[email protected]

[email protected]

mailto:[email protected]



If you think cryptography can solve your problem, you don’t understand cryptography and you don’t understand your problem.

Bruce Schneier


Outline

• Brief Introduction to Cryptography

• Uses of Cryptography

• Threat Models

• Events in the News

• Encrypting your hard drive

• Conclusion


Quick URLs

• Quick references for those wanting this presentation

• http://www.wittsend.com/mhw/2005/encrypt-this/

• Scripts, utilities, and resources

• http://www.wittsend.com/mhw/crypto-boot/

http://www.wittsend.com/mhw/2005/encrypt-this/

http://www.wittsend.com/mhw/crypto-boot/


Cryptography

● It's the art of "cryptic" or secret writing.

● Encryption is a form of reversible obfuscation.

● It can be used to provide confidentiality.

● It can be used to provide integrity.

● It can be used to provide authenticity.

● It can be used for authentication.

● It can be used for proof of Intent.

● Security must only depend on the secrecy of the "keying material".


Symmetrical Key Cryptography

● Same key used for decrypting and encrypting

● Key is a "shared secret" (oxymoron?)

● Algorithms are very fast even on small CPUs

● Key exchange is notoriously difficult

● Key lengths of 64 bits or less can be broken by brute force (trying all possible combinations)

● Key lengths of 128 bits can not be broken by brute force (reference: Heat Death of Universe)


Symmetrical Key Algorithms

• DES - 56 bit keys – Obsolete and Deprecated

• 3-DES - 112 / 168 bit keys - Generally secure but dated

• Blowfish - Nice algorithm from Bruce Schneier

• Twofish - AES Candidate from Bruce Schneier

• RC4/ARC4 - Stream Cypher from RSA

• Rijndahl / AES - Strong DES Replacement

• ROT-13 - Adobe E-Book Encryption /;-(


Public Key Cryptography

• Also known as Public/Private Key Cryptography

• Uses a pair of keys, one of which is kept private

• Easy to derive the public key from the private key

• Hard to derive the private key from the public key

• Tends to be very slow

• Long complex "trap door" math algorithms

• Depends on very hard to solve problems such as factoring very large numbers or logarithms


Public Key Algorithms

● Knapsack Problem (broken)

● RSA (prime factorization)

● Eliptic Curves

● Diffie Hellman Problem (general crypto problem)

● ElGamal (logarithms and the D-H problem)

● DSA / Digital Signature Algorithm● Signatures Only (sort of)


Cryptography in Communications

• Encrypted Transports - Virtual Private Networks

• Encrypted Application Protocols - SSL/TLS

• Short session key lifetimes

• Interactive key exchanges

• Public Key Cryptography in authentication

• Public Key Cryptography in session setups

• Symmetrical Key Cryptography in data transport


Cryptography in E-Mail

• Long session (message) key lifetimes

• Non-interactive session key setups

• PGP

– Public Key Cryptography for identification and session keys encryption

– RSA or DSA algorithms in PK

• S/MIME

– Public Key Cryptography like PGP

– Uses X.509 certificates like SSL/TLS


Cryptography in Storage

• Encryption keys have a very long lifetime

• No key exchanges

• Mostly symmetrical cryptography (notable exceptions)

• Encryption of persistent objects

– Files

– Directories

– File systems

– Partitions / Drives

– Backups


Encrypting Individual Files

• Fine granularity

• Convenient to back up

• Inconvenient interfacing

– Need transparent encryption desktop?

• Can identify “high profile” files

• Information leakage from file names and sizes

• PGP symmetrical/conventional encryption (-c)

• Threat model – Attacks against live running systems


Encrypting Directories

• CFS / TCFS encrypt entire directories

– CFS – NFS like user space cryptographic file system from Matt Blaze

– TCFS – CFS file system with Linux specific modules and optimizations

• Convenient encrypted backups

• Some (reduced) leakage of information from file sizes

• Directory names and file names encrypted as well

• CFS Available from Fedora Core “extras”

• Threat model – attacks against live running systems


Encrypting Home Directories

• Unlock individual home directories when logged in

• Requires patches and system modifications

• Used with various other crypto systems (such as CFS)

• Protects files when user is not logged in

• Some lack of granularity

• Reasonable ease of backups

• Complicates sharing files

• Threat model – attacks against user data when user is off-line


Encrypting Filesystems

• Encryption of directories on a grand (filesystem) scale

• Less granularity

• All data available when file system is mounted

• Reasonable ease of backup – files still look like files

• Threat model – attacks against systems with unmounted file systems or removable file systems or unpowered systems


Encrypting Partitions or Drives

• Encrypting partitions or whole drives on the device level

• Poor granularity

• Difficult to backup

– Entire device (even unuses disk space)

– Decrypt and backup

• Good performance

• Good transparency

• Threat model – attacks against drives and unpowered systems


Threats

• The Wiley Hacker against live systems

• Lost or Stolen Hard Drives

• Stolen Machines

• The Lost Tapes

• Confiscated Systems

• Returning Devices


Losses

• Loss of system

– Cost of replacing system

– Down time from loss

• Data Destruction

– Cost of replacing data

– You did have backups?

• Compromised Confidentiality

– You can’t get it back

– Notify the victims


Lost or Stolen Computer Systems

• Laptops or Full Systems may be stolen or lost

• Personal Data Stolen in Las Vegas DMV Breakin

– Burglars made off with a computer containing info on 9000 people

• 'Highly classified' State Department computer missing

– “Department officials don't know whether the computer was stolen or simply misplaced”


Stolen / Missing Hard Drives

• Investors Group says customer information on missing hard drive

– Up to 750,000 customer files may have been on the missing drive

– Drive was later recovered. It had been stolen. Can’t assume it was just lost

• A computer hard drive missing from the University of Northern Colorado contained personal information about thousands of employees and their families.

– The missing equipment includes the names, birth dates, Social Security and bank account numbers and other information about employees' beneficiaries as well as about 15,790 current and former workers.

– The total could be more than 30,000 people.


Lost Backup Tapes

• Info on 3.9M Citigroup customers lost

– UPS lost the tapes while shipping

• Bank of America lost tapes contining 1.2 million accounts

• Time Warner lost 40 backup tapes

– Information on 600,000 current and former employees were lost in transit to a storage facility.

• Ameritrade Holding Corp. in Omaha lost a data tape with the names of 200,000 clients.


Confiscated Systems

• On April 19, 2005 Chip Salzenburg notifies his employer about possible ethics violations over web scraping.

• On April 21, 2005 CEO of company files a police complaint against Chip resulting in search warrants and confiscation of all his equipment.

• Company is granted access to all contents of his computers

• Computers still remain in the hands of company analysts even though criminal investigation was dropped.


Erasing / Returning Drives

• Recent ALE discussion (frequent topic of discussion)

• How do I erase my hard drive?

• Overwrite 7 times? More?

• Utilities such as shred?

• Bulk Demagnetize?

• Crush and Destroy?

• If it was encrypted, you could overwrite once and be done


Encrypting a Hard Drive

• Objective: Encrypt all or some of the partitions on a hard drive

• Boot from alternate media

– No boot from a fully encrypted system

– Something physical you carry

– R/W - USB disk / pendrive / flash memory / key

– R/O – CD-Rom / BBC (Bootable Business Card)

• Catch-22 - Encrypting a running system


Design Considerations - 1

• Optionally Encrypt All Partitions

– Boot

– Root

– Swap

• Enter Boot Passphrase Only Once

• Minimize Exposure of Passphrase

• Two Factor – What you have and what you know...

• Ability to add and change passphrases



• Multiple Boot Media

– USB Key

– Hard Drive

– CD-Rom

– Different pass phrases on different media

• Boot consistency checking

• Backups

• Recoverability – Multiple layers of failsafe and error checking



• No patches to existing scripts packages or utilities

– Minimize update headaches

– Modified busybox handled through an additional package

– Scripts should handle all modifications internally

• Minimize number of manual operations

– Adds complexity to scripts

– Minimizes mistakes

• Support scripts (crypto-boot) installed in /boot/crypto/


Requirements

• BIOS Boot from USB (or CD-Rom)

• 2.6 Kernel (or 2.4 with lots of backports)

– dm_mapper

– dm_crypt

– Lvm

– Udev

• Cryptsetup-luks (not installed by default)

• Modified busybox (needs different feature set)


2.6 Kernel

• Many new features in the 2.6 kernel

• In-kernel crypto

– Device Mapper and dm_crypt

– Transport crypto – IPSec

– Crypto algorithms – AES, SHA1, MD5, etc...

• Init-Ramfs


Linux Kernel HD Crypto

• Add on patches for 2.4 and earlier kernel and utilities

– Crypto-loop (Kerneli project)

– Ppdd

– Loop-AES

• Built into 2.6 kernels

– Crypto-loop (for compatibility and transition)

– dm_crypt

¤ None of the Cryto-loop support problems or bugs

¤ Uses the generic device mapper mechanism


Initrd vs Ramfs

• Initrd originally based in Initial “Ramdisks”

– Ramdisk predetermined size and preformated

• Init-Ramfs based on in-core Ramfs

– Initrd image is a cpio image

– No predefined size or initial file system formating

– Multiple images can be specified and stacked

– Initialized earlier in kernel boot sequence

– Used for early initialization of kernel modules and in-kernel code

– File system is in core (no root file system)


Boot Drive Options

• Nice handy utility device (boot and otherwise)

• Basic Crypto Boot

• Adios (or similar) USB bootable Distro

• DOS Boot (maintenance such as BIOS flashing)

• Additional File Systems (ext2/ext3)

• PAM_USB

• Encrypted File Systems

• Forensics Tools (Linux and Windows)


Create USB Boot Key

• Three USB Drive Formats (USB HDD, USB FDD, USB Zip)

• Format under Windows (recommended)

– HP USB Storage Format Tool – USB HD Format (It just works)

– Dos files needed for Dos Boot option (Handy)

• Format under Linux

– No Dos Boot option (AFAICT – FreeDOS, maybe)

– Use MBR images from any of several bootable projects

• Repartition and format additional partitions


Busybox

• Busybox is a multifunction utility for embedded systems

• Busybox from RedHat lacks several features

• Need Ash instead of Msh

• Need losetup

• Need fdisk

• Rebuild or download updated version

– Busybox-ash-losetup

– Available where scripts are available


Cryptsetup

• Basic cryptsetup sets up parameters for dm_crypt

• Takes passphrases from prompt or file or pipe

• Only creates device mappings

• Various algorithms and hashes available

• Encryption may be converted in place for basic mapping

– dd if=/dev/realdev of=/dev/mapper/cryptodev bs=16M

– Do no interrupt or partition will be unrecoverable

– Can take hours on large drives


Luks

• Linux Unified Key Setup

• Installs a key header at head of partition

– ~512K

• Multiple passphrases (key slots) supported

• Passphrases may be changed

• No “in place” conversion possible

• All data must be copied off and then back on

• Integrated into “cryptsetup-luks” on Fedora Core


Keyblob

• A keyblob is a mini encrypted file system with detailed keys

• Using a keyblob gives us the best of all possible worlds

• Use Luks encryption on the keyblob

– Multiple passphrases

– May change passphrases with changing individual keys

• Individual basic AES keys for each partition

• Only requires entering the passphrase once

• Unencrypted keys are only exposed momentarily in cache


Initialize Keyblob

• Script - keyinit.sh

• Creates a 756K Luks image, encrypts, and builds file system

– 256K ext2 file system

– Encrypted to master boot passphrase

– Passphrases in the Luks headers are your access control

• Creates a 256 byte random key for each partition

– Actual partition keys for encryption

– Can not be changed after without re-encrypting impacted drives


Passphrases

• We no longer need “Mickey Mouse” passWORDS

• Use long, strong, passphrases

• Use multiple words

• Misspell one or more words

• Mix capitalization

• Convert letters or words to numbers

• Separate with punctuation

• Make it something mnemonic


Initrd

• Script - cryptodrive-init.sh

• Rebuild initrd / init-ramfs image

– Add USB modules

– Add dm_mapper, dm_crypt, and aes modules

• Add cryptsetup

• Add busybox and links to utility functions

• Add crypto-setup.sh script and hook

• Update initrd in boot and crypto directories


Initializing Crypto USB Drive

• Script – cryptodrive-init.sh (continued)

• Copy syslinux components to drive

• Copy kernel and initrd to drive

• Copy keyblob to drive

• Backup dos.bss (if dos option present)

• Run syslinux (if not previously installed)

• Add optional components manually


Backup and Test

• Boot from either media or HD

• All should prompt for a passphrase

• Should be able to boot to “busybox” prompt

• Should be able to continue boot to unencrypted run mode

• BACK UP ALL DATA BEFORE ENCRYPTING A PARTITION

• Encrypt a few non-critical partitions first

• Do not encrypt boot until multiple boot keys have been built and tested! You have been warned!


Encrypting the Partitions

• Boot from USB or main HD

• Boot to “busybox”

• No drives are encrypted (yet)

• “encrypt-drives.sh [partitions]”

• Encrypting boot prevents booting from Hard Drive

• Additional USB key partitions may be encrypted as well

• SWAP is a special case


Encrypting SWAP

• Encrypting SWAP first time

– Uses the static partition key from keyblob

– Allows for software suspend to swap

• Re-encrypting encrypted SWAP

– Double encryption is a “Magic cookie”

– SWAP now encrypted to a random key

– Each boot results in a new key

– No software suspend to swap possible


Boot of Last Resort

• Recovery using an out-of-date backup boot key

• No matching kernel in root

• BoLR (Boot of Last Resort)

– Boot to busybox

– Decrypt ONLY the boot partition

– Copy MBR from boot partition to drive MBR

– Reboot to Hard Drive

• May still need to decrypt all if crypto is missing from boot


Updating

• Ongoing updates and maintenance

• Yum updates operate on encrypted systems

• Each kernel update requires update to keys

• Rerun cryptodrive-init.sh for each key ASAP

– First time updates initrd on hard drive plus USB drive/key

– Subsequent updates copy files to the USB drive/key

• System upgrades from boot install media require decrypting


CD-Rom Boot

• Crypto-boot works with CDs equally well

• Building CD boot images is currently a semi-manual process

• CD uses isolinux instead of syslinux

– Allows for chainloading

– Avoids problems with “boot image” and floppy sizes

– Most modern BIOS will handle no-emulation boot (isolinux)

– Dos support handled with MEMDISK and a Dos boot image (up to you)


ToDo

• LVM support (should work but make need tweaking)

• XEN (testing – will need mods to update XEN initrds)

• Expanded drive and file system support (raid, reiserfs, etc)

• Get rid of RedHat nash entirely (shrink initrd)

• BoLR integration

• Multiple overwrites when encrypting

• Forensic packages (WOLF)

• Integration with other bootable crypto projects


Conclusion

• Linux 2.6 makes encryption easier than before.

• Communications, E-Mail, files, and drives may be encrypted.

• Multiple layers of encryption may be used to address multiple threat models.

• It is now practical to encrypt entire hard drives.

• Do you need to do this or really want to do this?

– You need to understand your problem to know if this is a solution to it...


References

• http://www.wittsend.com/mhw/2005/encrypt-this/

• http://www.wittsend.com/mhw/crypto-boot/

• http://www.saout.de/misc/dm-crypt/

• http://luks.endorphin.org/

• http://www.cpqlinux.com/bootable-usb.html

• http://advancemame.sourceforge.net/boot-readme.html

• http://h18007.www1.hp.com/support/files/hpcpqdt/us/download/20306.html

• http://syslinux.zytor.com/

• http://www.busybox.net/

http://www.wittsend.com/mhw/2005/encrypt-this/

http://www.wittsend.com/mhw/crypto-boot/

http://www.saout.de/misc/dm-crypt/

http://luks.endorphin.org/

http://www.cpqlinux.com/bootable-usb.html

http://advancemame.sourceforge.net/boot-readme.html

http://h18007.www1.hp.com/support/files/hpcpqdt/us/download/20306.html

http://syslinux.zytor.com/

http://www.busybox.net/


Encrypt This!

Michael H. Warfield

[email protected]

[email protected]



Michael H. Warfield [email protected] mhw@wittsend · 2006. 9. 22. · Key is a "shared secret"...

Documents

Transcript of Michael H. Warfield [email protected] mhw@wittsend · 2006. 9. 22. · Key is a "shared secret"...