The Care and Feeding of Passwords --------------------------------- With the inherent strength of an encryption system like the one used by SFS, the password used for encryption is becoming more the focus of attack than the encryption system itself. The reason for this is that trying to guess an encryption password is far simpler than trying to break the encryption system. SFS allows keys of up to 100 characters in length. These keys can contain letters, numbers, spaces, punctuation, and most control and extended characters except backspace (which is used for editing), escape (which is used to abort the password entry), and carriage return or newline, which are used to signify the end of the password. You should try and take advantage of this fact as much as possible, with preferred passwords being entire phrases rather than individual words (in fact since very few words are longer than the SFS absolute minimum password length of 10 characters, the complete set of these words can be checked in moments). There exist programs designed to allow high-speed password cracking of standard encryption algorithms which can, in a matter of hours (sometimes minutes, even seconds in the case of very weak algorithms), attempt to use the contents of a number of very large and complete dictionaries as sample passwords [1][2][3][4][5]. For example one recent study of passwords used on Unix systems[6] found 25% of all passwords simply by using sophisticated guessing techniques. Of the 25% total, nearly 21% (or around 3,000 passwords) were found within the first week using only the spare processing power of a few low-end workstations. 368 were found within the first few minutes. On an average system with 50 users, the first password could be found in under 2 minutes, with 5-15 passwords being found by the end of the first day[7]. Virtually all passwords composed of single words can be broken with ease in this manner, even in the case of encryption methods like the one which is used by SFS, which has been specially designed to be resistant to this form of attack (doing a test of all possible 10-letter passwords assuming a worst-case situation in which the password contains lowercase letters only, can be accomplished in 450,000 years on a fast workstation (DEC Alpha) if the attacker knows the contents of the encrypted volume in advance - or about 4 1/2 years on a network of 100,000 of these machines). Of course no attacker would use this approach, as few people will use every possible combination of 10 letter passwords. By using an intelligent dictionary-based cracking program, this time can be reduced to only a few months. Complete programs which perform this task and libraries for incorporation into other software are already widely available[8]. This problem is especially apparent if the encryption algorithm used is very weak - the encryption used by the popular Pkzip archiver, for example, can usually be broken in this manner in a few seconds on a cheap personal computer using the standard wordlist supplied with all Unix systems[9]. You shouldn't rely on simple modifications to passwords for security. Capitalizing some letters, spelling the words backwards, adding one or two digits to the end, and so on, increase the amount of work which needs to be done by the average password-cracker by only a small amount over that needed for plain unadorned passwords. You should avoid any phrase which could be present in any kind of list (song lyrics, movie scripts, books, plays, poetry, famous sayings, and so on) - again, these can be easily and automatically checked by computers. Using foreign languages offers no extra security, since it means an attacker merely has to switch to using foreign-language dictionaries (or phrase lists, song lyrics, and so on). Relying on an attacker not knowing that a foreign language is being used ("If I use Swahili they'll never think of checking for it" - the so-called "Security through obscurity" technique) offers no extra security, since the few extra days or months it will take to check every known language are only a minor inconvenience. Probably the most difficult passwords to crack are ones comprising unusual phrases or sentences, since instead of searching a small body of text like the contents of a dictionary, book, or phrase list, the cracker must search a much larger corpus of data, namely all possible phrases in the language being used. Needless to say, the use of common phrases should be avoided, since these will be an obvious target for crackers. Some examples of bad passwords are: misconception Found in a standard dictionary noitpecnocsim Reversed standard dictionary word miskonseption Simple misspelling of a standard word m1skon53pshun Not-so-simple misspelling of a standard word MiScONcepTiON Standard word with strange capitalization misconception1234 Standard word with simple numeric code appended 3016886726 Simple numeric code, probably a US phone number YKYBHTLWYS Simple mnemonic In general coming up with a secure single-word password is virtually impossible unless you have a very good memory for things like unique 20-digit numbers. Some examples of bad passphrases are: What has it got in its pocketses? Found in a common book Ph'n-glui mgl'w naf'h Cthulhu R'yleh w'gah Found in a somewhat less common book For yesterday the word of Caesar might have stood Found in a theatrical work modify the characteristics of a directory Found in a technical manual T'was brillig, and the slithy toves Found in a book of poetry I've travelled roads that lead to wonder Found in a list of music lyrics azetylenoszilliert in phaenomenaler kugelform Found in an obscure foreign journal Arl be back Found in several films I don't recall Associated with a famous person (although it does make a good answer to the question "What's the password?" during an interrogation) Needless to say, you should never write a passphrase down or record it in any other way, or communicate it to anyone else. Footnote [1]: A large collection of word lists suitable for this kind of attack can be found on ftp.ox.ac.uk in directories below the /pub/wordlists directory, and total about 15MB of compressed data. These dictionaries contain, among other things, 2MB of Dutch words, 2MB of German words, 600KB of Italian words, 600KB of Norwegian words, 200KB of Swedish words, 3.3MB of Finnish words, 1MB of Japanese words, 1.1MB of Polish words, 700KB of assorted names, and a very large collection of assorted wordlists covering technical terms, jargon, hostnames, internet machine names, login ID's, usenet sites, computer languages, computer companies, the Koran, the Bible, the works of Lewis Carrol, Shakespeare, acronyms, characters from books, plays and films, actors given names, actors surnames, titles from movies, plays, and television, Monty Python, Star Trek, US politics, US postal areas, US counties, the CIA world fact book, the contents of several large standard dictionaries and thesaurii, and common terms from Australian, Chinese, Croatian, Danish, Dutch, English, Finnish, French, German, Hindi, Hungarian, Italian, Japanese, Latin, Norwegian, Polish, Russian, Spanish, Swahili, Swedish, Yiddish, computers, literature, places, religion, and scientific terms. The ftp.ox.ac.uk site also contains, in the directory /src/security, the file cracklib25.tar.Z, a word dictionary of around 10MB, stored as a 6.4MB compressed tar file. Footnote [2]: A large dictionary of English words which also contains abbreviations, hyphenations, and misspelled words, is available from wocket.vantage.gte.com (131.131.98.182) in the /pub/standard_dictionary directory as dic-0594.tar, an uncompressed 16.1MB file, dic-0594.tar.Z, a compressed 7.6MB file, dic-0594.tar.gz, a Gzip'ed 5.9MB file, and dic-0594.zip, a Zipped 5.8MB file. This contains around 1,520,000 entries. In combination with a Markov model for the English language built from commonly-available texts, this wordlist provides a powerful tool for attacking even full passphrases. Footnote [3]: A Unix password dictionary is available from ftp.spc.edu as .unix/password-dictionary.txt. Footnote [4]: Grady Ward has collected very large collections of words, phrases, and other items suitable for dictionary attacks on cryptosystems. Even the NSA has used his lists in their work. Of particular interest are Moby Words, which contains 610,000 English entries including Scrabble(tm) compatible words, baby names, word frequencies, special subsets for spelling checkers and more, Moby Part-of-Speech, which contains 230,000 words and phrases marked with full part-of-speech data (in priority order for those words having more than one part-of-speech), Moby Pronunciator with 175,000 words and phrases fully coded with International Phonetic Alphabet (IPA) ASCII symbols including up to three levels of emphasis (stress), and Moby Thesaurus with 30,000 root words and more than 2.5 million synonyms and related words. Samples of each of the lexical databases are available from ftp.netcom.com (192.100.81.100) in the /pub/grady directory as Moby-Sampler.tar.Z. A Postscript brochure describing the lists is available from the same location as Moby_Brochure8.5x14.ps.Z, the full datasets can be obtained from Grady Ward, 3449 Martha Ct., Arcata, CA 95521-4884, ph/fax 1-707-826-7715 Footnote [5]: A number of CDROM's are available which contain information useful for password-cracking. Two of these are the Chestnut "Dictionaries and Languages" CDROM and the Walnut Creek "Project Gutenberg" CDROM. Footnote [6]: Daniel Klein, "Foiling the Cracker: A Survey of, and Improvements to, Password Security", Software Engineering Institute, Carnegie Mellon University. Footnote [7]: An improved implementation is approximately 3 times faster on an entry-level 386 system, 4 times faster on an entry-level 486 system, and up to 10 times faster on a more powerful workstation such as a Sparcstation 10 or DEC 5000/260, meaning that the first password would be found in just over 10 seconds on such a machine. Footnote [8]: One such program is "crack", currently at version 4.1 and available from ftp.ox.ac.uk in the directory /src/security as crack41.tar.Z. Footnote [9]: Actual cryptanalysis of the algorithm, rather than just trying passwords, takes a little longer, usually on the order of a few hours with a low-end workstation. However this method will (after a little work) break all encrypted zip files, not just the ones for which the password can be guessed. Other Software -------------- There are a small number of other programs available which claim to provide disk security of the kind provided by SFS. However by and large these tend to use badly or incorrectly implemented algorithms, or algorithms which are known to offer very little security. One such example is Norton's Diskreet, which encrypts disks using either a fast proprietary cipher or the US Data Encryption Standard (DES). The fast proprietary cipher is very simple to break (it can be done with pencil and paper), and offers protection only against a casual browser. Certainly anyone with any programming or puzzle-solving skills won't be stopped for long by a system as simple as this[1]. The more secure DES algorithm is also available in Diskreet, but there are quite a number of implementation errors which greatly reduce the security it should provide. Although accepting a password of up to 40 characters, it then converts this to uppercase-only characters and then reduces the total size to 8 characters of which only a small portion are used for the encryption itself. This leads to a huge reduction in the number of possible encryption keys, so that not only are there a finite (and rather small) total number of possible passwords, there are also a large number of equivalent keys, any of which will decrypt a file (for example a file encrypted with the key 'xxxxxx' can be decrypted with 'xxxxxx', 'xxxxyy', 'yyyyxx', and a large collection of other keys, too many to list here). These fatal flaws mean that a fast dictionary-based attack can be used to check virtually all possible passwords in a matter of hours on a standard PC. In addition the CBC (cipher block chaining) encryption mode used employs a known, fixed initialisation vector (IV) and restarts the chaining every 512 bytes, which means that patterns in the encrypted data are not hidden by the encryption. Using these two implementation errors, a program can be constructed which will examine a Diskreet-encrypted disk and produce the password used to encrypt it (or at least one of the many, many passwords capable of decrypting it) within moments. In fact, for any data it encrypts, Diskreet writes a number of constant, fixed data blocks (one of which contains the name of the programmer who wrote the code, many others are simply runs of zero bytes) which can be used as the basis of an attack on the encryption. Even worse, the very weak proprietary scheme used by Diskreet gives away the encryption key used so that if any two pieces of data are encrypted with the same password, one with the proprietary scheme and the other with Diskreet's DES implementation, the proprietary-encrypted data will reveal the encryption key used for the DES-encrypted data[1]. These problems are in fact explicitly warned against in any of the documents covering DES and its modes of operation, such as ISO Standards 10116 and 10126-2, US Government FIPS Publication 81, or basic texts like Denning's "Cryptography and Data Security". It appears that the authors of Diskreet never bothered to read any of the standard texts on encryption to make sure they were doing things right, or never really tested the finished version. In addition the Diskreet encryption code is taken from a code library provided by another company rather than the people who sell Diskreet, with implementation problems in both the encryption code and the rest of Diskreet. The DES routines used in Da Vinci, a popular groupware product, are similarly poorly implemented. Not only is an 8-character password used directly as the DES key, but the DES encryption method used is the electronic codebook (ECB) mode, whose use is warned against in even the most basic cryptography texts and, in a milder form, in various international encryption standards. For example, Annex A.1 of ISO 10116:1991 states "The ECB mode is in general not recommended". ISO 10126-2:1991 doesn't even mention ECB as being useful for message encryption. The combination of Da Vinci's very regular file structure (which provides an attacker with a large amount of known data in very file), the weak ECB encryption mode, and the extremely limited password range, makes a precomputed dictionary attack (which involves a single lookup in a pre-set table of plaintext-ciphertext pairs) very easy (even easier, in fact, than the previously-discussed attack on Unix system passwords). In fact, as ECB mode has no pattern hiding ability whatsoever, all that is necessary is to encrypt a common pattern (such as a string of spaces) with all possible dictionary password values, and sort and store the result in a table. Any password in the dictionary can then be broken just as fast as the value can be read out of the table. PC Tools is another example of a software package which offers highly insecure encryption. The DES implementation used in this package has had the number of rounds reduced from the normal 16 to a mere 2, making it trivial to break on any cheap personal computer. This very weak implementation is distributed despite a wide body of research which documents just how insecure 2-round DES really is[2]. Even a correctly-implemented and applied DES encryption system offers only marginal security against a determined attacker. It has long been rumoured that certain government agencies and large corporations (and, no doubt, criminal organizations) possessed specialized hardware which allowed them to break the DES encryption. However only in August of 1993 have complete constructional details for such a device been published. This device, for which the budget version can be built for around $100,000, can find a DES key in 3.5 hours for the somewhat more ambitious $1 million version (the budget version takes 1 1/2 days to perform the same task). The speed of this device scales linearly with cost, so that the time taken can be reduced to minutes or even seconds if enough money is invested. This is a one-off cost, and once a DES-breaking machine of this type is built it can sit there day and night churning out a new DES key every few minutes, hours, or days (depending on the budget of the attacker). In the 1980's, the East German company Robotron manufactured hundreds of thousands of DES chips for the former Soviet Union. This means one of two things: Either the Soviet Union used the chips to build a DES cracker, or they used DES to encrypt their own communications, which means that the US built one. The only way around the problem of fast DES crackers is to run DES more than once over the data to be encrypted, using so-called triple DES (using DES twice is as easy to attack as single DES, so in practice three iterations must be used). DES is inherently slow. Triple DES is twice as slow[3]. A hard drive which performs like a large-capacity floppy drive may give users a sense of security, but won't do much for their patience. The continued use of DES, mainly in the US, has been due more to a lack of any replacement than to an ongoing belief in its security. The National Bureau of Standards (now National Institute of Standards and Technology) has only relucatantly re-certified DES for further use every five years. Interestingly enough, the Australian government, which recently developed its own replacement for DES called SENECA, now rates DES as being "inappropriate for protecting government and privacy information" (this includes things like taxation information and social security and other personal data). Now that an alternative is available, the Australian government seems unwilling to certify DES even for information given under an "in confidence" classification, which is a relatively low security rating[4]. In comparison, the RC4 encryption used in Lotus Notes has been deliberately designed to offer only a certain level of security which means it is exportable under the US crypto export restrictions. The key length is limited to 40 bits, making it possible to mount a brute-force attack against it in a reasonable amount of time[5]. A similar measure is used in IBM's Commercial Data Masking Facility, which uses a DES implementation limited to a 40-bit key. Although the RC4 algorithm has a number of interesting properties which make it less than perfect, the simplest attack is still a brute-force check of all possible 40-bit key combinations[6]. Both RC4 and the CDMF are properly designed and implemented, but have been weakened somewhat by the need to satisfy the US governments restrictions on the use of strong cryptography. Finally, the add-on "encryption" capabilities offered by general software packages are usually laughable. Various programs exist which will automatically break the "encryption" offered by software such as Ami Pro, Arc, Arj, Lotus 123, the "improved encryption" in Lotus 123 3.x and 4.x, Lotus Symphony, Microsoft Excel, Microsoft Word, Novell Netware, Paradox, Pkzip 1.x, the "improved encryption" in Pkzip 2.x, Quattro Pro, Unix crypt(1), Wordperfect 5.x and ealier, the "improved" encryption in Wordperfect 6.x, and many others[7][8][9]. Indeed, these systems are often so simple to break that at least one package which does so adds several delay loops simply to make it look as if there were actually some work involved in the process. Although the manuals for these programs make claims such as "If you forget the password, there is absolutely no way to retrieve the document", the "encryption" used can often be broken with such time-honoured tools as a piece of paper, a pencil, and a small amount of thought. Some programs which offer "password protection security" don't even try to perform any encryption, but simply do a password check to allow access to the data. Three examples of this are Stacker, Fastback, and Norton's partition security system, all three of which can either have their code patched or have a few bytes of data changed to ignore any password check before granting access to data. Footnote [1]: There are at least three products available which will break both the proprietary and DES encryption used in Diskreet. One publicly-available program which will perform this task is sold by a company called AccessData. More information on their encryption-breaking software can be found a few paragraphs down. Footnote [2]: A 2-round version is in fact so weak that most attackers never bother with it. Biham and Shamirs "Differential Cryptanalysis of the Data Encryption Standard" only starts at 4 rounds, for which 16 encrypted data blocks are needed for a chosen-plaintext attack. A non-differential, ciphertext-only attack on a 3-round version requires 20 encrypted data blocks. A known-plaintext attack requires "several" encrypted data blocks. A 2-round version will be significantly weaker than the 3-round version. It has been reported that a university lecturer once gave his students 2-round DES to break as a homework exercise. Footnote [3]: There are some clever tricks which can be used to make a triple DES implementation only twice as slow as single DES, rather than three times as slow as would be expected. Footnote [4]: The Commonwealth of Australia Protective Security Manual (PSM) defines two classes of material, National Security Material and Sensitive Material. Sensitive Material is the lower classification category, and the "In-Confidence" category is the lowest sub-category for Sensitive Material, being defined in the PSM as "Material which requires a limited degree of protection. Unauthorised disclosure, loss, compromise, misuse of which, or damage to in-confidence data might possibly cause harm to the country, Government, or give unfair advantage to any entity". In addition "information considered private that needs some degree of protection should normally be categorised as In-Confidence". Footnote [5]: A sieve array populated by single-bit boolean processors running at 40 MIPS would produce one trial per cycle, with the average time to break a 40 bit key by brute force (.5x10^12) being a little over three hours. There are inexpensive DSP's (digital signal processors) available which can be used for this purpose, in a device costing a few tens of thousands of dollars. Footnote [6]: RC4 has two parts, the initialization phase, and the random number generation phase used for the encryption itself. An array is initialized with the user's key to be a random permutation. The random number generator then mixes the permutation and reports values looked up pseudorandomly in that permutation. Among the weaknesses in RC4 are that there is too high a likelihood during the initialization phase that small values will remain in small positions in the initial permutation; user keys are repeated to fill 256 bytes, so 'aaaa' and 'aaaaa' produce the same permutation; results are looked up at pseudorandom positions in the array, and if some internal state causes a certain sequence of positions to be looked up, there are 255 similar internal states that will look up values in the same sequence of positions (although the values in those positions will be different), from which it can be shown that cycles come in groups of 2^n, where all cycles in a group have the same length, and all cycles are of an odd length * 256 unless they are in a group of 256; there is a bias in the results so that, for example, the pattern "a a" is too likely and the pattern "a b a" is too unlikely, which can be detected only after examining about 8 trillion bytes; the internal state is not independent of the results, so that with a given result there are two patterns in the internal state that appear 1/256 times more often than they ought to; and at least two seperate methods exist for deducing the internal state from the results in around 2^900 steps. In none of these cases do they reduce the complexity of an attack to anywhere near the level of simply trying all 2^40 keys - like the differential and linear cryptanalysis results for DES, they serve more as an indication of how strong the cipher is than how weak it is. Footnote [7]: A package which will break many of these schemes is sold by AccessData, 560 South State, Suite J-1, Orem, Utah 84058, ph. 1-801-224-6970, fax 1-801-224-6009, email support@accessdata.com. Access Data's main European distributor, Key Exchange, is based in London, ph. +44-81-744-1551. They provide software which will break WordPerfect (versions 4.2-6.1, regular or enhanced encryption), Microsoft Word (versions 2.0-6.1), Microsoft Excel (all versions including the Macintosh one), Lotus 1-2-3 (all versions), Quattro Pro, Paradox, Pkzip, Norton's Diskreet (both DES and proprietary encryption), Novell NetWare (versions 3.x-4.x), and others. All the programs come with a 100% guarantee. AccessData also offers to its customers free inhouse recovery of data created with applications like Quicken, Microsoft Money, and other simple (non-encryption based) password systems. AccessData provide a free demonstration disk which will decrypt files that have a password of 10 characters in length. The lengths of passwords other than 10 characters in length will be displayed, but not the password itself. They also make demo versions of their software available on their FTP site ftp.accessdata.com in the directory /pub/demo, and have a Web page at http://www.accessdata.com. As an example, a demo of their WordPerfect 6.0b encryption breaker is available from the FTP site as wrpassd.exe. More information on the contents of the directory is present in the directory itself. Footnote [8]: A number of programs (too many to list here) which will break the encryption of all manner of software packages are freely available via the internet. For example, a WordPerfect encryption cracker is available from garbo.uwasa.fi in the directory /pc/util as wppass2.zip. The Pkzip 1.x and 2.x encryption was first publicly broken by Paul Kocher in August 1994 (although the NSA must have broken it much earlier, as they allowed it to be exported from the US). His method works regardless of the password size or file content. The Ami Pro encryption was also first publicly broken by Paul Kocher in February 1995 (although again it was rumoured that private organisations had broken it much earlier). The method of breaking Ami Pro also works regardless of password size or file content. Footnote [9]: CRAK Software produce encryption breaking software for a wide variety of popular word processor, spreadsheet, and financial programs including MS Excel 5.0, Lotus 123 version 4.0, Quattro Pro 6.0, MS Word 6.0, Wordperfect through to version 5.2, and Quicken through to version 4.0, with software to handle earlier versions of these programs available on request. Demo versions of some of these programs are available from ftp.indirect.com in the directory /www as excrak.zip, locrak.zip, qpcrak.zip, wdcrak.zip, and wpcrak.zip respectively. CRAK Software can be contacted at 1-800-484-9628 ext.7584 or through their WWW home page at http://www.indirect.com/johnk/ Footnote [10]: Why are you reading this footnote? Nowhere in the text is there a [10] referring you to this note. Go back to the start, and don't read this footnote again! Data Security ------------- This section presents an overview of a range of security problems which are, in general, outside the reach of SFS. These include relatively simple problems such as not-quite-deleted files and general computer security, through to sophisticated electronic monitoring and surveillance of a location in order to recover confidential data or encryption keys. The coverage is by no means complete, and anyone seriously concerned about the possibility of such an attack should consult a qualified security expert for further advice. You should remember when seeking advice about security that an attacker will use any available means of compromising the security of your data, and will attack areas other than those for which the strongest defense mechanisms have been installed. For this reason you should consider all possible means of attack, since strengthening one area may merely make another area more appealing to an opponent. Information Leakage There are several ways in which information can leak from an encrypted SFS volume onto other media. The simplest kind of information leakage is in the form of temporary files maintained by application software and operating systems, which are usually stored in a specific location and which, when recovered, may contain file fragments or entire files from an encrypted volume. This is true not only for the traditional word processors, spreadsheets, editors, graphics packages, and so on which create temporary files on disk in which to save data, but also for operating systems such as OS/2, Windows NT, and Unix, which reserve a special area of a disk to store data which is swapped in and out of memory when more room is needed. This information is usually deleted by the application after use, so that the you won't even be aware that it exists. Unfortunately "deletion" generally consists of setting a flag which indicates that the file has been deleted, rather than overwriting the data in any secure way. Any information which is "deleted" in this manner can be trivially recovered using a wide variety of tools[1]. In the case of a swap file there is no explicit deletion as the swap area is invisible to the user anyway. On a lightly-loaded system, data may linger in a swap area for a considerable amount of time. The only real solution to this problem is to redirect all temporary files and swap files either to an encrypted volume or to a RAM disk whose contents will be lost when power is removed. Most programs allow this redirection, either as part of the program configuration options or by setting the TMP or TEMP environment variables to point to the encrypted volume or RAM disk. Unfortunately moving the swap area and temporary files to an encrypted volume results in a slowdown in speed as all data must now be encrypted. One of the basic premises behind swapping data to disk is that very fast disk access is available. By slowing down the speed of swapping, the overall speed of the system (once swapping becomes necessary) is reduced. However once a system starts swapping there is a significant slowdown anyway (with or without encryption), so the tradeoff between encrypting the swap file for added security or not encrypting it for added speed is up to you. The other major form of information leakage with encrypted volumes is when backing up the data contained on them. Currently there is no generally available secure backup software (the few applications which offer "security" features are generally ridiculously easy to circumvent), so that all data stored on an encrypted volume will generally need to be backed up in unencrypted form. Like the decision on where to store temporary data and swap files, this is a tradeoff between security and convenience. If it were possible to back up an encrypted volume in its encrypted form, the entire volume would have to be backed up as one solid block every time a backup was made. This could mean a daily backup of five hundred megabytes instead of the half megabyte which has changed recently. Incremental backups would be impossible. Backing up or restoring individual files would be impossible. Any data loss or errors in the middle of a large encrypted block could be catastrophic (in fact the encryption method used in SFS has been carefully selected to ensure that even a single encrypted data bit changed by an attacker will be noticeable when the data is decrypted[2]). Since SFS volumes in their encrypted form are usually invisible to the operating system anyway, the only way in which an encrypted volume can be backed up is by accessing it through the SFS driver, which means the data is stored in its unencrypted form. This has the advantage of allowing standard backup software and schedules to be used, and the disadvantage of making the unencrypted data available to anyone who has access to the backups. User discretion is advised. If you regard it as absolutely essential that backups be encrypted, and have the time and storage space to back up an entire encrypted volume, then the Rawdisk 1.1 driver, available as ftp.uni-duisburg.de:/pub/pc/misc/rawdsk11.zip, can be used to make the entire encrypted SFS volume appear as a file on a DOS drive which can be backed up using standard DOS backup software. The instructions which come with Rawdisk give details on setting the driver up to allow non-DOS volumes to be backed up as standard DOS drives. The SFS volume will appear as a single enormous file RAWDISK.DAT which entirely fills the DOS volume. Another possibility for encrypted backups involves using Windows, DesqView, or some other task switcher, in conjunction with a floppy backup program. By switching to another task window and mounting a new SFS volume when the current one has been filled up, and then switching back to the task window in which the backup program is running, the need to re-mount volumes when a disk swap takes place can be hidden from the backup program. The exact sequence of steps for performing a backup to SFS-encrypted floppy disks is as follows: 1. Mount an SFS volume in a floppy drive 2. Using the backup program, fill the volume in the floppy drive 3. Switch to another task window 4. Unmount the SFS volume in the floppy drive 5. Mount a new SFS volume in the floppy drive 6. Switch back to the original task window 7. Go to step 2. Unfortunately, this method will only work for floppy backups and is really best suited to small amounts of data. Where larger amounts of data are involved and tape backup units are available, the first method for obtaining encrypted backups is preferred. Footnote [1]: For example, more recent versions of MSDOS and DRDOS come with an "undelete" program which will perform this task. Footnote [2]: This is not a serious limitation, since it will only affect deliberate changes in the data. Any accidental corruption due to disk errors will result in the drive hardware reporting the whole sector the data is on as being unreadable. If the data is deliberately changed, the sector will be readable without errors, but won't be able to be decrypted. Eavesdropping The simplest form of eavesdropping consists of directly overwiewing the system on which confidential data is being processed. The easiest defence is to ensure that no direct line-of-sight path exists from devices such as computer monitors and printers to any location from which an eavesdropper can view the equipment in question. Copying of documents and the contents of computer monitors is generally possible at up to around 100 metres (300 feet) with relatively unsophisticated equipment, but is technically possible at greater distances. You should also consider the possibility of monitoring from locations such as office-corridor windows and nearby rooms. This problem is particularly acute in open-plan offices and homes. The next simplest form of eavesdropping is remote eavesdropping, which does not require access to the building but uses techniques for information collection at a distance. The techniques used include taking advantage of open windows or other noise conveying ducts such as air conditioning and chimneys, using long-range directional microphones, and using equipment capable of sensing vibrations from surfaces such as windows which are modulated by sound from the room they enclose. By recording the sound of keystrokes when a password or sensitive data is entered, an attacker can later recreate the password or data, given either access to the keyboard itself or enough recorded keystrokes to reconstruct the individual key sound patterns. Similar attacks are possible with some output devices such as impact printers. Another form of eavesdropping involves the exploitation of existing equipment such as telephones and intercoms for audio monitoring purposes. In general any device which handles audio signals and which can allow speech or other sounds to be transmitted from the place of interest, which can be modified to perform this task, or which can be used as a host to conceal a monitoring device and provide power and possibly microphone and transmission capabilites to it (such as, for example, a radio) can be the target for an attacker. These devices can include closed-circuit television systems (which can allow direct overviewing of confidential information displayed on monitors and printers), office communication systems such as public address systems, telephones, and intercoms (which can either be used directly or modified to transmit sound from the location to be monitored), radios and televisions (which can be easily adapted to act as transmitters and which already contain power supplies, speakers (to act as microphones), and antennae), and general electrical and electronic equipment which can harbour a range of electronic eavesdropping devices and feed them with their own power[1]. Another eavesdropping possibility is the recovery of information from hardcopy and printing equipment. The simplest form of this consists of searching through discarded printouts and other rubbish for information. Even shredding a document offers only moderate protection against a determined enough attacker, especially if a low-cost shredder which may perform an inadequate job of shredding the paper is employed. The recovery of text from the one-pass ribbon used in high-quality impact printers is relatively simple. Recovery of text from multipass ribbons is also possible, albeit with somewhat more difficulty. The last few pages printed on a laser printer can also be recovered from the drum used to transfer the image onto the paper. Possibly the ultimate form of eavesdropping currently available, usually referred to as TEMPEST (or occasionally van Eck) monitoring, consists of monitoring the signals generated by all electrically-powered equipment. These signals can be radiated in the same way as standard radio and television transmissions, or conducted along wiring or other metal work. Some of these signals will be related to information being processed by the equipment, and can be easily intercepted (even at a significant distance) and used to reconstruct the information in question. For example, the radiation from a typical VDU can be used to recover data with only a receiver at up to 25m (75 feet), with a TV antenna at up to 40m (120 feet), with an antenna and amplification equipment at up to 80m (240 feet), and at even greater distances with the use of more specialised equipment[2]. Information can also be transmitted back through the power lines used to drive the equipment in question, with transmission distances of up to 100m (300 feet) being possible. TEMPEST monitoring is usually relatively expensive in terms of the resources required, difficult to mount, and unpredictable in outcome. It is most likely to be carried out where other methods of eavesdropping are impractical and where general security measures are effective in stopping monitoring. However, once in place, the amount of information available through this form of eavesdropping is immense. In general it allows the almost complete recovery of all data being processed by a certain device such as a monitor or printer, almost undetectably, and over a long period of time[3][4][5]. Protection against TEMPEST monitoring is difficult and expensive, and is best left to computer security experts[6][7]. However, some simple measures are still possible, such as paying attention to the orientation of VDU's (most of the signal radiated from a VDU is towards the sides, with very little being emitted to the front and rear), chosing equipment which already meets standards for low emissions (for example in the US the "quietest" standard for computers and peripherals is know as the FCC Class B standard), using well-shielded cable for all system interconnections (unshielded cable such as ribbon cable acts as an antenna for broadcasting computer signals), using high-quality power line filters which block signals into the high radio frequency range, and other methods generally used to reduce or eliminate EMI (electromagnetic interference) from electronic equipment. Footnote [1]: For an example of a device which needs no special modifications to allow remote monitoring, the Drake intercom system can be used to listen to any other unit on the system by pressing soft, dir, down (to the desired address), rtn, soft assn, attr, t+fl (the addresses will start to flash, the desired address can now be selected), at which point the selected address will be bugged without the other end being aware of this. The bugging can be turned off again by pressing exit, t+l, selecting the flashing address as before, exit, soft. This capability is built into the system and requires no special modifications. Similar "features" are also present in a number of other intercom and PABX systems. Footnote [2]: These figures are taken from "Schutzmassnahmen Gegen Kompromittierende Elektromagnetische Emissionen von Bildschirmsichtgeraeten", Erhard Moeller and Lutz Bernstein, Labor fuer Nachrichtentechnik, Fachhochschule Aachen. Footnote [3]: An example of the kind of equipment used for TEMPEST monitoring is the NSA's F-3 ASCII code receiving antenna. When used with a portable receiver, the F-3 system allows an agent to record data as it is entered from a computer keyboard. The F-3 receiver/recorder is hand held and can detect transmissions at some distance through a 25cm (10 inch) thick concrete wall. Footnote [4]: A demonstration of this form of eavesdropping was done in the 1988 BBC program "High Tech Spies", in which a van containing detection equipment drove around London reading data off the screens of computers located in law offices and brokerage firms. The results were then shown to executives of the firms. Footnote [5]: Another demonstration was done by Winn Schwartau on Geraldo Riviera's "Now! It Can Be Told" TV show, broadcast on 30 September 1991. Footnote [6]: TEMPEST informatiom and shielding measures for protection against TEMPEST monitoring are specified in standards like "Tempest Fundamentals", NSA-82-89, NACSIM 5000, National Security Agency, February 1, 1982, "Tempest Countermeasures for Facilities Within the United States", National COMSEC Instruction, NACSI 5004, January 1984, "Tempest Countermeasures for Facilities Outside the United States", National COMSEC Instruction, NACSI 5005, January 1985, and MIL-STD 285 and 461B. Unfortunately these specifications have been classified by the organisations who are most likely to make use of TEMPEST eavesdropping, and are not available to the public. Footnote [7]: A computer centre in Moscow had all its windows shielded with reflective aluminium film which was supposed to provide enough protection to stop most forms of TEMPEST eavesdropping. The technique seems to have worked, because a KGB monitoring van parked outside apparently didn't notice the fact that the equipment had been diverted to the task of printing out Strugatsky's novels. Trojan Horses It may be possible for an attacker to replace the SFS software with a copy which seems to be identical but which has major weaknesses in it which make an attack much easier, for example by using only a few characters of the password to encrypt the disk. The least likely target is mksfs, since changing the way this operates would require a similar change to mountsfs and the SFS driver which would be easily detectable by comparing them with and independant, original copy. Since a changed mksfs would require the long-term use of a similarly changed mountsfs and driver, the chances of detection are greatly increased. A much more subtle attack involves changing mountsfs. By substituting a version which saves your password or encryption key to an unused portion of the disk and then replaces itself with an unmodified, original copy, an attacker can return at their leisure and read the password or key off the disk, leaving you none the wiser that your encryption key has been compromised. The SFS driver may be modified to do this as well, although the task is slighly more difficult than changing mountsfs. Detecting this type of attack is very difficult, since although it is possible to use security software which detects changes, this itself might be modified to give a false reading. Software which checks the checking software may in turn be modified, and so on ad infinitum. In general someone who is determined enough can plant an undetectable trojan[1], although precautions like using modification-detection programs, keeping physically separate copies of the SFS software, and occasionally checking the installed versions against other, original copies, may help reduce the risk somewhat. Booting into an encrypted partition, as described in the section "Advanced SFS Driver Options" above, which contains "clean" copies of the SFS software, and comparing the clean driver with the one used to boot into the encrypted partition, reduces the risk further. Finally, the eventual creation of a hardware SFS encryption card will reduce the risk even further, although it would still be possible for an attacker to substitute their own fake encryption card[2]. Another attack possibility is the creation of a program unrelated to SFS which monitors the BIOS character write routines for the printing of the password prompt, or video RAM for the appearance of the prompt, or the BIOS keyboard handler, or any number of other possibilities, and then reads the password as it is typed in[3][4][5][6]. This is a generic attack against all types of encryption software, and doesn't rely on a compromised copy of the software itself. It isn't even necessary for the captured information to be recorded anywhere, since the trojan can transmit it over a network which the computer may be attached to, or simply send it to any convenient (but not necessarily active) output device external to the computer in order to make a TEMPEST attack easier to mount. The stealth features in SFS are one way of making this kind of monitoring much more difficult (none of the keyboard-monitoring programs mentioned are effective against the SFS software), and are explained in more detail in the section "Security Analysis" below. However the only really failsafe way to defeat this kind of attack is to use custom hardware which performs its task before any user software has time to run, such as the hardware SFS version currently under development. Footnote [1]: An attacker could employ, for example, what David Farber has described as "supplemental functionality in the keyboard driver". Footnote [2]: An attack of this kind was carried out in 1989 at Cambridge University, when students dismantled public-access terminals and replaced the firmware with a newer version which captured passwords for later replay. This attack was documented in D. Harriman's article "Password Fishing on Public Terminals" in the January 1990 Computer Fraud and Security Bulletin, p.12. Footnote [3]: One program which performs the task of caturing keystrokes is Phantom 2.29i, available from wuarchive.wustl.edu in the directory /pub/msdos/keyboard as ptm229i.zip, or from P2 Enterprises, P.O. Box 25, Ben Lomond, California 95005-0025. This program not only allows the recording of all keystrokes but provides timing information down to fractions of a second, allowing for detailed typing pattern analysis by an attacker. There also exists a modified version of Phantom distributed as dos.zip which adds various stealth features to make it harder to detect. Two more keystroke-capturing programs are Encore, also available from wuarchive.wustl.edu in the directory /pub/msdos/keyboard as encore.zip, and KeyCopy, available from ftp.clark.net in the directory /pub/jcase as keycopy.zip. Another keystroke grabber, distibuted as depl.zip, runs a target program inside a shell which saves all keystrokes in scrambled form to a hidden file for later retrieval. DEPL can remove itself after use, and is customizable via a simple script file. Footnote [4]: A program specifically created for this purpose is keytrap, which is distributed as File 26 of Phrack Volume 5, Issue 46 (20 September 1994) and is available from freeside.com in the directory /pub/phrack as phrack46.zip. keytrap is a memory-resident program which logs keystrokes to a hidden data file for later recovery, and comes with source code allowing it to be easily customized for a particular purpose. A slightly improved version is available as keytrap2.zip. Footnote [5]: A program which watches for a certain event before activating itself is Thief (originally called Getit), written by someone at George Washington High School in Denver, Colorado to capture Novell logon ID's and passwords. The program hooks the DOS int 21h interrupt and waits for EXEC (program execute) calls. It then checks to see if the program being executed is the Novell LOGIN program. If it is, it captures subsequent keystrokes to a hidden file for later perusal. Thief comes with source code and can be modified to check for other programs or perform other monitoring functions if required. Footnote [6]: PC-Sentry, available in the Compuserve NOVUSER forum as sentry.zip, can secretly monitor and log all computer activity such as files accessed or deleted, command-line activity, programs run, and so on. A network version is also available. Activity Monitor, available in the Compuserve IBMSYS forum as actmon.zip, can monitor all activity under Windows 3.1 or above, and has a stealth mode of operation for unobtrusive use. Dangers of Encryption The use of very secure encryption is not without its downsides. Making the data completely inaccessible to anyone but the holder of the correct password can be hazardous if the data being protected consists of essential information such as the business records for a company which are needed in its day-to-day operation. If the holder of the encryption password is killed in an accident (or even just rendered unconscious for a time), the potential complete loss of all business records is a serious concern. Another problem is the question of who the holder of the password(s) should be. If the system administrator at a particular site routinely encrypts all the data held there for security purposes, then later access to the entire encrypted dataset is dependant on the administrator, who may forget the password, or die suddenly, or move on to another job and have little incentive to inform their previous employer of the encryption password (for example if they were fired from the previous job). It could even occur that the ex-administrator has forgotten the password used at his previous place of employment and might require a small, five-figure consideration to help jog his memory. The difficulty in prosecuting such a case would be rather high, as proving that the encryption system wasn't really installed in good faith by the well-intentioned administrator to protect the company data and that the password wasn't genuinely forgotten would be well nigh impossible.