Schneier on Security

Clive Robinson • December 1, 2011 5:21 PM

The big problem with most FDE is where the encryption key is stored and how.

We have discussed this one or two times in the past, but people realy need to realise that the key cannot be stored in memory…

And yes as I’ve said before there are ways to do this efficiently but you have to know how to do it.

Oh and sadly I don’t expect MS or Apple or Oracle OS’s supporting it any time ever let alone soon.

The way the NSA tends to do FDE is with an In-Line Media Encryptor, which is basicaly a box that sits between the disk and the computer and has appropriate key handeling and managment built in from the start not as an “after sales market add on”.

Which brings me onto another issue, although FDE appears to be hampering some forensic investigators, they don’t have the resources that some commercial let alone govenment organisations have. What is noticable about some FDE systems is that they might have “encryption” but the do not have the right “modes” of usage.

The result is in some cases the potential to have two pieces of known plaintext (ie headers to just about any MS Office file) stored under what is effectivly the same or only slightly different keymat… Which can leave a gaping hole…

Then again you also. have to think not in terms of “plaintext recovery” but “traffic analysis”, in a lot of cases you don’t need the plaintext, only to know when and what size of activity has occured, some FDE systems still give fairly easy access to file meta data which makes this sort of analysis quite easy.

Disk Encryption is not a simple problem to solve and has lots of “gotchas” for the unwary, at the moment forensic examiners are realy at the bottom of the food chain on extraction of information from encrypted media…

Clive Robinson • December 2, 2011 1:22 PM

@ Bob T,

“They’ll get my hard drive when they pry it from my cold dead fingers.”

Hmm more likely “cold wet fingers” these days after you’ve had a few lessons in “Faceup Facecloth Surfing”…

Which by the way is why “deniable encryption” was invented to keep you safe, warm and dry 😉

Clive Robinson • December 2, 2011 2:09 PM

@ Dr. I. Needtob Athe,

“… past the Windows password to get access. Would there be a way for him to do that?”

Simple answer is once they have the hardware with ease.

Like most comercial OS’s it is not setup with regard to physical security. As RobertT has outlined there are various ways. And as Nick P has pointed out in the past certain standard I/O ports prevalent on some systems that have DMA are almost custom made to “image memory” easily.

Thus you cannot store the encryption or decryption key in memory in “plaintext form” without it being vulnerable.

Supprisingly this is not a difficult problem to overcome when you actually look at how most block ciphers work.

Since DES put in an appearance the “Fiestel Round” has been the most favourd method of thoroughly mixing the key material and plaintext to produce robust ciphertext.

If you look at most block ciphers they have two main parts “the rounds” and “the round subkey scheduling” which expands the N bit key upto M bit round keys. So once the key has been expanded there is no requirment to keep the original key in memory and it can be deleted.

However storring the round sub key’s does not get you much more security, the trick is to store them in a differential format where a sub key is split into a number of parts that have to be reconstructed to get the round sub-key.

Now if you have a CPU which has sufficient registers then the round sub-key can be constructed as required inside the CPU as it is performing the round function.

The trick is how to store the differential keys in a random way that varies each and every time a sub key is constructed, such that getting access to the memory where the sub-keys are stored does not realy help an attacker.

The details of how to do this are not difficult to work out but they are tedious to explain in full, so a simple (but not very secure) example will suffice.

You have the valid round sub-key in a CPU register and a truly randomly generated number (TRGN) in another register, by using the TRGN in some way you can split the round sub-key into two or more parts (for simplicities of explination you use ADD mod N to reconstruct). You save the two parts in memory and throw away the TRGN without it ever appearing outside the CPU.

However the places the round sub key parts are stored are moved round something akin to a circular buffer where the pointers remain in the CPU along with another TRGN which is used to derive the actuall locations in the buffer (this is the bit that is very very tedious to explain so I won’t bother).

The result is provided you know the pointers and their TRNG then you can reconstruct the round sub-keys, without you have the tedious task of trying to reconstruct the keys in the right way in the right order which would be hard work at best. With a further minor twiddle you can make it a long long way from hardwork.

So provided you have a method by which the critical CPU registers cannot be accessed by manipulating the memory you have a system that is a starting point towards being more secure.

Sadly this last constraint is not present in most commodity CPU’s.

Clive Robinson • December 3, 2011 1:47 PM

@ NobodySpecial,

“The bigger worry these days is probably smartphones”

It would appear that the worry goes on…

In the case of Android,

http://phandroid.com/2011/11/30/more-android-security-issues-exposed-this-time-from-apps-already-installed-on-your-device/

http://securitywatch.pcmag.com/google/291249-serious-new-android-privacy-leak-demonstrated

It appears that although the android sandbox on paper atleast is superior to Apples iOS, as always the devil is in the details.

Not that this is any real surprise if you have a hunt around for a copy of the book by Bruce and Niels Ferguson (“Practical Cryptography” 1st edition “Cryptography Engineering” 2nd edition http://www.schneier.com/book-practical.html ) you will find the main theme is avoiding implementation errors.

Clive Robinson • December 6, 2011 7:52 AM

@ Jonathan Wilson,

“One idea I had for data storage requirements where the device doesn’t move would be to build (or have built) a special safe.”

Been there done that and know the recipe, and have mentioned on this blog before.

With regards to what you are thinking,

“It would contain special air vents/fan built into the safe (designed so they don’t allow access to the inside of the safe but do allow airflow for cooling the device inside).”

Not a good idea, you’d be surprised just how small and flexible tools are these days, if you know what to buy and have the funds much of the stuff you need can be got out of a surgical devices catalog for the likes of key hole and other minimal incision medical/surgical procedure.

The way to do it is with two blocks of high thermal conductivity metal (copper aluminium etc ) that you mount on the safe back wall one inside and one outside with thermal paste to ensure good thermal conductivity through the safe wall from one to the other. The one on the outside you mount suitable cooling equipment (fans etc etc) the one inside you use thermal pipes to the heat generating parts (just as you see in a number of PC products).

Oh and don’t forget to add thermal activated shutdown etc.

The next bit is the hard bit,

“I would also contain a power socket and Ethernet port on the inside of the safe wired through the safe (again in a way that doesn’t compromise the safe)”

The way I’ve done it is not perhaps the way most people would do it and not easy as it involves molten glass and welding steel plates to the inside and outside of the safe. You can get acceptable results using short lengths of “pyro cable” and solder/weld the glands in place.

Having done that you then need to deal with the issues of isolating the power supplies. The simplest way is to go out and buy an “online” UPS strip the bits out and add appropriate isolating and filtering components on the inside, specificaly to stop HiPot, HiJoule Impulse and RF based EM attacks (hopefully the metal of the safe will stop most magnetic field attacks). Pay very very carefull attention to how you do the earthing etc, which is why full galvanic issolation is helpful.

Having done this you need to add other features to prevent unwanted ingress via cutting torch, grinding cutters and drills. I won’t go into the specifics but a nice 1cm lining between the safe walls and the inner EMC sleave of thermite based around copper (not iron) oxide and with added flare material (fine particulate PTFE etc) and appropriate detection/ignition takes care of that job. The quantity of thermite is important, too little wont destroy the chips and platters in the drives and control circuitry, too much will melt the safe wall and alow it to run out before it has destroyed the drives and chips etc. Back in the good old days to much was easily solved with an asbestos lining between the thermite and the safe wall, these days you have to make up a custom “fire clay” liner, but carefully cut plain ceramic tiles and thermal grout (as used in the construction of small furnaces) will do the job.

Now we get to the weak bit of all safes the door and it’s furniture,

“Depending on the situation the locking mechanism for the safe could be a double combination (with multiple people safe could be a double combination (with multiple people having parts of the combination required to open the safe), a combination combined with a high-security key (the kind that are very hard to pick) stored offsite or some other mechanism.”

Forget the use of mechanical locks it’s what most safe crackers go after for good reason, that is they are very much the weakest link in the chain. You need to go for an electronic lock that drives appropriate dead bolts in the door edges which also has an anti shock deadlock system. In one such system the deadbolts are mounted against springs and a loop of wire rope is used to retract them, however the loop is supported by fragile glass plates, if they break then the loop cannot be drawn in sufficiently to pull back the dead bolts.

There are a number of physical traps and detectors such as vibration, movment that you need to add that will trigger wiping of key material etc.

As for AES KeyMat etc one way to put this in is via an asymetric key system using multiple (M of N) shared keys from out of jurisdiction locations.

However the system software etc becomes a weak point without care. First off all major software has bugs as a given. A second given is you won’t know most of them, and your advisory is going to know atleast one of them you don’t (ie a zero day). Thus the design has to mitigate this. A third more important given these days is that of side channels such as timing side channels leaking KeyMat, plaintext and other security related information.

Mitigation of many of these issues can be a challenge, however one way is to actually use two systems with a strongly mediated link between the two.

Clive Robinson • December 10, 2011 1:13 AM

@ haxxsmaxx,

“Let’s use some real life examples of FDE and how it works and doesn’t”

One of the things you forgot to mention is “dead mens switches” which these days can come in all sorts of flavours.

However

“… array servers he kept in his safe house. The servers were powered on when he was busted, so getting the key was only a matter of time”

That’s where not having the key on the server realy helps (AKA Client side encryption).

Most times when crypto fails the reason it has failed is simple and would have been easily avoided with a little thought.

For instance a laptop has a hard drive that is encrypted, and has the key or part of the key in memory. Now obviously if the laptop remains powered up in some way then given a relativly short time the key will be obtained…

Now the obvious soloutions are,

1, don’t keep the key in memory on the laptop
2, ensure the key can be erased quickly and easily at a moments notice.

The problem with 1 is most OS’s need the key there because of the bad habit of swaping, so as a first step find an OS that does not page or swap to hard disk (not to difficult these days with CD run versions of Linux etc)

However as noted above by myself and others RAM has a habit of being persistent so you need to make sure it only remembers garbage persistently (I explain ways to do that above).

Now the next question is how do you deal with the gun at your head, or other methods of persuasion when you are in the process of operating the equipment?

This is where a dead mans switch either hits the reset button, kicks out the power or runs a memory cleaner etc.

There are a number of ways to do this from a foot peddle switch, a near field card on a bit of string tied to your wrist or even a bluetooth device or java button style ring. If you get it right just simply raising your hands will trigger the key auto destruct, or if you are truely paranoid and have real secrets to keep that effect others lives a foot switch or knee button where if you relax or twitch the circuit is broken, Thus if the do put one through the back of your head it’s gained them nothing…

Clive Robinson • December 13, 2011 1:00 AM

@ Haxxsmaxx,

“… but like all superhackers he started getting complacent with his success, felt invincible and decided to …”

Opps major fail, he forgot the maxim of “Eternal Vigilance”.

It also sounds like for some reason he was to tight fisted to secure his own “safe house” perimiter with alarms (though they may have been bypassed).

There are a couple of reasons I did not turn to crime, “Eternal Vigilance” being one, the other being as my father pointed out to me “If you are bright enough to carry out the perfect crime you are bright enough to earn more money honestly”.

Now I know one or two people disagree with the point about being “bright enough” but I always think they have not thought it through far enough.

Many people can do the first few basic steps of the “perfect crime”,

1, Idea,
2, Planning,
3, Preperation,
4, Execution.

Of which the first is not illegal (otherwise most reading this blog would be locked up 😉

Even the second step is arguably not a criminal act and a requirment for good security on the old maxim of “think like a poacher to catch a poacher”.

It is the third stage where you “show intent” and often have to involve others which is where “conspiracy to…” comes into play. It is also where things start to go wrong with “perfect crime plans” due to human failings.

As history has shown us usually criminals do not actually trust each other sufficiently to work effectivly as a team, and certainly not under preasure and many will “rat out” at the first signs of trouble. Hence another old maxim “No honour amongst thieves”. The notable exceptions to this “lack of trust” issue often being the criminals of fame. and also why the Mafia etc are reputed as having significant “looking after” policies for those caught, backed up by hard line “vengence” policies for defectors.

It is these human failings that also brings us into the failings of the fourth stage where the crime is commited. Unlike agents of the government such as the military and LEA’s criminals do not generaly do sufficient training to deal with the unexpected. Hence the old army maxim about “Battle plans don’t survive first contact with the enemy”. Nothing can be “perfectly planned” to cover all eventualities, thus any team has to have the trust in other team members to act reliably and predictably when things start to go wrong as they eventually will.

But lets assume things do go according to plan and the criminal team end up with their objective, what happens then.

Often this is where it goes wrong because the criminals have not planed beyond the execution phase and to be frank behave very very stupidly in many many cases.

Dealing with the proceeds of crime is fraught with difficulties, often way more than actually executing the crime. And if the crime was significant the LEO’s will be looking for the processing of the proceeds, and putting preasure on those likley to “recieve stolen goods”.

Also the team members are likley to be “flushed with successc and all “pumped up” and need to unwind and often behave just as soldiers or LEO’s do they go out and celebrate etc. Big mistake, because unlike soldiers and LEO’s they are now “wanted men”. Then there is that peculier thing about the difference between a hero and a zero “you’re only a hero if people know what you’ve done”. That is people “big it up” and “brag” because of “a sence of entitlement” which gives rise to “war stories” to impress people with. Unlike the rest of society for criminals it generaly does not “pay to advertise” because some people will want to “bring a bragger down a peg or two” and “grass them up”.

But there is another problem with many criminals and it’s “easy money” syndrome, they often suffer from poor impulse control and start to live above their recognisable income level which is a red flag issue for the authorities. Another aspect of this is even when they put in place a “legend” to account for the income the “burn rate” is such they have to go back and do more crime and build up an MO by which they will eventually hang themselves.

In the UK something like 90% of crimes that are prosecuted come about because the criminals have been stupid after the execution phase in one way or another.

The effort and money involved with safely dealing with the proceads of crime is quite high and this has another asspect it’s like a “fixed cost”, that has to be covered by the proceads of crime year on year. The only two working solutions to this are very far out tails on the distribution curve. That is you do one very large “Big Crime” to cover the cost for the rest of your life, or you go for “the economies of scale” solution by doing hundreds if not thousands of very small crimes every year, where the cost of each crime is below a nominal threshold of “investigation cost”.

Now “investigation cost” is a funny thing because it has a very very large political element for LEA’s. A flashy “big crime” is newsworthy so has to be not just investigated but “be seen to be investigated” and thus must also “be seen to be solved”. Thus the actuall real monetary cost of investigation could actuall excead the proceads of the crime and suffer badly from the “bad money folows good” problem of “sunk costs” in that the more money spent on the investigation the more monet that “has to be spent” to keep up the political appearences. Traditional small crime has a similar political element, it becomes a nuisance or crime wave, which is then “newsworthy” and suffers the same problems.

Thus the type of crime you do must also have political considerations. As has been noted in the past “only the insurance companies care about victimless crime” whilst not entirely true it is an indicator that crimes of violence or crimes with identifiable victims are newsworthy, especialy if the victims arouse public sympathy (children, little old ladies, pets etc). But you have to be carefull because even victimless crime can attract fame / notoriety, and this is another red flag for the authorities causing a sharp rise in the political element of “investigation cost”.

Finding a “big crime” with no identifiable victims and little or no newsworthyness is possable but usualy requires specialised skills. One area is “white collar” crime where an insider takes an organisation for a very large sum due to poor internal controls. Whilst it might be newsworthy it’s rarely in the organisations interest to have such a crime become public because the reputational loss might well exceed the direct loss of the crime. As Nick Leason and others have shown it is possible with specialised insider knowledge to commit billion dollar crimes against financial institutions and they only came to light because the size of the loss could not be hidden by the organisation.

But does that get you off the hook, sadly no, often such organisations will turn to specialised recovery oparatives, who earn a fee on “monies recovered” they are like bounty hunters and some of these individuals and organisations are better than LEO’s. Some of their techniques are far from legal and they have (as in the case of Kroll Associates) considerably over steped the mark causing significant collateral damage including death and significant injury, which becomes public and causes the reputational damage that the original hireing organisation wished to avoid. Sometimes the organisations decide to investigate themselves, but as seen by the example of HP that can aslo go very bad and cause significant reputational damage, if not criminal investigation and legal censure.

However sometimes their are “Game Changers” such as the Internet, and certain types of small value crime do pay (faux Anti-Virus) even when those involved get caught and fined, but they usualy get followed by changes in legislation pushed through such as “anti-spam” legislation.

But few last because their success makes them a target and the political element needs a head on a pole to hang above the parapet so that “Justice can be seen to be done” even though it probably has not been done in actuality.

Oh one area where crime does appear to pay over and over is politics it’s self. We have of recent times seen various dictators toppled, in some cases they would have been alowed to walk off into the sunset with their ill gotten gains, but they had to much self delusion and ended up dead as a result of it. It will be interesting to see how it plays out in Russia over the next few months, but for obvious reasons I don’t want to be there whilst it happens.

Clive Robinson • December 13, 2011 10:35 AM

@ RobertT,

“so live in NZ trade from Nz but extract information from other regions”

Hey ho just one more reason to consider living there over and above, nice wine, weather, landscape, lower levels of stress and cost of living releative to income…

I did once consider moving to HK but, the hand back to Communist China concerned me. I do however have relatives living there and they definatly give me the impression I was over cautious…

Clive Robinson • November 5, 2012 2:00 PM

@ Peter t,

Why is open source software considered to be better?

What do you mean by better?

All software open or closed source can be considered good or bad depending on how you weight various asspects.

For instance some closed source software in vertical markets is very well supported better than many equivalent Open Source projects. However there are well known Open Source projects that are better supported than many well known commercial closed source products.

You have to weigh up what is important or not for each individual class of application.

When it comes to encryption programs I would certainly err on the side of caution and go for as much information as you can get. In this respect Open Source “could” be better as you have access to the source, however this is only an advantage if and only if you or those you trust can actually evaluate the code correctly. Even then you can only evaluate to the limit of your current knowledge, which may be out of date tomorrow…

What appears to be the case is that currently Open Source code is less of a low hanging fruit than closed source comercial software, even though the source is available. Which tends to sugest that having the source is not of necessity a requirment for looming fro/finding suitable attack vectors. So the argument between which is better between Open&Closed software may not be of relevance to attackers.