PV204: Disk encryption Laboratory of Security and Applied Cryptograph (LaBAK) May 7, 2012 1 Introduction Confidentiality and authenticity of user files is typically protected with PGP or other encryption tools (ZIP with password, etc). The biggest disadvantage of this approach is the need for explicit encryption and decryption of the file. It must be decrypted before it can be read or modified and it must be re-encrypted afterwards. Disk encryption counters those disadvantages. It allows transparent protection of whole disk volumes (or directories) without any user intervention (other than entering the password). This seminar will focus on those methods implemented in 3 different tools. EncFS Easy-to-use pass-thru cryptographic filesystem, that uses 2 directories: encrypted source directory and virtual destination directory, which allows an user (when mounted) to transparently access the files in the source directory. Encrypted directory has the same structure as the decrypted one, but file names and their content is always encrypted. Disadvantage of this approach is that an adversary is then able to see meta data, i.e. how many files are in the source directory, what are their permissions, approximate size, times of last access or modification, etc. We will configure and use own encrypted folder via Cryptkeeper GUI in one of the exercises. Advantages of pass-thru system vs an encrypted block device [9]: • Size. An empty EncFS filesystem consists of a couple dozen bytes and can grow to any size without needing to be reformatted. With a loopback encrypted filesystem, you allocate a filesystem ahead of time with the size you want. Depending on the filesystem, there may be ways of resizing it later, but that requires user intervention. • Automated Backups: An EncFS filesystem can be backed-up on a file-by-file basis. A backup program can detect which files have changed, even though it won’t be able to decipher the files. This way backups can be made without needing to mount the encrypted filesystem. • Layering / Separation of Trust: EncFS can be layered on top of other filesystems in order to add encryption to unencrypted filesystems. This also allows you to store data on filesystems you trust for storage but not for security. For example, EncFS could be used on top of a CD, or a remote NFS filesystem, Samba share, or perhaps even GMail storage using GMailFS. 1 TrueCrypt TrueCrypt is nowadays pretty popular multiplatform tool for transparent disk encryption. It allows an user to create a virtual encrypted block device within a partition or a regular file. This virtual disk can be formatted as if it was a physical device and mounted. Encrypted virtual volume starts always with the volume header (128 KB of data), which is encrypted with key derived from entered user password or submitted keyfile. When decrypted, the header contains master keys, which can be used for encryption and decryption of the whole volume. Therefore there is no need to reencrypt the volume when changing the password. In addition, TrueCrypt support steganography and allows to create a hidden virtual volume within another volume, which existence can’t be proved (if all precautions are followed). We will use this method to create a hidden virtual volume, that will be embedded into an innocent-looking video file. Cryptoloop Disk encryption kernel module for Linux, that can create encrypted block device, similarly to TrueCrypt. Cryptoloop encrypts/decrypts the volume directly with key derived from password. When used with weak modes of operations, it is vulnerable to multiple attacks. We will demonstrate watermark attack on AES-CBC as described in [6]. Cryptoloop has been marked deprecated and it’s successor is dm-crypt, which has basically the same functionality. 1.1 Modes of operation Block-cipher modes of operation play an important role in the security of transparent disk encryption. Unlike in regular file encryption, in disk encryption it is crucial to have a random access into the encrypted volume. Therefore it is unacceptable to use such a chaining-mode, in which change in the first sector will affect all the following ones. EBC mode will obviously meet this random access requirement, but will provide only weak security, as shown in Fig. 1. Similarly, CTR mode and CBC with predictable IVs (usually derived from sector number) are weak and there are multiple known attacks against them. Some of the examples of attacks on CBC are [8]: • Corrupt. Corruption of chosen data blocks is difficult to detect. As CBC decryption has little error propagation, modifying a ciphertext block within sector will only corrupt the corresponding plaintext block (8 or 16 bytes) and cause chosen bit changes the one block immediately following it. • Move. It is easy to shift multiple ciphertext blocks anywhere within the hard disk. Only the first plaintext block will be corrupted. This allows ”cut & paste” attacks. • Revert. It is possible to revert chosen sectors to their previous values without detection. An attacker can from two ciphertext images detect where the changes lie and choose the sectors to be reverted accordingly. In CBC mode, the IV must depend at least on both the encryption key and sector number (tweak value). Nowadays it is recommended to use modes of operations designed specifically for disk encryption, like XTS [1]. 2 Figure 1: Result of statistical analysis on image encrypted in ECB mode [7] 2 Exercises During the exercises, we will use prepared Virtual Machine PV204 (Ubuntu 11.04). VM can be run in Oracle VirtualBox. User name: pv204 Password: pv204 Note: User pv204 is a member of group admin and can run superuser commands via sudo, e.g. sudo ls /root. 2.1 Exercise: EncFS Disk Encryption During this exercise, we will try out how to work with EncFS via Cryptkeeper GUI. 1. Open Cryptkeeper by clicking on icon on main panel or by command-line (cryptkeeper). 2. Create new encrypted folder (LEFT click on icon with keys in tray). • Choose name of your new encrypted folder (e.g. Encrypted) and open directory, where it will be placed (e.g. Documents). • Click Forward, enter you password and Cryptkeeper should automatically create and mount encrypted folder (via EncFS). 3. Test your new encrypted folder. • Use mounted folder (create some directories and files) and observe how is the underlying hidden folder beeing modified. • Note: You can view hidden files in Nautilus via View → Show Hidden Files (CTRL+H). • For mounting/dismounting use again Cryptkeeper, there should be already bookmark for your directory. The volume can be also easily mount and dismount directly from command line. # In daemon mode the paths MUST be absolute pv204@pv204 -VirtualBox:$ encfs ~/ Documents /. Encrypted_encfs ~/ Documents/Encrypted pv204@pv204 -VirtualBox:$ mount ... encfs on /home/pv204/Documents/Encrypted type fuse.encfs (rw ,nosuid ,nodev ,...) pv204@pv204 -VirtualBox:$ sudo umount ~/ Documents/Encrypted 3 2.2 Exercise: Steganography with TrueCrypt During this exercise, we will try out practical steganography with TrueCrypt, as described in [4]. Our goal will be to hide TrueCrypt volume in QuickTime / MP4 video file. When opened in media player, the file will appear as a regular media file. However, when opened via TrueCrypt, the file will act as a virtual volume and can be mounted. See [4] for more information. All the necessary files are located in /home/pv204/Documents/Steganography with TrueCrypt. Sample video file sample iTunes.mov was downloaded from Apple’s web site [5]. 1. Try to play sample iTunes.mov in some media player (Totem Media Player). Doubleclick on sample iTunes.mov or use command-line (totem sample iTunes.mov). 2. Open TrueCrypt and create new hidden volume. Click on TrueCrypt icon on main panel or use command-line (truecrypt). • Use standard wizard: Create Volume → Encrypted file container → Hidden Vol- ume. • Save virtual volume to file test video.mov in directory Steganography with TrueCrypt. • Continue with the wizard, use default options, choose outer volume size 5 MB, inner volume size 4 MB and make sure outer and inner volume passwords are different. • After the volume has been created, test mounting it with both outer and inner passwords (don’t write anything in outer volume, you could damage the hidden inner one). 3. Run script embed video.sh (make sure the volume test video.mov is dismounted). • OR run script tcsteg.py with 2 arguments, video file sample iTunes.mov and volume file test video.mov. 4. Test your new hybrid video/volume file test video.mov, which can be both played and mounted (with the inner password). 2.3 Exercise: Cryptoloop Watermark Exploit First we create 5 MB Cryptoloop AES-CBC virtual encrypted disk and format it with ext3. pv204@pv204 -VirtualBox:$ cd /home/pv204/Documents/ Cryptoloop_Watermark_Exploit / # create 5 MB random file disk.img pv204@pv204 -VirtualBox:$ dd if=/dev/urandom bs=1M count =5 of=disk.img 5+0 records in 5+0 records out 5242880 bytes (5.2 MB) copied , 0.872662 s, 6.0 MB/s # associate virtual device /dev/loop0 with disk.img # (first password is for sudo , second one is for encrypted device) pv204@pv204 -VirtualBox:$ sudo losetup -e aes -cbc /dev/loop0 disk.img [sudo] password for pv204: Password: # format this virtual device pv204@pv204 -VirtualBox:$ sudo mkfs.ext3 /dev/loop0 mke2fs 1.41.14 (22-Dec -2010) Filesystem label= OS type: Linux Block size =1024 (log =0) ... # detach loop device /dev/loop0 pv204@pv204 -VirtualBox:$ sudo losetup -d /dev/loop0 # mount disk.img to /media/cryptoloop pv204@pv204 -VirtualBox:$ sudo mount -o loop ,encryption=aes -cbc disk.img /media/cryptoloop/ Password: # check whether it was mounted successfully pv204@pv204 -VirtualBox:$ mount ... /dev/loop0 on /media/cryptoloop type ext3 (rw ,encryption=aes -cbc) # set permission for user pv204 pv204@pv204 -VirtualBox:$ sudo chown pv204:pv204 /media/cryptoloop/ 4 The encrypted file system from disk.img should be mounted and accessible by now. It’s time to try out the Watermark Exploit [6]. Cryptoloop with AES-CBC encryption uses predictable IVs and as mentioned before, it is not considered secure. With the knowledge about the structure of its file system (block size 1024) and IVs (sector numbers), the attacker is able to detect presence of specially modified (watermark) files within encrypted disk. The attacker is basically trying to modify the files so that the XOR difference of first AES blocks of two consecutive sectors matches the XOR difference of their sector numbers. With first blocks in CBC mode this would cause the corresponding ciphertext blocks to be equal and thus the presence of such files would be detectable without the knowledge of the correct password. Since the majority of the file can be left unchanged, such watermarks can be easily embedded into JPEG pictures, MP3 music files, etc. Details of the attack are discussed in [8]. # we want to create watermarked file , that would encode ASCII text "LaBAK" (76 97 66 65 75) # create watermarked file labak_watermarks and place it in mounted encrypted volume pv204@pv204 -VirtualBox:$ ./ create -watermark -encodings 10:76 11:97 12:66 13:65 14:75 > \ > /media/cryptoloop/ labak_watermarks # unmount the volume pv204@pv204 -VirtualBox:$ sudo umount /media/cryptoloop/ # run the exploit - detect the presence of watermarks in ENCRYPTED file pv204@pv204 -VirtualBox:$ cat disk.img | ./detect -watermark -encodings 5242880 bytes scanned watermark encoding 10, count 76 watermark encoding 11, count 97 watermark encoding 12, count 66 watermark encoding 13, count 65 watermark encoding 14, count 75 3 Assignment There should be a file assignment.zip in study materials, which contains: • virtual volume.tc - TrueCrypt virtual volume • virtual volume header master keydata - Dumped master keys File virtual volume.tc contains virtual volume created by TrueCrypt 7.0a, which is protected by 14-characters long password. When mounted successfully, volume contains single text file password.txt, which contains plain-text password to the volume. Your task is to decrypt the volume and get the original password. Of course, the task would be pretty hard without the master keys to the volume. File virtual volume header master keydata contains concatenated primary and secondary master key1 . You are expected to implement XTS-AES decryption, according to IEEE 1619-2007[1]. Correct solution should contain decrypted volume, discovered password and source code of the tool, which you created and used for this decryption. For more details on TrueCrypt see [2] and [3]. Virtual volume details: • Filesystem FAT (FAT12) • Encrypted with AES in XTS mode, AES block length 128b • Primary key length 256b, secondary key length 256b, data unit size 512B 1 Decrypted part of volume header, bytes 256 - 512. 5 Figure 2: Volume decrypted using provided master keys Figure 3: Decryption of first data block of volume 3.1 Notes You can find XTS-AES encryption pseudocode in [1], Annex C. The same pseudocode can be used for decryption with only small modifications. The volume uses FAT filesystem, so when you decrypt the volume, the content of text file password.txt should be easily readable, see Fig. 2. You can use TrueCrypt build-in test tool (Menu → Tools → Test Vectors) for testing your code, see Fig. 3. 6 References [1] The XTS-AES Tweakable Block Cipher, http://axelkenzo.ru/downloads/ 1619-2007-NIST-Submission.pdf [2] TrueCrypt Modes of Operation, http://www.truecrypt.org/docs/?s= modes-of-operation [3] TrueCrypt Volume Format Specification, http://www.truecrypt.org/docs/?s= volume-format-specification [4] Real Steganography with TrueCrypt, http://keyj.s2000.at/?p=458 [5] QuickTime: Sample files, http://support.apple.com/kb/HT1425 [6] Linux Cryptoloop Watermark Exploit, http://www.securiteam.com/exploits/ 5UP0P1PFPM.html [7] Markku-Juhani O. Saarinen, HERRING - Crafting a Cipher for Sector-Level Encryption, http://mareichelt.de/pub/notmine/herring061103.pdf [8] Markku-Juhani O. Saarinen, Encrypted Watermarks and Linux Laptop Security, http: //mareichelt.de/pub/notmine/wisa2004.pdf [9] EncFS Introduction, http://www.arg0.net/encfsintro 7