PV204 Security technologies File and disk encryption – lab intro Milan Brož xbroz@fi.muni.cz Faculty of Informatics, Masaryk University Laboratory – FDE attack examples Basic understanding of some tools and hw VeraCrypt, LUKS, chip-based encryption I. HW key-logger attack (remote => video only) II. Scanning memory image for encryption key ColdBoot attack principle III. Flawed algorithm and watermarking Revealing TrueCrypt hidden disk existence (CBC) 2 | PV204 File and disk encryption Environment setup VirtualBox virtual machine (in IS) • note: image is large >4GB (disk-encrypted Linux) • slightly modified Debian Linux • Login: pv204 • Password: pv204 (including root/sudo and disk unlock) VM has all tools prepared. You can use own distro, but some tools need to be installed locally: • TrueCrypt 7.1a (last non-crippled version) • VeraCrypt 1.2x • Cryptsetup 2.x (distro provides it) • Patched AesKeyfind – in Exercise2_aeskeyfind.zip or https://github.com/mbroz/aeskeyfind • Small utilities for Exercise 3 – in Exercise3_tc_cbc_hidden_attack.zip 3 | PV204 File and disk encryption Demo • Storage in Linux • lsblk command • device-mapper dm-crypt (disk encryption), dmsetup • cryptsetup (LUKS: open, dump metadata) • CBC benchmark (encryption/decryption speed) • VeraCrypt intro • basic concepts (RNG, key-derivation, encryption, chained ciphers) • create AES encrypted container for key search 4 | PV204 File and disk encryption 5 | PV204 File and disk encryption Display storage stack (with some encryption devices) 6 | PV204 File and disk encryption cryptsetup benchmark Display volume key for active dm-crypt device 7 | PV204 File and disk encryption cryptsetup metadata dump / VeraCrypt and LUKS1 device 8 | PV204 File and disk encryption cryptsetup dump of volume key 9 | PV204 File and disk encryption EXERCISE II KEY FROM MEMORY IMAGE How to dump VirtualBox memory image For exercise II. you need to get content (dump) of memory from running VM. In Exercise2_aeskeyfind.zip are scripts for Linux/Windows • Vbox_save_memcore.bat or • linux/vbox_save_memcore_linux If you have different paths, it needs some tweaks – script contains only: vboxmanage debugvm pv204_fde dumpvmcore --filename memcore.img Then use memcore.img as parameter for aeskeyfind command. You can try another images, or other FS; VMware VM paused images etc. 10 | PV204 File and disk encryption AESkeyfind output example 11 | PV204 File and disk encryption Image analysis on host dm-crypt key (from VeraCrypt container) Questions for you: • What are other keys? • Why some keys repeats? • Why is VeraCrypt key printed swapped? 12 | PV204 File and disk encryption EXERCISE III WRONGLY USED CBC MODE 13 | PV204 File and disk encryption EXERCISE I HW KEYLOGGER Simple HW Keylogger Demo 14 | PV204 File and disk encryption HW Keylogger – KeyDaemon module 15 | PV204 File and disk encryption