Here's a good way to protect your files. Mr. Giles explains how to encrypt your entire file system rather than individual files.
by Bear Giles
In one episode of ``Miami Vice'' Crockett and Tubbs have managed to gain access to a drug runner's computer, only to be stymied by its insistence on a password before presenting incriminating evidence. Not to worry--after only three unsuccessful guesses, the helpful computer offered to reveal the secret password to our heroes. It's easy to laugh at this plot development, but many otherwise intelligent people continue to do equally dumb things.
Consider the law office where legal papers are always kept in locked cabinets behind locked doors. Every computer on the LAN also has access to the ``password-protected'' word processing documents, but the encryption can be broken in seconds with readily available software. The name of this program, and the files it can crack, are in the sci.crypt FAQ. These files could be retrieved by a hostile agent ``working'' for a cleaning contractor.
Or consider the company with sales offices spread nationwide. Highly sensitive pricing and contact information is distributed on CD-ROM discs, which are discarded as soon as each new disc arrives. Alternately, a salesman may have his laptop stolen while on the road. (See Practical UNIX and Internet Security, Garfinkel and Spafford, O'Reilly and Associates, 1996.)
Or consider the individual computer owner who leaves his system in a shop for free installation of an upgrade. One of the employees quietly copies a few files, and by the time the victim learns of the extent of the identity theft it's too late--he's already recommended the same shop to several of his friends for the unusually good service.
For every complex problem there is an answer that is clear, simple and wrong. --H. L. MenckenThe simple solution to these problems is file encryption. But this solution is flawed for several reasons:
Our solution is to encrypt the entire file system. User programs see a regular file system--perhaps even a file system that natively supports encryption. An attacker who can only see the physical disk sees garble.
This approach is not perfect. Most notably, some implementations could leave decrypted data visible in the disk cache. That is a minor problem with the cache in core (if an attacker has compromised root, you have more serious problems), but a major problem if these pages get written to swap.
On the other hand, the kernel ensures that disk sectors are decrypted during reads and re-encrypted during writes. The impact on users is minimal. In one practical scenario, a ``responsible individual'' will mount the encrypted file system in the morning. (This requires the encryption key.) In the evening, the last person to leave could unmount the file system, or it could be automatically unmounted by a cron job.
Better the devil we know... --AnonymousWe've agreed on the desirability of encrypting file system. But which encryption algorithm should we use? The wrong choice will leave us with a false sense of security.
Writing our own encryption routines is one possibility. The downside is encryption algorithms are notoriously difficult to properly design and implement. The problem is that the designer does not know what others will find difficult. He only knows what he finds difficult. Mathematics is littered with the bodies of ``difficult'' problems which became trivial after one person had a flash of insight.
As a practical matter, we should limit our search to well-known encryption algorithms. This has the additional benefit of allowing us to share encrypted file systems with others with a minimum amount of hassle.
The first encryption algorithm learned by most programmers is the lowly xor algorithm. To encrypt the data, we XOR it with the key (modulo the length of the key, if we use multi-byte encryption). To decrypt the data, we XOR it with the key again.
DES has a controversial past. It was a government-endorsed algorithm for non-classified use, but some people believe that the government deliberately introduced weaknesses. On the other hand, decades of research have revealed only relatively modest weaknesses. It is economically feasible for a large company to build a DES-cracking machine.
DES was designed for hardware implementations--and is difficult to implement efficiently in software. IDEA was designed around the low-level operations common on small processors. It is not a U.S. federal standard and wasn't weakened by the dreaded TLAs (three letter acronyms, such as DEC and FBI). On the other hand, while the TLAs have undoubtedly analyzed it, they aren't talking.
RSA encryption is a relatively ineffective algorithm. Many people feel that the primary weakness with PGP lies in the 1024-bit RSA encryption of the IDEA key, not the IDEA encryption of the actual data.
Fools rush in where angels fear to tread. --Alexander PopeUndoubtedly, some people now feel the urge to run out and write an encrypting file system. The rest of us turn to the Cypherpunks. They have published a set of patches to the 2.0.11 kernel which implement DES and IDEA encryption in ``loopback'' devices. The primary source for these patches is at: ftp://ftp.csua.berkeley.edu/pub/cypherpunks/filesystems/linux.
There are four patches:
The source code in crypto-2.0.11.patch implements DES and IDEA encryption and cannot be legally exported, even though this source is readily available worldwide. Violating export restrictions will not aid the effort to promote the free use of strong encryption, since the government could use this as proof of the need for stronger restrictions on domestic distribution.
Building the new kernel is no different than applying any other set of patches. The latest stable kernel release for which this works is 2.0.30. For convenience, I will assume it is stored in /usr/src/linux-2.0.30.tar.gz. Next, build a reference version of the kernel. Then, follow these steps:
cd /usr/src rm linux tar xzpf linux-2.0.30.tar.gz mv linux linux-2.0.30.efs ln -s linux-2.0.30.efs linuxI applied the patches using these commands:
cd linux patch < ./cryptfs/export-2.0.11.patch patch < ./cryptfs/loopfix-2.0.11.patch patch < ./cryptfs/crypto-2.0.11.patchI fixed problems using these commands:
mv *.h linux/include/linux mv des.c linux/kernel mv idea.c linux/drivers/block mv loopfix.txt linux/Documentation
od -x /dev/urandom | moreGiving this command produced kernel warning messages. If this happens to you, reinstall the kernel source and patches and check your warnings carefully.
Find a couple of blank floppies on which to test an encrypted file system. Then, create an encrypted file system using DES encryption:
# dd if=/dev/urandom of=/dev/fd0 bs=1k count=1440 # losetup -e des /dev/loop0 /dev/fd0 Pass phrase: des test # mke2fs /dev/loop0 # losetup -d /dev/loop0A couple of notes about this example:
Finally, create one more pair of disks which use different passwords. (If you want to be unusually perverse, use your previous IDEA test pass phrase on your second DES test disk and vice versa.)
Now we're ready to mount these disks. First, try to mount the floppies using a standard mount command:
# mount /dev/fd0 /mnt -text2These commands should fail with ``can't find an EXT2 file system.'' Now try mounting each floppy again:
# mount /dev/fd0 /mnt -text2,loop,encryption=idea # mount /dev/fd0 /mnt -text2,loop,encryption=desIn each case you should be prompted for a pass phrase. Needless to say, you should not be able to mount the DES encrypted disk when specifying IDEA encryption, and vice versa. Likewise, you should not be able to mount the DES encrypted disk 1 with the second password or vice versa, and you should be able to mount the file system when you specify the correct encryption format and password.
This is another area where gremlins have appeared on my system. Once IDEA encryption worked fine but /dev/urandom failed; in another case, /dev/urandom worked but IDEA encryption produced kernel warnings on every even sector.
Now a few more tests. Edit the /etc/fstab file to add these entries:
/dev/fd0 /mnt/des ext2 defaults,noauto,loop,encryption=des 0 0 /dev/fd0 /mnt/idea ext2 defaults,noauto,loop,encryption=idea 0 0Try to mount your test disks on /mnt/des and /mnt/idea. Once again you should be prompted for a pass phrase and will be successful only when encryption algorithm and pass phrases match.
Finally, reboot your system and repeat these tests. If possible, install the modified kernel on a second system and verify that you can exchange media between the systems. Such is life on the bleeding edge of technology.
Now that we have encrypted file systems, what can we do?
Even taking a cursory glance at the trends of security software, one notices recurring themes. Encrypted file systems protect the data on disks. SSH (Secure Shell) encrypts and authenticates communications. Secure-RPC (remote procedure call) encrypts interprocess communications. RPM authenticates software upgrades.
Is there any question that encryption and authentication routines belong in the kernel? Encryption keys could be stored with each device and process, and with negotiations for unique session keys automatically mediated between any process within and without the system that desired it. There would not be needless duplication of identical routines, or worries about export restrictions since these issues would have already been addressed. If necessary the encryption routines could be localized to a loadable module, although that raises certain security issues.
The downside is anyone with root access can grab the encryption keys from the system tables; however, once root is compromised all bets are off anyway. On the other hand, supplying strong encryption and authentication services in the kernel should reduce the risk of root becoming compromised. Also, DH key negotiation means that my keys aren't compromised even if I'm talking to someone who is compromised.
Bear Giles, bear@coyotesong.com, of Coyote Song LLC, is a UNIX Consultant with almost 15 years of experience. He has used Linux at home since pre-0.99 days.