• Disk encryption. Data protection on an external HDD or fully encrypted

    These days we constantly deal with information. Thanks to the development of information technology, work, creativity and entertainment have largely become processes of producing or consuming information. Among this huge amount of information there is data that should not be publicly available: files and data connected with business activities, private archives, and so on.

    Some of this data is kept from the general public simply because “they don’t need to know about it”; some of it is vital.

    This article is about reliably protecting such vital information, and any files you want to keep from others, even if your computer or storage media (flash drive, hard drive) falls into the hands of unauthorized persons, including technically skilled ones with access to powerful computing resources.

    Why you shouldn't trust closed-source encryption software

    Closed-source programs can contain backdoors (“bookmarks” in the original; and don’t hope they aren’t there!) and the ability to open encrypted files with a master key. That is, you can use the most complex password imaginable, and your encrypted file can still be opened with ease, without any password brute-forcing, through the backdoor or by the holder of the master key. The size of the encryption software company and the country it is in do not matter here, since this is part of the government policy of many countries. After all, we are surrounded by terrorists and drug dealers all the time (what can you do?).

    That is, truly strong encryption can be achieved by properly using popular open-source software and an encryption algorithm that cannot be broken in practice.

    Is it worth switching from TrueCrypt to VeraCrypt?

    The reference program that has provided very secure file encryption for many years is TrueCrypt. It still works well. Unfortunately, its development has been discontinued.

    Its best successor was the VeraCrypt program.

    VeraCrypt is a free disk encryption software based on TrueCrypt 7.1a.

    VeraCrypt continues the best traditions of TrueCrypt, but adds enhanced security to the algorithms used to encrypt systems and partitions, making your encrypted files immune to new advances in brute-force attacks.

    VeraCrypt has also fixed many of the vulnerabilities and security issues found in TrueCrypt. It can work with TrueCrypt volumes and offers the ability to convert TrueCrypt containers and non-system partitions to the VeraCrypt format.

    This improved security only adds some latency when opening encrypted partitions; there is no performance impact while working with the mounted encrypted drive. For the legitimate user this is an almost imperceptible inconvenience, but for an attacker it becomes practically impossible to gain access to the encrypted data, no matter what computing power is available.

    This is clearly shown by the following Hashcat password-cracking (brute-force) benchmarks:

    For TrueCrypt:

    Hashtype: TrueCrypt PBKDF2-HMAC-RipeMD160 + XTS 512 bit
    Speed.Dev.#1.: 21957 H/s (96.78ms)
    Speed.Dev.#2.:  1175 H/s (99.79ms)
    Speed.Dev.#*.: 23131 H/s

    Hashtype: TrueCrypt PBKDF2-HMAC-SHA512 + XTS 512 bit
    Speed.Dev.#1.:  9222 H/s (74.13ms)
    Speed.Dev.#2.:  4556 H/s (95.92ms)
    Speed.Dev.#*.: 13778 H/s

    Hashtype: TrueCrypt PBKDF2-HMAC-Whirlpool + XTS 512 bit
    Speed.Dev.#1.:  2429 H/s (95.69ms)
    Speed.Dev.#2.:   891 H/s (98.61ms)
    Speed.Dev.#*.:  3321 H/s

    Hashtype: TrueCrypt PBKDF2-HMAC-RipeMD160 + XTS 512 bit + boot-mode
    Speed.Dev.#1.: 43273 H/s (95.60ms)
    Speed.Dev.#2.:  2330 H/s (95.97ms)
    Speed.Dev.#*.: 45603 H/s

    For VeraCrypt:

    Hashtype: VeraCrypt PBKDF2-HMAC-RipeMD160 + XTS 512 bit
    Speed.Dev.#1.:    68 H/s (97.63ms)
    Speed.Dev.#2.:     3 H/s (100.62ms)
    Speed.Dev.#*.:    71 H/s

    Hashtype: VeraCrypt PBKDF2-HMAC-SHA512 + XTS 512 bit
    Speed.Dev.#1.:    26 H/s (87.81ms)
    Speed.Dev.#2.:     9 H/s (98.83ms)
    Speed.Dev.#*.:    35 H/s

    Hashtype: VeraCrypt PBKDF2-HMAC-Whirlpool + XTS 512 bit
    Speed.Dev.#1.:     3 H/s (57.73ms)
    Speed.Dev.#2.:     2 H/s (94.90ms)
    Speed.Dev.#*.:     5 H/s

    Hashtype: VeraCrypt PBKDF2-HMAC-RipeMD160 + XTS 512 bit + boot-mode
    Speed.Dev.#1.:   154 H/s (93.62ms)
    Speed.Dev.#2.:     7 H/s (96.56ms)
    Speed.Dev.#*.:   161 H/s

    Hashtype: VeraCrypt PBKDF2-HMAC-SHA256 + XTS 512 bit
    Speed.Dev.#1.:   118 H/s (94.25ms)
    Speed.Dev.#2.:     5 H/s (95.50ms)
    Speed.Dev.#*.:   123 H/s

    Hashtype: VeraCrypt PBKDF2-HMAC-SHA256 + XTS 512 bit + boot-mode
    Speed.Dev.#1.:   306 H/s (94.26ms)
    Speed.Dev.#2.:    13 H/s (96.99ms)
    Speed.Dev.#*.:   319 H/s

    As you can see, cracking VeraCrypt containers is several orders of magnitude harder than cracking TrueCrypt containers (which are themselves not at all easy).
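    To see where this gap comes from, here is an added example (not code from the article or from VeraCrypt) that times a PBKDF2 header-key derivation at a TrueCrypt-sized and a VeraCrypt-sized iteration count and projects a guess rate measured at one count onto the other. The iteration counts, and the formula relating VeraCrypt's PIM setting (which the system-encryption section further down mentions) to an iteration count, are my understanding of VeraCrypt's defaults, not figures from the article, and are parameters you can change:

```python
"""PBKDF2 cost: why VeraCrypt volumes unlock more slowly and brute-force more slowly.

Added example; not code from the article or from VeraCrypt. It uses hashlib's
PBKDF2-HMAC, the primitive both header key derivations are built on. The
iteration counts and the PIM formulas are my understanding of VeraCrypt's
defaults (assumptions, not figures stated in the article) and are parameters.
"""
import hashlib
import os
import time

# Assumed header-KDF defaults for a file container with PBKDF2-HMAC-SHA512:
# TrueCrypt 7.1a used 1000 iterations, VeraCrypt uses 500000.
TRUECRYPT_ITERATIONS = 1_000
VERACRYPT_ITERATIONS = 500_000
SALT_LEN = 64            # both formats keep a 64-byte random salt in the volume header
HEADER_KEY_LEN = 64      # enough key material for the two XTS keys of the header


def veracrypt_iterations(pim, system_encryption=False):
    """Map a Personal Iterations Multiplier (PIM) to a PBKDF2 iteration count.

    Assumed formulas: file containers and non-system volumes use
    15000 + PIM * 1000 (default 500000 when PIM is 0); system encryption with
    its default SHA-256 hash uses PIM * 2048 (default 200000 when PIM is 0).
    """
    if pim < 0:
        raise ValueError("PIM must be non-negative")
    if system_encryption:
        return pim * 2048 if pim else 200_000
    return 15_000 + pim * 1000 if pim else VERACRYPT_ITERATIONS


def derive_header_key(password, salt, iterations, hash_name="sha512"):
    """One header-key derivation: the cost of one unlock, or of one guess."""
    return hashlib.pbkdf2_hmac(hash_name, password.encode("utf-8"), salt,
                               iterations, dklen=HEADER_KEY_LEN)


def seconds_per_derivation(iterations, hash_name="sha512", rounds=3):
    """Wall-clock cost of one derivation on this machine (best of `rounds`)."""
    salt = os.urandom(SALT_LEN)
    best = float("inf")
    for _ in range(rounds):
        t0 = time.perf_counter()
        derive_header_key("example password", salt, iterations, hash_name)
        best = min(best, time.perf_counter() - t0)
    return best


def scale_guess_rate(rate_per_second, from_iterations, to_iterations):
    """PBKDF2 cost is linear in the iteration count, so a guess rate measured at
    one count projects to another by the ratio of the two counts."""
    return rate_per_second * from_iterations / to_iterations


if __name__ == "__main__":
    for name, iters in (("TrueCrypt", TRUECRYPT_ITERATIONS),
                        ("VeraCrypt", VERACRYPT_ITERATIONS)):
        cost = seconds_per_derivation(iters)
        print(f"{name:10s} {iters:>7d} iterations: {cost * 1000:8.1f} ms per unlock, "
              f"{1 / cost:10.1f} guesses/s on one CPU core")
    # The article's hashcat figure for TrueCrypt SHA-512 headers was 13778 H/s.
    projected = scale_guess_rate(13778, TRUECRYPT_ITERATIONS, VERACRYPT_ITERATIONS)
    print(f"13778 H/s at {TRUECRYPT_ITERATIONS} iterations projects to roughly "
          f"{projected:.1f} H/s at {VERACRYPT_ITERATIONS} (the article measured 35 H/s)")
    print("PIM 485 ->", veracrypt_iterations(485), "iterations (the file-container default)")
```

    The defence here is purely economic: nothing about the cipher changes, only the price per guess, so a weak password is still a weak password, just a few hundred times slower to try.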

    I published the full benchmark and description of the hardware in the article “”.

    The second important question is reliability. No one wants to lose valuable files and information to a software error. I knew about VeraCrypt as soon as it appeared. I followed its development and kept a close eye on it. Over the past year I have completely switched from TrueCrypt to VeraCrypt. In a year of daily use, VeraCrypt has never let me down.

    Thus, in my opinion, it is now worth switching from TrueCrypt to VeraCrypt.

    How VeraCrypt works

    VeraCrypt creates a special file called a container. The container is encrypted and can only be mounted after the correct password is entered. Once mounted, the container appears as an additional disk (like an inserted flash drive). Any files placed on this disk (i.e., in the container) are encrypted. While the container is mounted you can freely copy, delete, write and open files. Once the container is unmounted, all files in it become completely inaccessible until it is mounted again, i.e. until the password is entered.

    Working with files in an encrypted container is no different from working with files on any other drive.

    When opening a file or writing it to the container there is no waiting for decryption; everything happens very quickly, as if you were working with a regular disk.

    How to Install VeraCrypt on Windows

    There was a story worthy of a spy novel around TrueCrypt: sites were created for “downloading TrueCrypt” where the binary (of course!) was infected with a virus or Trojan. Those who downloaded TrueCrypt from these unofficial sites infected their computers, letting attackers steal personal information and spread further malware.

    In fact, all programs should be downloaded only from official websites. And this is even more true for programs that address security issues.

    The official download locations for VeraCrypt installation files are:

    Installing VeraCrypt on Windows

    There is an installation wizard, so installing VeraCrypt is much like installing any other program. A few points are worth clarifying.

    The VeraCrypt installer will offer two options:

    • Install (install VeraCrypt on your system)
    • Extract (extract only. If you select this option, all files in the package are extracted, but nothing is installed on the system. Do not select this if you intend to encrypt the system partition or system drive. It can be useful, for example, if you want to run VeraCrypt in so-called portable mode: VeraCrypt does not have to be installed on the operating system it runs on. After extracting the files you can run the extracted “VeraCrypt.exe” directly, and VeraCrypt will open in portable mode.)

    Leaving the checked option enabled, i.e. the association with the .hc file extension, adds convenience: if you create a container with the .hc extension, double-clicking the file will start VeraCrypt. The downside is that third parties may know that .hc files are encrypted VeraCrypt containers.

    The program reminds you to donate:

    If you are not short of money, do help the author of this program (he works alone); I would not want to lose him the way we lost the author of TrueCrypt...

    VeraCrypt Instructions for Beginners

    VeraCrypt has many different functions and advanced features, but the most popular is file encryption. The following shows step by step how to encrypt one or more files.

    Let's start by switching the interface to Russian. Russian is already built into VeraCrypt; it just needs to be turned on. To do this, in the Settings menu select Language…:

    There, select Russian, after which the program language will immediately change.

    As already mentioned, files are stored in encrypted containers (also called “volumes”). So you need to start by creating such a container; to do this, click the “Create Volume” button in the main window of the program.

    The VeraCrypt Volume Creation Wizard appears:

    We are interested in the first option (“Create an encrypted file container”), so we press Next without changing anything.

    VeraCrypt has a very interesting feature: the ability to create a hidden volume. The idea is that not one but two containers are created in the file. Everyone, including possible ill-wishers, knows that there is an encrypted volume, and if you are forced to hand over your password it is hard to claim that “there is no encrypted disk.” When a hidden volume is created, two encrypted containers are created inside one file, but they are opened with different passwords. That is, you can put files that look “sensitive” in one container and the really important files in the other. For your own needs you enter the password that opens the important volume. If you cannot refuse, you reveal the password for the less important one. There is no way to prove that a second volume exists.

    For many cases (hiding not very critical files from prying eyes) a regular volume is enough, so I just click Next.

    Select file location:

    The VeraCrypt volume can be located in a file (VeraCrypt container) on a hard drive, USB flash drive, etc. A VeraCrypt container is no different from any other regular file (for example, it can be moved or deleted like other files). Click the "File" button to specify the name and path to the container file to be created to store the new volume.

    NOTE: If you select an existing file, VeraCrypt will NOT encrypt it; this file will be deleted and replaced with the newly created VeraCrypt container. You can encrypt existing files (later) by moving them to the VeraCrypt container you are creating now.

    You can choose any file extension; it does not affect the operation of the encrypted volume in any way. If you choose the .hc extension and associated VeraCrypt with it during installation, double-clicking the file will launch VeraCrypt.

    The list of recently opened files lets you get back to them quickly. However, entries in your history like “H:\My offshore accounts with stolen dollars.doc” may raise doubts in outsiders' minds about your integrity. To keep files opened from an encrypted disk out of the history, check the box next to “Don't save history”.

    Choosing the encryption and hash algorithms. If you are not sure what to choose, leave the defaults:

    Enter the volume size and select the unit (kilobytes, megabytes, gigabytes, terabytes):

    A very important step is setting a password for your encrypted disk:

    A good password is very important. Avoid passwords consisting of one or more dictionary words (or combinations of 2, 3 or 4 such words). The password must not contain names or dates of birth. It should be hard to guess. A good password is a random combination of upper- and lower-case letters, digits and special characters (@ ^ = $ * + etc.).

    Now you can again use Russian letters as passwords.
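    As an added example (not from the article or VeraCrypt), the checks below flag the password patterns the paragraph above warns against, generate a password of the recommended kind from the OS random source, and put the article's Hashcat figures next to the size of the password space. The dictionary is a tiny constructed stand-in, and the 10,000-word dictionary size used in the demo is an assumption:

```python
"""Password checks for an encrypted container: the patterns the article warns about,
plus what a given guess rate means for a password of a given strength.

Added example, not from the article or VeraCrypt. The word list is a tiny
constructed stand-in for a real dictionary; the guess rates in the demo are the
article's hashcat figures.
"""
import math
import re
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + "@^=$*+!#%&()-_"
MAX_WORD_LEN = 12
SECONDS_PER_YEAR = 365.25 * 24 * 3600
# Constructed stand-in for a dictionary; a real check would load a word list.
WORDS = {"correct", "horse", "battery", "staple", "password", "summer",
         "secret", "admin", "love", "dragon", "monkey", "qwerty"}


def random_password(length=20, alphabet=ALPHABET):
    """Uniformly random characters from the OS CSPRNG (secrets, never random)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def is_word_concatenation(password, words=WORDS, max_words=4):
    """True if the letters of the password split entirely into 1..max_words
    dictionary words (case ignored, digits and symbols stripped), which is the
    "one or more words, or combinations of 2, 3 or 4 words" the article rejects."""
    s = "".join(ch for ch in password.lower() if ch.isalpha())
    if not s:
        return False
    inf = float("inf")
    best = [0] + [inf] * len(s)       # best[i]: fewest words covering s[:i]
    for i in range(1, len(s) + 1):
        for j in range(max(0, i - MAX_WORD_LEN), i):
            if best[j] < inf and s[j:i] in words:
                best[i] = min(best[i], best[j] + 1)
    return best[len(s)] <= max_words


def password_issues(password, words=WORDS):
    """List the article's warnings that apply to this password (empty = none)."""
    issues = []
    if len(password) < 12:
        issues.append("shorter than 12 characters")
    if is_word_concatenation(password, words):
        issues.append("made of dictionary words")
    if re.search(r"(19|20)\d\d", password):
        issues.append("contains a year (a date of birth?)")
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits,
               string.punctuation]
    if sum(any(c in cls for c in password) for cls in classes) < 3:
        issues.append("uses fewer than three character classes")
    return issues


def entropy_bits(choices, count):
    """Entropy of `count` independent uniform picks from `choices` options."""
    return count * math.log2(choices)


def expected_crack_seconds(bits, guesses_per_second):
    """An exhaustive search succeeds, on average, after half the space."""
    return (2 ** bits / 2) / guesses_per_second


if __name__ == "__main__":
    for pw in ("correcthorse", "Summer2019!", random_password()):
        print(f"{pw!r}: {password_issues(pw) or 'no issues found'}")
    # Article figures: Hashcat H/s for TrueCrypt and VeraCrypt RIPEMD-160 headers.
    for label, rate in (("TrueCrypt", 23131), ("VeraCrypt", 71)):
        for desc, bits in (("3 words from a 10k dictionary", entropy_bits(10_000, 3)),
                           ("10 random characters", entropy_bits(len(ALPHABET), 10))):
            yrs = expected_crack_seconds(bits, rate) / SECONDS_PER_YEAR
            print(f"{label}: {desc} ({bits:.0f} bits) ~ {yrs:,.1f} years at {rate} H/s")
```

    Note that entropy is a property of how the password was chosen, not of how it looks: the estimate for “10 random characters” only holds if every character really was drawn uniformly at random.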

    We help the program collect random data:

    Note that here you can check the box to create a dynamic disk, i.e. one that expands as it is filled with data.

    As a result, I have created a test.hc file on my desktop:

    If you created a file with the .hc extension, you can double-click it: the main program window opens with the path to the container already filled in:

    In any case, you can open VeraCrypt and select the path to the file manually (click the “File” button to do this).

    If the password is entered correctly, a new disk will appear in your system:

    You can copy/move any files to it. You can also create folders there, copy files from there, delete them, etc.

    To close the container to outsiders, press the Unmount button:

    To regain access to your secret files, remount the encrypted drive.

    Setting up VeraCrypt

    VeraCrypt has quite a few settings you can change for convenience. I strongly recommend enabling “Automatically unmount volumes when inactive for a period”:

    And also set a hotkey for “Immediately unmount everything, clear the cache and exit”:

    This can be very... VERY useful...

    Portable version of VeraCrypt on Windows

    As of version 1.22 (in beta at the time of writing), a portable option was added for Windows. If you read the installation section, you will remember that the program is already portable and simply lets you extract its files. However, the standalone portable package has one peculiarity: running the installer requires administrator rights (even if you only want to unpack the archive), while the portable version can be unpacked without administrator rights. That is the only difference.

    Officially, only beta versions are available. In the VeraCrypt Nightly Builds folder, the portable version is the file VeraCrypt Portable 1.22-BETA4.exe.

    The container file can be put on a flash drive. You can copy the portable version of VeraCrypt to the same flash drive; this lets you open the encrypted volume on any computer, including ones without VeraCrypt installed. But be aware of the danger of keystroke interception; an on-screen keyboard can probably help in this situation.

    How to Use Encryption Software Properly

    Some tips to help you keep your secrets better:

    1. Try to keep unauthorized persons away from your computer: do not check laptops in as luggage at airports; if possible, send computers for repair without the system hard drive, etc.
    2. Use a complex password. Do not reuse the password you use for e-mail etc.
    3. Don't forget your password! Otherwise the data will be impossible to recover.
    4. Download all programs only from official sites.
    5. Use free programs or purchased ones (do not use pirated software). Also do not download or run dubious files: among other malicious components, such programs may contain keyloggers (keystroke interceptors), which let an attacker learn the password to your encrypted container.
    6. An on-screen keyboard is sometimes recommended as a way of preventing keystroke interception; I think this makes sense.

    Our media store personal and important information, documents and media files. They need to be protected. Cryptographic methods such as AES and Twofish, offered as standard in encryption programs, belong to roughly the same generation and provide a relatively high level of security.

    In practice, an ordinary user cannot go far wrong with this choice. Instead, you should pick a specialized program according to your purpose: hard drive encryption often uses a different mode of operation than file encryption.

    For a long time the best choice was the TrueCrypt utility, whether for full encryption of a hard drive or for keeping data in an encrypted container. That project is now closed. Its worthy successor is the open-source program VeraCrypt. It is based on the TrueCrypt code, but the code was modified, improving the quality of the encryption.

    For example, VeraCrypt improved the derivation of the key from the password. For encrypting hard drives, the mode used is not the more common CBC but XTS. In this mode blocks are encrypted in an ECB-like way, but the sector number and the offset within the sector are mixed in.
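    The difference between these modes is easier to see in code. The following is an added example, not from the article, VeraCrypt or TrueCrypt: it implements ECB, sector-keyed CBC and XTS over a small stand-in block cipher (a 4-round Feistel network with keyed BLAKE2b round functions, used in place of AES so that the script runs with only the standard library; the XTS tweak handling follows IEEE 1619). It goes a little beyond the paragraph by also showing how a single flipped ciphertext bit propagates in each mode, which matters because disk encryption carries no integrity check:

```python
"""ECB vs CBC vs XTS for sector encryption, with a stand-in block cipher.

Added example, not from the article, VeraCrypt or TrueCrypt. The 16-byte block
cipher here is a 4-round Feistel network with keyed BLAKE2b round functions, a
placeholder for AES so the script needs only the standard library; the sector
modes are built on it exactly as they would be on AES. The XTS tweak arithmetic
(encrypted sector number, then multiplication by x in GF(2^128) per block)
follows IEEE 1619; the CBC IV is derived from the sector number.
"""
import hashlib

BLOCK = 16
SECTOR = 512


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def _round(key, i, half):
    # Keyed PRF per round; 'person' separates the four round functions.
    return hashlib.blake2b(half, digest_size=8, key=key, person=b"round%d" % i).digest()


def block_encrypt(key, block):
    """Stand-in 128-bit block cipher (Feistel, 4 rounds)."""
    left, right = block[:8], block[8:]
    for i in range(4):
        left, right = right, _xor(left, _round(key, i, right))
    return left + right


def block_decrypt(key, block):
    left, right = block[:8], block[8:]
    for i in reversed(range(4)):
        left, right = _xor(right, _round(key, i, left)), left
    return left + right


def _tweak_times_alpha(t):
    """Multiply the 128-bit tweak by x in GF(2^128), little-endian as in XTS."""
    n = int.from_bytes(t, "little") << 1
    if n >> 128:
        n = (n & ((1 << 128) - 1)) ^ 0x87
    return n.to_bytes(16, "little")


def ecb(key, sector_no, data, decrypt=False):
    """ECB ignores the sector: equal plaintext blocks give equal ciphertext blocks."""
    f = block_decrypt if decrypt else block_encrypt
    return b"".join(f(key, b) for b in _blocks(data))


def cbc(key, sector_no, data, decrypt=False):
    """CBC with an IV derived from the sector number; blocks are chained, so a
    damaged ciphertext block also affects the next plaintext block."""
    prev = block_encrypt(key, sector_no.to_bytes(16, "little"))
    out = []
    for b in _blocks(data):
        if decrypt:
            out.append(_xor(block_decrypt(key, b), prev))
            prev = b
        else:
            c = block_encrypt(key, _xor(b, prev))
            out.append(c)
            prev = c
    return b"".join(out)


def xts(key, sector_no, data, decrypt=False):
    """XTS: ECB-style independent blocks, but each is masked with a tweak that
    encodes the sector number and the block's position inside the sector."""
    k1, k2 = key[:16], key[16:]               # XTS needs two keys
    t = block_encrypt(k2, sector_no.to_bytes(16, "little"))
    f = block_decrypt if decrypt else block_encrypt
    out = []
    for b in _blocks(data):
        out.append(_xor(f(k1, _xor(b, t)), t))
        t = _tweak_times_alpha(t)             # next position in the sector
    return b"".join(out)


MODES = {"ecb": ecb, "cbc": cbc, "xts": xts}


def encrypt_sector(mode, key, sector_no, plaintext):
    return MODES[mode](key, sector_no, plaintext)


def decrypt_sector(mode, key, sector_no, ciphertext):
    return MODES[mode](key, sector_no, ciphertext, decrypt=True)


def corrupted_blocks(mode, key, sector_no, plaintext, block_index, bit=0):
    """Flip one bit of ciphertext block `block_index`; return which plaintext
    blocks differ after decryption (disk encryption has no integrity check)."""
    ct = bytearray(encrypt_sector(mode, key, sector_no, plaintext))
    ct[block_index * BLOCK] ^= 1 << bit
    recovered = decrypt_sector(mode, key, sector_no, bytes(ct))
    return [i for i, (p, r) in enumerate(zip(_blocks(plaintext), _blocks(recovered))) if p != r]


if __name__ == "__main__":
    key = bytes(range(32))                          # constructed demo key (K1 || K2)
    sector = bytes(range(16)) * (SECTOR // BLOCK)   # 32 identical plaintext blocks
    for mode in MODES:
        ct0, ct1 = encrypt_sector(mode, key, 0, sector), encrypt_sector(mode, key, 1, sector)
        print(f"{mode}: distinct ciphertext blocks in one sector = {len(set(_blocks(ct0)))}, "
              f"sectors 0 and 1 with the same data encrypt identically = {ct0 == ct1}, "
              f"one flipped bit in block 5 damages blocks {corrupted_blocks(mode, key, 0, sector, 5)}")
```

    The one thing XTS does not hide is whether a sector changed between two snapshots: the same plaintext in the same sector always encrypts to the same ciphertext, because the mode has no per-write randomness. That is by design (a sector must be encryptable in place with no extra storage) and is worth knowing when an attacker can image the disk more than once.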

    Random numbers and strong passwords

    To protect individual files, a free program with a simple interface such as MAXA Crypt Portable or AxCrypt will do. We recommend AxCrypt because it is an open-source project. When installing it, however, note that the package bundles unnecessary add-ons, which you need to uncheck.

    The utility is launched by right-clicking a file or folder and entering a password (for example, when opening an encrypted file). This program uses the AES algorithm with a 128-bit key in CBC mode. To generate a robust initialization vector (IV), AxCrypt integrates a pseudo-random number generator.

    If the IV is not truly random, CBC mode is weakened. MAXA Crypt Portable works in a similar way, but encrypts with a 256-bit key. If you upload personal information to cloud storage, you must assume that its owners, such as Google and Dropbox, scan the content.

    Boxcryptor plugs into this process as a virtual hard disk and, on a right-click, encrypts all files placed there before they are uploaded to the cloud. It is important to get a password manager such as Password Depot. It creates complex passwords that no one could memorize. You just need not to lose the master password for this program.

    We use encrypted disks

    Like TrueCrypt, the VeraCrypt wizard guides the user through all the stages of creating an encrypted disk. You can also protect an existing partition.

    One-click encryption

    The free program MAXA Crypt Portable offers all the options needed to quickly encrypt individual files with the AES algorithm. Clicking the button starts generating a secure password.

    Linking the cloud to privacy

    Boxcryptor encrypts important files with one click before they are uploaded to Dropbox or Google storage. By default AES encryption with a 256-bit key is used.

    Cornerstone - Password Manager

    Long passwords enhance security. The program Password Depot generates and uses them, including for encrypting files and for web services, to which it passes the credentials needed to access the account.


    Launch the encryption tool on Windows by searching for “BitLocker” and selecting “Manage BitLocker”. In the next window you can enable encryption by clicking “Enable BitLocker” next to the hard drive (if an error message appears, read the section “Using BitLocker without a TPM”).

    You can now choose whether you want to use a USB flash drive or a password when unlocking an encrypted drive. Regardless of the option you choose, you will need to save or print the recovery key during the setup process. You'll need it if you forget your password or lose your flash drive.

    Using BitLocker without TPM

    Setting up BitLocker.
    BitLocker also works without a TPM chip; for this, however, you need to change some settings in the Local Group Policy Editor.

    If your computer does not have a TPM (Trusted Platform Module) chip, you may need to make some adjustments to enable BitLocker. In the Windows search box type “Edit Group Policy” and open the “Local Group Policy Editor”. In the editor's left column open “Computer Configuration | Administrative Templates | Windows Components | BitLocker Drive Encryption | Operating System Drives”, and in the right column select the entry “Require additional authentication at startup”.

    Then, in the middle column, click the “Edit policy setting” link. Select “Enabled” and check the box next to “Allow BitLocker without a compatible TPM” below it. After clicking “Apply” and “OK”, you can use BitLocker as described above.

    Alternative in the form of VeraCrypt

    To encrypt the system partition or the entire hard drive with VeraCrypt, the successor of TrueCrypt, select “Create Volume” in the VeraCrypt main window and then “Encrypt the system partition or entire system drive”. To encrypt the entire hard drive together with the Windows partition, select “Encrypt the whole drive” and then follow the step-by-step instructions of the wizard. Attention: VeraCrypt creates a Rescue Disk in case you forget your password, so you will need a blank CD.

    Once you have encrypted the drive, at boot you will need to enter the PIM (Personal Iterations Multiplier) after your password. If you did not set a PIM during setup, just press Enter.

    Researchers at Princeton University have found a way to bypass hard drive encryption using the property of RAM modules to retain information for a short time even after power is lost.

    Preface

    Since a key is needed to access an encrypted hard drive, and it is of course kept in RAM, all that is required is physical access to the PC for a few minutes. After rebooting from an external hard drive or USB flash drive, a complete memory dump is taken and the access key is extracted from it within minutes.

    In this way it is possible to obtain the encryption keys (and full access to the hard drive) used by BitLocker, FileVault and dm-crypt on Windows Vista, Mac OS X and Linux, as well as by the popular free hard drive encryption system TrueCrypt.

    The significance of this work is that there is no simple method of protection against this attack other than cutting the power for long enough that the data is completely erased.

    A visual demonstration of the process is presented in the video.

    Abstract

    Contrary to popular belief, the DRAM memory used in most modern computers retains data for seconds or minutes after the power is turned off, and this happens at room temperature and even if the chip is removed from the motherboard. This is quite enough time to take a complete RAM dump. We show that this phenomenon allows an attacker with physical access to a system to bypass the OS features that protect cryptographic key material. We show how rebooting can be used to mount successful attacks on well-known hard drive encryption systems without any specialized devices or materials. We experimentally determine the extent and likelihood of data remanence and show that the time over which data can be recovered can be greatly extended with simple techniques. We also propose new methods for locating cryptographic keys in memory dumps and correcting the errors caused by lost bits. Several ways to reduce these risks are discussed, but we know of no simple solution.

    Introduction

    Most experts assume that data in a computer's RAM is erased almost instantly once the power is turned off, or believe that residual data is extremely hard to retrieve without special equipment. We show that these assumptions are wrong. Ordinary DRAM loses data gradually over several seconds even at normal temperatures, and if the memory chip is removed from the motherboard and kept at a low temperature, the data persists in it for minutes or even hours. Residual data can be recovered with simple methods that require only brief physical access to the computer.

    We present a series of attacks that use the remanence effects of DRAM to recover encryption keys held in memory. This poses a real threat to laptop users who rely on hard drive encryption systems: if an attacker steals a laptop while the encrypted disk is mounted, he can carry out one of our attacks to get at the contents, even if the laptop is locked or in sleep mode. We demonstrate this by successfully attacking several popular encryption systems: BitLocker, TrueCrypt and FileVault. These attacks should also succeed against other encryption systems.

    Although we focused our efforts on hard drive encryption systems, if an attacker has physical access to the computer, any important information held in RAM can become a target. Many other security systems are probably vulnerable as well. For example, we found that Mac OS X leaves account passwords in memory, from where we were able to extract them, and we also carried out attacks that recovered the private RSA keys of an Apache web server.

    Although some in the information security community and some semiconductor physicists already knew about the remanence effect of DRAM, there was very little information about it. As a result, many who design, develop or use security systems are simply unfamiliar with this phenomenon and with how easily an attacker can exploit it. To the best of our knowledge, this is the first detailed work examining the information security implications of these phenomena.

    Attacks on encrypted drives

    Encrypting hard drives is a well-known way of protecting against data theft. Many people believe that hard drive encryption systems will protect their data even if an attacker has gained physical access to the computer (in fact, that is what they are for; editor's note). A California state law passed in 2002 requires reporting possible disclosures of personal data only if the data was not encrypted, because data encryption is considered a sufficient protective measure. Although the law does not describe any specific technical solutions, many experts recommend using hard drive or partition encryption systems, which are considered a sufficient protective measure. The results of our research show that this faith in disk encryption is unfounded. Even a not especially skilled attacker can bypass many commonly used encryption systems if a laptop with the data is stolen while it is on or in sleep mode. And data on a laptop can be read even when it is on an encrypted drive, so using hard drive encryption systems is not a sufficient measure.

    We used several types of attacks against well-known hard drive encryption systems. What took the most time was setting up the encrypted disks and verifying the recovered encryption keys. Taking the RAM image and searching for keys took only a few minutes and was fully automated. There is reason to believe that most hard drive encryption systems are susceptible to similar attacks.

    BitLocker

    BitLocker is a system included in some editions of Windows Vista. It functions as a driver sitting between the file system and the hard drive driver, encrypting and decrypting selected sectors on demand. The keys used for encryption stay in RAM as long as the encrypted disk is mounted.

    To encrypt each sector of a hard drive, BitLocker uses the same pair of AES keys: a sector encryption key and an encryption key for cipher block chaining (CBC) mode. These two keys are in turn encrypted with the master key. To encrypt a sector, the plaintext is XORed (binary addition) with a session key generated by encrypting the sector offset byte with the sector encryption key. The resulting data is then passed through two mixing functions that use Microsoft's Elephant algorithm. These keyless functions are used to increase the number of cipher bits changed and thus the uncertainty of the encrypted sector data. In the last step the data is encrypted with AES in CBC mode using the corresponding encryption key. The initialization vector is obtained by encrypting the sector offset byte with the CBC-mode key.

    We implemented a fully automated demonstration attack called BitUnlocker. It uses an external USB drive with Linux, a modified bootloader based on SYSLINUX, and a FUSE driver that lets encrypted BitLocker drives be mounted in Linux. On a test computer running Windows Vista, the power was cut, the USB hard drive was connected, and the machine was booted from it. BitUnlocker then automatically dumped RAM to the external drive, used the keyfind program to search for possible keys, tried all suitable candidates (pairs of sector encryption key and CBC-mode key), and on success mounted the encrypted disk. Once mounted, the disk could be used like any other. On a modern laptop with 2 gigabytes of RAM the process took about 25 minutes.

    Notably, this attack could be carried out without reverse engineering any software. Microsoft's documentation describes BitLocker well enough to understand the roles of the sector encryption key and the CBC-mode key and to write a program that implements the whole process.

    The main difference between BitLocker and other programs of this class is how the keys are stored when the encrypted drive is unmounted. By default, in basic mode, BitLocker protects the master key only with the TPM module found in many modern PCs. This method, which appears to be widely used, is particularly vulnerable to our attack, because it allows the encryption keys to be obtained even if the computer has been off for a long time: when the PC boots, the keys are loaded into RAM automatically (before the login screen) without any authentication information being entered.

    Microsoft specialists are apparently aware of this problem, and therefore recommend configuring BitLocker in an enhanced mode where the keys are protected not only by the TPM but also by a password or a key on an external USB device. But even in this mode the system is vulnerable if an attacker gains physical access to the PC while it is running (it may even be locked or in sleep mode; the fully powered-off and hibernated states are considered not susceptible to this attack).

    FileVault

    Apple's FileVault system has been partially studied and reverse engineered. In Mac OS X 10.4, FileVault uses a 128-bit AES key in CBC mode. When the user password is entered, a header is decrypted that contains the AES key and a second key K2 used to compute the initialization vectors. The initialization vector for the I-th disk block is computed as HMAC-SHA1_K2(I).

    We used our EFI memory-imaging program to obtain data from a Macintosh computer (with an Intel processor) with a FileVault-encrypted drive mounted. The keyfind program then automatically found the FileVault AES keys without errors.

    Without the initialization vector but with the recovered AES key, it is possible to decrypt 4080 of the 4096 bytes of each disk block (everything except the first AES block). We confirmed that the initialization vector is also in the dump. Assuming the data has not yet decayed, an attacker can determine the vector by trying every 160-bit string in the dump in turn and checking whether it yields plausible plaintext when XORed with the decrypted first part of the block. Together, using programs like vilefault, the AES keys and the initialization vector allow the encrypted disk to be decrypted completely.

    While investigating FileVault, we found that Mac OS X 10.4 and 10.5 leave multiple copies of the user's password in memory, where they are vulnerable to this attack. Account passwords are often used to protect keys, which in turn can protect the passphrases of FileVault-encrypted disks.

    TrueCrypt

    TrueCrypt is a popular open-source encryption system that runs on Windows, Mac OS and Linux. It supports many algorithms, including AES, Serpent and Twofish. In version 4 all algorithms worked in LRW mode; in the current version 5 they use XTS mode. TrueCrypt stores the encryption key and the tweak key in the volume header on each drive, which is encrypted with a separate key derived from the user-entered password.

    We tested TrueCrypt 4.3a and 5.0a running on Linux. We mounted a volume encrypted with a 256-bit AES key, cut the power and booted our memory-imaging software. In both cases keyfind located an intact 256-bit encryption key. In the case of TrueCrypt 5.0a, keyfind also recovered the XTS tweak key.

    To decrypt volumes created by TrueCrypt 4, the LRW tweak key is also needed. We found that the system stores it in the four words immediately preceding the AES key schedule. In our dump the LRW key was not corrupted (had errors occurred, we would still have been able to recover the key).

    Dm-crypt

    The Linux kernel, since version 2.6, includes dm-crypt, a built-in disk encryption subsystem. dm-crypt supports a variety of ciphers and modes, but by default it uses 128-bit AES in CBC mode with non-keyed IVs (IVs that are not derived from secret key material).

    We tested a partition created with the LUKS (Linux Unified Key Setup) branch of the cryptsetup utility on a 2.6.20 kernel. The disk was encrypted with AES in CBC mode. We briefly cut the power and took a memory dump using a modified PXE bootloader. keyfind located the correct 128-bit AES key, which it recovered without any errors. Once the key is recovered, an attacker can decrypt and mount the dm-crypt partition by modifying cryptsetup so that it accepts a raw key in the required format. (Later cryptsetup releases can open a LUKS volume with a raw volume key supplied through the --master-key-file option, so no patching is needed.)

    Methods of protection and their limitations

    Protecting against attacks on RAM is non-trivial, because the cryptographic keys in use have to be stored somewhere. We suggest concentrating on destroying or obscuring keys before an attacker can gain physical access to the PC, preventing memory-imaging software from running, physically protecting the DRAM chips, and shortening the lifetime of data in DRAM where possible.

    Overwriting memory

    First of all, keys should not be kept in RAM whenever that can be avoided. Key material should be overwritten as soon as it is no longer needed, and prevented from being copied to swap (page files). Memory can be cleared using operating system facilities or additional libraries; note that a compiler may silently remove a plain memset() of a buffer that is never read again, so a guaranteed primitive such as memset_s, explicit_bzero or SecureZeroMemory should be used. Naturally, these measures cannot protect keys that are in use at the moment, since those must be in memory: for example the keys of mounted encrypted disks or of a secure web server.

    RAM should also be cleared during the boot process. Some PCs can be configured to clear memory at power-on by running a destructive Power-On Self-Test (POST) before the operating system loads. If an attacker cannot prevent this test from running, he cannot take a memory dump with useful data on that PC. He can still, however, remove the DRAM modules and insert them into another PC with BIOS settings of his choosing.

    Restricting booting from the network or from removable media

    Many of our attacks used network boot or booting from removable media. A PC should be configured to require an administrator password to boot from those sources. Note, however, that even if the system is set to boot only from the primary hard drive, an attacker can swap out the hard drive itself, or in many cases reset the computer's NVRAM to restore the factory BIOS settings.

    Safe Sleep Mode

    Our results show that simply locking the PC desktop (the OS keeps running, but a password must be entered before interacting with it) does not protect the contents of RAM. Sleep mode (suspend to RAM) is also ineffective, even if the PC locks itself on waking, since an attacker can wake the machine, power-cycle it and take a memory dump. Hibernation (suspend to disk, in which the contents of RAM are written to the hard drive) will not help either, unless a secret held on external media is required to resume normal operation.

    With most disk encryption systems, users can protect themselves by powering off the PC. (BitLocker in its basic, TPM-only mode remains vulnerable, because the disk is unlocked automatically when the PC is powered on.) Memory contents may persist for a short time after power is removed, so it is advisable to keep an eye on the workstation for a couple more minutes. Although effective, this measure is very inconvenient because of the long boot time of workstations.

    Sleep mode can be secured as follows: require a password or other secret to wake the workstation, and encrypt the memory contents with a key derived from that secret. The password must be strong, since an attacker can take a memory dump and then try to guess the password offline by brute force. If encrypting all of memory is impractical, only the regions holding key material need to be encrypted. Some systems can be configured to enter such a protected sleep mode, although this is usually not the default.

    Avoiding Pre-Computations

    Our research showed that using precomputation to speed up cryptographic operations makes key material more vulnerable. Precomputation leaves redundant information about the key in memory, which lets an attacker recover the key even in the presence of bit errors. For example, as described in Section 5, the expanded round keys (key schedules) of AES and DES are highly redundant and very useful to an attacker.

    Avoiding precomputation costs performance, because potentially expensive calculations have to be repeated. A compromise is to cache precomputed values for a limited time and erase them if they are not used within that interval. This is a trade-off between security and system performance.
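    The keyfind runs against TrueCrypt and dm-crypt above, and the key-schedule redundancy this section describes, can be reproduced in miniature. The following Python is an added example, not the authors' keyfind: it implements the AES-128 key expansion from FIPS-197, builds a constructed memory image containing a key schedule whose round keys have been partially corrupted, and scans it the way keyfind does, expanding every 16-byte window and accepting it when the following 160 bytes are close to the expected round keys. The 10% error threshold and the 3% corruption rate are choices made for the demo, and the image is not a real capture.

```python
import random

# ---- AES-128 key schedule (FIPS-197), implemented only to model what a cipher
# ---- implementation leaves behind in memory.

def _gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) with the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p


def _build_sbox() -> list:
    sbox = [0] * 256
    for x in range(256):
        inv = 0 if x == 0 else next(y for y in range(1, 256) if _gf_mul(x, y) == 1)
        s, t = inv, inv
        for _ in range(4):              # affine map: inv ^ rotl1..4(inv) ^ 0x63
            t = ((t << 1) | (t >> 7)) & 0xFF
            s ^= t
        sbox[x] = s ^ 0x63
    return sbox


SBOX = _build_sbox()


def aes128_key_schedule(key: bytes) -> bytes:
    """Expand a 16-byte key into the 176-byte schedule (11 round keys)."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 0x01
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]   # RotWord, then SubWord
            t[0] ^= rcon
            rcon = _gf_mul(rcon, 2)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return bytes(b for word in w for b in word)


def _bit_errors(a: bytes, b: bytes) -> int:
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def keyfind(dump: bytes, max_bit_errors: int = 128) -> list:
    """Locate AES-128 keys in a memory image the way keyfind does: treat every
    16-byte window as a candidate key, expand it, and accept the candidate if the
    160 bytes that follow it in the image are (nearly) the expected round keys.

    A random window agrees with its "schedule" in about half of the 1280 bits, so
    a threshold of 128 bit errors (10%) separates real schedules from noise.
    Only errors in the round keys are tolerated here; the real keyfind also
    corrects errors inside the key bytes using the schedule's redundancy.
    """
    hits = []
    for off in range(len(dump) - 176 + 1):
        cand = dump[off:off + 16]
        expected = aes128_key_schedule(cand)[16:]
        if _bit_errors(expected, dump[off + 16:off + 176]) <= max_bit_errors:
            hits.append((off, cand))
    return hits


def decay(data: bytes, n_bits: int, rng: random.Random) -> bytes:
    """Flip n_bits random bits: a crude model of DRAM decay after power loss
    (real decay is mostly one-directional, toward the chip's ground state)."""
    buf = bytearray(data)
    for pos in rng.sample(range(len(buf) * 8), n_bits):
        buf[pos // 8] ^= 1 << (pos % 8)
    return bytes(buf)


# ---- constructed demo image (not a real capture) ----
KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # FIPS-197 A.1 example key
_rng = random.Random(2008)
_schedule = aes128_key_schedule(KEY)
# Corrupt 3% of the round-key bits but leave the 16 key bytes intact, as observed in the dumps.
_corrupted = KEY + decay(_schedule[16:], 38, _rng)


def _noise(n: int) -> bytes:
    return bytes(_rng.getrandbits(8) for _ in range(n))


KEY_OFFSET = 700
DUMP = _noise(KEY_OFFSET) + _corrupted + _noise(900)
```

    Calling keyfind(DUMP) returns a single hit at KEY_OFFSET with the original key, despite the 38 flipped bits in the round keys. Without the expanded schedule in memory there would be nothing to match against, which is the point of the section: the precomputed round keys are what make the key recognizable and error-tolerant.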

    Key expansion

    Another way to hinder key recovery is to change how key material is stored in memory so that bit errors make the key much harder to reconstruct. This idea has been studied in theory under the name of exposure-resilient functions: functions whose input remains hidden even when almost all of the output has been revealed, much like one-way functions.

    In practice, suppose we have a 256-bit AES key K that is not in use right now but will be needed later. We cannot overwrite it, yet we want to make it resistant to recovery. One way is to allocate a large B-bit region, fill it with random data R, and keep in memory only R together with the value K ⊕ H(R), where ⊕ is bitwise XOR and H is a hash function such as SHA-256.

    Now suppose the power is cut and, as a result, d bits in the region holding R are flipped. If the hash function is strong, an attacker trying to recover K can only hope to guess which bits of R were flipped, out of roughly B/2 that could have been. If d bits were flipped, the attacker has to search a space of size roughly C(B/2 + d, d), the binomial coefficient, to find the correct R and then recover K. If B is large, such a search is infeasible even for relatively small d.

    In theory, every key could be stored this way, computing each one only when it is needed and deleting it afterwards, so that keys stay in RAM only in this protected form.
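    An added worked example of the scheme just described (not code from the paper): K is kept as the pair (R, K ⊕ SHA-256(R)), decay is simulated by flipping d bits of R, and the attacker's search is carried out at a toy size where it succeeds, next to a 1 MiB R where the same d already puts it far out of reach. Using SHA-256(K) as the attacker's way to recognize the right key is an assumption standing in for a known plaintext.

```python
import hashlib
import math
import random
from itertools import combinations


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def expand_key(key: bytes, B: int, rng: random.Random):
    """Store a 256-bit key K as the pair (R, K xor SHA-256(R)), R a random B-bit string."""
    R = rng.getrandbits(B).to_bytes(B // 8, "big")
    return R, _xor(key, hashlib.sha256(R).digest())


def recover_key(R: bytes, masked: bytes) -> bytes:
    """Legitimate owner: one hash of the intact R gives K back."""
    return _xor(masked, hashlib.sha256(R).digest())


def decay(R: bytes, d: int, rng: random.Random) -> bytes:
    """Flip d distinct bits of R, a crude model of DRAM decay after power loss."""
    buf = bytearray(R)
    for pos in rng.sample(range(len(buf) * 8), d):
        buf[pos // 8] ^= 1 << (pos % 8)
    return bytes(buf)


def search_space(B: int, d: int) -> int:
    """The paper's estimate of the attacker's work: roughly C(B/2 + d, d) candidates."""
    return math.comb(B // 2 + d, d)


def brute_force(decayed_R: bytes, masked: bytes, key_check: bytes, max_d: int):
    """Attacker's search: try every set of up to max_d flipped positions in R.
    key_check = SHA-256(K) is assumed known so a candidate can be verified
    (an assumption standing in for a known plaintext). Returns (key or None, tries)."""
    tries = 0
    nbits = len(decayed_R) * 8
    for d in range(max_d + 1):
        for positions in combinations(range(nbits), d):
            buf = bytearray(decayed_R)
            for pos in positions:
                buf[pos // 8] ^= 1 << (pos % 8)
            tries += 1
            k = recover_key(bytes(buf), masked)
            if hashlib.sha256(k).digest() == key_check:
                return k, tries
    return None, tries


# ---- constructed demo (no real keys involved) ----
KEY = hashlib.sha256(b"demo aes-256 key").digest()
_rng = random.Random(7)

# Toy size: B = 64 bits with d = 2 flipped bits is searchable in about 2000 tries.
R_SMALL, MASKED_SMALL = expand_key(KEY, 64, _rng)
R_SMALL_DECAYED = decay(R_SMALL, 2, _rng)

# Realistic size: B = 8 Mibit (1 MiB of random filler); the same d = 2 is already hopeless.
R_BIG, MASKED_BIG = expand_key(KEY, 8 * 2**20, _rng)
R_BIG_DECAYED = decay(R_BIG, 2, _rng)


def demo():
    k_small, tries = brute_force(R_SMALL_DECAYED, MASKED_SMALL, hashlib.sha256(KEY).digest(), 2)
    return k_small, tries, search_space(64, 2), search_space(8 * 2**20, 2)
```

    The owner's cost is one hash over R regardless of B; the attacker's grows as C(B/2 + d, d), so the defender chooses B to make even small d prohibitive. The scheme only helps for keys that are idle: a key in active use still has to exist in plain form somewhere.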

    Physical protection

    Some of our attacks relied on physical access to the memory chips. Such attacks can be prevented by physically protecting the memory: for example, by placing the modules in a locked case, or by potting them in epoxy to deter removal or probing. Memory can also be erased in response to low temperatures or to opening of the case, although this requires sensors with an independent power supply. Many of these methods rely on tamper-resistant hardware (such as the IBM 4758 coprocessor) and can greatly increase the cost of a workstation. Soldering the memory directly to the motherboard, on the other hand, would be far cheaper.

    Architecture change

    The PC architecture itself can be changed. This cannot help PCs already in use, but it can make new ones secure.

    The first approach is to design DRAM modules that lose their contents faster. This is tricky, because the goal of erasing data as quickly as possible conflicts with the other goal of not losing data between refresh cycles.

    Another approach is to add dedicated key-storage hardware that is guaranteed to erase its contents on startup, reset and shutdown. This would give a safe place to store a number of keys, although the vulnerability caused by their precomputed forms in ordinary RAM would remain.

    Other researchers have proposed architectures in which the contents of memory are always encrypted. Combined with erasing the keys on reboot and power loss, this would provide adequate protection against the attacks described here.

    Trusted Computing

    Hardware implementing the “trusted computing” concept, such as TPM modules, is already used in some PCs. Although useful against some attacks, in its current form such hardware does not prevent the attacks we describe.

    Deployed TPMs do not perform bulk encryption themselves. Instead, they observe the boot process to decide whether it is safe to release a key into RAM. If software needs a key, the following can be implemented: the key, in usable form, is not released into RAM until the boot process has proceeded as expected. But as soon as the key is in RAM it becomes a target for our attacks. A TPM can prevent a key from being loaded into memory; it does not prevent it from being read out of memory.

    Conclusions

    Contrary to popular belief, DRAM modules retain their data for a relatively long time after power is removed. Our experiments have shown that this phenomenon enables a whole class of attacks that extract sensitive data, such as encryption keys, from RAM despite the operating system's attempts to protect its contents. The attacks we have described are practical, and our examples against popular encryption systems prove it.

    Other kinds of software are vulnerable too. Digital rights management (DRM) systems often keep symmetric keys in memory, and these can be obtained in the same way. As we have shown, SSL-enabled web servers are also vulnerable, since they keep in memory the private keys needed to establish SSL sessions. Our key-search techniques are likely to be just as effective at finding passwords, account numbers and any other sensitive data held in RAM.

    There appears to be no simple way to eliminate these vulnerabilities. Software changes are unlikely to be fully effective; hardware changes would help, but at considerable cost in time and resources; and trusted computing technology in its current form is also ineffective, because it cannot protect keys that are in memory.

    In our view, laptops, which are often used in public places and operated in modes vulnerable to these attacks, are the most exposed. The existence of these risks shows that disk encryption protects important data to a lesser degree than is commonly believed.

    As a result, DRAM may have to be treated as an untrusted component of the modern PC, and processing of sensitive information in it avoided. For now this is impractical, and will remain so until PC architecture changes to give software a secure place to keep keys.

    Probably each of us has folders and files we would like to hide from prying eyes, all the more so when other people use the same computer.

    You could, of course, put the files in a password-protected archive. But this is not always convenient, especially for files you work with regularly. This is where a file encryption program comes in.

    1. Encryption program

    Despite the large number of paid programs (for example DriveCrypt, BestCrypt, PGPdisk), I decided to focus this review on free ones, whose capabilities are sufficient for most users.

    http://www.truecrypt.org/downloads

    An excellent program for encrypting data, be it files, folders, etc. It works by creating a file that resembles a disk image (newer versions of the program can also encrypt an entire partition, for example a flash drive, which can then be used without fear that anyone but you will be able to read it). This file cannot simply be opened; it is encrypted. If you forget the password to such a file, you are unlikely ever to see the files stored in it again...

    What else is interesting:

    Instead of a password, you can use a key file (a very interesting option: no file, no access to the encrypted disk);

    Several encryption algorithms;

    The ability to create a hidden encrypted disk (only you will know about its existence);

    The ability to assign hotkeys for quickly mounting and unmounting (disconnecting) a disk.

    2. Disk creation and encryption

    Before we start encrypting data, we need to create the disk onto which we will copy the files to be hidden from prying eyes.

    To do this, launch the program and click “Create Volume”, i.e. start creating a new disk.

    Select the first item, “Create an encrypted file container”.

    Here we are offered two options for a container file:

    1. Normal (standard): the container is visible to all users, but only those who know the password can open it.

    2. Hidden: a second volume created inside the free space of an outer volume. The outer container file itself is visible, but the existence of the hidden volume inside it cannot be demonstrated without its password.

    Now the program asks where to place your secret disk (the container file). I recommend choosing the drive with the most free space, usually D:, since C: is the system drive on which Windows is installed.

    An important step: choosing the encryption algorithm. Several are available. For the average user I will say that AES, which the program offers by default, protects your files very reliably, and it is most unlikely that any other user of your computer will break it. In practice the weak point is never the cipher but the password chosen in the next steps. Select AES and click “Next”.

    At this step you choose the size of your disk. Just below the field where you enter the desired size, the free space on your real hard drive is shown.

    Password: the characters without which access to your secret disk is denied. A 5-6 character password is far too short: the container file can be copied and attacked offline at full speed, and TrueCrypt itself warns when a password is shorter than 20 characters. Choose a password you will not forget even after a couple of years, otherwise important information may become inaccessible to you.

    If you want a strong password, use a generator to create it. The page https://calcsoft.ru/generator-parolei also answers the question “is my password secure”. Bear in mind that generating or checking a password on a third-party website means trusting that site with it; a local generator or the password manager of your operating system avoids that.
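    A local generator gives the same result with nothing leaving the machine. The following Python is an added example (not part of the original article or of TrueCrypt): it draws characters from the operating system's CSPRNG, sizes the password for a chosen entropy target, and contrasts the “5-6 characters” mentioned above with 20 characters at an assumed offline guess rate.

```python
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation   # 94 symbols


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password of the given length."""
    return length * math.log2(alphabet_size)


def length_for(min_bits: float, alphabet_size: int) -> int:
    """Shortest length that reaches min_bits of entropy over the alphabet."""
    return math.ceil(min_bits / math.log2(alphabet_size))


def generate_password(min_bits: float = 128, alphabet: str = ALPHABET) -> str:
    """Generate a password with at least min_bits of entropy from the OS CSPRNG.
    secrets.choice is unbiased; never use random.choice for this."""
    return "".join(secrets.choice(alphabet) for _ in range(length_for(min_bits, len(alphabet))))


def crack_time_years(bits: float, guesses_per_second: float) -> float:
    """Expected time to find the password (half the keyspace) at the given guess rate."""
    return (2 ** bits / 2) / guesses_per_second / (365.25 * 24 * 3600)


def compare(guesses_per_second: float = 1e6) -> dict:
    """Crack time in years for 6, 12 and 20 characters from the 94-symbol alphabet.
    The guess rate is an assumption: TrueCrypt derives the header key with PBKDF2
    (1000-2000 iterations), which slows each guess, but the container can be copied
    and attacked offline on as many machines as the attacker owns."""
    return {n: crack_time_years(entropy_bits(n, len(ALPHABET)), guesses_per_second)
            for n in (6, 12, 20)}
```

    Six characters from the full keyboard alphabet carry about 39 bits, which at a million guesses per second falls in hours; twenty characters carry about 131 bits and are out of reach at any rate. The generated string has no structure to remember, so pair it with a key file or a password manager rather than writing it on the monitor.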

    After a while the program reports that the encrypted container file has been created successfully and you can start working with it. Great...

    3. Working with an encrypted disk

    The mechanism is simple: choose the container file you want to connect and enter its password; if everything is OK, a new disk appears in the system and you can work with it as if it were a real HDD.

    Let's take a closer look.

    Right-click the drive letter you want to assign to your container file and choose “Select File and Mount” from the context menu: select the file and mount it for further work.