Data Integrity & Security & Privacy
LILUG 2008-11-11
Ilya S. (AKA dotcommie)

Overview
- Security
  - Disk encryption: theory, discussion of software, what to encrypt, demo
- Data Integrity*
  - Malicious altering
  - Accidental altering
- Privacy
  - Data destruction
  - OpenVPN
  - TOR

Disk Encryption Theory
- Basics
- Requirements: efficient encryption / decryption, random access & more
- Modes: ECB, CBC, CTR, ESSIV, XTS, XEX
ECB (Electronic Code Book)
    C_i = E_k(P_i)
    C - ciphertext, P - plaintext, E - encryption function, k - key, i - block index
- Weaknesses
  - Stupid
  - Some information is recoverable (example below & more)
- Strengths
  - Simple
  - Random access

CBC (Cipher Block Chaining)
    C_i = E_k(P_i ⊕ C_{i-1})
    C - ciphertext, E - encryption function, P - plaintext, k - key, i - block index
    ⊕ - xor: 1100 ⊕ 1010 = 0110
- Weaknesses
  - Possible to check for existence of known data (watermarking)
  - Changing P_x requires re-encryption of every C_{>x}
- Show stoppers
  - No random access
- Strengths
  - Who cares

CTR
    C_i = E_k(P_i ⊕ V_{N,i})
    C - ciphertext, i - index / counter, k - key, N - nonce, V - N merged with i (e.g. N + i)
- Weaknesses
  - Watermarking
- Strengths
  - Random access

ESSIV
- Introduces a special per-sector IV
- Solves the watermarking issue
- Using clever active attacks, data can still be decrypted
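Added example, not part of the slides: a small Feistel network stands in for E_k so the ECB and CBC properties above can be exercised offline; KEY, the marker bytes and the sector numbers are constructed, plain_iv models the cryptoloop-style sector-number IV and essiv models the per-sector ESSIV. It shows ECB's repeated ciphertext blocks, the CBC watermark that a predictable IV makes visible, and why ESSIV removes it.

```python
import hashlib
BLOCK = 16                                        # toy block size, same as AES
KEY = hashlib.sha256(b"demo key").digest()[:16]   # constructed demo key

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    # keyed round function of the toy Feistel cipher (truncated SHA-256)
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def enc_block(key: bytes, block: bytes) -> bytes:
    # 4-round Feistel network standing in for E_k(); a teaching cipher, not AES
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, xor(l, _f(key, rnd, r))
    return l + r

def ecb(key: bytes, plain: bytes) -> bytes:
    # C_i = E_k(P_i): equal plaintext blocks give equal ciphertext blocks
    return b"".join(enc_block(key, plain[i:i + BLOCK]) for i in range(0, len(plain), BLOCK))

def cbc(key: bytes, iv: bytes, plain: bytes) -> bytes:
    # C_i = E_k(P_i xor C_{i-1}) with C_{-1} = IV (one call per disk sector)
    out, prev = [], iv
    for i in range(0, len(plain), BLOCK):
        prev = enc_block(key, xor(plain[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def plain_iv(sector: int) -> bytes:
    # cryptoloop-style IV: the sector number itself, predictable by anyone
    return sector.to_bytes(BLOCK, "little")

def essiv(sector: int, key: bytes = KEY) -> bytes:
    # ESSIV: IV = E_{H(k)}(sector); only the key holder can predict it
    return enc_block(hashlib.sha256(key).digest()[:16], plain_iv(sector))

def ecb_leaks(key: bytes = KEY) -> bool:
    # a zero-filled sector under ECB: every ciphertext block comes out identical
    c = ecb(key, b"\x00" * (4 * BLOCK))
    return len({c[i:i + BLOCK] for i in range(0, len(c), BLOCK)}) == 1

def watermark_visible(iv_of, key: bytes = KEY, sector: int = 8) -> bool:
    # Watermarked file: sector s starts with M xor plain_iv(s), sector s+1 with M xor
    # plain_iv(s+1). If the IV really is plain_iv both become E_k(M): a repeat visible
    # in ciphertext alone. With ESSIV the IV guess is wrong and nothing repeats.
    marker = b"LILUG watermark!"                  # constructed 16-byte marker
    sec_a = xor(marker, plain_iv(sector)) + b"A" * BLOCK
    sec_b = xor(marker, plain_iv(sector + 1)) + b"B" * BLOCK
    c_a = cbc(key, iv_of(sector), sec_a)
    c_b = cbc(key, iv_of(sector + 1), sec_b)
    return c_a[:BLOCK] == c_b[:BLOCK]
```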
LRW, XEX (Xor Encrypt Xor), XTS (XEX-TCB-CTS)
- Details are beyond the scope of this discussion
- Used in modern disk encryption
- XTS yields a strong security guarantee as long as the key is not used for much more than 1 TiB
  - Possibility of a successful attack: 1 in 8E15

Software -- Forewarning
KNOW WHAT SOFTWARE YOU ARE USING

Software -- Overview
- TrueCrypt
  - Easy setup (Windows especially)
  - Not in kernel
  - Very portable
- Cryptoloop (deprecated)
  - Watermarking issues
- dm-crypt
  - Easy to set up
  - Native Linux support (no patching necessary)
  - Supports LUKS
  - Nice frontend (cryptsetup)

TrueCrypt VS dm-crypt
- How to choose: if you dualboot, use TrueCrypt
- Similarities:
  - Multiple encryption algorithm support (AES, Serpent, Twofish)
  - Support for XTS mode
  - Multiple password/key support
  - Key on USB UMS / smartcard support
- Conclusion: They are essentially the same but I like dm-crypt better. Dm-crypt wins.

What to encrypt
- Whole disk encryption
  - Do you really care if someone gets a hold of your ls program?
  - On the flip side: adds unnecessary complications (initrd, servers & etc.)
  - Servers: just put them in a vault
- User data: /home, /tmp, SWAP!
- Sensitive system data: /var, /tmp, /etc
Dm-crypt cookbook -- installation
- Compile in or load the following modules:
  - Device Drivers -> Multiple Device Driver Support (CONFIG_MD)
    - Device Mapper Support (CONFIG_BLK_DEV_DM)
    - Crypt Target Support (CONFIG_DM_CRYPT)
  - Block Devices (optional, for loopback file encryption)
    - Loopback Device Support (CONFIG_BLK_DEV_LOOP)
  - Cryptographic API (CONFIG_CRYPTO)
    - AES cipher algorithm (CONFIG_CRYPTO_AES)
- Userspace:
    aptitude install cryptsetup hashalot
    emerge sys-fs/cryptsetup
    yum -y install cryptsetup-luks

Dm-crypt cookbook
- fdisk/cfdisk and make your desired partition
- Optional, skip if you had no sensitive data on disk:
    # shred -n 1 -v /dev/sdb1
- Check the version and format the partition:
    # cryptsetup --version
    cryptsetup 1.0.6
    # cryptsetup luksFormat /dev/sdb1

    WARNING!
    ========
    This will overwrite data on /dev/sdb1 irrevocably.

    Are you sure? (Type uppercase yes): YES
    Enter LUKS passphrase: blah
    Verify passphrase: blah
    Command successful.

Dm-crypt cookbook
- Open the LUKS device and create a filesystem on the mapped device:
    # cryptsetup luksOpen /dev/sdb1 blah
    Enter LUKS passphrase: blah
    key slot 0 unlocked.
    Command successful.
    # mkfs.xfs /dev/mapper/blah
    meta-data=/dev/mapper/rootfs     isize=256    agcount=4, agsize=125826 blks
             =                       sectsz=512   attr=2
    data     =                       bsize=4096   blocks=503303, imaxpct=25
             =                       sunit=0      swidth=0 blks
    naming   =version 2              bsize=4096
    log      =internal log           bsize=4096   blocks=2560, version=2
             =                       sectsz=512   sunit=0 blks, lazy-count=0
    realtime =none                   extsz=4096   blocks=0, rtextents=0

Dm-crypt cookbook
- Let's test mounting:
    # mkdir /tmp/blah
    # mount /dev/mapper/blah /tmp/blah
- It works, or maybe it doesn't, but it should!
- Let's undo the test mess now:
    # umount /tmp/blah
    # cryptsetup luksClose blah
Dm-crypt
- Now we are familiar with how things work
- Home dir example
  - Simple method: mount on boot
    - You have to type in your partition password on boot
    - Not typing the password is nasty! Annoying
    - Consider enabling auto-login in KDM/GDM/XDM
  - PAM plugin: mount on login (pam_mount)
    - 2 birds with one stone: same password for system account + encryption

Dm-crypt Cookbook
WARNING: THE REST OF THE DEMO MIGHT CONTAIN DEBIANISMS

Dm-crypt home mount on boot
    # cat /etc/crypttab
    # <tgt name> <src device> <key file> <options>
    blah /dev/sdb1 none luks,auto
    # cat /etc/fstab | grep blah
    /dev/mapper/blah /home/blah xfs defaults 0 0
    # adduser --home /home/blah blah

Dm-crypt home mount on login
    # cat /etc/crypttab
    # <tgt name> <src device> <key file> <options>
    blah /dev/sdb1 none luks,noauto
    # cat /etc/fstab | grep blah
    /dev/mapper/blah /home/blah xfs defaults 0 0
    # adduser --home /home/blah blah
- In the following files:
  - /etc/pam.d/sshd
  - /etc/pam.d/login
  - /etc/pam.d/kdm (or gdm or xdm)
- Find the line:
    @include common-session
  and after it insert:
    @include common-pammount
Why use LUKS
- Does your password look like this:
    ost1\lsxt7>imun?yczngwix~? haf/5e~btnh&#pxh^kwo9xjjlb$m^a&mvpo>lji GoQfy3- zu+\4v>_tk1slrzcz<caxbulf3pwa46uc_y %LwSZEq3

LUKS
- Linux Unified Key Setup
- Practical implementation of TKS1 & TKS2
- Allows for:
  - Multiple credentials
  - Multiple forms of authentication: smart card, USB UMS (flash drive)
  - Credential revocation/alteration

Demo discussion
- Why use LUKS? dm-crypt & cryptsetup don't strictly need it
- dm-crypt + LUKS on Windows & PDAs: FreeOTFE http://www.freeotfe.org/
- cryptsetup luksDump

HD crypto
- It's perfect... in certain cases
- In others:
  - Cold boot attack
  - Hibernate/suspend
  - Binary substitution (whole disk encryption! Not quite. TPM?)
  - SWAP
  - Rootkits, exploits...
  - luksDump backups
  - $5 wrenches
Data Integrity
- Your data is only as secure as your binaries
- Protecting your binaries
  - Checksums: debsums (Debian-like), Veriexec (NetBSD)
  - http://www.win.tue.nl/hashclash/softintcodesign/
  - MD5 collisions; SHA-1 is better but not perfect... there are powerful machines out there
  - SELinux
  - Read-only /

Data Theft
- Physical vs virtual theft
- Is your valuable data:
  - Backed up? rsync/AMANDA/...
  - Encrypted?
- Tracking stolen laptops
  - Data recovery/destruction
  - Installing a secure backdoor
  - Talk to your laptop after it's stolen

Privacy
- Encryption of personal data
- Concealment of internet traffic
  - Browsers
  - TOR: anonymity
  - OpenVPN
OpenVPN bridging VS routing
- Bridging advantages
  - Broadcasts traverse the VPN -- this allows software that depends on LAN broadcasts such as Windows NetBIOS file sharing and network neighborhood browsing to work.
  - No route statements to configure.
  - Works with any protocol that can function over ethernet, including IPv4, IPv6, Netware IPX, AppleTalk, etc.
  - Relatively easy-to-configure solution for road warriors.
- Bridging disadvantages
  - Less efficient than routing, and does not scale well.

OpenVPN bridging VS routing
- Routing advantages
  - Efficiency and scalability.
  - Allows better tuning of MTU for efficiency.
- Routing disadvantages
  - Clients must use a WINS server (such as samba) to allow cross-VPN network browsing to work.
  - Routes must be set up linking each subnet.
  - Software that depends on broadcasts will not "see" machines on the other side of the VPN.
  - Works only with IPv4 in general, and IPv6 in cases where tun drivers on both ends of the connection support it explicitly.
OpenVPN example configs
Sources & more reading material
- LUKS:
  - http://cryptsetup.googlecode.com/svnhistory/r42/wiki/luks-standard/on-disk-format.pdf
  - http://clemens.endorphin.org/tks1-draft.pdf
  - http://clemens.endorphin.org/nmihde/nmihde-letteros.pdf
- Veriexec:
  - http://www.netbsd.org/docs/guide/en/chap-veriexec.html
  - http://www.users.on.net/~blymn/veriexec/
- XTS:
  - http://www.cs.ucdavis.edu/%7Erogaway/papers/offsets.pdf
- OpenVPN:
  - http://openvpn.net/index.php/documentation/faq.html