View Source

Outline of the paper by the same name.

This is an outline of the topics covered in New Methods in Hard Disk Encryption at http://clemens.endorphin.org/cryptography. The main chapters of interest are 5 (Password Management) and 6 (A Tour or LUKS: Linux Unified Key Setup).

Chapters 1-4: Mathematical and Cryptographic Background Information

Chapters 1 through 4 cover mathematical and cryptographic background info. Two important ideas are found here:

Not all modes of AES are suitable for disk encryption.
CBC mode (used by Linux Crypto-loop) has a number of weaknesses.

The cipher and mode used for disk encryption needs to be noted with any product being evaluated.

Chapter 5: Password management

Key Hierarchies for Passwords

The actual key used to encrypt the data (master key) is stored encrypted with one or more user keys which can be used to decrypt the master key.

This allows for multiple user passwords which can be used to access the data.
A single user password can be used, or a threshold system that requires multiple passwords can be used.
Changing a user key is done by re-encrypting the master key.
Many common encryption products use a similar scheme: SSL, SSH, PGP, etc.
A user key can be changed without changing the master key (which would require re-encrypting all of the data).
The need to destroy old data is reduced if all of the encrypted data does not have to be destroyed.
The plain text master key is never written to disk.

Anti-forensic Data Storage

A key hierarchy with an encrypted master key stored on the disk raises some concerns about exactly how that key is stored and how you can be assured that it is destroyed if it is erased.

On most file systems, erasing a file does not remove its contents.
Journaled file systems make assuring the destruction of data even harder.
Anti-forensic key storage
- The key is diffused into many disk blocks.
- All the contents of all blocks are required to recover the key.
- Every bit of every block affects every bit of the encrypted key.
  - An algorithm with high error propagation is used.
  - http://clemens.endorphin.org/AFsplitter provides a working example.
  - Compare to a simple XOR. With XOR, if a portion of each block remains intact, some bits of the key may be recoverable.

Passwords from Entropy Weak Sources

Users do not always pick strong passwords. Even if they do, good passwords usually contain less entropy than 128-bit keys and they are easier to guess than the key they are protecting. Methods can be used to expand the size of the key domain and remedy some aspects of these problems.

PBKDF2 (Password-Based Key Derivation Function)
- PBKDF2 article at Wikipedia
- RFC 2898: PKCS #5: Password-Based Cryptography Specification Version 2.0
Introduces a cpu-intensive step in key setup (maybe several seconds)
Sometimes called key strengthening
Artificial inflation of data
Similar to salt and pseudo-random function (hash, cipher, etc.)
makes precomputed dictionary attacks harder
makes brute force more complicated (larger key space)
does not improve insufficient entropy

TKS1: Template Key Setup 1

TKS1 is a concrete design using the ideas expressed earlier in this chapter.

Security Community > New Methods in Hard Disk Encryption Summary > tks1.png

Chapter 6: A Tour of LUKS: Linux Unified Key Setup

Integrated after loop-AES
Reference implementation of TKS1 and disk encryption
Uses cryptsetup and dm-crypt
Uses a partition header to store info.

Additional Info

(Material in this section is not covered in the paper, but I thought it should be added here. PEB)

Plausible Deniability

Anti-forensic techniques to hide the existence of an encrypted volume.
Encrypted data appear to be random.
Most encryption products use some kind of header structure, e.g. a header probably contains the encrypted master key. This header may be a "signature" that can be used to identify an encrypted volume.
Some products (e.g. TrueCrypt) store this header encrypted. In this case the encrypted volume does not have a signature. It just appears to be random data.
Time stamps (atime,ctime) of file-hosted volumes can be preserved.
File names or extensions may also provide a signature. Products that allow any file name to be used avoid this.
Initializing the entire (real) volume with random numbers (dd if=/dev/urandom of=/dev/hdaX) makes it harder to identify fragments of encrypted data.

Steganography

Even with the Plausible deniability features above, the existence of large files of random data may be a sign of the use of cryptography.
Steganography deals with concealing data in other "ordinary" data, e.g an image, audio file, etc.
TrueCrypt supports having an "inner" volume in the unused space of another
truecrypt volume.