Wednesday, March 3, 2010

Paper Keys and Tinfoil Hats

I know I said I wasn't going to post anything, but then I saw this craziness on slashdot and like other bad ideas I just have to share it.

For those of you who don't want to click on the link, (smart move), a short summary is that a company called Safeberg is marketing file encryption software where the private RSA key is stored on a printed out piece of paper. To decrypt your files, you just take a picture of the key with your web-cam and their software will turn it back into a digital key. You can see a YouTube video they produced about it here. No seriously, this is a real product...

How do I know this is snake oil?
  1. It's using zany solutions to something that's not a problem
  2. They spend all their time talking about key length
First, let's back up and talk about file encryption. I've written a proof of concept password cracker for TrueCrypt encrypted files, and I'm currently working with another graduate student to implement it using GPU processors, so this is a topic that interests me a lot.

With most file encryption software, there actually are two keys used to encrypt your files. The first key is a symmetric key used to encrypt/decrypt files with algorithms like AES, Twofish, etc. This is the key you are generating when you spend a couple minutes moving your mouse all over the screen when setting up a TrueCrypt container. Symmetric encryption algorithms are almost always used due to the speed/computation power required to encrypt and decrypt large files. In Safeberg's product they actually use a 192 bit AES key.

The second key is used to encrypt the file header for the encrypted files. The file header contains a lot of important informations, (such as file length, information about the individual files, checksums, etc), which is depended on the encryption product being used. The encrypted file header also contains the previously mentioned file encryption key. When a user decrypts the file-header, the encryption program extracts the file encryption key and then uses that to decrypt the actual files. There's a couple of reasons why these two keys are separate:

First, this allows a user to easily change their password, or specify a new public/private key pair. If only one key was used, then when a user changes their password all the files would have to be re-encrypted. That would really be a pain for applications like full hard drive encryption. With two keys though, when a user changes their password all the program needs to do is recreate the encrypted file header.

Second, having two keys allows for an administrative recovery key. Basically a second copy of the file-header is stored but encrypted with a master administrative key. That way the user can change their password; the user doesn't have to tell their sys-admin about their password; but when the user forgets their password the files can be recovered. This feature is VERY important in a corporate setting.

The file-header can actually be encrypted in many different ways. If a human-generated password is used, that password is then hashed, and the resulting hash is then used as the key for the symmetric encryption algorithm. For example TrueCrypt uses the PBKDF2 framework available in RSA's PKCS #5 v2.0 standard to hash a user's password and turn it into an AES, TwoFish or Serpent key. Asymmetric encryption can also be used to decrypt the file encryption key. In this case, the file encryption key is stored in something resembling a certificate, but in this case the certificate is encrypted with the public key. That way the user can decrypt the certificate when they enter in their private key. This method is used by default both by Microsoft's BitLocker, and apparently Safeberg's product as well. TrueCrypt and PGP can also use asymmetric keys.

I'm not going to go into the whole human-generated password vs. public/private key debate. It's sufficient to say they both have their advantages/disadvantages. Luke O'Conner has a couple of great posts on using human-generated passwords to generate symmetric encryption keys here and here if you are interested. What is relevant to this post though, is that if a private key is used, it needs to be stored on some sort of media separate from the encrypted files. Traditionally this is a usb thumbdrive, but smart-cards are another popular option. All Safeberg is doing is storing the private key on a piece of paper instead. This isn't rocket science since you can represent a 4096 private key using a string of 683 characters composed of lower/upper/digits+2 special characters. This post is already over 4,500 characters at this point so this could be my clever private key right here ;).

The question then becomes, how much safer are you using a piece of paper to store your private key vs a usb drive? This is where my imagination fails me. Short of some crazy spy situation, "I print the key as a pattern on the inside of my shirt so the border guard doesn't suspect a thing" I can't think of a single use-case where printing the key out on a piece of paper would provide you any additional security. And that's why this idea is physically hurting my brain. At least with a usb, it is easy to encrypt it was a human-generated password so now you have two-factor authentication:
  1. Something you know -the password
  2. Something you have -the private key on the USB drive
Also, it's been my experience when people start talking about weird/zany things like printing out keys on paper, they often forget to focus on the fundamentals when it comes to file encryption. For example, how do they store the file encryption key in memory? How do they ensure the file encryption key isn't saved in a page-file? Well, you get the idea. Their product may actually be secure, but I wouldn't trust it without it going through a lot of independent testing beforehand. In short, snake-oil.

Edit: I just viewed this video and apparently their products mostly focus on encrypting online file backups. Now I'm really curious about what other online backup companies do... Also upon further reflection I might have been a bit too harsh since while paper keys might not be a security feature, they could be a very strong usability feature. That being said, since they are marketing it as a security feature I'm going to leave the above post as is.

5 comments:

Ohswin said...

Where does the company market the paper key as a security feature? Seems they simply promote it as an optional method to store a key offline for a long time.

Matt Weir said...

Actually, I'm probably going to post a follow-up since the idea is growing on me as a usability issue. Not everyone has a spare usb key laying around, and when I wrote the original post I didn't realize it was for file backups. That being said, without a doubt they are marketing it as a security feature first and foremost. From what they wrote on the front page of their website:

"Want ultimate security? Safeberg offers an optional offline key that you can print on paper."

To the blurb they put in front of their youtube videos: http://tinyurl.com/yctwdeo

they are pushing the security aspect. The thing is, they probably are more secure than most online file backup services since they are using public/private keys to encrypt the file encryption key. My main disagreement was that a paper key doesn't enhance security. As I said in the edit, I was too harsh on them. I certainly merited the +disagree click ;)

Ohswin said...

I got your point. But they allow it as an extra feature, not a key functionality. You can login like the traditional way (ie. with a password and username), but also with the paperkey. Sorry for the disagree =p

Matt Weir said...

Don't apologize for that. There's a reason why I have that button there. I'm just saying you were right ;)

Dustin said...

Thanks for the post! I found the companies approach at least interesting. I wonder if an engineer at their company really wanted to work with 'QR-type' Coding and pushed the concept.->Being an EE I can see that as a possibility :).

However, as both of you suggested, Safeberg could just be offering a viable alternative to those not able to carry around a thumb drive or smartcard.