Friday, March 19, 2010

Paper Keys and Me Wearing the Dunce Hat

When I said you could ignore this blog for the next couple of weeks, little did I realize how true that would be. I know this is the internet where no-one is ever wrong, but I'd like to retract some of the statements I made in the previous post about Safeberg's use of paper keys. As I said before, I won't always be right, but I will try to correct myself when I am proven wrong.

My real failure was that I didn't take the time to perform the proper research. That's why I wasn't planning on posting anything in the first place. But then I saw pictures like the one below, and just about every, "Someone is BSing me" alarm I had went off. Hence the angry post.


While some of the underlying points I made were factually correct, I had in my mind that Safeberg was selling standard file encryption software like Truecrypt. Instead they provide file storage and recovery. That's a pretty big misunderstanding on my part. The reason why that makes a difference is the threat models they fall under, and the people who would end up using them.

With normal file encryption the main worries are A) I lost my laptop, or B) The cops kicked down my door and took my laptop. With file backup though, your major worries are a hacker compromising Safeburg's website and grabbing your files, or a hacker breaking into your account and downloading your files. As for the userbases, well with file encryption you're talking about reasonable tech savvy people, or enterprise users who can be trained. With file backup, you're including the general public.

The important thing to remember is that since Safeburg is using PKI, not only are they encrypting your files, but they are encrypting them in a way that only you have access to the key to decrypt them. That's huge. Aka if Safeburg's website gets completely p0wned, an attacker still can't decypt your files. Also, even if an attacker guesses the password to your account, they don't have the private key to decrypt any of the files they download.

As I stated in my original post though, this security is provided by the use of PKI, and public/private keys themselves. It doesn't make you any more secure though if the key is stored on a USB drive or piece of paper. That's where I forgot that everyone is not like me, (and trust me, that's a very good thing). For instance, here is a picture of me grabbing up a couple of items I could store a private key on that I had lying around my desk:



Note, the above doesn't include an old palm phone my roommate was going to throw away, my voice recorder, my slide clicker, or about 10 other usb drives I've picked up over the years. Also, I just wear my defcon speaker badge around all the time. There's no way you could store a private key on it ;)

Most people don't have a modded defcon badge or for that matter a spare usb drive. Even if they do, how many people do you think would accidently save the key to their harddrive instead? People don't understand computers. But just about everyone understands paper records. That means from a usability standpoint, paper keys make a whole lot of sense.

I want to stress the part about PKI again. For file backup, encryption is useless if you give Safeberg the key. If an attacker breaks into their site, then they will also have access to the key. If they break into your account, then they can use the stored key to decrypt your files. The security comes from keeping the key to yourself. Also, the key has to be stored separately from the user's computer. This isn't a security feature so much as the fact that you're backing up your files at a remote site specifically because you are worried your computer is going to die on you. Therefore from what I can tell Safeberg really seems to be on the right track with this, and I should not have called what they were doing snake oil. The worst I can say is their marketing department stretches the truth a bit, but then, so does everyone else.

Wednesday, March 3, 2010

Paper Keys and Tinfoil Hats

I know I said I wasn't going to post anything, but then I saw this craziness on slashdot and like other bad ideas I just have to share it.

For those of you who don't want to click on the link, (smart move), a short summary is that a company called Safeberg is marketing file encryption software where the private RSA key is stored on a printed out piece of paper. To decrypt your files, you just take a picture of the key with your web-cam and their software will turn it back into a digital key. You can see a YouTube video they produced about it here. No seriously, this is a real product...

How do I know this is snake oil?
  1. It's using zany solutions to something that's not a problem
  2. They spend all their time talking about key length
First, let's back up and talk about file encryption. I've written a proof of concept password cracker for TrueCrypt encrypted files, and I'm currently working with another graduate student to implement it using GPU processors, so this is a topic that interests me a lot.

With most file encryption software, there actually are two keys used to encrypt your files. The first key is a symmetric key used to encrypt/decrypt files with algorithms like AES, Twofish, etc. This is the key you are generating when you spend a couple minutes moving your mouse all over the screen when setting up a TrueCrypt container. Symmetric encryption algorithms are almost always used due to the speed/computation power required to encrypt and decrypt large files. In Safeberg's product they actually use a 192 bit AES key.

The second key is used to encrypt the file header for the encrypted files. The file header contains a lot of important informations, (such as file length, information about the individual files, checksums, etc), which is depended on the encryption product being used. The encrypted file header also contains the previously mentioned file encryption key. When a user decrypts the file-header, the encryption program extracts the file encryption key and then uses that to decrypt the actual files. There's a couple of reasons why these two keys are separate:

First, this allows a user to easily change their password, or specify a new public/private key pair. If only one key was used, then when a user changes their password all the files would have to be re-encrypted. That would really be a pain for applications like full hard drive encryption. With two keys though, when a user changes their password all the program needs to do is recreate the encrypted file header.

Second, having two keys allows for an administrative recovery key. Basically a second copy of the file-header is stored but encrypted with a master administrative key. That way the user can change their password; the user doesn't have to tell their sys-admin about their password; but when the user forgets their password the files can be recovered. This feature is VERY important in a corporate setting.

The file-header can actually be encrypted in many different ways. If a human-generated password is used, that password is then hashed, and the resulting hash is then used as the key for the symmetric encryption algorithm. For example TrueCrypt uses the PBKDF2 framework available in RSA's PKCS #5 v2.0 standard to hash a user's password and turn it into an AES, TwoFish or Serpent key. Asymmetric encryption can also be used to decrypt the file encryption key. In this case, the file encryption key is stored in something resembling a certificate, but in this case the certificate is encrypted with the public key. That way the user can decrypt the certificate when they enter in their private key. This method is used by default both by Microsoft's BitLocker, and apparently Safeberg's product as well. TrueCrypt and PGP can also use asymmetric keys.

I'm not going to go into the whole human-generated password vs. public/private key debate. It's sufficient to say they both have their advantages/disadvantages. Luke O'Conner has a couple of great posts on using human-generated passwords to generate symmetric encryption keys here and here if you are interested. What is relevant to this post though, is that if a private key is used, it needs to be stored on some sort of media separate from the encrypted files. Traditionally this is a usb thumbdrive, but smart-cards are another popular option. All Safeberg is doing is storing the private key on a piece of paper instead. This isn't rocket science since you can represent a 4096 private key using a string of 683 characters composed of lower/upper/digits+2 special characters. This post is already over 4,500 characters at this point so this could be my clever private key right here ;).

The question then becomes, how much safer are you using a piece of paper to store your private key vs a usb drive? This is where my imagination fails me. Short of some crazy spy situation, "I print the key as a pattern on the inside of my shirt so the border guard doesn't suspect a thing" I can't think of a single use-case where printing the key out on a piece of paper would provide you any additional security. And that's why this idea is physically hurting my brain. At least with a usb, it is easy to encrypt it was a human-generated password so now you have two-factor authentication:
  1. Something you know -the password
  2. Something you have -the private key on the USB drive
Also, it's been my experience when people start talking about weird/zany things like printing out keys on paper, they often forget to focus on the fundamentals when it comes to file encryption. For example, how do they store the file encryption key in memory? How do they ensure the file encryption key isn't saved in a page-file? Well, you get the idea. Their product may actually be secure, but I wouldn't trust it without it going through a lot of independent testing beforehand. In short, snake-oil.

Edit: I just viewed this video and apparently their products mostly focus on encrypting online file backups. Now I'm really curious about what other online backup companies do... Also upon further reflection I might have been a bit too harsh since while paper keys might not be a security feature, they could be a very strong usability feature. That being said, since they are marketing it as a security feature I'm going to leave the above post as is.

Monday, March 1, 2010

Just a FYI

I apologize for the lack of actual posts. Right now I'm facing several fairly strict deadlines when it comes to graduating, so you probably can ignore this blog for the next two weeks or so. I know, it's annoying for me too because from real life spies caught on camera, to a new WPA attack, there's a few things to blog about...

For now though, it's LoLcats and funny comics 24/7