Posts Tagged ‘aes’

TrueCrypt 6.0a

July 21, 2008

I’m a bit late on this one, but TrueCrypt 6 was released earlier this month. This upgrade won’t be a major benefit to everyone, but it does have some interesting new features.

The first is the ability to create hidden encrypted operating systems when using whole-disk encryption. This works in a similar fashion to hidden encrypted disk containers. That is, you have a primary boot partition that is encrypted with one password, and a second virtual one that is contained within the primary, but encrypted with another password. The password you enter will determine which partition is loaded and, without knowing the password, it is impossible to know that there is a second hidden operating system. This is called plausible deniability and allows you to have a “decoy” or “safe” operating system to open if, for example, you were under duress. While most of us aren’t spies, this feature may still come in handy.

The other new features are more performance and reliability enhancements. TrueCrypt is now multi-core aware, so if you’re creating a lot of encrypted disks, the time to encrypt them will now be halved on a dual-core, quartered on a quad-core, etc. In the area of reliability, the team have added header redundancy so you have a greater chance of recovering a damaged container or partition.

For regular use, you probably won’t notice a lot of difference, but nonetheless, it’s another great release from the TrueCrypt team.

IronKey: A Seriously Secure USB Drive

April 27, 2008

I use TrueCrypt to encrypt anything sensitive on my USB drive and I sleep extremely well at night, knowing that no-one in their right mind would try to break its 256-bit AES encryption. While I know that it’s theoretically possible to do so, it doesn’t really matter, because nothing I have is worth dedicating a server farm to brute force it. Some people do have data that important on their USB drives, and that’s why there’s IronKey.

TrueCrypt’s greatest weakness is that it is susceptible to offline attacks. That is to say, if someone gets hold of a TrueCrypt volume, they are able to try a variety of techniques to guess the password, with computer power being their only limitation. TrueCrypt places no limit on how many times you can attempt a password. IronKey, on the other hand, limits you to ten consecutive incorrect attempts. After that, it destroys all the encryption keys and data. For good.

IronKey was developed as a piece of security hardware and, as such, has a bunch of features which make it, to my knowledge, the most hacker-proof data storage device on the market. Not only does it limit the number of incorrect passwords before self-destruct, it also ensures that even the encrypted data cannot be removed from the device, which means it is not susceptible to offline attacks.
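The difference between the two models can be sketched in a few lines. This is an added example, not code from TrueCrypt or IronKey: the class names, the PBKDF2 verifier and the iteration count are assumptions chosen for illustration, and only the ten-attempt limit comes from the post.

```python
import hashlib
import hmac
import os

MAX_ATTEMPTS = 10   # consecutive-failure limit the post gives for IronKey
ITERATIONS = 1000   # assumption: kept low so the demo runs quickly


def derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class FileContainer:
    """Software volume: whoever copies the file can test guesses without limit."""

    def __init__(self, password):
        self.salt = os.urandom(16)
        self.verifier = derive(password, self.salt)

    def try_password(self, guess):
        return hmac.compare_digest(derive(guess, self.salt), self.verifier)


class LimitedDevice(FileContainer):
    """Hardware model: the check runs inside the device, which counts failures."""

    def __init__(self, password):
        super().__init__(password)
        self.failures = 0
        self.wiped = False

    def try_password(self, guess):
        if self.wiped:
            return False                 # key material is gone for good
        if super().try_password(guess):
            self.failures = 0            # only consecutive failures count
            return True
        self.failures += 1
        if self.failures >= MAX_ATTEMPTS:
            self.verifier = None         # destroy the stored secret
            self.wiped = True
        return False


def first_success(store, guesses):
    """Return the 1-based index of the first accepted guess, or None."""
    for n, guess in enumerate(guesses, start=1):
        if store.try_password(guess):
            return n
    return None
```

With the file container, the only defences are password strength and the cost of each key derivation; with the device model, even the correct password is rejected once the counter has tripped.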

First off, you can’t see any data without first authenticating with the device. Second, if you try to physically tamper with the device, the epoxy filling in the device will cause the data and encryption chips to break. Last of all, the device is electron-shielded, so you can’t scan it to elicit data. Its sturdy metal-cased and epoxy-filled construction keeps your data safe from unintentional physical damage too.

All this, along with hardware-based AES encryption, makes for a very secure device. If you have data that’s worth paying US$79 (for the 1GB version) to protect, take a look. If you’re like me, TrueCrypt is still a phenomenally secure solution.

TrueCrypt 5.1a

March 17, 2008

The TrueCrypt team are working overtime adding improvements and bug fixes.

This time they’ve increased boot speed (for system encrypted drives) by ~10% and fixed some system incompatibility issues which could lead to the hibernation file being left unencrypted on particular setups. Good to see them dealing with these issues so quickly, yet another reason TrueCrypt’s such a great product.

TrueCrypt 5.1

March 14, 2008

A few days ago, the TrueCrypt guys released version 5.1 of their stunningly secure and free data encryption utility. The release of TrueCrypt 5.0 added support for system partition encryption, i.e. encrypting every byte on your OS partition, so you have to enter a password before Windows/OSX/Linux boots. 5.1 added hibernation support for this sort of encryption.

Whole disk encryption isn’t a do-or-die for everyone, so here’s my two cents on using TrueCrypt.

USB Sticks: They’re just asking to be lost. If they are, any old sideshow could read through your resume, work documents, love letters and whatever else you keep on it. TrueCrypt has a ‘Traveller Disk’ tool which lets you encrypt some or all of your USB stick. Making a small (mine’s 100MB) encrypted file container (an encrypted file which you mount as a drive letter) will give you enough space to lock up your important files, while leaving your videos and mp3s alone. TrueCrypt throws a portable version of the software on your USB so you always have it on hand.

External Hard Drives: From a security point of view, these are similar to USB Sticks. They’re small, light and easily stolen/lost. However, you’re likely to store a lot more data on them and the data’s likely to be more important. It’s best to encrypt the whole disk. A couple of caveats though. Unlike system partition encryption, you can’t just click “decrypt disk” to get rid of the encryption. You have to copy the data off the disk, reformat, then copy it back on. Another issue is that if you use your disk on other people’s systems, you’ll have to install TrueCrypt first. If either will cause problems, figure out what needs to be secured and create an encrypted file container.

Laptops: There are a lot of news articles about laptop theft. Because they are so tempting to thieves, it’s probably best to encrypt your whole disk. You could just create an encrypted file container or encrypt your data partition (if you have one), but it’s better to do the whole lot, just in case you have some financial papers or embarrassing photos stored somewhere you’ve forgotten about.

Desktops: The risk of these being lost/stolen is significantly less than laptops or USB sticks, but it still happens. Encrypting your whole disk doesn’t hurt. In fact, according to tests by Steve Gibson, it actually makes your drive run faster in some situations. That said, even though TrueCrypt is phenomenally reliable, encrypting your drive could make it more difficult to recover data from if there is a problem. It’s probably better to create an encrypted file container and mount that. If you have a separate HDD or partition for your data (which is recommended, less system file fragmentation), you can encrypt the whole thing and have TrueCrypt auto-mount and prompt for a password when you boot up your OS.

Then again, if you don’t store anything private on your computer, don’t bother. But chances are you have at least a few files which are worth the small inconvenience of using TrueCrypt. I highly recommend giving it a try.


Some RFID Cards Cracked

March 11, 2008

I don’t understand why people develop proprietary encryption. Seems like a lot of effort for no gain. AES is rock solid and there are a number of secure hashing standards… and they’re free to use.

Here’s the reason this issue has come up. NXP Semiconductors, an RFID access card manufacturer, have sold over a billion of their ‘Mifare Classic’ RFID cards. Recently, some University of Virginia researchers physically opened one of these cards and, using a microscope to analyse the physical logic gates, worked out the proprietary algorithm. It’s called ‘Crypto1’.

Turns out Crypto1 is a dud. It produces cryptographically weak output allowing an attacker to guess the key in a matter of minutes. Because it’s RFID, an attacker doesn’t even need physical access to the card. Seeing as these cards are potentially used as access tokens for buildings around the world, this could potentially be a threat to your company’s security. We may never know how big this issue becomes, seeing as it would be unwise to publicly announce that you use a broken security technology.

The point here is that companies shouldn’t use proprietary security. They should use open standards like AES, which has been pounded on, without fault, for years. Security through obscurity is a poor practice.

To the credit of NXP, they have now released the ‘Mifare Plus’, which is backwards-compatible with the ‘Classic’ system, and supports AES. It ain’t a free upgrade though.

KeePass Password Safe

March 2, 2008

Passwords are annoying. If we make them too simple they can be cracked. If we make them too complex they will be forgotten. We also don’t want to use the same password for every account we have, in case someone gets hold of it.

It’s easy to use the password manager built into the browser to cut out the hassle, but these password managers have limitations. Few let you review and change the saved information and, unless you are using a portable browser, it’s stuck on the one machine.

KeePass is a good solution. It’s a lightweight, open source password manager which lets you organise your ever-growing list of passwords and encrypt them with 256-bit AES. You then use one master password to get access to the database.

You can throw it on a USB key or save it in a draft email on your online account so you have access to it wherever you may be. It probably isn’t worth the effort putting overly complex passwords on everything, but at least for financial accounts, this is very useful.

The interface is a bit cluttered, but with the search bar it doesn’t really matter.