CONTENTS

SYNOPSIS

DESCRIPTION

We cannot at this point guarantee that the on-disk format will not change in response to reviews or bug-fixes, so potential users are advised to be prepared that dump 8 / restore(8) based migrations may be called for in the future.
.Ef

The objective of this facility is to provide a high degree of denial of access to the contents of a "cold" storage device.

Be aware that if the computer is compromised while up and running and the storage device is actively attached and opened with a valid pass-phrase, this facility offers no protection or denial of access to the contents of the storage device.

If, on the other hand, the device is "cold", it should present an formidable challenge for an attacker to gain access to the contents in the absence of a valid pass-phrase.

Four cryptographic barriers must be passed to gain access to the data, and only a valid pass-phrase will yield this access.

Third barrier: decryption of the sector key.

Fourth barrier: decryption of the sector data.

Examining the reverse path

First he will have to derive from the encrypted sector and the known plain text the sector key(s) used. At the time of writing, it has been speculated that it could maybe be possible to break open AES in only 2^80 operations; even so, that is still a very impossible task.

Armed with one or more sector keys, our patient attacker will then go through essentially the same exercise, using the sector key and the encrypted sector key to find the key used to encrypt the sectorkey.

Armed with one or more of these "kkeys", our attacker has to run them backwards through MD5. Even though he knows that the input to MD5 was 24 bytes and has the value of 8 of these bytes from the sector number, he is still faced with 2^128 equally likely possibilities.

Having successfully done that, our attacker has successfully discovered up to 16 bytes of the master-key, but is still unaware which 16 bytes, and in which other sectors any of these known bytes contribute to the kkey.

To unravel the last bit, the attacker has to guess the 16 byte random-bits salt stored in the lock-sector to recover the indexes into the masterkey.

Imagine an installation with a vault with walls of several hundred meters thick solid steel. This vault can only be feasibly accessed using the single key, which has a complexity comparable to a number with 600 digits.

This key exists in four copies, each of which is stored in one of four small safes, each of which can be opened with unique key which has a complexity comparable to an 80 digit number.

In addition to the masterkey, each of the four safes also contains the exact locations of all four key-safes which are located in randomly chosen places on the outside surface of the vault where they are practically impossible to detect when they are closed.

Finally, each safe contains four switches which are wired to a bar of dynamite inside each of the four safes.

In addition to this, a keyholder after opening his key-safe is also able to install a copy of the master-key and re-key any of key-safes (including his own).

In normal use, the user will open the safe for which he has the key, take out the master-key and access the vault. When done, he will lock up the master-key in the safe again.

If a keyholder-X for some reason distrusts keyholder-Y, she has the option of opening her own safe, flipping one of the switches and detonating the bar of dynamite in safe-Y. This will obliterate the master-key in that safe and thereby deny keyholder-Y access to the vault.

Should the facility come under attack, any of the keyholders can detonate all four bars of dynamite and thereby make sure that access to the vault is denied to everybody, keyholders and attackers alike. Should the facility fall to the enemy, and a keyholder be forced to apply his personal key, he can do so in confidence that the contents of his safe will not yield access to the vault, and the enemy will hopefully realize that applying further pressure on the personnel will not give access to the vault.

This can be used to offer a plausible deniability of existence, where it will be impossible to prove that this specific area of the device is in fact used to store encrypted data and not just random junk.

The main obstacle in this is that the output from any encryption algorithm worth its salt is so totally random looking that it stands out like a sore thumb amongst practically any other sort of data which contains at least some kind of structure or identifying byte sequences.

Certain file formats like ELF contain multiple distinct sections, and it would be possible to locate things just right in such a way that a device contains a partition with a file system with a large executable, (""abackup copy of my kernel"") where a non-loaded ELF section is laid out consecutively on the device and thereby could be used to contain a gbde encrypted device.

The payload is encrypted with AES in CBC mode using a 128 bit random single-use key (""theskey""). AES is well documented.

No IV is used in the encryption of the sectors, the assumption being that since the key is random bits and single-use, an IV adds nothing to the security of AES.

The random key is produced with arc4rand(9) which is believed to do a respectable job at producing unpredictable bytes.

The skey is stored on the device in a location which can be derived from the location of the encrypted payload data. The stored copy is encrypted with AES in CBC mode using a 128 bit key (""thekkey"") derived from a subset of the master key chosen by the output of an MD5 hash over a 16 byte random bit static salt and the sector offset. Up to 6.25% of the masterkey (16 bytes out of 2048 bits) will be selected and hashed through MD5 with the sector offset to generate the kkey.

Up to four copies of the master-key and associated geometry information is stored on the device in static randomly chosen sectors. The exact location inside the sector is randomly chosen. The order in which the fields are encoded depends on the key-material. The encoded byte-stream is encrypted with AES in CBC mode using 256 bit key-material.

The key-material is derived from the user-entered pass-phrase using 512 bit SHA2.

HISTORY

AUTHORS