1 -= The Gringotts FAQ =- 2 3 4 -= The Project =- 5 6 7Q: Why Gringotts, in first place? 8 9A: The name comes from a famous book saga for children, by J.K.Rowling, and it 10 is the name of a bank, famous for its extreme safety. If you still have 11 doubts, the best thing you can do is to read the books - they're cool! :) The 12 idea of the program comes from a similar program I once used under Windows - 13 I can't remember its name. Since I had the desire to program something about 14 security, I started this. Now the application is quite different from that, 15 because of all the people who gave me invaluable advice... :) 16 17 18 -= On Security =- 19 20 21Q: You define it a strongbox. How safe it is, actually? 22 23A: Very safe, and not entirely safe. If a malicious user put his hands on a file 24 created with Gringotts (Grg, from now on), there's virtually nothing he can 25 do to open it without knowing the password. It can't retrieve any information 26 about the content - neither the type of password, nor the kind of data 27 contained. It's all locked. 28 29 30Q: What if the attacker can access the system I'm working into? 31 32A: It still has barely a remote chance to read them. The memory is protected, 33 and neither users nor root can spy it; the data that are written to temporary 34 files are coded with temporary keys, so they're safe, too. Data is also 35 protected from paging, and gets overwritten with random data at exit, so 36 after the use of Gringotts he can't get anything dumping the memory you wrote 37 to, or the swap file. 38 39 40Q: What if it can see my screen?? 41 42A: Don't joke. It's impossible to protect anything in these conditions... or 43 maybe it is... ;-) I've received an important advice on this, and I'm 44 working on it :) 45 46 47Q: Amazing! It's totally safe! 48 49A: No :( Grg is built on top of Gtk+, and even if these are very safe 50 libraries, they aren't designed with the same goal as Grg in mind. They would 51 be too slow, for istance. So, it's still true that nothing gets paged and no 52 one can spy in the memory, but not all the data gets securely erased after 53 use. Not clipboard, nor the editor buffer, for instance. Be careful. I'm 54 working on it, anyway. 55 56 57Q: Ok, ok. What else does it provide? 58 59A: Some other cute features. It allows the user to securely delete files, in 60 such a way that no one can recover them later. It allows one to use different 61 password than just strings. 62 63 64Q: Nice! Tell me more on this! 65 66A: Well, the user can use three kind of passwords. The first is plain text, the 67 usual ones. Simple character blah-blah-blah. The second, files. You can use 68 any regular file to protect data. If an attacker doesn't have that file, he 69 can't even dream to open your data. Third, floppy disks. This is the closest 70 thing to smart cards available on common PC's: insert your key disk, use it 71 to protect your data, and store it in a safe place. As long as no one can 72 access it, no one will be able to read your passwords... :) 73 The nice thing about this all is that it's impossible to tell what kind of 74 password you used to protect your data by just looking at the file! 75 76 77Q: Is there something I should know about string passwords? 78 79A: Hmm... they can be up to 32 bytes in size... and when you first type your 80 password, a gauge will tell you how "good" it is. You have an idea of how 81 secure your data will be. 82 My advice for this choice is the usual: try to use as many characters, 83 symbols and numbers you can, and be sure not to forget it. 84 85 86Q: Is there something I should know about passfiles? 87 88A: When using a file, the "password quality" is very secure because both its 89 length and its alphabet size will be considerably larger. If you're on your 90 "private" system, at home, and want to store your data in a "public" place 91 (i.e. an internet repository), you can use this feature to simply ensure a 92 much better password quality. 93 The bad thing is that, if you aren't careful, the number of possible keys 94 will be *much smaller* using files than using passwords: in fact, you'll need 95 to choose a file that won't change, and if you are on a "public" system (i.e. 96 logged on a system where other users are logged on, too) the choice could be 97 quite limited. So, a brute-force attack that simply tries all the files in 98 the system is relatively simple to do. Don't rely on simply deleting a file; 99 it can be undeleted, so it's better use the `wipe file' tool present in 100 Gringotts. The best thing to do is probably to store the file on a removable 101 device (i.e. a floppy disk) and bring it with you... and keep it safe. 102 103 Here are some notes to take into consideration: 104 105 * Pay extra attention to the integrity of the file you use: if you lose it or 106 it gets corrupted, you'll lose your data! There's NO recovering! 107 * Only the *content* of the file is used. So, you can change file name, date, 108 permissions as much as you want; as long as the content is preserved, it 109 will work. 110 * Don't rely on being able to generate the same password file. For example, 111 if you compile a program and use the binary as password, don't assume you 112 will be able to re-generate the /very same/ file: next time, something can 113 be different, and even a slight difference will lead to a different result, 114 trashing your data! This is valid also for "generated" images, especially 115 using lossy algorithms (JPEG...). 116 * Generating files from commandline (i.e. 117 118 echo "password" | bzip2 -c | gzip -c > file.pwd 119 120 ) may be a good idea, *but* be careful, all the same: be sure to erase the 121 command from the bash history (~/.bash_history), and, when you delete the 122 generated file (and the bash history, in case), to ensure they can't be 123 undeleted. 124 * Password files (and strings) are hashed into keys, to be used by the coder. 125 These keys are generally of 256 bits, which are 32 bytes. So, if you use a 126 good file (that is, a file in which bytes can assume all the 255 values, 127 and aren't disposed in any particular pattern, for example in some binary 128 data), a 32 byte file is just as good as a 512 Kb one. 129 Is this a weakness? No! A good hashing algorithm (and the two used by 130 Gringotts are the best) will scramble the data in a very impredictable 131 manner, so there's NO way to guess the key without knowing the password. In 132 a word: just pick a password and use it, and don't worry! :-) 133 * It's better not to leave files on the hard drive, anyway. Store them in 134 something you can protect such as a CD, a USB flash drive, etc, and keep it 135 safe. Remember to securely wipe files from hard disk when you delete them! 136 137Q: Is there something I should know about keydisks? 138 139A: Using floppy disks as passwords can effectively improve safety of your data. 140 If you choose the disk carefully, it's very unlikely that an opponent can 141 find one *exactly* equal to yours. Again, here are some considerations: 142 143 * choose non-standard disks. Avoid use of default linux boot disks, for 144 example. They can easily be downloaded on the Internet. Use a disk for a 145 while, add files to it, remove them, read some more -- and then use it. 146 * the good thing of this feature is that as long as an attacker can't access 147 the "keydisk", he can't access the data, either. The bad case would be if 148 the disks in your collection are few. So: don't let the keydisk hang around 149 on your desktop! Hide it in a safe place! 150 * magnetic media are delicate: dust, heat or a weak magnetic field can make 151 your data unrecoverable. BEWARE! Store the disk in a cool place, wrapped, 152 and far from magnetic fields. 153 * ...and make backups! In UNIX, it's simply a matter of 154 155 cat /dev/fd0 > floppy.img 156 157 then you can protect the image as you like: compress it, copy it to other 158 disks (make backups of your disk and hide them; it's the best solution), 159 store it on a safe and less error-prone CD-R.. only, take care not to leave 160 the image file on the hard disk, and to wipe it securely. It can be 161 restored with 162 163 cat floppy.img > /dev/fd0 164 165 166Q: Anything else? 167 168A: Please be aware that the most common way to crack a password isn't done 169 analyzing the file, but analyzing the owner! Don't use obvious passwords, and 170 please, please don't write them in paper sheets, booklets, unprotected PDAs.. 171 In a word: be careful! 172 173 174Q: What if I lose the password/passfile/keydisk? 175 176A: Short answer: no way back. Please, be careful with it. 177 Long answer: there can't be a way back, in a safe system. Gringotts could do 178 two things to grant a solution: tell you the password, and be able to recover 179 the data with another one, or without any. In the first case, the password 180 should be stored in the file, and an attacker could retrieve it pretending to 181 be you. The only way to prevent this would be to protect it... with another 182 password. So what's the use? The second solution is really stupid: if you can 183 access to the data without the password, anyone could. 184 Another short answer: protect Your Password!!! 185 186 187 -= Configurations =- 188 189 190Q: What's that `strong random' stuff, in ./configure and/or commandline? 191 192A: You can make the program use /dev/random instead of /dev/urandom as the 193 source of random data. I mean with `strong randomness'. You do this by 194 specifying the option `--enable-strong-random' in ./configure for 195 Gringotts <= 1.2.0, or by passing the commandline option `--strong-random' in 196 later versions. 197 /dev/random returns only true random data; when no more random data are 198 available, it stops and waits for the entropy sources. 199 In such cases, it will block the application. When alot of random data is 200 required (i.e. in saving and loading of files, etc), it can be a real pain. 201 Using /dev/urandom will provide a constant stream of numbers, calculating 202 them with a cryptographically strong algorythm based on the true random data 203 available. This means that it's almost as secure as the other method, but 204 much faster. 205 206 207Q: Why are there many algorithms to choose among. What are they used for? 208 209A: There are three types of algorithms to choose. Basically, the data you submit 210 to Grg are compressed, then encrypted using a key. This key is obtained by 211 hashing the password you provide. You can choose the algorithms used to 212 perform these three operations: encrypting, hashing and compressing. Of 213 course, you can also decide the compression ratio. "0" actually means that 214 you didn't use any compression algorithm. 215 216 217Q: Which is the best encryption algorithm to use? 218 219A: Your mileage may vary. Basically, all the algorithms used are safe ones. 220 They are chosen among the contestants to be AES; LOKI97, SAFER+ and CAST-256 221 which didn't get to the final phase; first was Rijndael (128), that was 222 designed to be the AES. Second prize went to Serpent, while Twofish was 223 third. Rijndael 256 is a 256-bit-block version of Rijndael, thus a little 224 safer. 3DES (Triple DES) was the algorithm of choice before AES, after DES 225 was proved to be unsafe. 226 Serpent is thought to be the safest, while Rijndael is the best tradeoff 227 between speed and safety. Recent attacks seem to have cast doubts on both of 228 them, while Twofish seems to be unaffected. But no one knows for sure if 229 these attacks are really exploitable. 230 For more information see http://www.counterpane.com/crypto-gram-0209.html#1 231 and http://www.counterpane.com/crypto-gram-0210.html#2 232 Anyways, we are in the field of theoretical speculation, since no one has yet 233 found a real, effective attack that breaks these algorithms. Choose one, and 234 be happy! :) 235 236 237Q: Which is the best hashing algorithm to use? 238 239A: Again, it's a matter of personal preference. Both SHA1 and RIPEMD-160 are 240 designed to be safe, and no one yet has proved they aren't. 241 Just pick one of them: SHA1 is american, and Ripemd-160 is european, if this 242 means something to you. 243 244 245Q: Which is the best compression algorithm to use? 246 247A: This is a more interesting question. BZip2 is slower, but ZLib (gzip) grants 248 lower compression rates. If you prefer to have smaller files, you'll probably 249 want to choose BZip2; on the other hand, if you don't have a powerful PC, or 250 you just don't care, ZLib will be your choice. Notice that if you have few 251 data to encode, ZLib will still generate smaller files than BZip2. 252 253 254 -= Internals =- 255 256 257Q: Why didn't you use SHA-256 for hashing? 258 259A: To generate the key, Gringotts use the P2K (Password-to-Key) algorithm used 260 by OpenPGP. Using 256-bit hashes would not improve the security, compared to 261 use of 160-bit ones; and since Grg already uses SHA1, it would be somehow a 262 duplication. 263 264 265Q: How does the secure file erasing tool work? 266 267A: First, it overwrites the file data several times, using random data. You can 268 control how many times to repeat the process. Then it unlinks the file, and 269 actually deletes it. This way, the previously written data should be 270 impossible to recover. 271 272 273Q: Haven't you read the Gutmann paper? You don't do as he says! Are you mad? 274 275A: I've read it. Before calling me names ;-), read it again to the end: it 276 clearly states that 35 passages are just too many for modern drives. Being 277 almost all (E)PRML drives, `a few passages of random scrubbing is the best 278 you can do' (sic). Gringotts allows you to make up to 32 of such passes... 279 Ops... don't you know what the Gutmann paper is? It's a document called 280 `Securing deletion of data from magnetic and solid-state memory', by Peter 281 Gutmann, of Auckland University (NZ). It's really good; you can find it at 282 http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html 283 284 285Q: Nice! So this feature is perfect! :) 286 287A: :( Aw, no. As you can read in the man page of shred(1), of which it obviously 288 shares the concept, it works under an important assumption: the filesystem 289 must overwrite the files "in place". This is the case of, for example, Ext2 290 and FAT, but not of some modern journalling FSs (such as ReiserFS, XFS, JFS) 291 nor of network file systems. Moreover, a network file system could store a 292 copy of the file somewhere remotely, and that one wouldn't be properly wiped. 293 This is valid also for RAID systems, of course. Be careful. 294 295 296Q: Aw! It's SLOW! :( What's up with it? 297 298A: Unfortunately, it is. If you save large amounts of data, the various 299 operations involved in encoding them took quite a lot of time. The actual 300 performances varies depending on the system you use: on my K6-3 466 saving a 301 1 Mb file takes as long as 1.5 minutes, on my Athlon XP1600 about 15 seconds. 302 It depends on many factors: memory speed, processor speed, hard disk speed... 303 anyway, there's much to do for speed, so expect consistent speedups as new 304 versions are released. 305 306Q: Hey, I can't use [ gdb | Electric Fence | something else ] to debug it! 307 308A: The security measures grg adopts have the effect to corrupt the way it 309 behaves with debuggers. Gdb should work fine, as long as you launch it on a 310 non-SUID binary; on the other hand, grg won't produce core dumps, so you must 311 gdb it "on the fly". It erases also the environmental variables, so programs 312 like Electric Fence will get confused; compile with the --disable-env-check 313 switch to ./configure to disable this erasure -- you won't be able to debug 314 the very env validation code, tough. Finally, ptrace and strace won't work on 315 SUID binaries, just like gdb. 316 317 318 -= Future releases =- 319 320 321Q: How can I know when a new version of Gringotts is released? 322 323A: Subscribe to the project in Freshmeat (http://freshmeat.net). I'll update the 324 record regularly. 325 326 327Q: Will Grg be ever ported to other systems? 328 329A: It should be reasonably compatible with many UNIXes. If it isn't, please tell 330 me. It is currently supported in Linux (RedHat, Mandrake, Gentoo, Debian) and 331 FreeBSD. 332 I don't think I'll ever port it to native Windows systems. They lack many of 333 the special features Gringotts uses to ensure data safety. I simply don't 334 want to spend time to find workarounds for them. Anyway, maybe it can be 335 ported to the cygwin environment; stay tuned! ;) 336 Gringotts could be ported easily to PHP, and published on the web, providing 337 to have a good random number generator. I'll consider it. 338 I have also an idea of porting it to Python, making it a little bit more 339 cross-platform. It depends on the effective availability of libmcrypt and 340 mhash for that platform, tough. We'll see :) 341 342 343Q: Will you implement asymmetric (public/private) key encryption? 344 345A: No. It's not in the scope of Grg. But, as many people are asking me it, I'm 346 beginning to consider the possibility. Please tell me if you'd like this, and 347 I'll consider it further... :) 348 349 350Q: What about console/commandline operability? 351 352A: This is another thing people keep asking. In latest versions, some basic 353 functionalities have been added; I'd like to add some more, but I don't know 354 how exactly to design them. Every suggestion is greatly appreciated... what 355 would you like to be able to do, exactly? 356 357 358 --thanks, thanks, thanks to Dan Frezza for correcting 359 my english!! :-) 360