1			    -=   The Gringotts FAQ   =-
2
3
4			  -=        The Project        =-
5
6
7Q: Why Gringotts, in first place?
8
9A: The name comes from a famous book saga for children, by J.K.Rowling, and it
10   is the name of a bank, famous for its extreme safety. If you still have
11   doubts, the best thing you can do is to read the books - they're cool! :) The
12   idea of the program comes from a similar program I once used under Windows -
13   I can't remember its name. Since I had the desire to program something about
14   security, I started this. Now the application is quite different from that,
15   because of all the people who gave me invaluable advice... :)
16
17
18			  -=        On Security        =-
19
20
21Q: You define it a strongbox. How safe it is, actually?
22
23A: Very safe, and not entirely safe. If a malicious user put his hands on a file
24   created with Gringotts (Grg, from now on), there's virtually nothing he can
25   do to open it without knowing the password. It can't retrieve any information
26   about the content - neither the type of password, nor the kind of data
27   contained. It's all locked.
28
29
30Q: What if the attacker can access the system I'm working into?
31
32A: It still has barely a remote chance to read them. The memory is protected,
33   and neither users nor root can spy it; the data that are written to temporary
34   files are coded with temporary keys, so they're safe, too. Data is also
35   protected from paging, and gets overwritten with random data at exit, so
36   after the use of Gringotts he can't get anything dumping the memory you wrote
37   to, or the swap file.
38
39
40Q: What if it can see my screen??
41
42A: Don't joke. It's impossible to protect anything in these conditions... or
43   maybe it is... ;-) I've received an important advice on this,  and I'm
44   working on it :)
45
46
47Q: Amazing! It's totally safe!
48
49A: No :( Grg is built on top of Gtk+, and even if these are very safe
50   libraries, they aren't designed with the same goal as Grg in mind. They would
51   be too slow, for istance. So, it's still true that nothing gets paged and no
52   one can spy in the memory, but not all the data gets securely erased after
53   use. Not clipboard, nor the editor buffer, for instance. Be careful. I'm
54   working on it, anyway.
55
56
57Q: Ok, ok. What else does it provide?
58
59A: Some other cute features. It allows the user to securely delete files, in
60   such a way that no one can recover them later. It allows one to use different
61   password than just strings.
62
63
64Q: Nice! Tell me more on this!
65
66A: Well, the user can use three kind of passwords. The first is plain text, the
67   usual ones. Simple character blah-blah-blah. The second, files. You can use
68   any regular file to protect data. If an attacker doesn't have that file, he
69   can't even dream to open your data. Third, floppy disks. This is the closest
70   thing to smart cards available on common PC's: insert your key disk, use it
71   to protect your data, and store it in a safe place. As long as no one can
72   access it, no one will be able to read your passwords... :)
73   The nice thing about this all is that it's impossible to tell what kind of
74   password you used to protect your data by just looking at the file!
75
76
77Q: Is there something I should know about string passwords?
78
79A: Hmm... they can be up to 32 bytes in size... and when you first type your
80   password, a gauge will tell you how "good" it is.  You have an idea of how
81   secure your data will be.
82   My advice for this choice is the usual: try to use as many characters,
83   symbols and numbers you can, and be sure not to forget it.
84
85
86Q: Is there something I should know about passfiles?
87
88A: When using a file, the "password quality" is very secure because both its
89   length and its alphabet size will be considerably larger. If you're on your
90   "private" system, at home, and want to store your data in a "public" place
91   (i.e. an internet repository), you can use this feature to simply ensure a
92   much better password quality.
93   The bad thing is that, if you aren't careful, the number of possible keys
94   will be *much smaller* using files than using passwords: in fact, you'll need
95   to choose a file that won't change, and if you are on a "public" system (i.e.
96   logged on a system where other users are logged on, too) the choice could be
97   quite limited. So, a brute-force attack that simply tries all the files in
98   the system is relatively simple to do. Don't rely on simply deleting a file;
99   it can be undeleted, so it's better use the `wipe file' tool present in
100   Gringotts. The best thing to do is probably to store the file on a removable
101   device (i.e. a floppy disk) and bring it with you... and keep it safe.
102
103   Here are some notes to take into consideration:
104
105   * Pay extra attention to the integrity of the file you use: if you lose it or
106     it gets corrupted, you'll lose your data! There's NO recovering!
107   * Only the *content* of the file is used. So, you can change file name, date,
108     permissions as much as you want; as long as the content is preserved, it
109	 will work.
110   * Don't rely on being able to generate the same password file. For example,
111     if you compile a program and use the binary as password, don't assume you
112	 will be able to re-generate the /very same/ file: next time, something can
113	 be different, and even a slight difference will lead to a different result,
114	 trashing your data! This is valid also for "generated" images, especially
115	 using lossy algorithms (JPEG...).
116   * Generating files from commandline (i.e.
117
118	    echo "password" | bzip2 -c | gzip -c > file.pwd
119
120	 ) may be a good idea, *but* be careful, all the same: be sure to erase the
121	 command from the bash history (~/.bash_history), and, when you delete the
122	 generated file (and the bash history, in case), to ensure they can't be
123	 undeleted.
124   * Password files (and strings) are hashed into keys, to be used by the coder.
125     These keys are generally of 256 bits, which are 32 bytes. So, if you use a
126	 good file (that is, a file in which bytes can assume all the 255 values,
127	 and aren't disposed in any particular pattern, for example in some binary
128	 data), a 32 byte file is just as good as a 512 Kb one.
129     Is this a weakness? No! A good hashing algorithm (and the two used by
130	 Gringotts are the best) will scramble the data in a very impredictable
131	 manner, so there's NO way to guess the key without knowing the password. In
132	 a word: just pick a password and use it, and don't worry! :-)
133   * It's better not to leave files on the hard drive, anyway. Store them in
134     something you can protect such as a CD, a USB flash drive, etc, and keep it
135	 safe. Remember to securely wipe files from hard disk when you delete them!
136
137Q: Is there something I should know about keydisks?
138
139A: Using floppy disks as passwords can effectively improve safety of your data.
140   If you choose the disk carefully, it's very unlikely that an opponent can
141   find one *exactly* equal to yours. Again, here are some considerations:
142
143   * choose non-standard disks. Avoid use of default linux boot disks, for
144     example. They can easily be downloaded on the Internet. Use a disk for a
145     while, add files to it, remove them, read some more -- and then use it.
146   * the good thing of this feature is that as long as an attacker can't access
147     the "keydisk", he can't access the data, either. The bad case would be if
148     the disks in your collection are few. So: don't let the keydisk hang around
149     on your desktop! Hide it in a safe place!
150   * magnetic media are delicate: dust, heat or a weak magnetic field can make
151     your data unrecoverable. BEWARE! Store the disk in a cool place, wrapped,
152	 and far from magnetic fields.
153   * ...and make backups! In UNIX, it's simply a matter of
154
155        cat /dev/fd0 > floppy.img
156
157     then you can protect the image as you like: compress it, copy it to other
158     disks (make backups of your disk and hide them; it's the best solution),
159     store it on a safe and less error-prone CD-R.. only, take care not to leave
160	 the image file on the hard disk, and to wipe it securely. It can be
161	 restored with
162
163        cat floppy.img > /dev/fd0
164
165
166Q: Anything else?
167
168A: Please be aware that the most common way to crack a password isn't done
169   analyzing the file, but analyzing the owner! Don't use obvious passwords, and
170   please, please don't write them in paper sheets, booklets, unprotected PDAs..
171   In a word: be careful!
172
173
174Q: What if I lose the password/passfile/keydisk?
175
176A: Short answer: no way back. Please, be careful with it.
177   Long answer: there can't be a way back, in a safe system. Gringotts could do
178   two things to grant a solution: tell you the password, and be able to recover
179   the data with another one, or without any. In the first case, the password
180   should be stored in the file, and an attacker could retrieve it pretending to
181   be you. The only way to prevent this would be to protect it... with another
182   password. So what's the use? The second solution is really stupid: if you can
183   access to the data without the password, anyone could.
184   Another short answer: protect Your Password!!!
185
186
187			-=         Configurations        =-
188
189
190Q: What's that `strong random' stuff, in ./configure and/or commandline?
191
192A: You can make the program use /dev/random instead of /dev/urandom as the
193   source of random data. I mean with `strong randomness'. You do this by
194   specifying the option `--enable-strong-random' in ./configure for
195   Gringotts <= 1.2.0, or by passing the commandline option `--strong-random' in
196   later versions.
197   /dev/random returns only true random data; when no more random data are
198   available, it stops and waits for the entropy sources.
199   In such cases, it will block the application. When alot of random data is
200   required (i.e. in saving and loading of files, etc), it can be a real pain.
201   Using /dev/urandom will provide a constant stream of numbers, calculating
202   them with a cryptographically strong algorythm based on the true random data
203   available. This means that it's almost as secure as the other method, but
204   much faster.
205
206
207Q: Why are there many algorithms to choose among. What are they used for?
208
209A: There are three types of algorithms to choose. Basically, the data you submit
210   to Grg are compressed, then encrypted using a key. This key is obtained by
211   hashing the password you provide. You can choose the algorithms used to
212   perform these three operations: encrypting, hashing and compressing. Of
213   course, you can also decide the compression ratio. "0" actually means that
214   you didn't use any compression algorithm.
215
216
217Q: Which is the best encryption algorithm to use?
218
219A: Your mileage may vary. Basically, all the algorithms used are safe ones.
220   They are chosen among the contestants to be AES; LOKI97, SAFER+ and CAST-256
221   which didn't get to the final phase; first was Rijndael (128), that was
222   designed to be the AES. Second prize went to Serpent, while Twofish was
223   third. Rijndael 256 is a 256-bit-block version of Rijndael, thus a little
224   safer. 3DES (Triple DES) was the algorithm of choice before AES, after DES
225   was proved to be unsafe.
226   Serpent is thought to be the safest, while Rijndael is the best tradeoff
227   between speed and safety. Recent attacks seem to have cast doubts on both of
228   them, while Twofish seems to be unaffected. But no one knows for sure if
229   these attacks are really exploitable.
230   For more information see http://www.counterpane.com/crypto-gram-0209.html#1
231   and http://www.counterpane.com/crypto-gram-0210.html#2
232   Anyways, we are in the field of theoretical speculation, since no one has yet
233   found a real, effective attack that breaks these algorithms. Choose one, and
234   be happy! :)
235
236
237Q: Which is the best hashing algorithm to use?
238
239A: Again, it's a matter of personal preference. Both SHA1 and RIPEMD-160 are
240   designed to be safe, and no one yet has proved they aren't.
241   Just pick one of them: SHA1 is american, and Ripemd-160 is european, if this
242   means something to you.
243
244
245Q: Which is the best compression algorithm to use?
246
247A: This is a more interesting question. BZip2 is slower, but ZLib (gzip) grants
248   lower compression rates. If you prefer to have smaller files, you'll probably
249   want to choose BZip2; on the other hand, if you don't have a powerful PC, or
250   you just don't care, ZLib will be your choice. Notice that if you have few
251   data to encode, ZLib will still generate smaller files than BZip2.
252
253
254			  -=         Internals         =-
255
256
257Q: Why didn't you use SHA-256 for hashing?
258
259A: To generate the key, Gringotts use the P2K (Password-to-Key) algorithm used
260   by OpenPGP. Using 256-bit hashes would not improve the security, compared to
261   use of 160-bit ones; and since Grg already uses SHA1, it would be somehow a
262   duplication.
263
264
265Q: How does the secure file erasing tool work?
266
267A: First, it overwrites the file data several times, using random data. You can
268   control how many times to repeat the process. Then it unlinks the file, and
269   actually deletes it. This way, the previously written data should be
270   impossible to recover.
271
272
273Q: Haven't you read the Gutmann paper? You don't do as he says! Are you mad?
274
275A: I've read it. Before calling me names ;-), read it again to the end: it
276   clearly states that 35 passages are just too many for modern drives. Being
277   almost all (E)PRML drives, `a few passages of random scrubbing is the best
278   you can do' (sic). Gringotts allows you to make up to 32 of such passes...
279   Ops... don't you know what the Gutmann paper is? It's a document called
280   `Securing deletion of data from magnetic and solid-state memory', by Peter
281   Gutmann, of Auckland University (NZ). It's really good; you can find it at
282   http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html
283
284
285Q: Nice! So this feature is perfect! :)
286
287A: :( Aw, no. As you can read in the man page of shred(1), of which it obviously
288   shares the concept, it works under an important assumption: the filesystem
289   must overwrite the files "in place". This is the case of, for example, Ext2
290   and FAT, but not of some modern journalling FSs (such as ReiserFS, XFS, JFS)
291   nor of network file systems. Moreover, a network file system could store a
292   copy of the file somewhere remotely, and that one wouldn't be properly wiped.
293   This is valid also for RAID systems, of course. Be careful.
294
295
296Q: Aw! It's SLOW! :( What's up with it?
297
298A: Unfortunately, it is. If you save large amounts of data, the various
299   operations involved in encoding them took quite a lot of time. The actual
300   performances varies depending on the system you use: on my K6-3 466 saving a
301   1 Mb file takes as long as 1.5 minutes, on my Athlon XP1600 about 15 seconds.
302   It depends on many factors: memory speed, processor speed, hard disk speed...
303   anyway, there's much to do for speed, so expect consistent speedups as new
304   versions are released.
305
306Q: Hey, I can't use [ gdb | Electric Fence | something else ] to debug it!
307
308A: The security measures grg adopts have the effect to corrupt the way it
309   behaves with debuggers. Gdb should work fine, as long as you launch it on a
310   non-SUID binary; on the other hand, grg won't produce core dumps, so you must
311   gdb it "on the fly". It erases also the environmental variables, so programs
312   like Electric Fence will get confused; compile with the --disable-env-check
313   switch to ./configure to disable this erasure -- you won't be able to debug
314   the very env validation code, tough. Finally, ptrace and strace won't work on
315   SUID binaries, just like gdb.
316
317
318			  -=      Future releases      =-
319
320
321Q: How can I know when a new version of Gringotts is released?
322
323A: Subscribe to the project in Freshmeat (http://freshmeat.net). I'll update the
324   record regularly.
325
326
327Q: Will Grg be ever ported to other systems?
328
329A: It should be reasonably compatible with many UNIXes. If it isn't, please tell
330   me. It is currently supported in Linux (RedHat, Mandrake, Gentoo, Debian) and
331   FreeBSD.
332   I don't think I'll ever port it to native Windows systems. They lack many of
333   the special features Gringotts uses to ensure data safety. I simply don't
334   want to spend time to find workarounds for them. Anyway, maybe it can be
335   ported to the cygwin environment; stay tuned! ;)
336   Gringotts could be ported easily to PHP, and published on the web, providing
337   to have a good random number generator. I'll consider it.
338   I have also an idea of porting it to Python, making it a little bit more
339   cross-platform. It depends on the effective availability of libmcrypt and
340   mhash for that platform, tough. We'll see :)
341
342
343Q: Will you implement asymmetric (public/private) key encryption?
344
345A: No. It's not in the scope of Grg. But, as many people are asking me it, I'm
346   beginning to consider the possibility. Please tell me if you'd like this, and
347   I'll consider it further... :)
348
349
350Q: What about console/commandline operability?
351
352A: This is another thing people keep asking. In latest versions, some basic
353   functionalities have been added; I'd like to add some more, but I don't know
354   how exactly to design them. Every suggestion is greatly appreciated... what
355   would you like to be able to do, exactly?
356
357
358        --thanks, thanks, thanks to Dan Frezza for correcting
359          my english!! :-)
360