Category Archives: Security

RatticDB secures NSA funding

FOR THOSE WHO DID NOT NOTICE THE DATE: THIS POST IS AN APRIL FOOLS JOKE

Today it thrills me to announce that RatticDB has secured $20 million in funding from the NSA. This marks the beginning of a strategic alliance between the developers of RatticDB and the NSA.

The NSA is a widely known and recognized authority in the applications of cryptography. Starting as a code-breaking unit in World War 1, they have rapidly expanded to become a major force in the world’s cryptography. The NSA has even advised encryption experts at RSA. The NSA has historically taken a great interest in the sharing of passwords, and has participated in several other password sharing schemes.

This funding will allow us to implement many new features for RatticDB. With the resources we have been provided we can now implement completely secure encryption for your passwords. We will likely implement this by transferring them to the nearest NSA secured datacenter. NSA datacenters, employees and the contractors they employ have always been known for their extreme security practices and their integrity under pressure. We will also be implementing a password generator based on the Dual_EC_DRBG random number generator.

Together with the NSA we know that RatticDB can become something amazing. Whether you choose to voluntarily use RatticDB or your government mandates its usage we know that together we will do great things. We are committed to keeping your passwords safe.

CLEARANCE: Cleared for Release, DATE: April 1st 2014

Using EncFS to encrypt your files

About EncFS

EncFS is an encrypted filesystem based on FUSE. It transparently encrypts files stored in it and places them on another volume. This is in contrast to block level encrypted filesystems which transparently encrypt the data under the filesystem layer as it is being written to disk. Think of EncFS as a bind mount, except that the source for the mount is encrypted and the place it is mounted to is the only place it is available unencrypted.

The main advantage of EncFS filesystems is that when backing up only the files which have changed need to be backed up. This means it works perfectly with tools such as rsnapshot. Another advantage is that the filesystem doesn’t need a block of disk allocated to it and will shrink and expand as the files inside change.

Finally because this is all implemented with FUSE it is all done in userspace. No root access is required (apart from setting FUSE up) to create and alter encfs filesystems.

Setting Up an EncFS Volume

So the first thing you need to do to set up an EncFS volume is to install FUSE and EncFS. If you don’t have root access you will have to ask your sysadmin to do this for you; otherwise follow your distribution-specific method of installing new packages. On Fedora the package is called ‘fuse-encfs’ and on Debian/Ubuntu it’s called ‘encfs’. On some older systems users wishing to use FUSE may need to be added to the correct group.

First you need to decide where you will put the EncFS volume, and where you’ll mount it. I usually put mine in /home/daniel/.crypt and mount it to /home/daniel/crypt, but feel free to name it whatever you want. When you’ve decided, run encfs with those two paths as arguments. With the paths I specified it looks like this:

<daniel@server ~>$ encfs /home/daniel/.crypt /home/daniel/crypt
The directory "/home/daniel/.crypt/" does not exist. Should it be created? (y,n) y
The directory "/home/daniel/crypt" does not exist. Should it be created? (y,n) y
Creating new encrypted volume.
Please choose from one of the following options:
 enter "x" for expert configuration mode,
 enter "p" for pre-configured paranoia mode,
 anything else, or an empty line will select standard mode.
?>

Standard configuration selected.

Configuration finished.  The filesystem to be created has
the following properties:
Filesystem cipher: "ssl/aes", version 2:2:1
Filename encoding: "nameio/block", version 3:0:1
Key Size: 192 bits
Block Size: 1024 bytes
Each file contains 8 byte header with unique IV data.
Filenames encoded using IV chaining mode.
File holes passed through to ciphertext.

Now you will need to enter a password for your filesystem.
You will need to remember this password, as there is absolutely
no recovery mechanism.  However, the password can be changed
later using encfsctl.

New Encfs Password:
Verify Encfs Password:

As you can see the directories don’t need to be created first. There is also a prompt for what security settings you want to use. Hitting enter will give you standard settings, but for something more powerful you should hit ‘p’ then enter. You can now proceed to place files in /home/daniel/crypt and they will be encrypted and placed into /home/daniel/.crypt. If you don’t believe me go ahead and check.

See? I told you so. Now you can unmount it using ‘fusermount -u /home/daniel/crypt’ and mount it again using encfs /home/daniel/.crypt /home/daniel/crypt and typing your password.
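The "go ahead and check" step above can be scripted. The following is an added example, not part of the original post: it writes a canary file through the mount point and confirms that neither its name nor its contents are readable in the backing directory. The function names are hypothetical, and the mount check assumes Linux (/proc/mounts).

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical;
# the paths in the usage line are the ones used in the post.

# True if a filesystem is mounted exactly at $1. Reads /proc/mounts (Linux);
# paths containing spaces are escaped there and will not match.
is_mounted() {
    [ -r /proc/mounts ] || return 1
    awk -v m="$1" '$2 == m { found = 1 } END { exit !found }' /proc/mounts
}

# Returns 0 if the string $2 appears neither in any file name nor in any file
# content under the backing directory $1, and 1 if it is visible there.
backing_dir_is_opaque() {
    bdir=$1
    needle=$2
    # Names are listed relative to $bdir so the directory's own path is ignored.
    if (cd "$bdir" && find . -mindepth 1) | grep -qF -- "$needle"; then
        return 1
    fi
    # -r recurse, -a treat binary files as text, -F fixed string, -q quiet.
    if grep -rqaF -- "$needle" "$bdir"; then
        return 1
    fi
    return 0
}

# Writes a canary file through the mount point $2, then checks that the canary
# is not readable in the backing directory $1. Returns 2 if $2 is not mounted.
verify_volume() {
    crypt_dir=$1
    mount_dir=$2
    if ! is_mounted "$mount_dir"; then
        echo "not mounted; run: encfs $crypt_dir $mount_dir" >&2
        return 2
    fi
    canary="encfs-canary-$$"
    printf '%s\n' "$canary" > "$mount_dir/$canary.txt"
    rc=0
    backing_dir_is_opaque "$crypt_dir" "$canary" || rc=$?
    rm -f "$mount_dir/$canary.txt"
    return "$rc"
}

# Usage: sh check-encfs.sh /home/daniel/.crypt /home/daniel/crypt
if [ "$#" -eq 2 ]; then
    verify_volume "$1" "$2"
fi
```

An exit status of 0 means the canary was not visible in the backing directory; 1 means its name or contents were found there in the clear. Pass the mount point without a trailing slash, since it is compared literally against /proc/mounts.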

Random Thought: When travelling to other countries, local laws may mean that customs can search your laptop, including encrypted filesystems. You may have to reveal your key, or be arrested.

Fingerprint readers and PC security

How fingerprint readers work

The user sees

You register your fingerprint using the built-in reader and it saves it as your password. Next time you go to log in you choose your username, swipe your finger and the PC verifies it against the one you scanned last time. If it matches then the computer logs you in.

What actually happens

  1. You open up the fingerprint reader application on your laptop, and it adds hooks into the Windows login system (Credential Providers).
  2. You scan in one or more fingers and register them to your account.
  3. The application stores the fingerprints for later use; some will even store them unencrypted.
  4. When the user goes to log in next time they select their username and scan a finger.
  5. The fingerprint reader takes the scan and compares it to the previous scan.
  6. If the scan matches one of the stored scans then the user is authenticated.

Why it’s not secure

How often do you write down your password? If you do, where would you leave it? Now think about your fingerprint. Where would you leave your fingerprint? In general people don’t constantly wear gloves and end up leaving fingerprints all over the place: on glasses, door handles, keyboards, touch screens and mobiles. It is a little bit harder to copy a fingerprint but security by obscurity is not an excuse. So it can be argued that a password is more secure (in that it’s harder to obtain) than a fingerprint.

Most fingerprint authentications allow you to use either your fingerprint, or your password. This effectively doubles the possible attack vectors for trying to get into the system. A malicious attacker can now either use a dictionary attack against your password, a fingerprint based attack against the fingerprint reader, or look for holes in either system.

Why it may actually endanger you

Do you know how the fingerprint reader is storing your fingerprints? Is it storing them as bitmaps, as a collection of swirls and whorls, or as an MD5 hash of some key identifiable features? If you can’t answer that question with 100% certainty then you should be concerned. If someone managed to hack your machine and retrieve bitmaps of your fingerprints then they could use them to open any other fingerprint locks you have, or implicate you in a crime.

Finally if someone is determined enough to break a law to hack your computer they could simply cut off your fingers to gain access to your PC. Of course if the fingerprint sensor has a warmth sensor they might need to microwave them first. I would hope though that you keep something that sensitive or valuable under all sorts of encryption and armed guards.

Don’t rely on fingerprint readers for added security; they quite simply don’t provide it. Fingerprint readers are primarily for convenience, and they could put your security and your wellbeing in danger.

Random Thought: What is this obsession with altering perfectly fine machines to remove a component that never bothers anyone? Dyson has the bladeless fan, and recently we’re seeing the spokeless bike. Have you ever looked at a fan and said: “Those blades really make that fan so annoying!”?