Secure Documents: Difference between revisions

From
Jump to navigation Jump to search
Line 108: Line 108:
=Literature=
=Literature=
* Die PostScript- & PDF-Bibel, Thomas Merz, Olaf Drümmer, Dpunkt Verlag, ISBN: 3935320019
* Die PostScript- & PDF-Bibel, Thomas Merz, Olaf Drümmer, Dpunkt Verlag, ISBN: 3935320019
* Windows Server 2003, Eric Tierling, Addison-Wesley, ISBN: 3827320763
* google.de ;)

Revision as of 13:03, 24 February 2005

Preface

This presentation will be performed on 2005-02-15, prepared by:

  • Mathias Jeschke and
  • Sven Wittig


Secure Electronic Documents with PDF

Encryption

Signatures

Possibility of Encrypting Files with UNIX and Linux

With Linux you have in general two ways of encrypting files effectively:

  • File based Encryption
  • File System based Encryption

File based Encryption with OpenSSL

OpenSSL supports a great variety of strong encryption algorithms.

Symmetric Encryption with AES

To encrypt a file (e.g. document.txt) symmetrically with AES-256 just use:

$ openssl aes-256-cbc -e -in document.txt -out document.enc
enter aes-256-cbc encryption password:
Verifying - enter aes-256-cbc encryption password:

You will be asked for a password twice. This is the symmetric key for encryption/decryption. To decrypt the secured file use:

$ openssl aes-256-cbc -d -in document.enc -out document.txt
enter aes-256-cbc decryption password:

Asymmetric Encryption with RSA

OpenSSL also supports asymmetric encryption, e.g. with RSA. First you need a private key to decrypt files, addressed to you later. Use a key with a minimal key size of 1024:

$ openssl genrsa -out bob.priv 1024
Generating RSA private key, 1024 bit long modulus
...........++++++
......++++++
e is 65537 (0x10001)

Than export your public key from the private one:

$ openssl rsa -in bob.priv -out bob.pub -pubout

This public key could be sent to the sender, who encrypts the file, addressed to you. Your correspondence (e.g. Alice) encrypts the file with your public key:

$ openssl rsautl -encrypt -in document.txt -out document.enc -inkey bob.pub -pubin

You can decrypt the file with your private key (bob.priv):

$ openssl rsautl -decrypt -in document.enc -out document.txt -inkey bob.priv

File based Encryption with GnuPG

The GnuPG (GPG) program is optimized for e-mail-embedded encryption especially with asymmetric algorithms. Default the ElGamal/DSA encryption will be used. A nice feature is the possibility to save public keys on so called "key servers".

Encrypted File Systems and related Stuff

  • EncFS/FUSE
  • Cryptoloop
  • loop-AES
  • dm-crypt

Encrypted FileSystem (EFS) with Windows 2000/XP/2003

What is EFS?

EFS is part of the OS and makes encryption of files and folders on a NTFS-partition possible. It is very easy for a user to encrypt or decrypt a file.

Why EFS?

With EFS you have an file access authorization. F.e. if an other user have physical access to your machine too maybe he has access to your private files. so you can encrypt the files with EFS and only you, with your private key, can open the file. EFS works transparently in the background.

Encryption

EFS use a combination of symmetric and asymmetric encryption. At first the file will be encrypted via DESX(128bit) or 3DES(168bit), the symmetric encryption, and then the key will be assymmetric encrypted via RSA(1024bit). The private key is saved on the machine encrypted via the user master key.

Security

The only way (at the moment) to hack the symmetric or asymmetric key is brute-force and that takes a long time. So the best solution is to save the private key on a smartcard, but if you will lose the key you will have no longer access to the files. EFS provides the service of an Recovery Agent (not on standalone machines) and he(normaly the administrator of the domain) will get automaticly access to all encrypted files of all user on his domain. => ATTENTION! Access to the recovery agent means access to all files!!!

Problems

  • Saving an encrypted file on a non NTFS-Partition means lost of encryption.
  • tmp-files are normaly not encrypted => best solution is to encrypt a folder so all files in the folder are encrypted (f.e. word always creates the tmp-files in the same folder)
  • EFS provides only non-encrypted transfer over network
  • packed and system-files can be not encrypted

Problems

Intersystem Communication or Using

Attacks

Physical Attacks

Decrypted Copies

/proc/kmem

Literature

  • Die PostScript- & PDF-Bibel, Thomas Merz, Olaf Drümmer, Dpunkt Verlag, ISBN: 3935320019
  • Windows Server 2003, Eric Tierling, Addison-Wesley, ISBN: 3827320763
  • google.de ;)