On-the-fly Encryption with TrueCrypt

How sensitive is your data? You may use highly confidential data at work or at home. If you are concerned about the potential exposure of that data, encryption may be a good solution for ensuring that your data remains protected. One tool that you can use to encrypt your data is TrueCrypt. It is a free, open source program that works on Windows 7/Vista/XP, Mac OS X, and Linux.

TrueCrypt is a very easy-to-use tool. I installed it today on my Ubuntu laptop, and within about five minutes, I created an encrypted drive and put sample data in that drive. You can download the software at http://www.truecrypt.org/.

When you create an encrypted drive with TrueCrypt, you are creating a file on your file system that contains all of the encrypted data you will be protecting. Creating the encrypted drive is the trickiest part, but the on-line tutorial for beginners makes it very easy to use. If you are more experienced with encryption technologies, you may like that it offers a variety of algorithms, including my favorites - AES and SHA-256.

After you create your encrypted drive, the next step is to mount it. To do this, you select a drive letter (Windows) or a slot (Linux) to which to mount the drive. Next you select the encryption file you just created and mount it. You will be prompted for the password for the encrypted drive that you entered when you created it. If you enter the correct password, the drive mounts, and you can use it like any other drive or file system.

In Ubuntu, from the Settings / Preferences window, I chose to use automatically open the mounted drive in Explorer once it was mounted, so a normal file system window popped up and allowed me to use it like any other mounted partition. I was also able to find the mounted partition in /media/truecrypt1, which allowed me to use it from the command line as well.

From what I have seen, the Windows version has some added functionality for encrypting system partitions and even creating a hidden encrypted partition that can be used for creating a hidden operating system. This may be good if you are trying to cover your tracks, but from a security professional's view, this may be hard to detect in a forensic investigation. Perhaps in a future post, I will try to find a hidden TrueCrypt system partition using FTK or Encase.

Have you used TrueCrypt? What do you think of it?

Read More...

Secure Coding Practices, Part 8: Cryptography

Several volumes can be written on encryption. With the various protocols and and approaches to encryption, it can leave software developers uncertain about how it applies to them.

Sensitive data must be encrypted. This may be to support compliance requirements, such as PCI and HIPAA, or it may be because your own organization has standards that require certain data to be encrypted. At a minimum, user credentials, like passwords, must be encrypted.

Data can exist in three different states: 1) at rest, meaning it's stored in a file system, database, or archive media; 2) in transit, meaning it is moving from one system to another system or subsystem (usually over a network); and 3) in process, meaning it is being processed by an application and may be resident in memory or the CPU's registers. It is data at rest and data in transit that should be considered for encryption.

In some cases, the transport layer may be used to allow encryption over a network The applications that receive this data will not need to decrypt the message. This means that data that is being stored will not be encrypted, unless the application storing the data or the storage layer itself performs the encryption. Examples of transport layer encryption are SSL, TLS, and IPSec.

In other cases, encryption may be performed by the application, which means that the data can be sent across an unencrypted network, because it leaves the application encrypted. It also means that data can be stored directly on the file system or in a database, because the data is already encrypted.

When looking at encryption, make sure your encryption protocol is sufficiently strong. The increasing performance of computers makes decrypting much easier for attackers. Consider protocols such as AES, 3DES, and TLS for starters.

When writing or reviewing secure code, the following questions are important:

• What is the sensitivity of the data being processed by the application?
• Is encryption required for the data? If so, in transit, at rest, or both?
• Does the application comply with your organization's standards regarding encryption?
• Are standard, accepted encryption protocols being used, rather than home-grown algorithms?
• Are passwords encrypted in transit and at rest?
• Are keys used with encryption protocols managed securely in the application?

Encryption is essential for certain information, but performance is also important. Make sure your application encrypts only what is needed to ensure optimal performance.

Read More...