Hiding Information, Encryption, and Bypasses

CS-695 Host Forensics, Georgios Portokalidis

Why Hide Information?
- Preserve privacy
- Data-loss prevention
- Hide illegal activities or incriminating evidence
- Protect confidential information
- Protect trade secrets
4/16/2013 CS-695 Host Forensics Hiding Information

How Would You Hide Information?
- Make it hard to find
- Hide it among other information
- Make it "unreadable": encode it, i.e. use cryptography
- All of the above
- Plausible deniability

Different Types of Encryption
What other types can you think of?
- Full disk: everything on the device (/dev/sda1, /dev/sda2 and the rest of the drive) is encrypted below the file system
- Partition based: a single partition, e.g. /dev/sda2, is encrypted while the others are not
- File/directory based: individual files or one directory such as /encrypted_dir are encrypted, while /home, /usr, /etc and the rest of / stay in the clear
- Not encryption but hiding: data stored in slack space (the unused tail of a file's last cluster) is never returned by normal file access. Example tool: bmap

Decoy Operating Systems
- TrueCrypt hidden volumes, including a hidden operating system inside a hidden volume
- Deniable encryption: the hidden volume occupies what looks like random free space of the outer volume, so its existence cannot be proven without the second password
- Many other tools

Other Data Hiding Locations
- Store data in blocks marked as "bad": the file system skips blocks on its bad-block list, so the data stays on the platter but normal file-system tools never read it. Sectors that the disk controller has remapped are likewise unreachable through normal addressing, so the controller effectively hides that information.

Steganography
Hiding data within data. A very simple example is least significant bit (LSB) insertion: the lowest bit of each cover byte (e.g. a pixel sample) is replaced with one bit of the message. Bit patterns from the slide:
10010101 00001100 11001001
10010111 00001110 11001011
10011111 00010000 11001011
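The following Go program is an added example of LSB insertion and is not code from the slides; it embeds a message, with a hypothetical 4-byte length prefix, into the low bit of a constructed byte array standing in for 8-bit pixel samples, then extracts it again and measures how little each sample changed.

```go
package main

import (
	"errors"
	"fmt"
)

// embedLSB hides msg in the least significant bit of successive cover bytes
// (e.g. 8-bit pixel samples). A 4-byte big-endian length prefix goes first so
// the extractor knows where the message ends. Each payload bit consumes one
// cover byte, so the cover must hold at least 8*(4+len(msg)) bytes.
func embedLSB(cover, msg []byte) ([]byte, error) {
	n := len(msg)
	payload := append([]byte{byte(n >> 24), byte(n >> 16), byte(n >> 8), byte(n)}, msg...)
	if len(cover) < 8*len(payload) {
		return nil, errors.New("cover too small for payload")
	}
	stego := make([]byte, len(cover))
	copy(stego, cover)
	for i, b := range payload {
		for bit := 0; bit < 8; bit++ {
			v := (b >> (7 - bit)) & 1 // most significant bit first
			idx := i*8 + bit
			stego[idx] = stego[idx]&0xFE | v
		}
	}
	return stego, nil
}

// extractLSB reads the length prefix and then the message back out of the LSBs.
func extractLSB(stego []byte) ([]byte, error) {
	readByte := func(i int) (byte, error) {
		if (i+1)*8 > len(stego) {
			return 0, errors.New("stego data truncated")
		}
		var b byte
		for bit := 0; bit < 8; bit++ {
			b = b<<1 | stego[i*8+bit]&1
		}
		return b, nil
	}
	n := 0
	for i := 0; i < 4; i++ {
		b, err := readByte(i)
		if err != nil {
			return nil, err
		}
		n = n<<8 | int(b)
	}
	if n < 0 || 8*(4+n) > len(stego) {
		return nil, errors.New("length prefix exceeds cover size")
	}
	msg := make([]byte, n)
	for i := range msg {
		msg[i], _ = readByte(4 + i) // bounds already checked above
	}
	return msg, nil
}

// maxDiff returns the largest per-byte change between two equal-length buffers.
// For LSB insertion it is at most 1, which is why the change is invisible to the eye.
func maxDiff(a, b []byte) int {
	m := 0
	for i := range a {
		d := int(a[i]) - int(b[i])
		if d < 0 {
			d = -d
		}
		if d > m {
			m = d
		}
	}
	return m
}

func main() {
	// Constructed cover: a 256-sample grey ramp standing in for image data.
	cover := make([]byte, 256)
	for i := range cover {
		cover[i] = byte(i)
	}
	stego, err := embedLSB(cover, []byte("meet at dawn"))
	if err != nil {
		panic(err)
	}
	msg, err := extractLSB(stego)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered %q, max sample change %d\n", msg, maxDiff(cover, stego))
}
```

Plain LSB replacement of this kind is invisible to the eye but not to statistics: it flattens the histogram of adjacent sample values into pairs, which the classic chi-square steganalysis detects, so a forensic examiner looking for hidden data on a host would run such tests rather than inspect images.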

Security Analysis and Decryption of Lion Full Disk Encryption (the FileVault 2 analysis by Choudary, Gröbert and Metz, "Infiltrate the Vault", 2012)

Overview
- Apple introduced FileVault 2 in Mac OS X Lion (10.7); the earlier FileVault only encrypted the home directory
- Volume encryption support comparable to existing systems, e.g. TrueCrypt, PGP Whole Disk Encryption, BitLocker
- Volumes provide an abstraction that can group multiple partitions
- Challenges: closed system, no documentation, closed source
- Builds on the CoreStorage volume manager, which provides the extra layer needed to support the encryption

Issues
- Where is the code that decrypts the volume?
- How is the encryption key derived? Where is it stored?
- How is the encryption itself applied?
- An AES-128 key is 16 random bytes (about 22 characters when printed in base64), but the user password has only n characters. Where does the remaining 22 - n come from? In other systems the answer is a TPM, a smart card or a USB token holding the rest of the key material

Key Derivation
- More than one key/password is involved: each user password and the recovery key must be able to unlock the same volume, so none of them can be the volume key itself

Encryption
- If every sector is encrypted the same way, the same data at two locations results in the same ciphertext, which leaks patterns to anyone who can read the disk
- Solution: include the block (sector) number in the encryption as a tweak, so identical plaintext at different offsets produces different ciphertext; FileVault 2 uses AES in XTS mode
- Bit flipping issues: the mode has no integrity check, so an attacker who can write to the disk can alter ciphertext without anything detecting it
- See paper for details
- Diagram: one disk block spans several AES blocks

Multiple Keys Must Decrypt the Master Key (diagram)
- Password -> Secondary Value 1 -> Master Volume Key
- Recovery Key -> Secondary Value 2 -> Master Volume Key
Each credential unwraps its own intermediate value, and each of those decrypts the same master volume key.


Attacking the Vault (1)
- Guessing the randomly generated keys

Pseudo Random Number Generators (PRNG)
- Random numbers are generated from a seed
- The full sequence of random numbers can be predicted if the seed is known
- PRNG state is preserved across boots
- "Real" randomness, or entropy, is usually used to determine the seed
- How much entropy does FileVault have?
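The Go program below is an added example (not from the slides, and not how FileVault generates keys) of what "the full sequence can be predicted if the seed is known" means in practice: it models a volume key drawn from a deterministic PRNG seeded with a hypothetical low-entropy value, recovers that seed from one leaked key by enumeration, and then reproduces every later key from the same state.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"math/rand"
)

// keysFromSeed draws n consecutive "random" 128-bit keys from a deterministic
// PRNG. The seed is the only secret: same seed, same keys, every time.
func keysFromSeed(seed int64, n int) [][16]byte {
	r := rand.New(rand.NewSource(seed))
	keys := make([][16]byte, n)
	for k := range keys {
		for i := 0; i < 16; i += 4 {
			binary.BigEndian.PutUint32(keys[k][i:], r.Uint32())
		}
	}
	return keys
}

// recoverSeed finds the seed that reproduces one observed key by enumerating
// every seed below maxSeed. The work is proportional to the seed space, not
// to the 2^128 possible keys, which is why the seed's entropy is what matters.
func recoverSeed(observed [16]byte, maxSeed int64) (int64, bool) {
	for s := int64(0); s < maxSeed; s++ {
		if keysFromSeed(s, 1)[0] == observed {
			return s, true
		}
	}
	return 0, false
}

func main() {
	// Constructed scenario: the victim's PRNG was seeded with a 16-bit value
	// (a boot counter, say) and the first key it produced leaked through
	// unencrypted metadata.
	const victimSeed = 31337
	victimKeys := keysFromSeed(victimSeed, 3)
	leaked := victimKeys[0]

	seed, ok := recoverSeed(leaked, 1<<16)
	fmt.Println("seed recovered:", ok, seed)
	predicted := keysFromSeed(seed, 3)
	fmt.Println("later keys predicted:", predicted[1] == victimKeys[1] && predicted[2] == victimKeys[2])
}
```

A PRNG that saves its state across reboots is only as strong as the entropy that went into its seed the first time; if an examiner can bound that seed, the keys derived from it are recoverable regardless of their length.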

Attacking the Vault (2)
- Leftover unencrypted data
- Unencrypted metadata allows us to track which blocks actually contain encrypted data
- Unencrypted data can expose user data

Attacking the Vault (3)
- Attacking the user password
- PBKDF2 generates a key from the salt and the password
- Multiple hashing iterations make every guess expensive, which is what makes cracking hard
- FileVault uses 41K iterations

Attacking the Vault (3), continued
- Brute forcing a strong password requires about 34 years
- But what if the user password is weak? Example: 6 characters or a 4-digit PIN: about 6 hours
- The attacker knows the 41K iteration count and the salt, so only the password itself is unknown

Improving FileVault
- Secondary values such as the salt and the key-encryption keys need to be better guarded
- Or rely on the user to enter long passwords, which is not likely to happen
- TPM systems can help here: keys can be stored safely in the TPM and released only to a measured, unmodified boot chain

Cold Boot Attacks
- Cold Boot Attacks on Encryption Keys: https://citp.princeton.edu/research/memory/media/
- FROST: Forensic Recovery Of Scrambled Telephones: https://www1.informatik.uni-erlangen.de/frost
