CERBERUS SYSTEMS, INC.
Windows®-compatible encryption
WINDOWS® SECURITY LEAKS

The Windows® family of personal computer operating systems is the most widely employed in the world. However, Windows® was not designed for security, nor were the IBM®-compatible personal computers on which it runs.

Forensic software exploits Windows® security leaks for computer evidence recovery and for electronic discovery in litigation. This is usually the real method by which "the suspect's encryption was cracked." It is also used by criminals and industrial spies.

- The basic Windows® multi-tasking capability that allows you to run several programs at once will leak your documents, your passwords, and even your encryption keys.

- Every time you print a sensitive document, Windows® will leave un-encrypted copies of it on your hard disk, even though you carefully encrypt your copy. Many application programs you use to work with your data will also leak such plaintext copies.

- The Windows 95 file system can ignore encryption software's attempts to overwrite sensitive data after encryption, leaving the un-encrypted data available on your disk (as some users of PGP® have discovered).

- Wiping all the free space on a disk can't erase sensitive data that Windows® has scavenged into the slack spaces of other files.

- Wiping the tail slack of files can't erase data scavenged into the interior slack of the compound files made by programs like Word® and Excel®.

Unless these data leaks are plugged, any encryption can be bypassed.


DELETE DOESN'T

The DOS/Windows® delete command does not delete your file's data bytes from your disk. It merely deletes its own record of the fact that the area of the disk they occupy is unavailable for other uses, and unlinks the file by changing the first character of its name to a special byte.

Consequently, the DOS/Windows® undelete command merely has to change that mark back (with a character it prompts you to provide) in order to recover any deleted file that hasn't been overwritten by subsequent save commands. (The Win95 Explorer even leaves deleted files overtly available in a Recycle Bin.)

As a consequence of this "recovery feature," your deleted data's confidentiality depends on subsequent save commands that may (or may not) overwrite other data on top of (some of) those data bytes.
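What "delete" leaves behind can be shown on a FAT directory entry. This is an added example, not code from Cerberus Systems; it relies on the standard FAT on-disk layout (32-byte entries, marker byte 0xE5, start cluster at offset 26, size at offset 28), which the page does not spell out, and the directory contents are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ENTRY_BYTES  32
#define DELETED_MARK 0xE5   /* first name byte of an unlinked entry */
#define ATTR_LFN     0x0F   /* long-filename slot; skipped in this sketch */

struct survivor { char name[13]; uint16_t first_cluster; uint32_t size; };

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t le32(const uint8_t *p) { return le16(p) | (uint32_t)le16(p + 2) << 16; }

/* Scan raw directory bytes and record what each deleted entry still
   discloses. Returns the number of deleted entries found. */
int find_deleted(const uint8_t *dir, size_t len, struct survivor *out, int max)
{
    int found = 0;
    for (size_t off = 0; off + ENTRY_BYTES <= len && found < max; off += ENTRY_BYTES) {
        const uint8_t *e = dir + off;
        int n = 0;
        if (e[0] == 0x00) break;                    /* end of directory */
        if (e[0] != DELETED_MARK || e[11] == ATTR_LFN) continue;
        struct survivor *s = &out[found++];
        s->name[n++] = '?';                         /* the one entry byte delete changed */
        for (int i = 1; i < 8 && e[i] != ' '; i++) s->name[n++] = (char)e[i];
        if (e[8] != ' ') s->name[n++] = '.';
        for (int i = 8; i < 11 && e[i] != ' '; i++) s->name[n++] = (char)e[i];
        s->name[n] = '\0';
        s->first_cluster = le16(e + 26);            /* still points at the data */
        s->size = le32(e + 28);                     /* still the original length */
    }
    return found;
}

/* Build one constructed 8.3 entry (name11 is space-padded, no dot). */
static void put_entry(uint8_t *e, const char *name11, uint16_t cluster, uint32_t size)
{
    memset(e, 0, ENTRY_BYTES);
    memcpy(e, name11, 11);
    e[11] = 0x20;                                   /* archive attribute */
    e[26] = (uint8_t)cluster;  e[27] = (uint8_t)(cluster >> 8);
    for (int i = 0; i < 4; i++) e[28 + i] = (uint8_t)(size >> (8 * i));
}

/* Constructed directory: one live file, one "deleted" file, end marker. */
int demo(struct survivor *out, int max)
{
    uint8_t dir[3 * ENTRY_BYTES] = {0};
    put_entry(dir, "README  TXT", 2, 100);
    put_entry(dir + ENTRY_BYTES, "MERGER  DOC", 7, 2500);
    dir[ENTRY_BYTES] = DELETED_MARK;                /* what delete does to this entry */
    return find_deleted(dir, sizeof dir, out, max);
}

int main(void)
{
    struct survivor s[4];
    for (int i = 0, n = demo(s, 4); i < n; i++)
        printf("%s cluster=%u size=%u\n", s[i].name, s[i].first_cluster, (unsigned)s[i].size);
    return 0;
}
```

Everything but the first character of the name survives in the entry, which is why a sanitizing tool has to overwrite the entry as well as the clusters.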

The format command doesn't format your disk; it merely formats a brand-new DOS/Windows® file record for that logical drive, declaring all areas available. You can't depend on it, either. (Modern hard drives don't allow low-level formatting of the disk.)

NOTE: Our software Sanitizes any file it discards, by multiple overwriting of its contents, per DOD 5220.22-M. The file's record entry is then also overwritten with ANSI X9.17-generated random characters to obliterate its name, and its size set to zero. Only then are the overwritten disk clusters unlinked (deleted) from the DOS/Windows® file record. The Destroy command allows you to do this Sanitizing of any file you select.

Unless and until they are overwritten, all data bytes from a sensitive file that has been deleted are available to be read by any software that can talk to your disk drive.

Such forensic software is widely used by governmental authorities; by "data recovery specialists" performing electronic discovery for lawsuits; and by other disk surfers.

Whether disk surfers run such forensic software on your DOS/Windows® computer, or run it on one of their own to which they connected your disk drive's controller cable plug, is as irrelevant as Windows® "access control software."

Being denied "access" to your particular one of the millions of copies of Windows® is hardly an insurmountable obstacle to reading your disk.

Windows®-compatible encryption must Sanitize, not delete sensitive plaintext.


DEFRAGMENTING

When files are created (or expanded) on a well-used disk, their contents may be scattered into disparate chunks in whatever areas of disk are labelled as unoccupied. If these areas are widely separated, such fragmented files will be slow to read or write, due to disk drive seek times between the separated areas.

Consequently, there are "defragmenting" utilities that rearrange your entire disk into contiguous files, to maximize system performance. This obviously involves some (undetermined amount of) overwriting.

Windows 95 includes one in the system tools section of its accessories folder, accessible from the Programs start button. Windows 3.1, Windows 3.11 and Windows for Workgroups 3.11 require you to exit to DOS (not use a DOS window) in order to run a program called defrag.exe. (You should never run this older defragmenter under Win95, where it can corrupt your filename structure.)

You should defragment your disk(s) often, as a matter of "good housekeeping" for system performance. As an added benefit, it may overwrite some sensitive data left-overs, but defragmenting isn't sanitizing.


DIGITAL SCRAPS

Hard disk controllers are block-transfer devices, reading or writing blocks of data bytes from or to multi-byte sectors on the magnetic disk's individual tracks. If a 512-byte sector is overwritten with new data of less than that number of bytes, the small sector tail of leftover bytes will still retain the original data.

However, Windows® reads disk files conforming to the 16-bit DOS file-system, for purposes of backward compatibility. The DOS File Allocation Table (FAT - in the disk's first sector) uses 16-bit numbers as pointers to record the locations of clusters of 512-byte disk data sectors. Thus, the FAT can only distinguish between 65,536 (2-to-the-16th-power) separate data clusters on each drive.

Consequently, each cluster is an all-or-nothing allocation of however many bytes into which the disk's total capacity can be so divided. For instance, a disk larger than 256MB, but less than 512MB, is accessed in 16-sector clusters of 8KB, each. On a 1GB to 2GB disk, the 16-bit FAT must allocate at least 32KB of disk space to even the smallest file, because it can't deal in smaller quantities.

Since all block transfers must start at the beginning of a cluster, a cluster tail can easily hold several 2500-byte pages of plaintext from the last file that "owned" it.

NOTE: Our software records the size of a file as it is decrypted, so that the greater of that size and the current size is used in Sanitizing the plaintext after re-encryption. This assures the overwriting of any data tail left from possible editing of the un-encrypted file that shortened it. The Sanitize (multi-overwrite) and Clear (single overwrite with zeros, or zeroize) routines also query the operating system for the size of clusters on whatever drive contains the file to be overwritten (since different-sized drives will have different-sized clusters), and adjust all overwrites to cover complete clusters.
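The cluster arithmetic above, and the overwrite length described in the NOTE, worked through in C. This is an added example, not code from Cerberus Systems; it uses the page's round figure of 65,536 clusters, assumes a 32KB cluster cap, and the file and volume sizes are constructed.

```c
/* Added example: FAT16 cluster arithmetic for the figures in the text. */
#include <stdint.h>
#include <stdio.h>

#define SECTOR_BYTES       512u
#define FAT16_CLUSTERS     65536u   /* 2^16 cluster numbers, as in the text */
#define MAX_CLUSTER_BYTES  32768u   /* assumed cap: the 32KB case in the text */

/* Smallest power-of-two cluster size that lets 16-bit cluster numbers
   span a volume of volume_bytes. */
uint32_t fat16_cluster_bytes(uint64_t volume_bytes)
{
    uint32_t cluster = SECTOR_BYTES;
    while (cluster < MAX_CLUSTER_BYTES &&
           (uint64_t)cluster * FAT16_CLUSTERS < volume_bytes)
        cluster *= 2;
    return cluster;
}

static uint64_t round_up(uint64_t n, uint32_t cluster)
{
    return (n + cluster - 1) / cluster * cluster;
}

/* Bytes in the file's last cluster that the file does not use. */
uint64_t tail_slack(uint64_t file_bytes, uint32_t cluster)
{
    return round_up(file_bytes, cluster) - file_bytes;
}

/* Length to overwrite: the greater of the size recorded at decryption and
   the current size, extended to a whole number of clusters. */
uint64_t overwrite_span(uint64_t size_at_decrypt, uint64_t size_now,
                        uint32_t cluster)
{
    uint64_t n = size_at_decrypt > size_now ? size_at_decrypt : size_now;
    return round_up(n, cluster);
}

int main(void)
{
    const uint64_t MB = 1024u * 1024u;
    uint32_t c = fat16_cluster_bytes(1536 * MB);   /* constructed 1.5GB volume */
    /* Constructed case: 40000-byte plaintext edited down to 2500 bytes. */
    printf("cluster=%u slack=%llu span=%llu\n", c,
           (unsigned long long)tail_slack(2500, c),
           (unsigned long long)overwrite_span(40000, 2500, c));
    return 0;
}
```

In the constructed case, overwriting only the file's current 2500 bytes would leave more than 60,000 bytes of the two clusters the plaintext once occupied untouched.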

In addition to this slack space at the end of all files, the interior slack spaces of the compound files created by applications such as Word® and Excel® can also hold sensitive data scavenged by the reallocation of "deleted" clusters to those files.

NOTE: Our Clear a file's slack space instruction Clears the tails of non-sensitive files that you suspect may have scavenged sensitive data deleted during previous editing. Unlike other products that claim to "wipe file slack," it also Clears the interior slack space of OLE container files. Clear a disk's file slack does this for every file on the selected drive.

Sensitive data scavenged into file slack spaces are analogous to the unburned scraps of incriminating paper recovered from fireplaces by fictional detective heroes. They can be "recovered" with the kinds of forensic software employed by real law enforcement agencies, or by data recovery consultants employed by attorneys in discovery for lawsuits. Such software is commercially available to other potential disk surfers, as well.

Windows®-compatible encryption must overwrite ALL plaintext - including that left in free clusters and that scavenged into all file slack spaces, not just the tails.


WRITE-BEHIND CACHE LEAKS

Some encryption programs that supposedly provide Sanitizing functions (sometimes called "secure delete," a marketing term almost as meaningless as "military grade encryption") can be defeated by Windows® mechanisms for caching file data.

Their generically implemented "file wiping" routines don't take this caching behavior into account. This can result in Windows® ignoring their instructions to overwrite data and merely deleting (unlinking) the file clusters, which remain available to disk surfers.

Windows 3.1 and 3.11 deal directly with the File Allocation Table in 16-bit emulated-8086 mode, whether or not 32-bit disk access is enabled. Windows for Workgroups 3.11 and Windows 95 use a 32-bit virtual device driver (VxD) called VFAT, to deal with copies of the FAT in memory to provide their faster 32-bit file access.

Windows® caches recently-used data in memory, to minimize the need to reload it from disk. There is also read-ahead caching of the next likely block of data from disk. Win3.1 and Win3.11 use a 16-bit DOS terminate-and-stay-resident program (TSR) called SMARTDRV, while WFW3.11 and Win95 use a 32-bit VxD called VCACHE.

Both VCACHE and SMARTDRV are also capable of write-behind caching. This allows Windows® to gain some performance, by waiting until the last operation on cached data is completed before writing it to disk, and allowing programs to exit before all disk writing has finished. Under Windows 3.x, this can defeat all but the last of any multiple overwritings of each buffer-full of data, unless the cache is explicitly flushed.

The Windows 95 version of VCACHE is actually "smart" enough to not bother with any of the overwrites of the last buffer-full from a file that is subsequently deleted, unless the cache is flushed. Except for large files, this can be the entire file, as users of the Windows® version of the e-mail encryption program PGP® have discovered.

Even more insidious is the fact that Win95's VCACHE ignores cache flush calls from 16-bit Windows® or DOS programs. Consequently, even the well-written DOS version of PGP® (which does include explicit cache-flushing instructions in its file-wiping subroutine) can't reliably overwrite files when run in a DOS window under Win95.

NOTE: Our 32-bit software flushes VCACHE after each overwrite of each buffer-full of file data, forcing the multiple overwriting of the disk clusters (including their tails). This is so on Windows 95 systems, or on Windows 3.x systems, on which they will run with the free Win32s upgrade installed. Our older (and slower) 16-bit versions must, of course, rely on 16-bit cache-flushing functions. Consequently, our 16-bit software will refuse to run on Windows 95 systems, which are insecure for 16-bit overwriting.
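The flush-after-every-overwrite discipline described above, sketched in C. This is an added example, not Cerberus Systems' code: POSIX pwrite() and fsync() stand in for the Win32 calls (FlushFileBuffers is the Win32 counterpart of fsync), the pass values and the demo file are constructed, and the file system is assumed to rewrite blocks in place.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define BUF_BYTES 4096u

/* Illustrative pass values (constructed; not quoted from DOD 5220.22-M). */
static const unsigned char PASSES[] = { 0x00, 0xFF, 0x00 };
#define NPASSES ((int)(sizeof PASSES / sizeof PASSES[0]))

static int write_all(int fd, const unsigned char *buf, size_t n, off_t off)
{
    while (n > 0) {
        ssize_t w = pwrite(fd, buf, n, off);
        if (w <= 0) return -1;
        buf += w; n -= (size_t)w; off += w;
    }
    return 0;
}

/* Overwrite the first `span` bytes of `path`. Every pass over every
   buffer-full is followed by fsync(), so the OS cache cannot collapse the
   passes into one write or drop them. Returns flush count, -1 on error. */
long sanitize_span(const char *path, uint64_t span)
{
    unsigned char buf[BUF_BYTES];
    long flushes = 0;
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -1;
    for (uint64_t off = 0; off < span; off += BUF_BYTES) {
        size_t n = span - off < BUF_BYTES ? (size_t)(span - off) : BUF_BYTES;
        for (int p = 0; p < NPASSES; p++) {
            memset(buf, PASSES[p], n);
            if (write_all(fd, buf, n, (off_t)off) != 0 || fsync(fd) != 0) {
                close(fd);
                return -1;
            }
            flushes++;
        }
    }
    return close(fd) == 0 ? flushes : -1;
}

/* Constructed demo: a short "plaintext" file sanitized over one 8KB cluster,
   then read back to confirm that only the final pass value remains. */
long demo(const char *path)
{
    static const char secret[] = "constructed plaintext, not real data";
    unsigned char back[8192];
    FILE *f = fopen(path, "wb");
    if (!f) return -1;
    fwrite(secret, 1, sizeof secret, f);
    fclose(f);
    long flushes = sanitize_span(path, sizeof back);
    f = fopen(path, "rb");
    if (!f) return -1;
    size_t n = fread(back, 1, sizeof back, f);
    fclose(f);
    remove(path);
    for (size_t i = 0; i < n; i++)
        if (back[i] != PASSES[NPASSES - 1]) return -1;
    return n == sizeof back ? flushes : -1;
}

int main(void) { printf("flushes=%ld\n", demo("sanitize_demo.bin")); return 0; }
```

Writing the full 8KB span extends the short file to the end of its cluster, so the tail slack is overwritten along with the file's own bytes.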

Any "encryption software" that doesn't cache-flush can't prevent Windows® from leaking your data. Under Windows 95, 16-bit software cannot Sanitize.


FILENAME LEAKS

The long filename features in Win95 are implemented in such a fashion that even though the file may be overwritten, its name may still be recoverable by disk surfers.

VFAT in Win95 (but not VFAT in WFW) will only be purged of all traces of the name when the spaces it occupies in both DOS (8+3 byte) format and in long filename format are overwritten, which happens when VFAT needs to accommodate enough additional names.

This is a potential leak for people who use sensitive filenames under Windows 95. If you are concerned about such name fragments, running the Windows 95 Disk Defragmenter will result in most such fragments being overwritten.

However, it's bad INFOSEC practice to expend the effort to encrypt most of a file's sensitive contents, and to then leak some of them yourself by including them in plaintext form in the filename. Disk surfers thrive upon this kind of stupidity.

INFOSEC includes your operational security. Don't leave clues in filenames.


THE SWAPFILE

Windows® is a multi-tasking operating system. This means that when switching the context in which it services application programs from one to another, un-encrypted data that the first program was working with in memory may be swapped-out to a disk swapfile. Once Windows® is finished with them and swaps their contents back to RAM, these disk clusters will be declared available for re-writing with other swap data.

Unfortunately, unless they actually are overwritten, their sensitive contents will remain available for possible later scavenging by disk-surfers.

NOTE: Our software was written in C (the language in which Windows® was written) to the raw Windows® API. It includes no foundation classes or other visual programming building blocks to obscure possible information leaks. It stalls the message queue for the duration of those operations during which un-encrypted passphrase or keying information is in memory. All memory used for passphrase or keying data is zeroized before release.

An extremely important, but sometimes-overlooked source of sensitive data leaks to the swapfile is the Clipboard, the basis for all cutting and pasting of data between (or within) Windows® programs. If you have any other programs running while you use a Windows® application to work on a sensitive file in plaintext (un-encrypted) form, it is quite likely that portions of it will be found in the swapfile.

This kind of leak can allow the file to be compromised, even though you have carefully re-encrypted it with a program that Sanitized your copy of the plaintext with multiple overwrites. Otherwise-strong cryptosystems can still be bypassed by the swap file.

NOTE: The free DOS version of Pretty Good Privacy, PGPv2.62, is often run in a DOS box by any of a large number of Windows® front-end programs, to make it less intimidating for users uncomfortable with command-line interfaces. Unfortunately, this can introduce INFOSEC vulnerabilities, while lulling the user into a false sense of security. While the PGP program itself is a well-written DOS cryptosystem, Windows' multi-tasking between such a DOS-box and other programs carries the possibility of your passphrase being captured in the swapfile, above and beyond whatever other passphrase leaks may be present in the front-end program. Furthermore, 16-bit DOS overwrite calls will be ignored by the Windows 95 version of VCACHE.

When your computer is inside a physical security perimeter, you don't have to worry about disk surfers. You don't need encryption, or any other feature of our software (assuming your complete trust in every person who might get inside that perimeter).

However, if you ever take your computer outside such a perfect perimeter (or it becomes imperfect), you might not remember that you did not allow our software to automatically Clear the Windows® swapfile when it offered you the option on exit.

Windows®-compatible encryption must Clear the swapfile. Don't circumvent it.


UNAUTHORIZED COPIES

Another class of potential security leaks is associated with the convenience features of many application programs. Like an over-eager-but-security-unaware typist trying to anticipate your needs, they make extra copies of your sensitive data, in order to be more "efficient."

One example is the history files maintained by some application programs for your convenience in undoing changes or deletions. If you use such a program to edit an un-encrypted document, any sensitive data you cut or delete in editing will be stored in the history file, in plaintext form for possible recovery by an adversary. If you fail to re-secure the document, because you believe that it no longer contains sensitive information, you could be made rudely aware of this vulnerability.

NOTE: In DOE Master AIS Security Plan, section 9.3, the Department of Energy (responsible for US nuclear weapons programs) mandates disabling the Undo/Redo History function in WordPerfect for Windows® version 6.1, for precisely this reason. Users of Microsoft Word® may also discover fragments of their un-encrypted documents in the clear space at the beginning of unrelated Word® files created after working on them. Such fragments are not displayed by Word®, but may be seen with simple file editors. This problem has been linked to pre-1996 versions of the Object-Linking and Embedding (OLE) dynamic link libraries scavenging portions of the swapfile into this supposedly unused space, and you should download free OLE-upgrade files from Microsoft.

Many application programs (especially those doing disk-to-disk compression or similar operations) may also create workspace files in your TEMP directory. These "temporary" files are merely deleted. Their remains must be overwritten to avoid leaks.

In addition, Windows® application programs don't really talk to your printer. They merely write their formatted print-out data to temporary files to be read by the print-spooler utility provided by the operating system. This enables the application program to serve you, while the print spooler feeds the printer in the background.

Unfortunately, this means that "temporary" copies of anything you print-out are made in TEMP space files, which the print-spooler then deletes. Consequently, every time you print a decrypted document with your computer, leaked copies will appear on the drive containing your TEMP directory.

Our software clears all free sectors on the drive containing your TEMP directory with the Clear TEMP space command on the Disk-wiping utilities sub-menu of your System Menu. This overwrites all free clusters on that drive with all-zeros, per DOD 5220.22-M. Unless you have our software configure your system's TEMP directory on a drive with little free space, this process can take 5 minutes per gigabyte on Ultra DMA disk drives, and longer on older ones. For this reason, although Clear TEMP space is performed automatically on exit, it can be canceled or interrupted.

NOTE: In compliance with the Derived Test Requirements for FIPS PUB 140-1, our software's cryptographic services can't be user-interrupted. This includes the file Sanitizing function. However, the disk free-space overwriting functions can be, in order to permit using the [Esc] key in an emergency, to terminate the sometimes lengthy operations to Clear TEMP space, or to Clear or to Sanitize a disk's free space.

You can eliminate the TEMP file problem entirely, by having our software configure your TEMP space as a RAM disk that automatically Clears with power off. However, some programs may make temporary files in their own folders, rather than in the TEMP directory. For these, you must use the Clear disk free space command.

If you haven't configured your system to use a RAM-disk for TEMP space, it's very important that you let our software Clear TEMP space after sensitive print-outs.


SYSTEM CRASHES

Our software encrypts a plaintext file into a temporary file. It then Sanitizes the plaintext original by multiple overwriting, per DOD 5220.22-M, and replaces it with the temporary file. This is an availability measure.

Our design intentionally avoids the faster method of encrypting directly into the source file. Thus, if a power transient crashes your system during encryption, your document will be undamaged.

Similarly, it decrypts a secured document to a working file, copies it over the encrypted file, and then Sanitizes the working file. This method ensures that your document's confidentiality is not purchased at the expense of its availability.

However, if your system crashes during a decryption operation, partially-decrypted plaintext may be left in a temporary file in your TEMP Space.

Upon start-up, our software automatically looks for and Sanitizes any such file. It is essential after such a crash that you let it do so as quickly as possible, unless you have allowed it to configure your system to use a RAM-disk for your TEMP Space, which would result in automatic Clearing of TEMP space by power interruption.

Windows®-compatible encryption must withstand system crashes.


The speed of (and need for) TEMP Space Clearing, and the effectiveness of Swap File Clearing can be affected by how you configure your system.


Cerberus Systems, Inc. develops, manufactures and markets
software cryptosystems designed to level 1 of FIPS PUB 140-1
with DOD 5220.22-M disk data recovery countermeasures.


The Cerberus logo and the ...Security Manager product names are trademarks of Cerberus Systems, Inc.
© Copyright 1997-99, all rights reserved.