CERBERUS
Our products automatically analyze your system configuration for potential security leaks and warn you of advisable modifications, which they can perform for you if you choose to authorize them to do so. (Neither our products nor their installers will unilaterally change your system settings.) We believe that these security features uniquely differentiate our products, and offer the following guidance for their use.

YOUR TEMP SPACE

The only way to know whether a particular application program makes "temporary" copies of your data for itself is to use File Manager or the Windows 95 Explorer to inspect the contents of whatever directory your autoexec.bat file specifies in its SET TEMP= line, while the program is open and after using it for a while. Notepad will let you inspect such TEMP space files to see whether they contain text from the document the program is working on.

All Windows® programs send their print jobs to the Windows® print spooler utility, so printing a document from any program will create and then delete (not Sanitize or Clear) TEMP space files with ".tmp" name extensions containing your text and some printer formatting data. Deleting a file only releases its clusters; the data stays on the disk until something overwrites it. For this reason, after any use of your PC to print a copy of one of your unencrypted documents, you should use the Clear your TEMP space command on the Disk security utilities sub-menu of the System Menu.

The only way to Clear your TEMP space is to overwrite all of the free space on the logical drive containing that directory, since the clusters of deleted .tmp files are by then ordinary free space. If you have everything on one disk with several hundred megabytes of free space, all of it must be overwritten. Consequently, if you have two hard disks (or have partitioned one into multiple logical drives), transfer data to one from the other(s) until it has less than 200MB of free space, and put your TEMP space there. This should keep the time needed to Clear your TEMP space to a couple of minutes or less. (Few people need more than 10MB of TEMP space; 2 to 4MB is sufficient for most. However, you would have to continually defragment the drive to maintain performance with less than 25-50MB of free space.)

NOTE: To assign your TEMP space to the drive with the least free space, select System configuration from the sub-menu that pops up when you select Disk security utilities on the System Menu; check the "Configure my smallest fixed drive as TEMP" checkbox in the TEMP space section of the dialog that pops up; click OK and allow the program to reboot your computer when it asks your permission.

If you create a RAM disk and define the TEMP directory on it, merely shutting off power will Clear its contents for you, eliminating the entire question of TEMP file leaks. If you have 16MB of RAM, setting aside 2-4MB for a RAM disk will work well under Win3x, since even the 32-bit Windows for Workgroups has a footprint of only 3MB. However, the 14MB footprint of Windows 95 makes this a marginal proposition without at least 24 or 32MB of RAM.

NOTE: To do so, select System configuration from the sub-menu that pops up when you select Disk security utilities on the System Menu; accept the recommended size in the TEMP space section of the dialog that pops up or enter a different number of megabytes; check the "Configure a __MB RAM disk as TEMP" checkbox; click OK and allow the program to reboot your computer when it asks your permission.

Further compounding the potential for scattered copies of leaked documents, some programs define their own "temp" subdirectories for their working copies, and Win95 lets application programs have custom environment settings of their own. If these "temp" directories are on different logical drives from the TEMP directory, you must also Clear a disk's free space on those drives after such programs have been used to work on unencrypted copies of your documents, or your sensitive information may be vulnerable to disk surfers.
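The checks described above, as an added example that is not Cerberus code: a Python script (assumed to run on a modern system, not DOS) that reads the SET TEMP= line from autoexec.bat text, scans the .tmp files in that directory for fragments of a document, overwrites a leaked spool file before deleting it, and clears a drive's free space by filling it with a scratch file that is then removed. The autoexec.bat text, the spool-style .tmp file and the document fragment are constructed for the demonstration, and the cap_bytes limit exists only so the demo does not fill a real disk; the technique itself runs until the drive is full.

```python
"""Added example (not Cerberus code): find the TEMP directory, look for leaked
document text in .tmp files, and overwrite rather than merely delete."""
import os
import re
import tempfile

# Constructed sample of an autoexec.bat; the drive and path are hypothetical.
SAMPLE_AUTOEXEC = ("@ECHO OFF\r\nPATH C:\\WINDOWS;C:\\DOS\r\n"
                   "SET TEMP=D:\\TEMP\r\nSET TMP=D:\\TEMP\r\n")


def temp_dir_from_autoexec(autoexec_text):
    """Return the directory named by the last SET TEMP= line (case-insensitive), or None."""
    found = None
    for line in autoexec_text.splitlines():
        m = re.match(r"\s*set\s+temp\s*=\s*(.+?)\s*$", line, re.IGNORECASE)
        if m:
            found = m.group(1)
    return found


def scan_temp_for_fragments(temp_dir, fragments, suffix=".tmp"):
    """Report which .tmp files contain any of the given plaintext fragments.
    Returns {filename: [fragment, ...]}; matching is done on bytes so the
    printer control codes in a spool file do not get in the way."""
    hits = {}
    for name in sorted(os.listdir(temp_dir)):
        if not name.lower().endswith(suffix):
            continue
        with open(os.path.join(temp_dir, name), "rb") as f:
            data = f.read()
        matched = [frag for frag in fragments if frag.encode("latin-1") in data]
        if matched:
            hits[name] = matched
    return hits


def wipe_and_delete(path, passes=(b"\x00", b"\xff", b"\x55")):
    """Overwrite a file's clusters in place with each pattern (fsync after each
    pass), then unlink it. A plain delete would leave the text on disk."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for pattern in passes:
            f.seek(0)
            remaining = size
            while remaining:
                n = min(remaining, 1 << 16)
                f.write(pattern * n)
                remaining -= n
            f.flush()
            os.fsync(f.fileno())
    os.remove(path)
    return size


def clear_free_space(directory, cap_bytes, chunk=1 << 20):
    """Overwrite the free space of the volume holding `directory`: write a filler
    file until the disk is full (ENOSPC) or cap_bytes is reached, sync it, then
    delete it. Every formerly free cluster, including those of deleted .tmp files,
    has now been written over. Returns the number of bytes written."""
    filler = os.path.join(directory, "_wipe.fill")
    written = 0
    block = b"\x00" * chunk
    try:
        with open(filler, "wb") as f:
            while written < cap_bytes:
                n = min(chunk, cap_bytes - written)
                f.write(block[:n])
                f.flush()
                written += n
            os.fsync(f.fileno())
    except OSError:
        pass  # disk full: the free clusters are exhausted, which is the goal
    finally:
        if os.path.exists(filler):
            os.remove(filler)
    return written


def demo():
    """Build a throw-away TEMP directory with a constructed spool-style .tmp file,
    find the leak, wipe the file, clear free space, and re-scan."""
    tmp = tempfile.mkdtemp(prefix="temp_demo_")
    secret = "Merger price: 42 million"          # constructed document fragment
    spool = os.path.join(tmp, "~spl0001.tmp")
    with open(spool, "wb") as f:
        # Constructed: printer escape sequence, the text, then a form feed
        f.write(b"\x1b&l0O" + secret.encode("latin-1") + b"\x0c")
    before = scan_temp_for_fragments(tmp, [secret, "unrelated text"])
    wiped = wipe_and_delete(spool)
    cleared = clear_free_space(tmp, cap_bytes=256 * 1024)
    after = scan_temp_for_fragments(tmp, [secret])
    os.rmdir(tmp)
    return before, wiped, cleared, after


if __name__ == "__main__":
    print(temp_dir_from_autoexec(SAMPLE_AUTOEXEC))
    print(demo())
```

The scan is the automated form of the Notepad inspection the page suggests; the free-space pass is the expensive step, which is why the page recommends putting TEMP on the drive with the least free space.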
YOUR SWAPFILE

If you use a permanent swapfile, our software's automatic CLEAR SWAPFILE? exit option will defeat software-based attacks that scan it for sensitive data fragments, because a permanent swapfile occupies a fixed set of disk clusters that can be overwritten in place. If you use a temporary swapfile instead, Windows® may re-establish it in some of the same disk clusters next time, but you have no guarantee.

NOTE: There are products claiming to wipe your swapfile by providing an option for wiping all the free space on its drive, in order to overwrite clusters that it has released. Clearly, this can work with temporary swapfiles (and only with temporary swapfiles), if done after exiting Windows® to ensure that all virtual memory pages have truly been released. Otherwise, it can only overwrite clusters that were probably released by Windows® after you closed the application that used the sensitive data. We don't believe that "probably" is a sound basis for INFOSEC. The minimum virtual memory allocation (a 4096-byte page) can hold a lot of keys or passphrases in its tail.

Consequently, if your system is configured to use a temporary swapfile, our software will detect that fact as it starts and automatically warn you. If you accept its suggestion to establish a permanent swapfile, it will automatically pop up its System configuration dialog. To establish a permanent swapfile, accept the recommended size or enter a different number of megabytes; check the "Configure a __MB permanent swapfile" checkbox in the Swapfile section of the dialog; click OK and allow the program to reboot Windows® when it asks your permission.

NOTE: If the recommended size (based on the amount of RAM in your system) proves inadequate for the number of programs you like to keep open simultaneously, you may get "insufficient memory" warnings when starting additional programs. Just manually select the System configuration option from the sub-menu that pops up when you select Disk security utilities on the System Menu, and repeat the procedure with a different size.
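The difference between clearing a fixed-size swapfile and a growable one, as an added example (not Cerberus code) in Python on a constructed swapfile image: a passphrase is planted in the tail of one 4096-byte page, as the NOTE above describes, the image is then overwritten in place without ever being truncated or deleted (so its clusters stay allocated to it and are all covered), and a small check flags a minimum/maximum size mismatch of the kind a growable swapfile has. The image filename and the passphrase are constructed for the demo; nothing here touches a real swapfile.

```python
"""Added example (not Cerberus code): in-place overwrite of a fixed-size
swapfile image, plus the check that its minimum and maximum sizes match."""
import os
import secrets
import tempfile

PAGE = 4096  # one virtual-memory page, the minimum allocation


def check_swap_settings(min_mb, max_mb):
    """Only the minimum size is guaranteed to stay allocated and thus to be
    overwritten; a growable swapfile releases the clusters above it on shrink."""
    if min_mb == max_mb:
        return "ok: fixed-size swapfile, %d MB will be wiped" % min_mb
    return ("warning: swapfile may grow from %d MB to %d MB; clusters beyond "
            "%d MB are released on shrink and will not be wiped"
            % (min_mb, max_mb, min_mb))


def find_fragments(path, fragments, page=PAGE):
    """Scan a file page by page; return [(page_index, offset_in_page, fragment)]."""
    hits = []
    with open(path, "rb") as f:
        idx = 0
        while True:
            chunk = f.read(page)
            if not chunk:
                break
            for frag in fragments:
                off = chunk.find(frag)
                if off != -1:
                    hits.append((idx, off, frag))
            idx += 1
    return hits


def wipe_in_place(path, page=PAGE):
    """Overwrite every byte of a fixed-size file (random pass, then zeros),
    keeping its size. The file is never truncated or deleted, so the clusters
    being cleared are exactly the ones that held the pages."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for fill in (None, b"\x00"):
            f.seek(0)
            pos = 0
            while pos < size:
                n = min(page, size - pos)
                f.write(secrets.token_bytes(n) if fill is None else fill * n)
                pos += n
            f.flush()
            os.fsync(f.fileno())
    return os.path.getsize(path)


def demo(pages=8):
    """Plant a passphrase in the tail of page 3 of a constructed image, find it,
    wipe in place, and confirm it is gone while the file kept its size."""
    tmp = tempfile.mkdtemp(prefix="swap_demo_")
    swap = os.path.join(tmp, "swapfile.img")          # constructed name
    passphrase = b"correct horse battery staple"      # constructed secret
    image = bytearray(secrets.token_bytes(pages * PAGE))
    start = 3 * PAGE + (PAGE - len(passphrase))       # last bytes of page 3
    image[start:start + len(passphrase)] = passphrase
    with open(swap, "wb") as f:
        f.write(image)
    before = find_fragments(swap, [passphrase])
    size_after = wipe_in_place(swap)
    after = find_fragments(swap, [passphrase])
    with open(swap, "rb") as f:
        all_zero = f.read() == b"\x00" * (pages * PAGE)
    os.remove(swap)
    os.rmdir(tmp)
    return before, after, size_after == pages * PAGE, all_zero


if __name__ == "__main__":
    print(check_swap_settings(32, 32))
    print(check_swap_settings(16, 64))
    print(demo())
```

The scanner is the attacker's view: it needs nothing more than read access to the file to pull a passphrase out of a page tail. The wipe is only meaningful because the file's size, and therefore its cluster set, is fixed; deleting and recreating the file instead would leave the old clusters to the "probably" the page warns about.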
If you use Win95's Control Panel instead, you must be sure that the maximum and minimum swapfile sizes match, since the minimum size is the amount that will actually be wiped; any space the file grows into beyond the minimum is released back to free space when it shrinks and is not covered.

OPERATIONAL SECURITY

The set of procedural disciplines followed to counter security threats is called Operational Security, or OPSEC. When your sensitive data is not encrypted, its confidentiality, integrity and availability can only be protected by physical security for your entire computer, and that physical security depends on your personal OPSEC discipline. Leaving your sensitive data in unencrypted form on an unattended machine outside your physical security perimeter is obviously not good OPSEC. However, many otherwise competent people never clearly analyze and define for themselves exactly what their physical security perimeter is. The most secure guarded facility offers no protection whatever from untrustworthy co-workers or visitors who are inside it with you. Having one shoulder surf while you enter your passphrase, or sit at your machine while you get a cup of coffee, can render all your INFOSEC efforts fruitless. The key share diskettes that our Professional versions can generate for emergency access are individually useless to an attacker. However, if you leave two of these diskettes in the same desk drawer, you're asking for trouble.

When your sensitive data is properly encrypted and all plaintext copies have been removed from your disk, even theft of that disk or of the entire computer can't compromise its confidentiality. However, even when encrypted, your data's availability depends on your maintaining up-to-date backup copies in a physically secure location separate from your computer. An attacker may be quite content not to be able to read your sensitive data if he can make it unavailable to you as well. Your only real defense against such denial of service attacks is to always back up changed sensitive data before leaving your machine.
That obviously applies to all your encrypted files, in their various locations on your disk. It applies even more to your Document Inventory file, which Document Security Manager uses to keep track of all of their locations, their security states and the one-time keys last used to encrypt them. Keeping this information in the Inventory rather than in the files themselves allows not only their locations but all file names and extensions to remain unchanged by encryption. It is intended to prevent traffic analysis of which files or folders on your disk you consider important enough to protect with encryption. While you can always decrypt a file without the Document Inventory, you will have to remember what folder it's in on your disk. The Inventory file allows decryption by merely remembering your current passphrase (or by possessing two of the latest key share diskettes). It also encrypts the labels you use to remind yourself of their contents, or to access them by category (Professional version only).

If you exit the program after any operations that change the Inventory in any way, you'll be warned if you haven't done an Inventory backup. Do so. If you've decrypted any documents and attempt to exit without re-encrypting them, you'll be warned and given the opportunity to do so. This warning, too, should only be ignored under extreme time limitations. However, our products will only warn, never force you to wait for some lengthy automatic procedure. You're responsible for your own OPSEC.

Read your Windows® documentation and remember: your diskette drive, your modem and your network connection all provide adversaries with access ports to your data. Keep your documents secured while connected to any other machine or network, and, as the NSA's National Cryptologic School says, practice safe computing.
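Why one key share diskette is useless on its own while any two suffice, as an added example that is not Cerberus code: the page does not describe the product's sharing scheme, so Shamir's threshold scheme with threshold 2 over a prime field is assumed here purely as an illustration. Each share is a point on a random line through (0, key): two points determine the line, while a single point is consistent with every possible key, which is the property that makes leaving two diskettes in one drawer the real risk. The key value and share count are constructed for the demo.

```python
"""Added example (not Cerberus code): 2-of-n key sharing in the style of
Shamir's threshold scheme, assumed here as an illustration of why a single
key-share diskette reveals nothing and any two recover the key."""
import secrets
from itertools import combinations

P = 2**127 - 1  # prime field; the key being shared must be smaller than P


def split_2_of_n(key, n):
    """Put the key on the y-axis and pick a random slope a: f(x) = key + a*x (mod P).
    Share i is the point (i, f(i)), one per diskette."""
    if not (0 <= key < P) or n < 2:
        raise ValueError("key out of range or fewer than two shares")
    a = secrets.randbelow(P - 1) + 1           # non-zero slope
    return [(i, (key + a * i) % P) for i in range(1, n + 1)]


def recover_from_two(share1, share2):
    """Lagrange interpolation at x = 0: f(0) = (y1*x2 - y2*x1) / (x2 - x1) mod P."""
    (x1, y1), (x2, y2) = share1, share2
    if x1 == x2:
        raise ValueError("need two distinct shares")
    inv = pow((x2 - x1) % P, P - 2, P)        # modular inverse (P is prime)
    return ((y1 * x2 - y2 * x1) % P) * inv % P


def slope_explaining(share, guessed_key):
    """Given ONE share and ANY guessed key, return the slope a that makes the
    share consistent with that guess. Such an a always exists, so a lone share
    carries no information about which key is the real one."""
    x, y = share
    return ((y - guessed_key) % P) * pow(x, P - 2, P) % P


def demo(key, diskettes=3):
    """Split across `diskettes` shares; check that every pair recovers the key
    and that a single share is consistent with an arbitrary wrong guess."""
    shares = split_2_of_n(key, diskettes)
    pair_ok = all(recover_from_two(s, t) == key
                  for s, t in combinations(shares, 2))
    x, y = shares[0]
    wrong = (key + 1) % P
    lone_ambiguous = (wrong + slope_explaining(shares[0], wrong) * x) % P == y
    return pair_ok, lone_ambiguous


if __name__ == "__main__":
    demo_key = 0x0123456789abcdef0123456789abcde  # constructed key value
    print(split_2_of_n(demo_key, 3))
    print(demo(demo_key))
```

The slope_explaining function is the formal statement of "individually useless": for whichever key an attacker guesses, the one diskette in hand fits that guess exactly as well as it fits the real key. The security therefore rests entirely on keeping the diskettes apart, which is the OPSEC point the page makes.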
The Cerberus logo and the ...Security Manager product names are trademarks of Cerberus Systems, Inc. © Copyright 1997-99, all rights reserved.