Evaluation Of Open Source Cryptographic Systems Computer Science Essay


The purpose of this project is to assess and evaluate four open-source disk-encryption systems, DM-Crypt/CryptSetup, DiskCryptor, TrueCrypt and eCryptfs, for use by the Defence Science and Technology Agency (DSTA). Through this project we hope to help DSTA select the disk encryption software that best suits its requirements.

Introduction

Cryptography, in simple terms, consists of encryption and decryption. Encryption is the process of transforming legible data (plaintext) into unreadable data (ciphertext) in order to protect it from unwanted disclosure or modification during storage or transmission. Decryption is the reverse process: recovering the readable data from the ciphertext.

Cryptography relies upon two basic components: an algorithm and a key. The algorithm is a mathematical function, usually predefined and approved by a standards body such as NIST (the National Institute of Standards and Technology); the key is a parameter to the transformation that is either supplied by the user or generated automatically.


There are three basic types of approved cryptographic algorithms as defined by NIST: Symmetric Key Algorithms, Asymmetric Key Algorithms and Cryptographic Hash Functions.

Symmetric key algorithms are the most basic and widely used algorithms for protecting data in day-to-day activities. The inputs to the encryption process are the data and a secret key, and the same key is used to decrypt. For example, a user who wants to send a plaintext (readable data) secretly to another user encrypts it under a secret key supplied to the encryption algorithm, producing a ciphertext (unreadable data); the recipient, who must already hold the same secret key, decrypts it.

Asymmetric key algorithms are usually found in enterprise systems, business transactions and other situations where keys must be exchanged or authenticity established between parties that share no prior secret. They rely on a key pair: a public key, which may be known to and distributed to everyone, and a private key, which only the owner knows and which is never distributed. The two keys are mathematically related, and what is encrypted with one key can only be decrypted with the other. Asymmetric algorithms are considerably slower than symmetric ones, so in practice they protect a symmetric key or sign a hash rather than encrypt bulk data. They also protect the authenticity of a message: the sender creates a digital signature with the private key, which anyone can verify with the public key.

Cryptographic hash functions are one-way, keyless algorithms (although keyed variants exist). They are often used together with symmetric or asymmetric cryptography. A hash is not encryption: the message cannot be recovered from its hash value. Rather than protecting data for later decryption, a hash function produces a short, effectively unique digital fingerprint of a message. The recipient recomputes the hash and compares it with the value received to check that the message was not altered in transit; on its own this detects accidental corruption, and to detect deliberate tampering the hash value must itself be protected, for example by a digital signature.

However asymmetric key algorithms and cryptographic hash functions are out of the scope of this evaluation. More information about the three approved cryptographic algorithms can be found at NIST Special Publication 800-21[ [1] ].

This evaluation deals mainly with disk encryption (including external media such as CDs/DVDs and USB drives), which as a rule uses symmetric key algorithms.

In disk encryption the symmetric key protecting the disk is held in RAM while the volume is in use, so every file the system reads is transparently decrypted and every file it writes is transparently encrypted before it reaches the disk. Data at rest on the disk is therefore always encrypted. However, anyone who can use the running computer while the volume is unlocked has the same access to the files as the legitimate user. Disk encryption therefore protects disks that are not in use: a volume that has been unmounted, or a computer that has been shut down and whose key is no longer in memory.

Assumption


We assume that DSTA is broadly familiar with the processes of encryption and decryption and has done some basic research on the four crypto-systems chosen for this evaluation.

Caution

Back up all data before encrypting it. Without a backup, data on a volume whose key or passphrase has been lost cannot be recovered: the only alternative is to brute-force the key, which for the key sizes used here (128 bits and more) is computationally infeasible. It is therefore wise to back up the data and, where the system allows it, the key material (for example the volume header) as well. The backed-up key must of course itself be protected from unauthorised access, but that is outside the scope of this evaluation.

Evaluation at a glance

Version used for evaluation
    DM-Crypt/CryptSetup: 1.1.3
    DiskCryptor: 0.9.593.106
    TrueCrypt: 7.0a
    eCryptfs: 83

Operating mode (encryption layer)
    DM-Crypt/CryptSetup: whole disk, partition, file-backed container, hibernation file
    DiskCryptor: whole disk, partition, hibernation file
    TrueCrypt: whole disk, partition, file-backed container, hibernation file (Windows only)
    eCryptfs: files and folders only

Operating system support
    DM-Crypt/CryptSetup: Linux
    DiskCryptor: Windows only
    TrueCrypt: Windows, Linux, Macintosh
    eCryptfs: Linux only

Licensing / copyright
    DM-Crypt/CryptSetup: GPL v2
    DiskCryptor: GPL v3
    TrueCrypt: TrueCrypt Collective License
    eCryptfs: GPL v2

User friendliness
    DM-Crypt/CryptSetup: console based only
    DiskCryptor: GUI based, console mode available
    TrueCrypt: GUI based, console mode available (Linux only)
    eCryptfs: console based only

Encryption algorithms available
    DM-Crypt/CryptSetup: AES, Serpent, Twofish, Blowfish
    DiskCryptor: AES, Serpent, Twofish
    TrueCrypt: AES, Serpent, Twofish
    eCryptfs: AES, Blowfish, Triple-DES (DES3 EDE), CAST5, CAST6, Twofish

Encryption and decryption modes
    DM-Crypt/CryptSetup: CBC, LRW, XTS
    DiskCryptor: XTS only
    TrueCrypt: XTS only (CBC and LRW retained for mounting legacy volumes)
    eCryptfs: CBC with secret IVs only

Encryption of swap space (virtual memory)
    DM-Crypt/CryptSetup: yes
    DiskCryptor: yes
    TrueCrypt: yes
    eCryptfs: no

Key manageability
    DM-Crypt/CryptSetup: the LUKS header on the partition stores all key slots
    DiskCryptor: volume header can be backed up and restored
    TrueCrypt: volume header can be backed up and restored; a rescue disk option is also available
    eCryptfs: N/A

Crypto-Systems Overview

DM-Crypt/CryptSetup

DM-Crypt (Device Mapper Crypt) is designed to work only on Linux. It is built on the kernel's device-mapper infrastructure and is a native module of the Linux 2.6+ kernel, so the user simply loads the module when it is needed. The device-mapper infrastructure is a generic framework for mapping one block device onto another: it intercepts I/O addressed to a virtual block device, transforms the data, and passes the result on to an underlying block device (hard disk, CD/DVD, etc.), giving different block devices and filesystems a common interface. DM-Crypt uses the kernel's Crypto API for its encryption and decryption.

DM-Crypt also addresses reliability problems of its predecessor, CryptoLoop. DM-Crypt itself only provides the mapping; it relies on one of two available front-ends to create and delete encrypted volumes, activate and deactivate them, and manage authentication. The two front-ends are CryptSetup and CryptMount. Our evaluation uses the CryptSetup front-end. CryptSetup [ [2] ] is the standard tool for setting up DM-Crypt volumes and for the encryption and decryption procedures.

More information can be found at DM-Crypt Homepage. [ [3] ]

DiskCryptor

DiskCryptor was developed by a programmer known by the forum name Ntldr. When it was first released it was the first open-source (GPL-licensed [ [4] ]) full-disk encryption system for Microsoft Windows that could encrypt all disk partitions, including the system partition. One of the few problems we experienced with DiskCryptor is that its main homepage is in Russian, although an English version exists. The official forum is likewise mostly Russian-speaking and English posts are uncommon, but help can still be found if you are patient enough to wait for a reply.


DiskCryptor is simple to use. It offers fewer features than the other crypto-systems, but it is still a sound solution for hard-disk encryption.

More information can be found at DiskCryptor English Homepage. [ [5] ]

TrueCrypt

TrueCrypt is by far the best-known hard-disk encryption software of the four. Its homepage carries extensive documentation of every function and feature, and it has a wide volunteer user base that helps with development and with identifying bugs. It has several features not present in the other crypto-systems, notably plausible deniability [ [6] ]: a hidden volume can be created inside an outer volume, so that if the owner is forced to reveal a volume password (for example under physical coercion) the outer volume's password can be surrendered while the existence of the hidden volume remains undetectable.

TrueCrypt also provides a clear, detailed user interface that lets any user operate the application easily and safely, and an extensive PDF manual is included in the installation package for use offline.

More information can be found at TrueCrypt Homepage. [ [7] ]

eCryptfs

eCryptfs (the Enterprise Cryptographic Filesystem) is a POSIX-compliant encrypted filesystem (POSIX, the Portable Operating System Interface, is the family of IEEE standards that define the operating-system API) that has shipped with Ubuntu since version 9.04. In purpose it is comparable to Microsoft's BitLocker Drive Encryption and Apple's FileVault, but eCryptfs is intended only for Linux.

Unlike other Linux encryption solutions such as DM-Crypt, eCryptfs is a kernel-native stacked cryptographic filesystem instead of full disk encryption. Filesystem encryption has certain advantages and disadvantages over block-level encryption. Stacked filesystems layer on top of existing mounted filesystems that are referred to as lower filesystems. eCryptfs is a stacked filesystem that encrypts and decrypts the files as they are written to or read from the lower filesystem.

eCryptfs aims to provide the flexibility of a Pretty Good Privacy (PGP) application as a transparent kernel service. For that reason, the OpenPGP (RFC 2440) specification inspires the basic key handling techniques in eCryptfs. This includes the common procedure of using a hierarchy of keys when performing cryptographic operations.

More information can be found at eCryptfs Homepage. [ [8] ]

Evaluation Criteria

The evaluation criteria of the various Crypto-Systems are as follows.

Operating System Support

Portability of Crypto-System

Licensing Mode/Copyrights

The Operating Mode

Mode of Encryption & Decryption

Implementation Quality

Installation and Management of Crypto-System

Algorithms and Key Lengths supported

Data Recoverability (in the event of the loss of user's key)

Configurable access control mechanism for cryptographic module

Acceptable Performance

Swap Space Encryption

Key Management aspects

Evaluation Platform

Hardware

The evaluation assumes that DSTA will run workstations based on Intel x86 (32-bit) dual-core processors with at least 2 GB of memory.

Software

The operating systems used in our testing are Fedora Core 10 (32-bit) for the Linux platform, and Windows Vista Ultimate (32-bit) and Windows 7 Ultimate (32-bit) for the Windows platform.

1) Operating System Support

Based on the latest versions of the crypto-systems evaluated [ [9] ], the operating systems that each crypto-system supports are listed below (Yes = supported, No = not supported).

Operating system                DM-Crypt   DiskCryptor   TrueCrypt   eCryptfs
Windows                         No (*)     Yes           Yes         No
Linux (kernel 2.4 and above)    Yes        No            Yes         Yes
Macintosh                       No         No            Yes         No

(*) DM-Crypt volumes in LUKS format can be opened on Windows with the third-party FreeOTFE tool; see "Using LUKS Extension" below.

Legend: Windows and Macintosh versions covered by the table

Operating system   Version                       Service pack   Bitness
Windows            2000                          SP0-SP4        32
                   XP                            SP0-SP3        32
                   Server 2003                   SP0-SP2        32
                   Vista                         SP0-SP2        32, 64
                   Server 2008                   SP0-SP2        32, 64
                   7                             -              32, 64
                   Server 2008 R2                -              64
Macintosh          Mac OS X 10.4 (Tiger)         -              -
                   Mac OS X 10.5 (Leopard)       -              -
                   Mac OS X 10.6 (Snow Leopard)  -              -

Using LUKS Extension

DM-Crypt/CryptSetup

There is a third-party option for reading DM-Crypt volumes on Windows. Drives, partitions or file containers that DM-Crypt has encrypted in the LUKS (Linux Unified Key Setup) format can be read and written on the Windows platform with the third-party software FreeOTFE (Free On-The-Fly Encryption).

The DM-Crypt volume itself must still be created on Linux; it cannot be created on Windows. Only volumes formatted on Linux with LUKS can be opened on Windows, or copied to a Windows machine and opened there, using FreeOTFE. FreeOTFE supports all versions of Microsoft Windows from Windows 2000 onwards (including Windows 7), and Windows Mobile 2003 and later (including Windows Mobile 6.5).

LUKS is the first cross-platform standard for transparent hard-disk encryption. It specifies how the encrypted volume's header (cipher, mode, key-derivation parameters and the key slots holding the encrypted master key) is stored on the block device, which makes it possible to build LUKS-compatible tools for any operating system. [ [10] ]

FreeOTFE can be used in "portable mode", which allows it to be kept on a USB drive or other portable media together with its encrypted data and carried around. The encrypted data can then be mounted as a virtual disk under Microsoft Windows without installing the complete program.

Portable mode still requires FreeOTFE's kernel drivers to create the virtual disks. Like most open-source software that ships device drivers, FreeOTFE's drivers are not signed with a certificate Windows trusts, so on Windows Vista x64 and Windows 7 x64 the user must enable test-signing mode (bcdedit /set testsigning on) before they will load. Enabling test signing weakens driver-signature enforcement for the whole machine, which should be weighed against the convenience of cross-platform access in a corporate deployment.

How it works:

On the Ubuntu side:

Install cryptsetup and cryptmount: sudo apt-get install cryptsetup cryptmount

Wipe the disk or create partitions: sudo cfdisk /dev/sdb [NOTE: confirm the drive's actual device path with dmesg first; pointing this at the wrong device wipes it, possibly your primary drive]

Create the encrypted partition: sudo luksformat /dev/sdb1, where /dev/sdb1 is the partition created in the previous step [NOTE: pick a passphrase you can remember; if you forget it the data is gone. Once the volume exists, also back up its LUKS header (CryptSetup's luksHeaderBackup command), because a damaged header makes the volume unreadable even with the correct passphrase]

On the Windows side:

Plug in the USB drive, open Computer Management >> Disk Management, find the drive and remove its assigned drive letter; FreeOTFE assigns a free letter when it mounts the volume

Unzip the FreeOTFE archive into a directory and start it in portable mode

Choose File >> Linux Volume >> Mount partition and enter your passphrase [11]

CryptSetup itself is straightforward to use, but it works at the block-device (partition) level, so you cannot simply create an encrypted directory inside your home folder and move it around as TrueCrypt and eCryptfs permit; a file-backed DM-Crypt volume is possible, but it must first be attached as a loop device (see the Operating Mode section). [12]

2) Crypto-System Portability

Portability is one of the key concepts of high-level programming: the ability of a software code base to be reused, rather than rewritten, when the software is moved from one environment to another. Its prerequisite is a generalised abstraction between the application logic and the system interfaces. When one application targets several platforms, portability is the key to reducing development cost. [13]

TrueCrypt

TrueCrypt's portability is good: it supports the three major operating systems. Both 32-bit and 64-bit versions of the Windows family are supported. Mac users need Mac OS X 10.4 Tiger or newer. On Linux, TrueCrypt is supported as long as the kernel is version 2.4 or above. It does not support floppy disks. On Windows, TrueCrypt can also run from an external device without being installed on the machine (for example through a PortableApps launcher), so it can be carried around on the drive that holds the encrypted data. TrueCrypt has both a command-line interface and a GUI client. [14]

Operating system   Version / kernel              Service pack   Bitness
Windows            2000                          SP0-SP4        32
                   XP                            SP0-SP3        32
                   Server 2003                   SP0-SP2        32
                   Vista                         SP0-SP2        32, 64
                   Server 2008                   SP0-SP2        32, 64
                   7                             -              32, 64
                   Server 2008 R2                -              64
Macintosh          Mac OS X 10.4 (Tiger)         -              -
                   Mac OS X 10.5 (Leopard)       -              -
                   Mac OS X 10.6 (Snow Leopard)  -              -
Linux              Kernel 2.4, 2.6 and above     -              32, 64


You must also choose the total size of the volume in advance. This is one of TrueCrypt's weak points: the entire volume is created at a fixed size and cannot be expanded later if necessary. In addition, TrueCrypt does not encrypt an existing folder in place; the only option is to create a new volume and copy the existing content into it. [15]

More information can be found at (TrueCrypt Foundation, 2010)

3) Licensing Mode / Copyrights

DM-Crypt/CryptSetup: GPL v2 (http://www.gnu.org/licenses/old-licenses/gpl-2.0.html)

DiskCryptor: GPL v3 (http://www.gnu.org/licenses/gpl-3.0.html)

TrueCrypt: TrueCrypt Collective License (http://www.truecrypt.org/legal/license)

eCryptfs: GPL v2 (http://www.gnu.org/licenses/gpl-2.0.html)

4) Operating Mode

What is an Operating Mode?

Kernel-space solutions for protecting data at rest take one of two approaches: volume encryption and filesystem-level encryption. In volume encryption, everything written to the storage device mounted as a volume is encrypted as a whole; a single cryptographic key protects both the data and the metadata of every file on the entire device. Filesystem-level encryption instead encrypts individual filesystem objects (files, directories and their metadata) rather than the device as a whole, and different keys are used for different objects.

Operating Mode Support (Encryption Layer)

Crypto-system   Full disk (whole disk)   Partition   Filesystem level (folder or file)   Volume   Hidden volume
DM-Crypt        Yes                      Yes         Yes (*)                             Yes      ?
DiskCryptor     Yes                      Yes         No                                  No       No
TrueCrypt       Yes                      Yes         Yes (*)                             Yes      Yes
eCryptfs        No                       No          Yes                                 No       No

(*) For DM-Crypt and TrueCrypt this means a file-backed container volume (see the per-system notes below), not per-file encryption of the kind eCryptfs performs. "?" marks a capability not determined in this evaluation.

A file system (often also written as "filesystem") is a method of storing and organising computer files and their data. It organises these files so that the operating system can store, manage and retrieve them.

Full disk encryption (or whole disk encryption) uses disk encryption software or hardware to encrypt every bit of data that goes on a disk or disk volume, preventing unauthorised access to the stored data. The term "full disk encryption" is often used to signify that everything on a disk is encrypted, including the bootable operating system partitions. Software-based full disk encryption must nevertheless leave the master boot record (MBR) and the boot loader unencrypted so that the pre-boot authentication code can run. Hardware-based and hybrid full disk encryption systems can truly encrypt the entire boot disk, including the MBR.

Partition encryption software usually works on basic disks. It is a more flexible way of encrypting data because it lets the user open (enter a password for and gain access to) different encrypted partitions independently. If a single partition occupies the whole hard drive, partition encryption amounts to whole disk encryption from the user's point of view.

Filesystem-level encryption, often called file or folder encryption, is a form of disk encryption in which individual files or directories are encrypted by the filesystem itself. This is in contrast to full disk encryption, where the entire partition or disk on which the filesystem resides is encrypted.

Volume encryption software treats a volume as a single unit of data. A volume is always in one of two definite states: until the password is entered the whole volume is inaccessible; once the user enters the correct password and opens the volume, all of its parts, even those stored on different hard drives, become accessible. A volume stores a complete filesystem structure and a complete tree of the user's files. Since a single volume may hold data scattered across several physical disks, it is more convenient and safer to manage the volume than to handle each physical drive separately. If the volume consists of a single partition, volume encryption gives the user the same result as partition encryption; if that partition occupies the whole hard drive, it is equivalent to both whole disk and partition encryption.

The following are some benefits of full disk encryption:

Nearly everything including the swap space and the temporary files is encrypted. Encrypting these files is important, as they can reveal confidential data.

With full disk encryption, the decision of which individual files to encrypt is not left up to users' discretion. This is important for situations in which users might not want or might forget to encrypt sensitive files.

Support for pre-boot authentication.

Immediate data destruction, as simply destroying the cryptography keys renders the contained data useless. However, if security towards future attacks is a concern, purging or physical destruction is advised.

The advantages of filesystem-level encryption include:

Flexible file-based key management so that each file can be and usually is encrypted with a separate encryption key.

Individual management of encrypted files. E.g. incremental backups of the individual changed files even in encrypted form, rather than backup of the entire encrypted volume.

Access control can be enforced through public-key cryptography, and cryptographic keys are held in memory only while the file they decrypt is held open.

(Volume Encryption, 2010)

Swap Partition

A swap partition is an area of the drive where virtual memory resides, allowing the kernel to use disk storage for data that does not fit into physical RAM. Because anything in memory, including decrypted file contents and possibly key material, can be paged out to it, an unencrypted swap partition undermines disk encryption. The traditional rule for swap partition size was twice the amount of physical RAM; as computers have gained ever larger memory capacities this rule has become increasingly outdated.

DM-Crypt/CryptSetup

DM-Crypt is a block-device-level cryptographic module. It encrypts individual partitions (or whole block devices) rather than the filesystem objects on them. It can encrypt every partition on a disk, including the root filesystem, although that is more complex: whether the installer can set up an encrypted root filesystem depends on the distribution, and otherwise it requires hands-on configuration of the boot process. DM-Crypt also supports a file-backed volume when used with the losetup utility included with all major Linux distributions: a file is created to hold the user's data and attached to a loop device, and the loop device is then mapped through device mapper like any other block device.

The drawbacks of DM-Crypt follow from its position in the stack. Everything written to the underlying disk (including metadata) is encrypted under a single key for the whole volume, so there is no finer-grained key management, and incremental backups of the encrypted data are hard to implement. These limitations restrict dm-crypt to a narrower set of uses; it is less suited to large corporate environments where file sharing and incremental backups are routine.

DiskCryptor

DiskCryptor can encrypt entire hard-drive partitions, including the system partition, as well as flash drives, in place and without destroying existing data; the encryption is transparent to running applications. It can also create encrypted CDs/DVDs (by encrypting .ISO disk images). Other options include encrypting the swap space and the hibernation file (where the OS supports hibernation).

TrueCrypt

TrueCrypt supports encryption of system partitions and of storage devices such as thumb drives and other removable media, and it lets users create an encrypted file container for sensitive data. TrueCrypt uses block-device encryption [16]. It supports plausible deniability by allowing a hidden volume to be created inside the free space of another volume. The Windows version supports two kinds of plausible deniability: hidden volumes and hidden operating systems. TrueCrypt also uses a public Windows API to encrypt hibernation and crash-dump files in a safe, documented way. [17]

eCryptfs

eCryptfs is a stacked filesystem that encrypts on a per-file basis. Each file is encrypted with its own File Encryption Key (FEK), which is in turn wrapped (encrypted) with the File Encryption Key Encryption Key (FEKEK) derived from the mount-wide key, which comes either from a passphrase or from an external key module. Because eCryptfs stacks on top of an existing filesystem, it requires no special on-disk storage allocation and allows selective encryption of only the sensitive files. It cannot keep all filesystem metadata confidential: since encryption is per file, an attacker can see the directory structure, the number of files and their approximate sizes. Encrypted files are accessed transparently by applications and can be moved to another location as ordinary files with no extra work. eCryptfs is not, however, designed to protect swap space.
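The key hierarchy described above, as an added illustration that is not eCryptfs's own code or on-disk format: the mount passphrase is stretched into a FEKEK, each file receives its own random FEK that is stored wrapped under the FEKEK in the file's header, and a passphrase change rewraps headers only, leaving file bodies untouched. The wrapping construction, the keystream, the header layout and the sample values are assumptions of this example; PBKDF2 stands in for eCryptfs's own passphrase stretching.

```python
"""Key hierarchy of the kind eCryptfs uses, as a self-contained illustration.

A mount-wide passphrase is stretched into the FEKEK (File Encryption Key
Encryption Key).  Every file gets its own random FEK (File Encryption Key),
which is stored wrapped under the FEKEK in that file's header.  The wrapping
and body encryption below are stand-ins (HMAC-derived masks and a SHA-256
keystream), NOT eCryptfs's real on-disk format or ciphers.
"""
import hashlib
import hmac
import os

KEY_LEN = 16  # bytes; 128-bit keys as in eCryptfs's default configuration


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def fekek_from_passphrase(passphrase: str, salt: bytes, iterations: int = 65536) -> bytes:
    """Stretch the mount passphrase into the FEKEK (PBKDF2-HMAC-SHA256 stands in
    for eCryptfs's own salted, iterated hash)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, iterations, dklen=KEY_LEN)


def wrap_fek(fekek: bytes, fek: bytes, file_id: bytes) -> bytes:
    """Encrypt the per-file FEK under the FEKEK and append an integrity tag,
    so that a wrong mount key is detected instead of yielding garbage."""
    mask = hmac.new(fekek, b"wrap" + file_id, "sha256").digest()[:KEY_LEN]
    blob = xor(fek, mask)
    tag = hmac.new(fekek, b"tag" + file_id + blob, "sha256").digest()[:KEY_LEN]
    return blob + tag


def unwrap_fek(fekek: bytes, wrapped: bytes, file_id: bytes) -> bytes:
    blob, tag = wrapped[:KEY_LEN], wrapped[KEY_LEN:]
    expected = hmac.new(fekek, b"tag" + file_id + blob, "sha256").digest()[:KEY_LEN]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong mount key or corrupted file header")
    mask = hmac.new(fekek, b"wrap" + file_id, "sha256").digest()[:KEY_LEN]
    return xor(blob, mask)


def keystream(fek: bytes, length: int) -> bytes:
    """Toy keystream derived from the FEK (counter-mode SHA-256).  Like
    eCryptfs's per-position IVs it is fixed per file, so rewriting a file in
    place reuses it; an observer of both versions learns where the file changed."""
    blocks = (length + 31) // 32
    return b"".join(hashlib.sha256(fek + i.to_bytes(8, "big")).digest() for i in range(blocks))[:length]


def write_file(fekek: bytes, plaintext: bytes) -> dict:
    """Create an encrypted file: header (file id + wrapped FEK) and body."""
    file_id, fek = os.urandom(8), os.urandom(KEY_LEN)
    return {"id": file_id,
            "wrapped_fek": wrap_fek(fekek, fek, file_id),
            "body": xor(plaintext, keystream(fek, len(plaintext)))}


def read_file(fekek: bytes, entry: dict) -> bytes:
    fek = unwrap_fek(fekek, entry["wrapped_fek"], entry["id"])
    return xor(entry["body"], keystream(fek, len(entry["body"])))


def can_open(fekek: bytes, entry: dict) -> bool:
    try:
        read_file(fekek, entry)
        return True
    except ValueError:
        return False


def rekey(old_fekek: bytes, new_fekek: bytes, entries: list) -> list:
    """Passphrase change: each FEK is unwrapped with the old FEKEK and
    rewrapped with the new one.  Only headers change; no body is re-encrypted."""
    out = []
    for e in entries:
        fek = unwrap_fek(old_fekek, e["wrapped_fek"], e["id"])
        out.append(dict(e, wrapped_fek=wrap_fek(new_fekek, fek, e["id"])))
    return out


if __name__ == "__main__":
    salt = b"constructed-salt"  # constructed sample values, not real key material
    old = fekek_from_passphrase("correct horse battery", salt)
    files = [write_file(old, b"quarterly report: confidential"), write_file(old, b"notes")]
    new = fekek_from_passphrase("new passphrase", salt)
    files2 = rekey(old, new, files)
    print([read_file(new, f) for f in files2])   # plaintexts recovered with the new key
    print([len(f["body"]) for f in files2])      # ciphertext lengths still reveal file sizes
```

The body lengths printed at the end are the metadata leak noted above: per-file encryption preserves each file's size. The keystream comment is the per-file analogue of the IV reuse on overwrite discussed under eCryptfs's encryption mode.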

5) Encryption and Decryption Modes

What are encryption and decryption modes? With a symmetric block cipher, the same plaintext block always encrypts to the same ciphertext block under the same key. If the blocks of a typical message are encrypted independently of one another (electronic codebook, ECB), an adversary can easily find patterns in the plaintext, such as repeated blocks, because they are equally apparent in the ciphertext.

Modes of operation address this problem by combining the basic cipher with feedback (chaining) rules and a variable initial value (the initialisation vector, IV), so that identical plaintext blocks no longer produce identical ciphertext.

Listed below are the operating modes that the various crypto-systems support.

Crypto-system          CBC   CFB   OFB   CTR   LRW   XTS
DM-Crypt/CryptSetup    Yes   No    No    No    Yes   Yes
DiskCryptor            No    No    No    No    No    Yes
TrueCrypt              No    No    No    No    No    Yes
eCryptfs               Yes   No    No    No    No    No

Legend

CBC: Cipher Block Chaining
CFB: Cipher Feedback mode
OFB: Output Feedback mode
CTR: Counter mode
LRW: tweakable narrow-block mode named after its authors, Liskov, Rivest and Wagner
XTS: XEX-based Tweaked CodeBook mode (TCB) with CipherText Stealing (CTS)

Cipher Block Chaining (CBC)

The CBC mode is a confidentiality mode whose encryption process combines (chains) each plaintext block with the previous ciphertext block before it is enciphered. CBC requires an IV (initialisation vector) to combine with the first plaintext block. The IV need not be secret, but it must be unpredictable. In the notation of NIST SP 800-38A, with CIPH_K the forward cipher function under key K and n plaintext blocks P_1 .. P_n:

    C_1 = CIPH_K(P_1 XOR IV),          C_j = CIPH_K(P_j XOR C_{j-1})      for j = 2 .. n
    P_1 = CIPH^-1_K(C_1) XOR IV,       P_j = CIPH^-1_K(C_j) XOR C_{j-1}   for j = 2 .. n

(The diagram of CBC encryption and decryption that accompanied this section is not reproduced.)

Legend

CIPH_K: the forward cipher function (encryption) under key K, e.g. 3DES or AES
CIPH^-1_K: the inverse cipher function (decryption) under key K
XOR (⊕): exclusive or, a bitwise operation that yields 1 where exactly one of the two operand bits is 1

More information can be found at NIST Special Publication 800-38A

(Morris Dworkin, 2001)

Liskov, Rivest, Wagner (LRW)

LRW is a tweakable narrow-block mode: it acts on "narrow" blocks of 16 bytes (128 bits). Narrow-block algorithms operate on relatively small portions of data and therefore lend themselves to efficient hardware implementation.

In the original paper, Liskov, Rivest and Wagner describe tweak block chaining (TBC), which is similar to cipher block chaining (CBC). An initial tweak T_0 plays the role of CBC's initialisation vector; each successive message block M_i is encrypted under the key K and the tweak T_{i-1}, and the resulting ciphertext block C_i becomes the tweak T_i for the next block. The LRW mode used by disk encryption software (TrueCrypt 4.1 to 4.3a, DM-Crypt) instead derives the tweak for each block from its position: T_i = K_2 ⊗ i, where K_2 is a second key, i is the block's index on the disk and ⊗ is multiplication in GF(2^128); the block is then encrypted as C_i = E_K(M_i ⊕ T_i) ⊕ T_i.

Legend

M_i: plaintext block
T_0: initial tweak
E_K: encryption algorithm (e.g. 3DES, AES) under key K

More information can be found in the original paper (Moses Liskov, Ronald L. Rivest, and David Wagner).

From the year 2004 to the year 2006, drafts of the P1619 standards were using AES in LRW mode. In the Aug 30, 2006 meeting of the SISWG, a straw poll showed that most members would not approve P1619 "as is". Consequently, LRW-AES has been replaced by the XEX-AES tweakable block cipher in P1619.0 Draft 7 (and renamed to XTS-AES in Draft 11).

Source from (Wikipedia)

XEX-based Tweaked CodeBook mode (TCB) with CipherText Stealing (CTS) (XTS)

XTS-AES was developed by the IEEE Security in Storage Working Group (SISWG) and is the mode specified in IEEE Std 1619-2007, Standard for Cryptographic Protection of Data on Block-Oriented Storage Devices; NIST approved it for use with AES in Special Publication 800-38E (2010).

XTS is based on XEX (xor-encrypt-xor), designed by Rogaway to allow efficient processing of consecutive blocks (with respect to the cipher used) within one data unit (e.g. a disk sector). It uses ciphertext stealing to handle data units whose length is not a multiple of the AES block size. XTS uses a tweak, which plays a role similar to an initialisation vector: the tweak is derived from the data unit's position (the sector number), so unlike a CBC IV it need not be unpredictable or random, only distinct for each data unit.

The tweak aims to provide variability of the ciphertext, whereas the key provides security against an adversary recovering the plaintext.

From IEEE P1619 (Storage Working Group, 2007)

Ciphertext Stealing (CTS)

Ciphertext stealing alters the processing of the last two blocks of plaintext so that the ciphertext is exactly as long as the plaintext, with no expansion, at the cost of reordering the last two ciphertext blocks. The (possibly incomplete) last plaintext block is padded with the trailing bytes of the second-to-last ciphertext block (the ciphertext is "stolen" from that block). The now full last block is encrypted and then swapped with the second-to-last ciphertext block, which is truncated to the length of the final plaintext block, removing the stolen bytes. The result is ciphertext of the same length as the original message.

More info can be found at IEEE P1619 (Storage Working Group, 2007)

DM-Crypt/CryptSetup

DM-Crypt supports three modes of operation: CBC, LRW and XTS. CBC remains the default mode, and in its simplest form (IV equal to the sector number) it is vulnerable to watermarking attacks, so it is not recommended. The user should therefore always specify the cipher, mode, IV generator and key length explicitly (CryptSetup's --cipher and --key-size options, with a specification such as aes-xts-plain64 or, at minimum, aes-cbc-essiv:sha256) rather than relying on defaults.

Watermarking Attack

It is an attack on disk encryption methods where the presence of a specially crafted piece of data (E.g. a decoy file) can be detected by an attacker without knowing the encryption key. More information pertaining to watermarking attacks can be found at (Watermarking Attack Wikipedia)

DiskCryptor

DiskCryptor only employs XTS as the mode of operation for encryption and decryption. On multiprocessor systems encryption operations can run in parallel, where DiskCryptor automatically chooses optimal parallel mode based on system configuration.

(Ntldr & Jet-Phryx, 2010)

TrueCrypt

TrueCrypt uses XTS for encrypted partitions, drives and virtual (file-hosted) volumes. XTS makes use of two independent keys, usually obtained by splitting the supplied key material in half, whereas XEX mode uses a single key for two different purposes. Volumes created with TrueCrypt 5.0 and later use XTS. [18] CBC with predictable IVs and LRW are retained only for legacy support, so that volumes created by older versions can still be mounted [19]: CBC for volumes created with TrueCrypt 1.0 through 4.0, LRW for volumes created with 4.1 through 4.3a.

eCryptfs

The mode of encryption for eCryptfs is stacked filesystem encryption. Unlike most of the other cryptographic software, eCryptfs is a real filesystem. This allows the user to encrypt on top of an existing partition, unlike block device encryption, which creates a physical block device. eCryptfs only supports CBC with secret IVs, that is, the CBC mode in which the initialization vectors are derived statically from the encryption key and the sector number. The IVs are secret, but they are reused when a sector is overwritten. Methods for this include ESSIV and encrypted sector numbers (CGD).

Initialization Vector Support

An initialization vector (IV) is a continuously changing number (block of bits) used in combination with a secret key to encrypt data. IVs are used to prevent a sequence of text that is identical to a previous sequence from producing exactly the same ciphertext when encrypted, which makes it more difficult for an attacker using a dictionary attack to find patterns and break the cipher. For example, a sequence might appear twice or more within the body of a message. If there are repeated sequences in the encrypted data, an attacker could assume that the corresponding sequences in the message were also identical. The IV prevents the appearance of corresponding duplicate character sequences in the ciphertext.

The size of the IV depends on the encryption algorithm and on the cryptographic protocol (e.g. TLS) in use, and is normally as large as the block size of the cipher or as large as the encryption key. The IV must be known to the recipient of the encrypted information for it to be decrypted. If the IV is chosen at random, the cryptographer must take into consideration the probability of collisions, and if an incremental IV is used as a nonce (number used once), the algorithm's resistance to related-IV attacks must also be considered.

Summary of cipher modes:

Name   Parallelisable   IV Requirements         Comments
CBC    No               Salt                    -
CFB    No               Salt                    -
OFB    No               Nonce                   Unsuitable for hard disk encryption
CTR    Yes              Extended Requirements   Unsuitable for hard disk encryption
LRW    Yes              Tweak                   Replaced by XTS
XTS    ?                Salt or Nonce           SISWG Candidate

Legend

Nonce - A number used only once.

Tweak - A non-random predictable value that can be reused.

Salt - Generated randomly.

ESSIV - Encrypted Salt-Sector Initialization Vector; a unique unpredictable item.
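As an added example that is not part of the essay or of any of the four projects, the following Python implements the ciphertext-stealing construction described under Ciphertext Stealing above (the last two blocks are exchanged and the final one truncated, so the ciphertext is as long as the plaintext) on CBC, together with an ESSIV-style per-sector IV, the sector number encrypted under a hash of the data key, as discussed for CBC with secret IVs. The 16-byte block cipher is a constructed Feistel network standing in for AES so that the code runs with the standard library alone; all function names are hypothetical.

```python
import hashlib
BS = 16  # block size in bytes, as for AES

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))
def _f(key: bytes, i: int, half: bytes) -> bytes:
    # constructed Feistel round function (keyed SHA-256), illustration only
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]

def block_encrypt(key: bytes, block: bytes) -> bytes:
    # stand-in 16-byte block cipher: 8-round Feistel network, not AES
    l, r = block[:8], block[8:]
    for i in range(8):
        l, r = r, _xor(l, _f(key, i, r))
    return r + l
def block_decrypt(key: bytes, block: bytes) -> bytes:
    r, l = block[:8], block[8:]
    for i in reversed(range(8)):
        l, r = _xor(r, _f(key, i, l)), l
    return l + r

def essiv(key: bytes, sector: int) -> bytes:
    # ESSIV-style IV: sector number encrypted under a hash of the data key,
    # so it is reproducible for reads but unpredictable without the key
    return block_encrypt(hashlib.sha256(key).digest(), sector.to_bytes(BS, "little"))

def cbc_cts_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    # CBC with ciphertext stealing: last two blocks swapped, no expansion
    blocks = [pt[i:i + BS] for i in range(0, len(pt), BS)]
    assert len(blocks) >= 2, "ciphertext stealing needs more than one block"
    d, out, prev = len(blocks[-1]), [], iv
    for b in blocks[:-1]:  # ordinary CBC up to the penultimate block
        prev = block_encrypt(key, _xor(b, prev))
        out.append(prev)
    # prev = E_{n-1}: tail prev[d:] is stolen to fill the short last block,
    # head prev[:d] becomes the truncated final ciphertext block
    full = block_encrypt(key, _xor(blocks[-1] + bytes(BS - d), prev))
    return b"".join(out[:-1]) + full + prev[:d]

def cbc_cts_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    blocks = [ct[i:i + BS] for i in range(0, len(ct), BS)]
    d, out, prev = len(blocks[-1]), [], iv
    dn = block_decrypt(key, blocks[-2])  # E_{n-1} XOR (P_n || zeros)
    e_prev = blocks[-1] + dn[d:]         # put the stolen bytes back
    for b in blocks[:-2]:
        out.append(_xor(block_decrypt(key, b), prev))
        prev = b
    out.append(_xor(block_decrypt(key, e_prev), prev))
    out.append(_xor(dn[:d], blocks[-1]))
    return b"".join(out)
```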

5) Key Manageability

PBKDF2 (Password-Based Key Derivation Function 2) is a key derivation function that is part of RSA Laboratories' Public-Key Cryptography Standards (PKCS) series, specifically PKCS #5 v2.0, and is also published as the Internet Engineering Task Force's RFC 2898. It replaces an earlier standard, PBKDF1, which could only produce derived keys up to 160 bits long.
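The following is an added example, not code from the essay or from any of the four projects: PBKDF2 written out from RFC 2898 with HMAC as the pseudorandom function, showing how the derived key is assembled from several digest-sized blocks so that, unlike PBKDF1, it is not limited to one hash length. The helper names and the 2000-iteration default are assumptions for illustration.

```python
import hashlib
import hmac

def pbkdf2(password: bytes, salt: bytes, iterations: int, dk_len: int,
           hash_name: str = "sha256") -> bytes:
    # PBKDF2 per RFC 2898 section 5.2 with HMAC-<hash> as the PRF. The key is
    # T_1 || T_2 || ... || T_l cut to dk_len, so unlike PBKDF1 it is not
    # limited to a single digest length.
    h_len = hashlib.new(hash_name).digest_size
    l = -(-dk_len // h_len)  # ceil(dk_len / h_len) output blocks
    derived = b""
    for i in range(1, l + 1):
        # U_1 = PRF(P, S || INT(i)); U_j = PRF(P, U_{j-1}); T_i = U_1 ^ ... ^ U_c
        u = hmac.new(password, salt + i.to_bytes(4, "big"), hash_name).digest()
        t = bytearray(u)
        for _ in range(iterations - 1):
            u = hmac.new(password, u, hash_name).digest()
            for k in range(h_len):
                t[k] ^= u[k]
        derived += bytes(t)
    return derived[:dk_len]

def matches_stdlib(password: bytes, salt: bytes, iterations: int, dk_len: int) -> bool:
    # cross-check against hashlib's implementation (HMAC-SHA256)
    return pbkdf2(password, salt, iterations, dk_len) == \
        hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dk_len)

def derive_volume_key(passphrase: str, salt: bytes, iterations: int = 2000) -> bytes:
    # Hypothetical helper: a 256-bit master key from a passphrase. The salt
    # defeats precomputed tables; the iteration count multiplies the cost of
    # every guess an attacker must make.
    return pbkdf2(passphrase.encode(), salt, iterations, 32)
```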

DM-Crypt

Empty.

DiskCryptor

Empty.

TrueCrypt

TrueCrypt offers no centralized key management (the creation, distribution and storage of encryption keys while maintaining the organization's ability to recover data) and no key escrow service (holding the encryption keys used in cryptography-based communication). As such, a lost or forgotten password will result in irreversible data loss.

eCryptfs

For per-file key management, eCryptfs uses the methods of PGP (Pretty Good Privacy) and takes the obvious, conceptually trivial step of applying those methods within the filesystem service in the kernel.

6) Crypto algorithm(s) and key length supported

List of crypto algorithm(s) supported. Columns: DM-Crypt, DiskCryptor, TrueCrypt, eCryptfs. Each X is one marked cell of the row, listed in the order recovered (the column positions of the marks are not preserved in this copy).

DES        X  X  X  X
3DES       X  X  X
AES
Blowfish   X  X
Twofish
Serpent    X  X
Cast5      X  X  X
Cast6      X  X  X

Triple DES (3DES) is the common name for the Triple Data Encryption Algorithm (TDEA) block cipher, which applies the Data Encryption Standard (DES) cipher algorithm three times to each data block. Because of the availability of increasing computational power, the key size of the original DES cipher was becoming subject to brute force attacks; Triple DES was designed to provide a relatively simple method of increasing the key size of DES to protect against such attacks, without designing a completely new block cipher algorithm.

Advanced Encryption Standard (AES) is a symmetric-key encryption standard adopted by the U.S. government. The standard comprises three block ciphers, AES-128, AES-192 and AES-256, adopted from a larger collection originally published as Rijndael. Each of these ciphers has a 128-bit block size, with key sizes of 128, 192 and 256 bits, respectively. The AES ciphers have been analyzed extensively and are now used worldwide, as was the case with its predecessor, the Data Encryption Standard (DES).

Blowfish is a keyed, symmetric block cipher, designed in 1993 by Bruce Schneier and included in a large number of cipher suites and encryption products. Blowfish provides a good encryption rate in software and no effective cryptanalysis of it has been found to date. However, the Advanced Encryption Standard now receives more attention.

In cryptography, Twofish is a symmetric key block cipher with a block size of 128 bits and key sizes up to 256 bits. It was one of the five finalists of the Advanced Encryption Standard contest, but was not selected for standardisation. Twofish is related to the earlier block cipher Blowfish.

Like other AES submissions, Serpent has a block size of 128 bits and supports a key size of 128, 192 or 256 bits. The cipher is a 32-round substitution-permutation network operating on a block of four 32-bit words. Each round applies one of eight 4-bit to 4-bit S-boxes 32 times in parallel. Serpent was designed so that all operations can be executed in parallel, using 32 1-bit slices. This maximizes parallelism, but also allows use of the extensive cryptanalysis work performed on DES.

In cryptography, CAST-128 (alternatively CAST5) is a block cipher used in a number of products, notably as the default cipher in some versions of GPG and PGP. It has also been approved for Canadian government use by the Communications Security Establishment. The algorithm was created in 1996 by Carlisle Adams and Stafford Tavares using the CAST design procedure; another member of the CAST family of ciphers, CAST-256 (a former AES candidate) was derived from CAST-128. According to some sources, the CAST name is based on the initials of its inventors, though Bruce Schneier reports the authors' claim that "the name should conjure up images of randomness" (Schneier, 1996).

In cryptography, CAST-256 (or CAST6) is a block cipher published in June 1998. It was submitted as a candidate for the Advanced Encryption Standard (AES); however, it was not among the five AES finalists. It is an extension of an earlier cipher, CAST-128; both were designed according to the "CAST" design methodology invented by Carlisle Adams and Stafford Tavares. Howard Heys and Michael Wiener also contributed to the design.

Glossary

CBC - Cipher block chaining (CBC) is a common chaining mode in which the previous block's ciphertext is XORed with the current block's plaintext before encryption.

Block Cipher - It is a symmetric key cipher operating on fixed-length groups of bits, called blocks, with an unvarying transformation. A block cipher encryption algorithm might take (for example) a 128-bit block of plaintext as input, and output a corresponding 128-bit block of ciphertext.

Block device - Block special files or block devices correspond to devices through which the system moves data in the form of blocks. These device nodes often represent addressable devices such as hard disks, CD-ROM drives, or memory regions.

Crypto API - It is a cryptography framework in the Linux kernel, for various parts of the kernel that deal with cryptography, such as IPSec and DM-crypt. It was introduced in kernel version 2.4.12 and has since expanded to include essentially all popular block ciphers and hash functions.

Cryptmount - It is a software tool for managing encrypted filesystems under the GNU/Linux family of operating systems. It uses the device mapper and DM-Crypt infrastructure to provide transparent encryption of filesystems stored in disk partitions or within ordinary files.

Cryptoloop - It is a disk encryption module for Linux which relies on the Crypto API in the 2.6 Linux kernel series.

Cryptsetup - It is used to conveniently set up DM-Crypt managed block devices under Linux.

Device mapper - A generic framework used to map one block device into another.

ESSIV - Encrypted Salt-Sector Initialization Vector (ESSIV) is a method for generating initialization vectors for block encryption to use in disk encryption.

LRW - A tweakable narrow-block encryption mode, LRW is an instantiation of the mode of operation introduced by Liskov, Rivest, and Wagner.

LUKS - Linux Unified Key Setup or LUKS is a disk-encryption specification created by Clemens Fruhwirth and originally intended for Linux.

Water-marking attack - It is an attack on disk encryption methods where the presence of a specially crafted piece of data (e.g., a decoy file) can be detected by an attacker without knowing the encryption key.

XOR - The logical operation exclusive disjunction, also called exclusive or (symbolized XOR, EOR, EXOR), is a type of logical disjunction on two operands that results in a value of true if exactly one of the operands has a value of true. A simple way to state this is "one or the other but not both."

XTS - It is XEX-based Tweaked CodeBook mode (TCB) with Ciphertext Stealing (CTS).