Monday, February 27, 2012

TrueCrypt — Learn the Art of Encryption


When did you last feel that you ought to have secured that important file so nobody else could view it without your permission? Ever lost a pen drive holding loads of family photos or important spreadsheets? Do you worry that Big Brother may be watching your uploads to the cloud? If you answered yes to any of these, the solution is encryption.
Many commercial encryption products can protect files, folders and partitions. Probably the most discussed is BitLocker, which is included in the Ultimate and Enterprise editions of Windows 7. If you have ever wondered whether there is free, source-available encryption software that does the same job, there is: it is called TrueCrypt.
As described on TrueCrypt.org, it is a software system for establishing and maintaining an on-the-fly-encrypted volume (data storage device). On-the-fly means that data is automatically encrypted just before it is written and decrypted just after it is read, without user intervention. No data stored on an encrypted volume can be decrypted without the correct password/keyfile(s) or the correct encryption keys. The entire file system is encrypted, including file names, directory structure, free space and metadata.
Files can be copied to and from a mounted TrueCrypt volume just like any normal disk (for example, by drag-and-drop). The software is simple, behaves as expected and has a GUI for ease of use. Beyond convenience, its most important property is the strength of the encryption: in a widely reported case the FBI gave up after a year of trying to decrypt seized TrueCrypt volumes. The lesson is that the protection is only as strong as the passphrase or keyfile that unlocks the volume; there is no back door for a forgotten one. Some more facts: the source code is published under TrueCrypt's own licence (the TrueCrypt License, not the GPL), and it runs on Linux, Mac OS X and Windows.
Continue reading at your own risk… you may soon fall in love with TrueCrypt!

The basics of encryption

So let's take a quick look at the basics of encryption. Everybody knows what a password is and how it works, and it is tempting to think of an encryption key as the same thing. Technically there are important differences:
  • Form. A password is typically a short string of characters entered before access is granted. An encryption key is a sequence of bytes (in TrueCrypt, a random key generated for the volume and unlocked by your passphrase) that the cipher needs in order to transform the data.
  • Effect on the data. A password does not change the contents of the protected resource. A key is used by the encryption algorithm to actually transform the data.
  • If it is lost. A password that merely guards access can often be removed with ready-made tools (spreadsheet and document password removers simply reveal the unchanged data). Encrypted data cannot be recovered without the key; the only option is brute force, which is infeasible for a key of adequate strength and a passphrase that cannot be guessed.
(Be careful: lose the key or the passphrase, and you lose all the data!)
Basically, there are three cryptographic building blocks: symmetric-key encryption, asymmetric-key (public-key) encryption and hashing. For this article, we need to understand two of them.
Symmetric-key encryption converts data from clear text (the original format) to cipher text (the encrypted format) using an encryption algorithm and a key. The same key converts the cipher text back to clear text, so the data is only as safe as the key is secret.
A hash algorithm maps data of any length to a fixed-size digest. Changing even one bit of the input produces a completely different digest, so comparing digests confirms whether integrity has been lost. A good hash is also one-way: the digest cannot be used to recreate the original data, and two different inputs with the same digest cannot be found in practice.
TrueCrypt uses both of these: a symmetric block cipher (AES, Serpent or Twofish, singly or in a cascade, in XTS mode) encrypts the volume, and a hash (RIPEMD-160, SHA-512 or Whirlpool) drives the PBKDF2 key derivation that turns your passphrase into the key which unlocks the volume header. Now, let's understand more about TrueCrypt.
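The relationship between the passphrase, the hash and the symmetric cipher is easiest to see in code. The following Python is an added example, not TrueCrypt's source: it mirrors TrueCrypt's two-level key design (passphrase, through PBKDF2 with SHA-512, gives a header key; the header key unwraps a random master key; the master key encrypts the data) using only the standard library. The keystream_xor function is a constructed stand-in for AES-XTS, the HMAC check value replaces TrueCrypt's header magic/CRC check, and the iteration count is far lower than TrueCrypt's; those are the assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-in for the volume cipher: a keystream built from
# HMAC-SHA512(key, nonce || counter) XORed with the data. TrueCrypt itself uses
# AES/Serpent/Twofish in XTS mode; this placeholder only lets the key
# hierarchy be exercised with the standard library.
def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha512).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


def derive_header_key(password: str, salt: bytes, iterations: int = 2000) -> bytes:
    # TrueCrypt derives the header key from the passphrase with PBKDF2 using the
    # chosen hash (SHA-512 here, as in the DemoVolume walk-through) and a random
    # salt stored in the volume header. The iteration count is kept low for speed.
    return hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations, dklen=32)


def create_volume(password: str, plaintext: bytes) -> dict:
    """Build a container: header (salt, wrapped master key, check value) plus body."""
    salt = os.urandom(64)
    master_key = os.urandom(32)          # the key that actually encrypts the data
    header_key = derive_header_key(password, salt)
    wrapped_master = keystream_xor(header_key, b"header", master_key)
    # Check value so a wrong passphrase is detected instead of yielding garbage
    # (TrueCrypt checks a magic string and CRC in the decrypted header instead).
    check = hmac.new(header_key, wrapped_master, hashlib.sha256).digest()
    body = keystream_xor(master_key, b"body", plaintext)
    return {"salt": salt, "wrapped_master": wrapped_master, "check": check, "body": body}


def _unwrap_master(password: str, volume: dict) -> Optional[bytes]:
    header_key = derive_header_key(password, volume["salt"])
    expected = hmac.new(header_key, volume["wrapped_master"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, volume["check"]):
        return None                      # wrong passphrase: header does not open
    return keystream_xor(header_key, b"header", volume["wrapped_master"])


def open_volume(password: str, volume: dict) -> Optional[bytes]:
    """Return the plaintext, or None when the passphrase does not unlock the header."""
    master_key = _unwrap_master(password, volume)
    if master_key is None:
        return None
    return keystream_xor(master_key, b"body", volume["body"])


def change_password(old: str, new: str, volume: dict) -> Optional[dict]:
    """Re-wrap the master key under a new passphrase; the encrypted body is untouched."""
    master_key = _unwrap_master(old, volume)
    if master_key is None:
        return None
    salt = os.urandom(64)
    new_key = derive_header_key(new, salt)
    wrapped = keystream_xor(new_key, b"header", master_key)
    check = hmac.new(new_key, wrapped, hashlib.sha256).digest()
    return {"salt": salt, "wrapped_master": wrapped, "check": check, "body": volume["body"]}


if __name__ == "__main__":
    vol = create_volume("KhulJaSimSimkhuljasimsim", b"family photos and spreadsheets")
    print(open_volume("wrong passphrase", vol))          # None
    vol2 = change_password("KhulJaSimSimkhuljasimsim", "a new, longer passphrase", vol)
    print(open_volume("a new, longer passphrase", vol2)) # the plaintext again
```

Two things the toy makes visible: a wrong passphrase fails at the header rather than producing garbage, and change_password() rewrites only the header while the encrypted body stays byte-for-byte identical. TrueCrypt behaves the same way, and the TrueCrypt documentation spells out the consequence: changing the passphrase does not change the master key, so anyone who already copied the volume and knows the old passphrase can still open that copy. To truly revoke access, create a new volume and move the data into it.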

Installation

Download the latest stable version available, which is 7.1, for your OS. The basic installation is simple and straight forward; I will walk you through the steps for SuSE 11.1.
Untar the downloaded binaries and launch the setup. Proceed through various screens and complete the installation by accepting the license. The application browser will show the installed package.

Usage

Launch TrueCrypt, select a slot and click the Create Volume button to launch the volume creation wizard. After selecting Standard TrueCrypt Volume, enter the desired filename (DemoVolume), as shown in Figure 1.
Figure 1: TrueCrypt main screen and volume creation wizard
Next, select the location where you wish to create the volume. The following screen asks for the encryption and hash algorithms (a cascade of ciphers can also be selected). To estimate the write speed of the encrypted file, run the built-in benchmark; the test machine managed 49 MB/s encryption and 51 MB/s decryption.
Select the desired encryption and hash algorithms, then the volume size. For DemoVolume I chose AES with the SHA-512 hash and a size of 10 MB. Continue and provide a strong passphrase (I used KhulJaSimSimkhuljasimsim; choose something long that an attacker cannot guess, because the passphrase is all that stands between the volume and a brute-force attack), choose the filesystem type, and format the volume.
Mount this volume (see Figure 2) by selecting DemoVolume and entering the corresponding passphrase. The mounted volume is accessible like any other disk, and files can be copied to it with a file browser. Once the data is copied, simply dismount the volume. Your data is now saved in a TrueCrypt volume file, which you can email, copy to a pen drive, or synchronise with a cloud storage service. The file itself looks like random bytes and reveals nothing about its contents, but its size and modification time are visible to whoever holds a copy.
Figure 2: Mount volume
You can use the same tool to encrypt complete partitions, a pen drive or any other storage device; the wizard is the same as for a file container, except that a device is chosen instead of a file name. Formatting an encrypted partition or device wipes whatever it currently holds, so back up first. Do use this utility, and let your friends know about it. Also, do consider making a donation to this fantastic project.

Block Outgoing Traffic


IPCop has an inherent gap in a very important area: it does not filter outgoing traffic by TCP/UDP port, but allows all outbound traffic (from the Green to the Red zone) on all ports. "URL Filter" addresses the filtering of websites only. An add-on that fills this gap is "Block Outgoing Traffic", also called BlockOutTraffic or simply BOT.
With it, IPCop can filter outbound traffic by Green IP/MAC address, Internet IP address and service (port), giving granular control over outgoing traffic so that it conforms to a corporate Internet access policy. To achieve this, BOT creates iptables rules from the settings entered in the Web-based GUI.
It lets you divide the Green network into groups by IP (or MAC) address. Each group is then allowed only the services it needs, such as HTTP, FTP, telnet, SSH or DNS, either singly or as service groups, and control can be tightened further by allowing those services only to the required Internet addresses.
The parameters of a typical request from the internal network to the Internet are:
  • Source: the IP address and the MAC address of the requesting device
  • Destination: the IP address of the server (at layer 2 the destination MAC address is that of the default gateway, i.e. IPCop's Green interface)
  • Source port: an ephemeral TCP or UDP port chosen by the requesting device
  • Destination port: the TCP or UDP port that identifies the service
BOT allows the administrator to configure various groups by different parameters, as elaborated in Table 1.
Group type                      Group parameter
Internal computers (devices)    IP or MAC address
Destination                     IP address
Services                        Services (ports) required at the destination
Note that the source port is not useful for filtering outgoing traffic, since it is chosen (effectively at random) by the requesting device rather than being tied to a service.
To establish the access policy, BOT creates iptables rules to allow various groups of internal devices to access various groups of Internet destinations using groups of services.
Now let’s configure a typical Internet access control scenario, to help understand BOT installation and configuration, which appears tricky only until you understand the underlying concept.
As explained in earlier articles, copy the BOT tarball to the IPCop box using SCP. (Remember that IPCop's SSH daemon listens on the non-standard port 222/TCP, so use scp -P 222.) Log on to the IPCop console locally or via SSH, untar the archive and install BOT:
# on the IPCop box, after the tarball has been copied to the current directory
mkdir BOT
mv ./BlockOutTraffic-3.0.0-GUI-b3.tar.gz ./BOT
cd BOT
tar -xzf BlockOutTraffic-3.0.0-GUI-b3.tar.gz
# the installer script ships inside the archive
./setup
This completes the basic setup. Log out from the console/SSH. Further configuration is via the Web-based GUI, so visit it and select Firewall –> Block Outgoing Traffic. You should see something like what is shown in Figure 1.
Figure 1: BOT screen
Click Edit to enter the settings menu. Here, you must enter the administrator PC's MAC address and the IPCop proxy port. This is a security feature that restricts access to the IPCop Web GUI to that one PC. Before saving, re-verify both entries: if you enter the wrong values, you will be locked out of the IPCop Web GUI. Bear in mind that a MAC address is trivially spoofed by any other host on Green, so treat this as a convenience control, not as authentication.
Figure 2: MAC address and proxy port configuration
Next, click Enable BOT. You should see something like what’s shown in Figure 3.
Figure 3: BOT enabled
Note: If you lock yourself out with incorrect MAC/proxy port entries, you will need physical console access to the IPCop box, where you flush BOT's two chains:
iptables -F BOT_INPUT
iptables -F CUSTOMFORWARD
After this, access the IPCop Web GUI and correct the MAC address/proxy port. Disable and immediately re-enable BOT so the rules are regenerated.

Test configuration

Now, let’s do a test configuration to allow Internet access as detailed in Table 2. This configuration example assumes that all client browsers are configured to use IPCop proxy port 800.
Group name    IP address          Services allowed    Service group       Service ports
MailAccess    192.168.51.0/27     POP3, SMTP          MailingServices     110 and 25 (TCP)
WebAccess     192.168.51.32/27    Internet access     InternetServices    IPCop proxy (800/TCP)
The first one allows email (POP3 and SMTP) access from the Green network to the outside (the Internet); the other allows access from the Green network to the IPCop proxy (for Web browsing). Go to the administrator GUI's Firewall –> Advanced BOT Config menu option to create groups and access rules (Figure 4).
Figure 4: Advanced BOT configuration
And then:
  1. Create the MailAccess list of internal PCs. Under Address Settings, configure MailAccess as Name, 192.168.51.0 as the IP address and 255.255.255.224 (CIDR /27) as the subnet mask.
  2. Create the WebAccess list of internal PCs. Under Address Settings, enter WebAccess, 192.168.51.32 and 255.255.255.224 respectively. Figure 5 shows the groups created.
    Figure 5: Creating groups
  3. Create the IPCop Proxy custom service. Under Services Settings, enter Service Name as IPCopProxy, Port as 800 (the port defined in Services –> Proxy or Advproxy) and select the TCP Protocol.
  4. Create the MailingServices group. Under Service Grouping, supply MailingServices as the Service Group Name. Select and add the POP3 and SMTP services from Default Services, as shown in Figure 6.
    Figure 6: Creating the MailingServices group
  5. Now, the final step is to create Access Control rules. Proceed to Firewall –> Block Outgoing Traffic and click on New Rule. Create the rule by selecting the following parameters:
    • Source: Default network: Custom Address — MailAccess
    • Destination: Other Network/Outside: Default networks: Any
    • User Services: Service Groups: MailingServices
  6. Click Rule enabled, add a meaningful remark for this rule, like “MailAccess PCs can use MailingServices” and click Next. Here, you can review the rule. Click Save to create the rule.
Internet access is to be allowed only through the IPCop Proxy. Create an access rule for the WebAccess PCs, to permit access to the IPCop Proxy service:
  • Source — Custom addresses — WebAccess
  • Destination — IPCop Access — User Services — Custom services: IPCopProxy
  • Rule Enabled
  • Remark — WebAccess PCs can access IPCop Proxy
Save the rule.
All BOT rules are available for viewing, editing and duplicating from the Firewall –> Block Outgoing Traffic link. This completes BOT configuration. The access controls in Table 2 are implemented. WebAccess PCs can browse the Internet, but cannot access emails via email clients, while MailAccess PCs can use mail clients but cannot browse the Internet.

Configuration verification

Try browsing the Web from a PC with an address outside the WebAccess range, say 192.168.51.25. Browsing does not work, and the firewall log confirms this by showing GREEN DROP under the Chain column. The log shows Dst Port as 800, labelled with the name /etc/services assigns to that port, MDBS_DAEMON, rather than "proxy".
Now, try browsing the Internet from a PC with an address in the WebAccess range, say 192.168.51.35 — and as expected, it works. You can also check Logs –> Proxy Logs in the IPCop Web GUI to confirm this. You can further check POP and SMTP access from email clients on computers in the two groups, and see if it works as desired.
Figure 7: Firewall Log denying Internet Access
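To make the Table 2 policy and the checks in the verification section concrete, here is an added Python model (not BOT's own code; BOT keeps its configuration in its own files, which this page does not show). It holds the two address groups, the two service groups and the two access rules as data, decides what BOT would do with a given packet, and emits the equivalent iptables commands. The IPCop Green address 192.168.51.1, the Green interface name eth0, and the exact rule layout inside the BOT_INPUT and CUSTOMFORWARD chains (the two chains the lockout recovery flushes) are assumptions.

```python
import ipaddress
from typing import Dict, List, Tuple

# Policy from Table 2, expressed as data (constructed for this example).
ADDRESS_GROUPS: Dict[str, List[ipaddress.IPv4Network]] = {
    "MailAccess": [ipaddress.ip_network("192.168.51.0/27")],
    "WebAccess": [ipaddress.ip_network("192.168.51.32/27")],
}
SERVICE_GROUPS: Dict[str, List[Tuple[str, int]]] = {
    "MailingServices": [("tcp", 110), ("tcp", 25)],   # POP3, SMTP
    "InternetServices": [("tcp", 800)],               # IPCopProxy custom service
}
# (source group, destination, service group). destination is "ipcop" for
# "Destination: IPCop Access" or "any" for "Other Network/Outside: Any".
RULES: List[Tuple[str, str, str]] = [
    ("MailAccess", "any", "MailingServices"),
    ("WebAccess", "ipcop", "InternetServices"),
]
IPCOP_GREEN = ipaddress.ip_address("192.168.51.1")   # assumed Green address of the box
GREEN_IFACE = "eth0"                                   # assumed Green interface name


def decide(src: str, dst: str, proto: str, dport: int) -> str:
    """First matching Accept rule wins; anything unmatched is dropped (BOT's default)."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    to_firewall = dst_ip == IPCOP_GREEN
    for group, destination, svc_group in RULES:
        # a rule aimed at the box only applies to packets for the box, and vice versa
        if (destination == "ipcop") != to_firewall:
            continue
        if not any(src_ip in net for net in ADDRESS_GROUPS[group]):
            continue
        if (proto, dport) in SERVICE_GROUPS[svc_group]:
            return "ACCEPT"
    return "DROP"


def iptables_rules() -> List[str]:
    """Equivalent iptables commands: Accept rules per group, then log-and-drop."""
    lines = []
    for group, destination, svc_group in RULES:
        chain = "BOT_INPUT" if destination == "ipcop" else "CUSTOMFORWARD"
        for net in ADDRESS_GROUPS[group]:
            for proto, port in SERVICE_GROUPS[svc_group]:
                lines.append(
                    f"iptables -A {chain} -i {GREEN_IFACE} -s {net} "
                    f"-p {proto} --dport {port} -j ACCEPT"
                )
    # Default deny. The LOG rule is what makes unmatched traffic visible under
    # Logs -> Firewall Log, which the troubleshooting section relies on.
    for chain in ("BOT_INPUT", "CUSTOMFORWARD"):
        lines.append(f"iptables -A {chain} -i {GREEN_IFACE} -j LOG --log-prefix 'BOT DROP '")
        lines.append(f"iptables -A {chain} -i {GREEN_IFACE} -j DROP")
    return lines


if __name__ == "__main__":
    for pkt in [("192.168.51.25", "192.168.51.1", "tcp", 800),
                ("192.168.51.35", "192.168.51.1", "tcp", 800),
                ("192.168.51.25", "203.0.113.10", "tcp", 110),
                ("192.168.51.35", "203.0.113.10", "tcp", 80)]:
        print(pkt, "->", decide(*pkt))
    print("\n".join(iptables_rules()))
```

Running the verification section's test cases through decide() gives the expected results: 192.168.51.25 to the proxy port is dropped, 192.168.51.35 to the proxy port is accepted, and a direct connection to port 80 from either group is dropped, which is exactly what forces all browsing through the proxy. The emitted rules are a reading aid for what appears in Logs –> Firewall Log, not a replacement for the add-on.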

Troubleshooting

A few services may stop functioning after enabling BOT. This is because BOT blocks all traffic that is not explicitly allowed. Go to your BOT settings and enable the logging of packets that have not matched a BOT rule. Re-enable BOT and try your service again. Then look into the IPCop firewall logs under Logs –> Firewall Log for the blocked traffic — to get hints about which rule is missing. Now you should be able to create the missing BOT Accept rule.