From 8b41a5fa458a921eb82da5744ef26b0219834876 Mon Sep 17 00:00:00 2001 From: Alexey Avramov Date: Wed, 16 Oct 2024 20:16:00 +0900 Subject: [PATCH] Update MANPAGE --- docs/MANPAGE.md | 113 +++++++++++++++++-------------- docs/tird.1 | 175 ++++++++++++++++++++++++++++-------------------- 2 files changed, 168 insertions(+), 120 deletions(-) diff --git a/docs/MANPAGE.md b/docs/MANPAGE.md index 011a478..c200436 100644 --- a/docs/MANPAGE.md +++ b/docs/MANPAGE.md @@ -12,13 +12,13 @@ tird - encrypt files and hide encrypted data **tird** *(an acronym for "this is random data")* is a tool for encrypting files and hiding encrypted data. -Using **tird** you can: +With **tird**, you can: -1. Create files with random data. Use them as containers or keyfiles. +1. Create files filled with random data to use as containers or keyfiles. 2. Overwrite the contents of devices and regular files with random data. This can be used to prepare containers and to destroy residual data. -3. Encrypt file contents and comments with modern cryptographic primitives. The encrypted file format (cryptoblob) is padded uniform random blob (PURB): it looks like random data and has randomized size. This reduces metadata leakage through file format and length, and also allows cryptoblobs to be hidden among random data. -4. Create steganographic (hidden, undetectable) user-driven file systems inside container files and devices. Unlike VeraCrypt and Shufflecake containers, **tird** containers do not contain headers at all: the user specifies the location of the data in the container and is responsible for ensuring that this location is separated from the container. -5. Resist coercive attacks (keywords: key disclosure law, rubber-hose cryptanalysis, xkcd 538). **tird** provides some forms of plausible deniability out of the box even if you encrypt files without hiding them in containers. +3. Encrypt file contents and comments with modern cryptographic primitives. The encrypted file format (cryptoblob) is a padded uniform random blob (PURB): it looks like random data and has a randomized size. This reduces metadata leakage through file format and length, and also allows cryptoblobs to be hidden among random data. You can use keyfiles and passphrases at your choice to enhance security. +4. Create steganographic (hidden, undetectable) user-driven file systems inside container files and devices. Unlike VeraCrypt and Shufflecake containers, **tird** containers do not contain headers at all; the user specifies the location of the data in the container and is responsible for ensuring that this location is separated from the container. +5. Resist coercive attacks (keywords: key disclosure law, rubber-hose cryptanalysis, xkcd 538). **tird** provides some forms of plausible deniability out of the box, even if you encrypt files without hiding them in containers. # COMMAND-LINE OPTIONS @@ -38,49 +38,64 @@ print debug messages [05] Set a fake MAC tag? [06] Input file path [07] Output file path -[08] Start position -[09] End position -[10] Comments -[11] Keyfile path -[12] Passphrase -[13] Proceed? -[14] Output file size +[08] Output file size +[09] Start position +[10] End position +[11] Comments +[12] Keyfile path +[13] Passphrase +[14] Proceed? ``` For a detailed description of these options, see . # GOALS -- Providing protection for individual files, including: - - symmetric encryption and authentication; - - minimizing metadata leakage; - - preventing access to data in case of user coercion; - - plausible deniability of payload existence; - - hiding encrypted data. -- Providing a stable encryption format with no cryptographic agility for long-term data storage. -- Simplicity and no feature creep: refusal to implement features that are not directly related to primary security goals. +- **File Protection:** Ensuring protection for individual files, including: + - Symmetric encryption and authentication. + - Minimizing metadata leakage. + - Preventing access to data in cases of user coercion. + - Plausible deniability of payload existence. + - Hiding encrypted data. +- **Stable Format:** Ensuring a stable encryption format with no cryptographic agility for long-term data storage. +- **Simplicity:** Ensuring simplicity and avoiding feature creep: refusal to implement features that are not directly related to primary security goals. # USAGE -You don't need to remember command line options to use **tird**. - -Just start **tird**, select a menu option, and then answer the questions that **tird** will ask: +You don’t need to memorize command-line options to use **tird**. Just start **tird**, select a menu option, and then answer the questions that **tird** will ask: ``` $ tird + + MENU + ——————————————————————————————————————————— + 0. Exit 1. Info & Warnings + 2. Encrypt 3. Decrypt + 4. Embed 5. Extract + 6. Encrypt & Embed 7. Extract & Decrypt + 8. Create w/ random 9. Overwrite w/ random + ——————————————————————————————————————————— +[01] Select an option [0-9]: ``` -# HIDDEN USER-DRIVEN FILE SYSTEM AND CONTAINER FILE FORMAT +# HIDDEN USER-DRIVEN FILE SYSTEM AND CONTAINER FORMAT -You can encrypt files and write cryptoblobs over containers starting with arbitary positions. After finishing writing the cryptoblob, you will be asked to remember the location of the cryptoblob in the container (positions of the beginning and end of the cryptoblob), which can be used in the future to extract the cryptoblob. In this way, you can create a hidden user-driven file system inside a container. +You can encrypt files and embed cryptoblobs into containers starting at arbitrary positions. After writing the cryptoblob, you will need to remember its location in the container (the starting and ending positions), which will be used later to extract the cryptoblobs. In this way, you can create a **hidden, headerless, user-driven** file system inside a container: -It is hidden because it is impossible to distinguish between random container data and random cryptoblob data, and it is impossible to determine the location of written cryptoblobs without knowing the positions and keys. +- It is **hidden** because it is impossible to distinguish between random container data and cryptoblob data, as well as to determine the location of written cryptoblobs without knowing the positions and keys. +- It is **headerless** because containers do not contain any headers; all data about cryptoblob locations must be stored separately by the user. +- The starting position of the cryptoblob in the container is **user-defined**, and the **user must** store both the starting and ending positions separately from the container. This is why this "file system" is called a **user-driven file system**. -Containers do not contain any headers, all data about cryptoblob locations must be stored separately by the user. +Any file, disk, or partition larger than ~1 KiB can be a valid container. Cryptoblobs can be embedded into any area. -The location of the start of the cryptoblob in the container is user-defined, and the location of the start and end positions of the cryptoblob must be stored by the user separately from the container. This is why this "file system" is called a user-driven file system. +Examples of valid containers include: -Container structure (as an example): +1. Specially generated files with random data. +2. Disk areas containing random data. For example, you can overwrite a disk with random data, format it in FAT32 or exFAT, and use a large portion of the disk, leaving a few dozen MB from the beginning. The disk will appear empty unless you add some files to it. +3. **tird** cryptoblobs, as they contain unauthenticated padding of random data by default, which can be used to embed smaller cryptoblobs. +4. VeraCrypt containers, even those that already contain hidden volumes. + +**Example of Container Structure:** ``` +—————————+—————————————+— Position 0 @@ -102,7 +117,7 @@ Container structure (as an example): +—————————+—————————————+ ``` -# DEBUG +# DEBUG MODE Start **tird** with the option **--debug** or **-d** to look under the hood while the program is running: @@ -112,11 +127,11 @@ $ tird -d Enabling debug messages additionally shows: -- opening and closing file descriptors; -- real paths to opened files; -- moving file pointers using the seek() method; -- salts, passphrases, digests, keys, nonces, tags; -- some other info. +- Opening and closing file descriptors. +- Real paths to opened files. +- Moving file pointers using the seek() method. +- Salts, passphrases, digests, keys, nonces, tags. +- Some other information. # TRADEOFFS AND LIMITATIONS @@ -126,26 +141,27 @@ Enabling debug messages additionally shows: - **tird** does not support Reed–Solomon error correction. - **tird** does not support splitting the output into chunks. - **tird** does not support the use of standard streams for payload transmission. -- **tird** does not support low-level device reading and writing when used on MS Windows (devices cannot be used as keyfiles, cannot be overwritten, cannot be encrypted or hidden). +- **tird** does not support low-level device reading and writing when used on MS Windows (devices cannot be used as keyfiles, cannot be overwritten, and cannot be encrypted or hidden). - **tird** does not provide a graphical user interface. - **tird** does not provide a password generator. -- **tird** can only encrypt one file per iteration. Encryption of directories and multiple files is not supported. -- **tird** does not fake file timestamps (atime, mtime, ctime). -- **tird** encryption speed is not very fast (up to 180 MiB/s in my tests). +- **tird** can handle (encrypt/embed) only one file in one pass. Encryption of directories and multiple files is not supported. +- **tird** does not fake file access, modification, and creation timestamps (atime, mtime, ctime). +- **tird**'s encryption speed is not very fast (up to 180 MiB/s in my tests). # WARNINGS -- The author is not a cryptographer. +- The author does not have a background in cryptography. - **tird** has not been independently audited. -- **tird** probably won't help much when used in a compromised environment. -- **tird** probably won't help much when used with short and predictable keys. -- Sensitive data may leak into the swap space. +- **tird** is unlikely to be effective when used in a compromised environment. +- **tird** is unlikely to be effective when used with short and predictable keys. +- Sensitive data may leak into swap space. - **tird** does not erase sensitive data from memory after use. -- **tird** always releases unverified plaintext (violates The Cryptographic Doom Principle). +- **tird** always releases unverified plaintext, violating The Cryptographic Doom Principle. - Padding is not used to create a MAC tag (only ciphertext and salt will be authenticated). - **tird** does not sort digests of keyfiles and passphrases in constant-time. -- Overwriting file contents does not mean securely destroying the data on the media. -- Development is not complete, there may be backward compatibility issues in the future. +- Overwriting file contents does not guarantee secure destruction of the data on the media. +- You cannot prove to an adversary that your random-looking data does not contain encrypted data. +- Development is not complete; there may be backward compatibility issues in the future. # REQUIREMENTS @@ -153,10 +169,9 @@ Enabling debug messages additionally shows: - PyCryptodomex >= 3.6.2 - PyNaCl >= 1.2.0 - # TUTORAL -Step-by-step guides and examples you can see here . +Step-by-step guides and examples you can find here . # SPECIFICATION @@ -168,7 +183,7 @@ Please report bugs at . # FEEDBACK -Feel free to post any questions, reviews, or criticisms at . +Please feel free to ask questions, leave feedback, or provide critiques at . # AUTHOR diff --git a/docs/tird.1 b/docs/tird.1 index 98ff5c2..91eb8e4 100644 --- a/docs/tird.1 +++ b/docs/tird.1 @@ -13,31 +13,31 @@ tird - encrypt files and hide encrypted data \f[B]tird\f[R] \f[I](an acronym for \[lq]this is random data\[rq])\f[R] is a tool for encrypting files and hiding encrypted data. .PP -Using \f[B]tird\f[R] you can: +With \f[B]tird\f[R], you can: .IP "1." 3 -Create files with random data. -Use them as containers or keyfiles. +Create files filled with random data to use as containers or keyfiles. .IP "2." 3 Overwrite the contents of devices and regular files with random data. This can be used to prepare containers and to destroy residual data. .IP "3." 3 Encrypt file contents and comments with modern cryptographic primitives. -The encrypted file format (cryptoblob) is padded uniform random blob -(PURB): it looks like random data and has randomized size. +The encrypted file format (cryptoblob) is a padded uniform random blob +(PURB): it looks like random data and has a randomized size. This reduces metadata leakage through file format and length, and also allows cryptoblobs to be hidden among random data. +You can use keyfiles and passphrases at your choice to enhance security. .IP "4." 3 Create steganographic (hidden, undetectable) user-driven file systems inside container files and devices. Unlike VeraCrypt and Shufflecake containers, \f[B]tird\f[R] containers -do not contain headers at all: the user specifies the location of the +do not contain headers at all; the user specifies the location of the data in the container and is responsible for ensuring that this location is separated from the container. .IP "5." 3 Resist coercive attacks (keywords: key disclosure law, rubber-hose cryptanalysis, xkcd 538). \f[B]tird\f[R] provides some forms of plausible deniability out of the -box even if you encrypt files without hiding them in containers. +box, even if you encrypt files without hiding them in containers. .SH COMMAND-LINE OPTIONS .SS -d, \[en]debug .PP @@ -55,13 +55,13 @@ print debug messages [05] Set a fake MAC tag? [06] Input file path [07] Output file path -[08] Start position -[09] End position -[10] Comments -[11] Keyfile path -[12] Passphrase -[13] Proceed? -[14] Output file size +[08] Output file size +[09] Start position +[10] End position +[11] Comments +[12] Keyfile path +[13] Passphrase +[14] Proceed? \f[R] .fi .PP @@ -69,64 +69,93 @@ For a detailed description of these options, see . .SH GOALS .IP \[bu] 2 -Providing protection for individual files, including: +\f[B]File Protection:\f[R] Ensuring protection for individual files, +including: .RS 2 .IP \[bu] 2 -symmetric encryption and authentication; +Symmetric encryption and authentication. .IP \[bu] 2 -minimizing metadata leakage; +Minimizing metadata leakage. .IP \[bu] 2 -preventing access to data in case of user coercion; +Preventing access to data in cases of user coercion. .IP \[bu] 2 -plausible deniability of payload existence; +Plausible deniability of payload existence. .IP \[bu] 2 -hiding encrypted data. +Hiding encrypted data. .RE .IP \[bu] 2 -Providing a stable encryption format with no cryptographic agility for -long-term data storage. +\f[B]Stable Format:\f[R] Ensuring a stable encryption format with no +cryptographic agility for long-term data storage. .IP \[bu] 2 -Simplicity and no feature creep: refusal to implement features that are -not directly related to primary security goals. +\f[B]Simplicity:\f[R] Ensuring simplicity and avoiding feature creep: +refusal to implement features that are not directly related to primary +security goals. .SH USAGE .PP -You don\[cq]t need to remember command line options to use +You don\[cq]t need to memorize command-line options to use \f[B]tird\f[R]. -.PP Just start \f[B]tird\f[R], select a menu option, and then answer the questions that \f[B]tird\f[R] will ask: .IP .nf \f[C] $ tird + + MENU + \[em]\[em]\[em]\[em]\[em]\[em]\[em]\[em]\[em]\[em]\[em]\[em]\[em]\[em]\[em]\[em]\[em]\[em]\[em]\[em]\[em]\[em]\[em]\[em]\[em]\[em]\[em]\[em]\[em]\[em]\[em]\[em]\[em]\[em]\[em]\[em]\[em]\[em]\[em]\[em]\[em]\[em]\[em] + 0. Exit 1. Info & Warnings + 2. Encrypt 3. Decrypt + 4. Embed 5. Extract + 6. Encrypt & Embed 7. Extract & Decrypt + 8. Create w/ random 9. Overwrite w/ random + \[em]\[em]\[em]\[em]\[em]\[em]\[em]\[em]\[em]\[em]\[em]\[em]\[em]\[em]\[em]\[em]\[em]\[em]\[em]\[em]\[em]\[em]\[em]\[em]\[em]\[em]\[em]\[em]\[em]\[em]\[em]\[em]\[em]\[em]\[em]\[em]\[em]\[em]\[em]\[em]\[em]\[em]\[em] +[01] Select an option [0-9]: \f[R] .fi -.SH HIDDEN USER-DRIVEN FILE SYSTEM AND CONTAINER FILE FORMAT -.PP -You can encrypt files and write cryptoblobs over containers starting -with arbitary positions. -After finishing writing the cryptoblob, you will be asked to remember -the location of the cryptoblob in the container (positions of the -beginning and end of the cryptoblob), which can be used in the future to -extract the cryptoblob. -In this way, you can create a hidden user-driven file system inside a -container. +.SH HIDDEN USER-DRIVEN FILE SYSTEM AND CONTAINER FORMAT .PP -It is hidden because it is impossible to distinguish between random -container data and random cryptoblob data, and it is impossible to -determine the location of written cryptoblobs without knowing the -positions and keys. +You can encrypt files and embed cryptoblobs into containers starting at +arbitrary positions. +After writing the cryptoblob, you will need to remember its location in +the container (the starting and ending positions), which will be used +later to extract the cryptoblobs. +In this way, you can create a \f[B]hidden, headerless, user-driven\f[R] +file system inside a container: +.IP \[bu] 2 +It is \f[B]hidden\f[R] because it is impossible to distinguish between +random container data and cryptoblob data, as well as to determine the +location of written cryptoblobs without knowing the positions and keys. +.IP \[bu] 2 +It is \f[B]headerless\f[R] because containers do not contain any +headers; all data about cryptoblob locations must be stored separately +by the user. +.IP \[bu] 2 +The starting position of the cryptoblob in the container is +\f[B]user-defined\f[R], and the \f[B]user must\f[R] store both the +starting and ending positions separately from the container. +This is why this \[lq]file system\[rq] is called a \f[B]user-driven file +system\f[R]. .PP -Containers do not contain any headers, all data about cryptoblob -locations must be stored separately by the user. +Any file, disk, or partition larger than \[ti]1 KiB can be a valid +container. +Cryptoblobs can be embedded into any area. .PP -The location of the start of the cryptoblob in the container is -user-defined, and the location of the start and end positions of the -cryptoblob must be stored by the user separately from the container. -This is why this \[lq]file system\[rq] is called a user-driven file -system. +Examples of valid containers include: +.IP "1." 3 +Specially generated files with random data. +.IP "2." 3 +Disk areas containing random data. +For example, you can overwrite a disk with random data, format it in +FAT32 or exFAT, and use a large portion of the disk, leaving a few dozen +MB from the beginning. +The disk will appear empty unless you add some files to it. +.IP "3." 3 +\f[B]tird\f[R] cryptoblobs, as they contain unauthenticated padding of +random data by default, which can be used to embed smaller cryptoblobs. +.IP "4." 3 +VeraCrypt containers, even those that already contain hidden volumes. .PP -Container structure (as an example): +\f[B]Example of Container Structure:\f[R] .IP .nf \f[C] @@ -149,7 +178,7 @@ Container structure (as an example): +\[em]\[em]\[em]\[em]\[em]\[em]\[em]\[em]\[em]+\[em]\[em]\[em]\[em]\[em]\[em]\[em]\[em]\[em]\[em]\[em]\[em]\[em]+ \f[R] .fi -.SH DEBUG +.SH DEBUG MODE .PP Start \f[B]tird\f[R] with the option \f[B]\[en]debug\f[R] or \f[B]-d\f[R] to look under the hood while the program is running: @@ -162,15 +191,15 @@ $ tird -d .PP Enabling debug messages additionally shows: .IP \[bu] 2 -opening and closing file descriptors; +Opening and closing file descriptors. .IP \[bu] 2 -real paths to opened files; +Real paths to opened files. .IP \[bu] 2 -moving file pointers using the seek() method; +Moving file pointers using the seek() method. .IP \[bu] 2 -salts, passphrases, digests, keys, nonces, tags; +Salts, passphrases, digests, keys, nonces, tags. .IP \[bu] 2 -some other info. +Some other information. .SH TRADEOFFS AND LIMITATIONS .IP \[bu] 2 \f[B]tird\f[R] does not support public-key cryptography. @@ -188,37 +217,38 @@ transmission. .IP \[bu] 2 \f[B]tird\f[R] does not support low-level device reading and writing when used on MS Windows (devices cannot be used as keyfiles, cannot be -overwritten, cannot be encrypted or hidden). +overwritten, and cannot be encrypted or hidden). .IP \[bu] 2 \f[B]tird\f[R] does not provide a graphical user interface. .IP \[bu] 2 \f[B]tird\f[R] does not provide a password generator. .IP \[bu] 2 -\f[B]tird\f[R] can only encrypt one file per iteration. +\f[B]tird\f[R] can handle (encrypt/embed) only one file in one pass. Encryption of directories and multiple files is not supported. .IP \[bu] 2 -\f[B]tird\f[R] does not fake file timestamps (atime, mtime, ctime). +\f[B]tird\f[R] does not fake file access, modification, and creation +timestamps (atime, mtime, ctime). .IP \[bu] 2 -\f[B]tird\f[R] encryption speed is not very fast (up to 180 MiB/s in my -tests). +\f[B]tird\f[R]\[cq]s encryption speed is not very fast (up to 180 MiB/s +in my tests). .SH WARNINGS .IP \[bu] 2 -The author is not a cryptographer. +The author does not have a background in cryptography. .IP \[bu] 2 \f[B]tird\f[R] has not been independently audited. .IP \[bu] 2 -\f[B]tird\f[R] probably won\[cq]t help much when used in a compromised +\f[B]tird\f[R] is unlikely to be effective when used in a compromised environment. .IP \[bu] 2 -\f[B]tird\f[R] probably won\[cq]t help much when used with short and +\f[B]tird\f[R] is unlikely to be effective when used with short and predictable keys. .IP \[bu] 2 -Sensitive data may leak into the swap space. +Sensitive data may leak into swap space. .IP \[bu] 2 \f[B]tird\f[R] does not erase sensitive data from memory after use. .IP \[bu] 2 -\f[B]tird\f[R] always releases unverified plaintext (violates The -Cryptographic Doom Principle). +\f[B]tird\f[R] always releases unverified plaintext, violating The +Cryptographic Doom Principle. .IP \[bu] 2 Padding is not used to create a MAC tag (only ciphertext and salt will be authenticated). @@ -226,10 +256,13 @@ be authenticated). \f[B]tird\f[R] does not sort digests of keyfiles and passphrases in constant-time. .IP \[bu] 2 -Overwriting file contents does not mean securely destroying the data on -the media. +Overwriting file contents does not guarantee secure destruction of the +data on the media. +.IP \[bu] 2 +You cannot prove to an adversary that your random-looking data does not +contain encrypted data. .IP \[bu] 2 -Development is not complete, there may be backward compatibility issues +Development is not complete; there may be backward compatibility issues in the future. .SH REQUIREMENTS .IP \[bu] 2 @@ -240,7 +273,7 @@ PyCryptodomex >= 3.6.2 PyNaCl >= 1.2.0 .SH TUTORAL .PP -Step-by-step guides and examples you can see here +Step-by-step guides and examples you can find here . .SH SPECIFICATION .PP @@ -250,8 +283,8 @@ See . Please report bugs at . .SH FEEDBACK .PP -Feel free to post any questions, reviews, or criticisms at -. +Please feel free to ask questions, leave feedback, or provide critiques +at . .SH AUTHOR .PP Alexey Avramov