1. General information.

When an archive is being created, the following actions are performed on the source files:
When files are being extracted from the encrypted archive, the following actions are performed on the archive:
In each case all three actions are performed in one pass. The processed data is written directly to the destination archive, so the archiving/extraction process is carried out without creating any temporary files. Along with other mechanisms implemented in DigiSecret, this ensures high efficiency of all file operations.

The implemented data compression algorithm provides a better compression ratio than the ZIP algorithm for most files. The compression speed is comparable with the ZIP algorithm, and it is considerably higher than the speed of other popular archiving utilities on the market.

DigiSecret uses the following algorithms for data encryption:
The implementation of the algorithms was checked against the publicly available test vectors:
The following hash calculation algorithms are used in the application:
The implementation of the algorithms was checked against the publicly available test vectors:
2. Creating an archive.

DigiSecret can create two types of archives: DGS (a standard encrypted archive) and EXE (a self-extracting encrypted archive). The data storage format is identical for both types of archive. Moreover, the EXE archive extraction code is based on the same engine as the one used in DigiSecret itself. This helps us maintain the same security and efficiency standards when extracting the data from both DGS and EXE files. At the same time, the size of the self-extracting archive increases only insignificantly (by about 70 Kb) compared to DGS.

Data encryption is initialized with a user-defined passphrase and a random Initialization Vector (IV). The passphrase entered by the user is not used as the encryption key directly. Rather, it is used as the input value for a function that performs 1,000 SHA-1 hash iterations to produce a key that matches the maximum key space for the chosen cipher, which makes dictionary attacks more complicated.

The IV is created using a Pseudo-Random Number Generator (Mersenne Twister: A 623-Dimensionally Equidistributed Uniform Pseudo-Random Number Generator). The derived IV is saved with the archive and is later used for encryption algorithm initialization when extracting the data. All the encryption algorithms used in DigiSecret operate in the Cipher Block Chaining (CBC) mode.

In order to ensure data integrity, DigiSecret calculates the SHA-1 hash value of the files included in the archive. This hash value is stored in the archive so that the program can detect possible data corruption when extracting the files. The name, real size, creation date and attributes of the archived files are also encrypted and stored in the archive.

3. Extracting data from an archive.

The decryption process is initialized the same way as the encryption, i.e. using the hashed passphrase and the IV stored in the archive. During data decryption and decompression, the SHA-1 hash value of the extracted data is calculated. If the calculated hash value doesn't match the value stored in the archive, the unpacked file is immediately shredded with multiple passes even though the data contained in the file is incorrect. If any errors occur while the data is extracted (e.g. lack of free space on the disk), the incorrect file is also shredded.

If you open a DigiSecret archive and work with the files without explicitly extracting them, DigiSecret decrypts them and places their copies into the system TEMP folder (typically C:\winnt\temp or C:\Documents and Settings\Username\Local Settings\Temp). If the files have been modified by the time you close the archive, DigiSecret will prompt you to update the files in the archive. If you click Yes, the files in the archive will be updated. The decrypted copies in the TEMP folder are always shredded when the archive is closed.

4. Sending and Receiving Files

When sending/receiving data via the TCP/IP protocol, the files being sent are encrypted using the passphrase. Additionally, before sending the encrypted data to the recipient, the program verifies whether the passphrases entered by the sender and recipient match (otherwise the decryption will fail). To perform this verification, the program calculates the passphrase checksum using many rounds of SHA-1 and finally one round of RipeMD-160, and uses the first 10 bytes of the resulting value as the checksum. The checksum is long enough to ensure with almost 100% probability that the passphrase is the same on both ends, and at the same time is useless for potential attempts to reconstruct the encryption key. If the entered passphrases don't match, the recipient is prompted to enter a different passphrase.

5. Shredding

The file deletion implemented in DigiSecret allows you to erase files from the hard drive or a floppy disk and makes it virtually impossible to recover the data.
Although it is believed that it is impossible to completely erase data from magnetic media, shredding the files using the Full scheme makes data recovery prohibitively expensive even for the most powerful and well-funded adversaries. If you believe that your opponents may have practically unlimited budgets and the most advanced technical means, it is recommended that you physically destroy the media containing the sensitive information.

The shredding process in the Full mode includes the following operations:
The table below lists the data patterns used to overwrite the file in the Full mode (35 passes). Other modes (Basic, Normal, Medium) use a smaller number of passes, starting from the beginning of the table.
The deterministic patterns between the random writes are permuted before the write is performed, to make it more difficult for an opponent to use knowledge of the erasure data written to attempt to recover overwritten data. The patterns were obtained from the article "Secure Deletion of Data from Magnetic and Solid-State Memory" by Peter Gutmann.
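
The passphrase-to-key step from section 2, as an added example that is not DigiSecret's code. The page gives only the hash (SHA-1) and the iteration count (1,000), so the block-counter expansion and the optional `salt` parameter in `stretch_key` are assumptions; `pbkdf2_key` shows the standardized PBKDF2 form of the same idea.

```python
import hashlib

def stretch_key(passphrase, key_len, iterations=1000, salt=b""):
    """Derive key_len bytes from a passphrase by iterated SHA-1.

    Assumed construction, not DigiSecret's: every 20-byte output block is
    the result of `iterations` chained SHA-1 calls, and a one-byte block
    counter extends the output past SHA-1's 160 bits for wider cipher keys.
    """
    if iterations < 1 or not 0 < key_len <= 255 * 20:
        raise ValueError("bad iteration count or key length")
    secret = passphrase.encode("utf-8")
    out = b""
    counter = 1
    while len(out) < key_len:
        block = hashlib.sha1(bytes([counter]) + salt + secret).digest()
        for _ in range(iterations - 1):
            # Re-mixing the passphrase keeps each round tied to the secret.
            block = hashlib.sha1(block + secret).digest()
        out += block
        counter += 1
    return out[:key_len]

def pbkdf2_key(passphrase, key_len, salt, iterations=1000):
    """Standardized equivalent: PBKDF2-HMAC-SHA1 (RFC 2898 / RFC 8018)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               salt, iterations, key_len)

if __name__ == "__main__":
    # Constructed sample passphrase and salts.
    for bits in (128, 256):
        print(bits, stretch_key("correct horse", bits // 8).hex())
    a = stretch_key("correct horse", 32, salt=b"archive-A")
    b = stretch_key("correct horse", 32, salt=b"archive-B")
    print("same passphrase, different salt, same key?", a == b)
```

Each passphrase guess costs the full iteration count per output block, which is what slows a dictionary search; a per-archive salt additionally keeps one precomputed table from applying to every archive.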
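
The verify-then-shred behaviour from section 3, as an added example that is not DigiSecret's code: plaintext is hashed in the same pass that writes it, and the output file is overwritten and deleted on a SHA-1 mismatch or on any extraction error. Decryption and decompression are left out (the chunks are taken as already decrypted), and the three random overwrite passes are an assumed stand-in for the product's shredder.

```python
import hashlib
import hmac
import os
import secrets
import tempfile

def shred(path, passes=3):
    """Overwrite the file with random data `passes` times, then delete it.
    Simplified stand-in: pass count and pattern are assumptions."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            for off in range(0, size, 65536):
                f.write(secrets.token_bytes(min(65536, size - off)))
            f.flush()
            os.fsync(f.fileno())  # push each pass to the device
    os.remove(path)

def extract_verified(chunks, stored_sha1, dest):
    """Write decrypted chunks to dest, hashing in the same pass.
    Returns True on a SHA-1 match; shreds dest on mismatch or any error."""
    digest = hashlib.sha1()
    try:
        with open(dest, "wb") as out:
            for chunk in chunks:
                digest.update(chunk)
                out.write(chunk)
    except Exception:
        if os.path.exists(dest):
            shred(dest)  # partial output is shredded too
        raise
    if hmac.compare_digest(digest.digest(), stored_sha1):
        return True
    shred(dest)
    return False

def run_demo():
    """Constructed sample: one intact member and one with a changed byte."""
    data = [b"quarterly-report " * 100, b"end of file\n"]
    stored = hashlib.sha1(b"".join(data)).digest()
    corrupted = [data[0][:-1] + b"X", data[1]]
    with tempfile.TemporaryDirectory() as tmp:
        good, bad = os.path.join(tmp, "good.bin"), os.path.join(tmp, "bad.bin")
        ok_good = extract_verified(data, stored, good)
        ok_bad = extract_verified(corrupted, stored, bad)
        return ok_good, os.path.exists(good), ok_bad, os.path.exists(bad)

if __name__ == "__main__":
    print(run_demo())
```

On journaling or copy-on-write filesystems and on flash media, an in-place overwrite may not reach the blocks that originally held the data.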