From: Seok Hong Date: Tue, 17 Jan 2017 01:47:31 +0000 (+0900) Subject: Add AntiForensics X-Git-Tag: submit/tizen/20170213.020148~22 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=421c90d5a5dd299475c7e5444f56b1e7269f7459;p=platform%2Fcore%2Fsecurity%2Fode.git Add AntiForensics Change-Id: I9a48648c96507e5d0a964c8afa4ea8a1729b8743 Signed-off-by: Seok Hong --- diff --git a/server/CMakeLists.txt b/server/CMakeLists.txt index 49d0d73..79ab042 100644 --- a/server/CMakeLists.txt +++ b/server/CMakeLists.txt @@ -29,6 +29,7 @@ SET(SERVER_SRCS main.cpp key-manager/key-store.cpp key-manager/key-manager.cpp key-manager/key-generator.cpp + key-manager/anti-forensics.cpp ) SET(DEPENDENCY klay diff --git a/server/key-manager/anti-forensics.cpp b/server/key-manager/anti-forensics.cpp new file mode 100644 index 0000000..4f32bce --- /dev/null +++ b/server/key-manager/anti-forensics.cpp @@ -0,0 +1,128 @@ +/* + * Copyright (c) 2016 Samsung Electronics Co., Ltd All Rights Reserved + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License + */ +#include +#include + +#include +#include + +#include +#include + +#include "anti-forensics.h" + +#define SECTOR_SHIFT 9 +#define SECTOR_SIZE (1 << SECTOR_SHIFT) + +namespace ode { + +static void RNG(unsigned char *buf, size_t resultSize) +{ + ::RAND_bytes(buf, resultSize); +} + +static void XORBlock(const unsigned char *src1, const unsigned char *src2, unsigned char *dst, size_t size) +{ + for (size_t i = 0; i < size; i++) + dst[i] = src1[i] ^ src2[i]; +} + +static void hashBuf(unsigned char *src, unsigned char *dst, uint32_t iv, + size_t size) +{ + char *ivChar = (char *)&iv; + iv = htonl(iv); + + uint32_t digestSize = 168 / 8; // use SHA1 in default + unsigned char buf[digestSize] = {0x00, }; + + SHA_CTX context; + if (!::SHA1_Init(&context)) + throw runtime::Exception("SHA1 Init Failed"); + if (!::SHA1_Update(&context, ivChar, sizeof(uint32_t))) + throw runtime::Exception("SHA1 Update IV Failed"); + if (!::SHA1_Update(&context, src, size)) + throw runtime::Exception("SHA1 Update Source Failed"); + if (!::SHA1_Final(buf, &context)) + throw runtime::Exception("SHA1 Final Failed"); + + ::memcpy(dst, buf, size); +} + +static void diffuse(unsigned char *src, unsigned char *dst, size_t size) +{ + uint32_t digestSize = 168 / 8; // use SHA1 in default + uint32_t blocks = size / digestSize; + uint32_t padding = size % digestSize; + + uint32_t i; + for (i = 0; i < blocks; i++) { + hashBuf(src + (digestSize * i), + dst + (digestSize * i), + i, + (size_t)digestSize); + } + + if (padding) { + hashBuf(src + (digestSize * i), + dst + (digestSize * i), + i, + (size_t)padding); + } +} + +AntiForensics::data AntiForensics::AFSplit(const AntiForensics::data &src, + uint32_t blockSize, uint32_t blockNumbers) +{ + if (blockSize != src.size()) + throw runtime::Exception("Source size check failed"); + + data buf(blockSize + 1, 0); + data dst(blockSize * blockNumbers, 0); + + uint32_t i; + for (i = 0; i < blockNumbers - 1; i++) { + RNG(dst.data() + (blockSize * i), blockSize); + XORBlock(dst.data() + (blockSize * i), buf.data(), buf.data(), blockSize); + diffuse(buf.data(), buf.data(), blockSize); + } + + XORBlock(src.data(), buf.data(), dst.data() + (blockSize * i), blockSize); + + return dst; +} + +AntiForensics::data AntiForensics::AFMerge(const AntiForensics::data &src, + uint32_t blockSize, uint32_t blockNumbers) +{ + if (blockSize * blockNumbers != src.size()) + throw runtime::Exception("Source size check failed"); + + data buf(blockSize, 0); + data dst(blockSize, 0); + + uint32_t i; + for (i = 0; i < blockNumbers - 1; i++) { + XORBlock(src.data() + (blockSize * i), buf.data(), buf.data(), blockSize); + diffuse(buf.data(), buf.data(), blockSize); + } + + XORBlock(src.data() + (blockSize * i), buf.data(), dst.data(), blockSize); + + return dst; +} + +} // namespace ode diff --git a/server/key-manager/anti-forensics.h b/server/key-manager/anti-forensics.h new file mode 100644 index 0000000..9b0dec8 --- /dev/null +++ b/server/key-manager/anti-forensics.h @@ -0,0 +1,36 @@ +/* + * Copyright (c) 2016 Samsung Electronics Co., Ltd All Rights Reserved + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License + */ +#ifndef __ANTI_FORENSICS_H__ +#define __ANTI_FORENSICS_H__ + +#include +#include + +namespace ode { + +class AntiForensics final { +public: + AntiForensics() = delete; + + typedef std::vector data; + + static data AFSplit(const data &src, uint32_t blockSize, uint32_t blockNumbers); + static data AFMerge(const data &src, uint32_t blockSize, uint32_t blockNumbers); +}; + +} // namespace ode + +#endif // __ANTI_FORENSICS_H__ diff --git a/server/key-manager/key-manager.cpp b/server/key-manager/key-manager.cpp index 2bff609..7d3c647 100644 --- a/server/key-manager/key-manager.cpp +++ b/server/key-manager/key-manager.cpp @@ -17,9 +17,11 @@ #include "key-manager.h" #include "key-generator.h" +#include "anti-forensics.h" #define MASTER_KEY_LENGTH (256 / 8) #define ITERATION_COUNT 1000 +#define LUKS_STRIPES 3 namespace ode { @@ -65,11 +67,13 @@ const KeyManager::data KeyManager::getMasterKey(const data& password) const store.getPasswordIteration(), store.getMasterKeyLength()); - data masterKeyCandidate = KeyGenerator::AESDecrypt( + data splittedMasterKey = KeyGenerator::AESDecrypt( store.getEncryptedMasterKey(), derivedPassword, KeyGenerator::SHA256(derivedPassword)); + data masterKeyCandidate = AntiForensics::AFMerge(splittedMasterKey, store.getMasterKeyLength(), LUKS_STRIPES); + data masterKeyCandidateDigest = KeyGenerator::PBKDF(masterKeyCandidate, store.getMasterKeyDigestSalt(), store.getMasterKeyDigestIteration(), @@ -93,8 +97,10 @@ void KeyManager::setPassword(const data& masterKey, const data& password) { store.getPasswordIteration(), store.getMasterKeyLength()); + data splittedMasterKey = AntiForensics::AFSplit(masterKey, masterKey.size(), LUKS_STRIPES); + store.setEncryptedMasterKey(KeyGenerator::AESEncrypt( - masterKey, + splittedMasterKey, derivedPassword, KeyGenerator::SHA256(derivedPassword))); } diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt index 4fc8129..eff1d8b 100755 --- a/tests/CMakeLists.txt +++ b/tests/CMakeLists.txt @@ -19,10 +19,12 @@ SET(TEST_SRC main.cpp ext4-engine.cpp dmcrypt-engine.cpp ecryptfs-engine.cpp + af.cpp ../server/file-footer.cpp ../server/engine/ext4-engine.cpp ../server/engine/ecryptfs-engine.cpp ../server/key-manager/key-generator.cpp + ../server/key-manager/anti-forensics.cpp ) ADD_EXECUTABLE(${PROJECT_NAME} ${TEST_SRC}) diff --git a/tests/af.cpp b/tests/af.cpp new file mode 100644 index 0000000..e5e99ab --- /dev/null +++ b/tests/af.cpp @@ -0,0 +1,66 @@ +/* + * Copyright (c) 2016 Samsung Electronics Co., Ltd All Rights Reserved + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License + */ + +#include +#include + +#include +#include +#include +#include +#include +#include +#include + +#include +#include +#include +#include + +#include "../server/key-manager/anti-forensics.h" + +#define LUKS_STRIPES 3 // this constans will be placed in key-manager + +TESTCASE(AntiForensics) +{ + try { + typedef ode::AntiForensics::data data; + + std::string Key = "Master_Key"; + data MasterKey(Key.begin(), Key.end()); + data SplittedMasterKey = ode::AntiForensics::AFSplit(MasterKey, MasterKey.size(), LUKS_STRIPES); + data UnSplittedMasterKey = ode::AntiForensics::AFMerge(SplittedMasterKey, MasterKey.size(), LUKS_STRIPES); + + // check size + TEST_EXPECT(MasterKey.size(), UnSplittedMasterKey.size()); + + // check data + for (unsigned i = 0; i < MasterKey.size(); i++) + TEST_EXPECT(MasterKey[i], UnSplittedMasterKey[i]); + + // display unsplitted master_key + for (unsigned char c : UnSplittedMasterKey) + std::cout << c; + std::cout << std::endl; + // + } catch (runtime::Exception &e) { + TEST_FAIL(e.what()); + } catch (...) { + TEST_FAIL("UNKNOWN ERROR"); + } + + +} \ No newline at end of file