From: Chris McDonald STEWS-IM-CM-S (1/28/93)
To: orvis%llnl.gov@wsmr-simtel20.ar, Mail*Link® SMTP
Product Test 33

******************************************************************************
PT-33 April 1991
******************************************************************************

1. Product Description: Ft. Knox is a commercial program with two major functions: (a) sanitization of Macintosh systems and media; and (b) file encryption either with the Data Encryption Standard (DES) algorithm or with the proprietary OnesCrypt algorithm.

2. Product Acquisition: Ft. Knox is available from Transfinite Systems Company, Inc., Post Office Box N, MIT Branch Post Office, Cambridge, MA 02139. The telephone number is 617-969-9570. The price of the program is $195.00 for commercial users; $139.00 for U.S. government. I have been unable to find any secondary sources.

3. Product Tester: Chris McDonald, Computer Systems Analyst, Directorate of Information Management, White Sands Missile Range, NM 88002-5030, DSN: 258-7548, DDN: cmcdonal@wsmr-emh03.army.mil or cmcdonald@wsmr-simtel20.army.mil.

4. Product Test:

a. I obtained the product directly from Transfinite in March 1991. The version received was 1.0.5. I conducted tests from March through April 1991 on a Macintosh IIcx running system 6.0.5 with an 80MB hard drive. I have also tested the program on a variety of formatted removable diskettes.

b. When a user "drags" a file to the TRASHCAN on a Macintosh system, the data in that file is still on the disk until overwritten. Files on the Macintosh can have two forks, a data fork and a resource fork. A file can have either one or both forks. Most documents have only data forks, and most applications have only resource forks. The data fork stores data such as text for word processing or data for databases and spreadsheets. The resource fork stores information about dialog boxes, windows, icons, etc.

c. Ft. Knox can overwrite both data and resource forks.
The user double-clicks on the Ft. Knox program file and then has five menu items displayed: (1) FILE; (2) EDIT; (3) DISK; (4) SCSI; and (5) SPECIAL. The selections tested included (1), (2), (3) and (5). The manual states: "Although SCSI level sanitization is potentially more secure than disk volume sanitization, unless there is some reason to suspect that your system has been tampered with, disk volume operations may be adequate and are generally more convenient". There is a further warning notice which convinced me that selection (4) was not for me during this evaluation: "Both SCSI sanitize and overwrite should be used with caution. They destroy any drivers on the SCSI disk and special software will be required to restore the device to normal usability."

d. A user must understand the distinction between certain terms to properly use Ft. Knox menu options. The DoD Magnetic Remanence Security Guideline (CSC-STD-005-85) provides these definitions:

(1) Clear = a procedure used to erase data stored on media, but lacking the totality of a declassification procedure.
(2) Declassify = a procedure to totally remove all classified or sensitive information stored on magnetic media followed by a review of the procedure performed.
(3) Overwrite = a procedure to remove or destroy data recorded on magnetic media by recording patterns of unclassified data over or on top of the data stored on the media.
(4) Sanitize = a procedure to erase or overwrite data stored on magnetic media for the purpose of declassifying the media.

For the declassification or sanitization of classified national defense information a user must invoke a specific overwrite pattern should he or she choose this method of declassification. A user may have an option, however, in the declassification or sanitization of unclassified sensitive information. In fact, agency standards could vary on the specific clearing or overwriting requirements for unclassified magnetic media.

e. Ft. Knox under menu items File, Disk and SCSI provides three alternatives:

(1) Deletion with no overwrite which permits recovery of the information with a disk utility program.
(2) Overwrite with a one time 16-bit random pattern which does not permit recovery of the information with a disk utility program, but which may offer some chance of recovering magnetic remnants of the data.
(3) Sanitization with a 16-bit random pattern so that at least three different values are written over the information followed by a verification that these overwrites have occurred.

f. I tested all of these options with no apparent problems. I used Fedit, version 1.05+, MacSnoop and MacTools Deluxe to verify the correct operation of Ft. Knox's overwrite and sanitization routines. I was unable to recover any data subjected to an overwrite or sanitization procedure. It is beyond my technical capabilities and assigned job responsibilities to perform any type of technical magnetic remanence examination of storage media. I can only observe that Ft. Knox appears to successfully implement the DoD guideline procedures.

g. The encryption/decryption features of Ft. Knox were impressive. The user has the option to employ two different implementations of the Data Encryption Standard (DES), or a proprietary algorithm, OnesCrypt. By default the DES and the proprietary implementations use the Cipher Feedback Mode (reference Federal Information Processing Standards Publication 81, "DES Modes of Operation"). A user has the option to use the Electronic Codebook Mode of DES under the SPECIAL menu. The Ft. Knox manual and FIPS 81 describe the distinctions between the two.

h. The user selects encryption/decryption under the FILE menu item. I thought I would see the selections labelled as "encrypt/decrypt". I guess this is just too conventional because the actual selections are:

(1) Abcd->%4#x
(2) %4#x->Abcd

i. Encryption and decryption is by individual file.
A user selects the file and then receives a window which prompts for an encryption/decryption key, for the encryption/decryption algorithm to be used, and for the destination of the encrypted/decrypted output. A user may select a key from 1 to 31 characters, or may select a Random button in the window to obtain a 16-character key. There is a window option to display or to suppress the key entered. A user must successfully enter the key twice to perform an operation. The default is for a file to be encrypted/decrypted to a different output file. If one specifies that a file is to be encrypted/decrypted to itself, a temporary output file with the name "Ft.Knoxtemp" with the date and time appended will be created. When the operation is complete, Ft. Knox will delete the input file and then rename the output file to have the input file's name. Finally, the manual warns: "In all cases you should record or clearly memorize the file key, if you ever wish to be able to decode the file!"

j. I tested all of the encryption/decryption options with no problems encountered. The manual indicates that one can encrypt a file as many times as one wishes, so long as one decrypts it with the same keys and algorithms and in the opposite order to get back to the original unencrypted file. I found that the default DES encryption added some bytes to the encrypted file, but nothing which was unmanageable for my particular disk environment. I performed several double-encryption operations, to include using DES for the first encryption and then using the proprietary algorithm for the second. There was no problem so long as the keys and algorithms were entered correctly for the decryption operation.

k. There is a potential hazard, not described fully in the manual, when one chooses to encrypt a file to itself. Ft. Knox "deletes" the input file and then renames the output file with the input file's name. "Deletion", however, will permit the recovery of the unencrypted input.
Since the default in encryption operations is for the program to write its output to a different file, a user is aware that he or she has both an encrypted and unencrypted version of the same information. I thought it would have been reasonable to have expected Ft. Knox to overwrite or to sanitize the input file when a user consciously chooses an option. In the default mode a user would encrypt and then overwrite or sanitize the input file for maximum security, essentially a two-step procedure. When a user chooses the option of encrypting a file to itself, a three-step procedure arises. One encrypts the file; restores the "deleted" input file; and then overwrites or sanitizes the input file. Unless I missed something in the manual or in the operation of the program, this seems to me unnecessarily complex. If one wishes to fully utilize the advantages of encryption, then I would always recommend the default.

5. Product Advantages:

a. Ft. Knox appears to perform as advertised.

b. The declassification and sanitization of storage media is a critical concern for most government agencies. Even the private sector has shown an increased interest in this issue. Ft. Knox addresses this concern.

c. Software encryption of information offers an additional tool to achieve data confidentiality and data integrity.

6. Product Disadvantages:

a. Ft. Knox has no formal certification or endorsement from the National Security Agency or from the Department of Defense. Some time ago NSA announced that it would no longer certify software declassification or sanitization programs. Therefore, approval of the program will probably require the authorization of respective information system security officers, or whoever within an organization is responsible for data security. Different agencies will logically have different approval policies and procedures.

b. Although Ft. Knox has a variety of file and disk options for overwrite and sanitization operations, version 1.0.5 does not have an option for overwriting or sanitizing unallocated memory space. One has to choose a disk or SCSI option to address temporary files and residual data.

c. The encryption of a file onto itself results in the deletion, not overwrite or sanitization, of the input file.

7. Comments: There are several commercial programs available to overwrite Macintosh disks (i.e., MAC Tools Deluxe, SUM, VIPER, and Ft. Knox). I have MAC Tools Deluxe and VIPER under evaluation at the present time. There have also been in-depth reviews of these and similar products in trade publications and magazines for those who have an immediate requirement for some type of acquisition. Ft. Knox in my limited tests performed well. Whether it is the most cost-effective solution is for individual users to decide for themselves.

[The opinions expressed in this evaluation are those of the author, and should not be taken as representing official Department of Army positions or a commercial endorsement.]
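
Added example (not part of the original evaluation and not Ft. Knox code): a sketch of the sanitize alternative in 4e(3), read here as three distinct random 16-bit patterns with a read-back check after each pass, used to close the encrypt-to-itself gap described in 4k and 6c. The function names, the ".tmp" suffix and the placeholder transform are hypothetical. It assumes a file system that rewrites a file's blocks in place.

```python
import os
import secrets
import tempfile

def sanitize_file(path, passes=3, unlink=True):
    """Overwrite path in place with distinct random 16-bit patterns, reading
    each pass back to verify it, then (optionally) delete the file."""
    size = os.path.getsize(path)
    patterns = []
    with open(path, "r+b") as f:
        while len(patterns) < passes:
            pattern = secrets.token_bytes(2)      # one 16-bit random value
            if pattern in patterns:
                continue                          # every pass must differ
            patterns.append(pattern)
            fill = (pattern * (size // 2 + 1))[:size]
            f.seek(0)
            f.write(fill)
            f.flush()
            os.fsync(f.fileno())                  # push this pass to the device
            f.seek(0)
            if f.read() != fill:                  # verification of the overwrite
                raise OSError(f"pass {len(patterns)} failed verification")
    if unlink:
        os.remove(path)
    return patterns

def encrypt_to_itself(path, encrypt):
    """Encrypt path onto itself; `encrypt` is any bytes -> bytes callable
    (a hypothetical stand-in for the real cipher)."""
    tmp = path + ".tmp"
    with open(path, "rb") as src, open(tmp, "wb") as dst:
        dst.write(encrypt(src.read()))
        dst.flush()
        os.fsync(dst.fileno())
    sanitize_file(path)       # sanitize the plaintext instead of only deleting it
    os.replace(tmp, path)     # the output takes over the input file's name

def demo():
    # Constructed sample data; the XOR lambda is a placeholder, not a cipher.
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "memo.txt")
        secret = b"constructed sample plaintext " * 8
        with open(path, "wb") as f:
            f.write(secret)
        encrypt_to_itself(path, lambda b: bytes(x ^ 0x5A for x in b))
        with open(path, "rb") as f:
            return secret, f.read(), os.listdir(d)
```
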