******************************************************************************
PT-46                                                              August 1992
******************************************************************************

1. Product Description: Citadel is a commercial access control and malicious program detector/disinfector product for the Macintosh. It also provides additional utilities for encryption and for media sanitization.

2. Product Acquisition: Citadel is available from Microcom, Inc., P.O. Box 51489, Durham, NC 27717. The telephone number is 919-490-1277. The price from the vendor has varied from $50.00 to $99.00 depending upon special promotions and upon whether a customer has already purchased other Microcom products. Site licenses are available. There are also a variety of mail order firms which offer significant savings on a single copy purchase.

3. Product Tester: Chris Mc Donald, Computer Systems Analyst, Information Systems Command, White Sands Missile Range, NM 88002-5506, DSN 258-5712, DDN: cmcdonal@wsmr-emh03.army.mil or cmcdonald@wsmr-simtel20.army.mil.

4. Product Test:

a. I obtained my copy directly from Microcom under a promotional offer for those customers who had purchased other Microcom products. I discovered that Citadel includes a complete copy of Microcom's Virex program. Virex provides virus and trojan horse signature detection and disinfection as well as tools to potentially detect "new" malicious code. Since I have previously evaluated Virex under Product Test 10, revised February 1992, this review will forego any additional analysis. Product testing of Citadel occurred on a Mac IIcx, OS 6.0.5, and extended from June 1 through August 10, 1992. The version tested was 1.0, which is System 7 compatible.

b. Citadel provides these features:

(1) Hard drive protection through the use of a password, which includes the ability to require a password if one attempts to boot the system from a floppy drive.
(2) Floppy drive protection through the use of a password to protect or to disable a floppy drive and prevent the removal of files or the potential introduction of unauthorized or malicious software.

(3) Screen locking either automatically after a pre-selected period of time or manually through the use of a user-configured Hot Key.

(4) Software encryption of files or folders either with the Data Encryption Standard algorithm or with a proprietary algorithm.

(5) Sanitization or erasure of files through overwriting, including a utility to overwrite previously deleted files.

(6) Virus and malicious program facilities with Virex.

(7) Security Administration for those situations where one wishes to install Citadel on multiple systems.

c. Citadel consists of three separate disks: an Administrator Disk, a User Disk, and a Utilities Disk. All three are necessary for a successful installation. Although the Administrator's Guide had only four pages devoted to installation, the instructions were accurate and concise. I did find the installation process to be somewhat convoluted, with numerous disk insertions required. There is also the issue that, when installation is complete, Citadel has an INIT, a Desk Accessory (DA), and an Application. For non-System 7 users, installation of a Desk Accessory can become an exercise in frustration if one has not previously done such an installation. System 7 users need only drag a copy of the Citadel DA into their System Folder.

d. The Administrator's Guide recommends that a user scan with the Virex component before proceeding with installation. While this added a few minutes to the installation, it is possible to abort the scanning if one has confidence that the system is "clean". Upon the completion of installation one restarts the system to activate the Citadel INIT modules.

e. The first issue after restart is to configure the INIT. One does this by accessing the Citadel INIT through the Control Panel under the Apple Menu.
I tested these features with the following results.

(1) Locking the Hard Drive. One selects this option by clicking on the Lock button and then choosing the drive or drives to be locked. The procedure is simple, with a good illustration in the Administrator's Guide. The documentation states that one can Unlock the drive with the Administrator's Disk in the event one forgets the password necessary to unlock the drive(s).

(2) Selection of Passwords. One chooses the password to Lock/Unlock a drive or drives. There is no mechanism for an Administrator to construct rules for password composition or length. The only standard is that a password must have a minimum of 8 characters. The user has the option to require that a separate and distinct password be entered to totally remove password protection. Password protection functioned effectively to deny access to the drive unless I entered the correct access code. I confirmed that one has to choose at least 8 characters for any password. If one chooses the "Citadel INIT Required to Mount Disk" feature, the hard drive will be completely inaccessible from another startup volume. For example, when I attempted to boot the system from the floppy drive with this feature enabled, the hard drive was invisible. Even with a disk utility such as MacTools Deluxe, I was unable to access the hard drive or any information on it.

(3) Audit Trail. The Audit Trail options include a record of the date, time, number of access attempts, and whether access was granted or denied. Since Citadel has no mechanism to assign User or Logon names, the record was somewhat meaningless at times. For example, when I consciously made 8 incorrect password attempts and then entered the correct password, the audit trail recorded "9 attempts" with a record of access granted.
There is no mechanism to limit the number of incorrect attempts, so one pays no penalty for an incorrect password, nor is one discouraged from initiating attempts unless one has attempted to boot the system from the floppy drive as discussed in (2) above.

(4) Floppy Drive Protection. One has an option to protect or to disable a floppy drive to prevent the download of a file and perhaps to preclude the introduction of a computer virus or a malicious program. For those environments where a complete lockout might be unacceptable, one can configure the option to allow a user to unlock the floppy drive by entering a password. The option worked as documented. I did note that submission of an incorrect password to unlock the floppy drive was not recorded in the Audit Trail.

(5) Screen Locker. One can choose an automatic screen locking capability based upon minutes of inactivity, or enable a Hot Key to manually activate locking, or both alternatives. Both configurations functioned normally. Once again I noted that submission of an incorrect password to unlock the screen was not recorded in the Audit Trail.

f. File encryption is available with the Citadel INIT or with the Citadel Desk Accessory (DA). I tested both alternatives with these results.

(1) One must encrypt by creating "vaults" and then choosing from a menu those files to be encrypted and placed in a specific vault. This makes every encryption and decryption process a two-step procedure: one must first open or create a vault, and then perform an encryption/decryption operation.

(2) Each vault must have a password for access control. This same password serves as the encryption/decryption key for individual files. The selection of the password is at the user's discretion. After a user has chosen a password and entered it again for verification, the user selects from three encryption options: Full, 1/2 or 1/4 DES encryption.
The Administrator's Guide gives few details on these options other than to comment that the 1/2 and 1/4 implementations are faster but less secure. There is no description of what DES mode of operation the Full option implements. Consequently, it is not possible to comment on the strength of the encryption process. Users should be aware that software implementations of DES have not as yet been evaluated by the National Institute of Standards and Technology, and that many organizations mandate only hardware implementations for the protection of unclassified sensitive information. It should also be noted that 1/2 and 1/4 DES implementations are simply not DES under Federal Information Processing Standards (FIPS).

(3) I created three different vaults and encrypted/decrypted dozens of files. I chose the Full DES option, and found that encryption rendered the contents of a file unintelligible. Attempts to retrieve the encryption key with various disk utilities were unsuccessful. The encryption process has no mechanism for file compression, so the size of the encrypted file is equal to that of the unencrypted source file. One has the option to erase the source folder or file during the encryption process, or to manually erase the source file after encryption has occurred. The same feature is available on the decryption side as well. Finally, one can choose to make a vault invisible at the desktop level. In this case one must use the Citadel Open Vault dialog box, which in turn requires the user to submit a password. I tested all of these features, which performed as documented with two exceptions. If I chose the erase folder or file feature during the encryption process, the system hung every time with the Shredder program already installed through the Control Panel. When I turned Shredder off, the feature functioned normally. I discuss Shredder in paragraph g below.
I also found that, even if one made a vault invisible, one could still use a disk utility program to infer information about the files contained in the vault. While the information gathered might be of limited value, such as the existence of a file and its size, a vault was not totally invisible.

g. Shredder is a program to write zeros to a file before the Finder deletes it. Through the Control Panel a user can turn Shredder on and off; require confirmation before shredding occurs; initiate triple shredding to meet US government standards; animate the cursor during shredding; shred files deleted while in the Finder and while in other applications; and play a sound during shredding. I tested all of the options with these results.

(1) The sound and animation can become grating if one has a large number of files to be shredded.

(2) The Administrator's Guide does not provide any specifics on triple shredding. If Shredder is only writing zeros, then this procedure may not satisfy certain government agency requirements for the sanitization of classified national defense information.

(3) The feature to shred files while within applications was extremely nice. For example, temporary files created in printing a Microsoft Word file could be shredded immediately without having to wait to sanitize the entire free space on the hard drive. Shredder does have a companion program, DiskCleaner, to overwrite free space on a disk. DiskCleaner automatically utilizes triple shredding, but obviously would require a longer time to sanitize a large disk drive.

(4) Shredder worked as documented. Attempts to retrieve shredded files with various disk recovery tools were unsuccessful. There was a conflict with one particular option in the encryption menu, discussed in paragraph f above.

5. Product Advantages:

a. Citadel provides effective access control, malicious program defenses, software encryption, and sanitization procedures.

b. Installation, configuration and deinstallation of the program are generally simple. There is an emergency unlock procedure available in the event one cannot access a protected volume.

c. The vendor has an established reputation for customer support and marketing.

6. Product Disadvantages:

a. User logon names, password composition rules, and limits on incorrect logons are not available.

b. Government users will require a waiver under FIPS 46-1 to protect unclassified sensitive information using the product's Full software DES implementation. Such users will also require additional information on Shredder to verify that it does meet standards for the sanitization of classified national defense information.

c. If a user forgets an encryption password, the Security Administrator cannot recover it according to the documentation. Therefore, significant problems could develop if users are not well-trained.

d. Citadel offers no file or folder protection other than encryption. If one requires read, write and execute permissions on files and folders, then one would have to look elsewhere.

7. Comments: Citadel is one of the few products which has combined so many protection features into one package. This has both advantages and disadvantages. The disadvantages in this instance have more to do with perceived omissions in implementation than with the intention of any specific protection mechanism. The Administrator's Guide, while adequate, needs to address encryption and shredding in greater detail so that the questions raised in this evaluation report might be answered without a telephone call to technical support.

[The opinions expressed in this evaluation are those of the author, and should not be taken as representing official Department of Army positions or a commercial endorsement.]
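The audit trail and lockout behaviour discussed in paragraph e(3) and listed under 6.a, as an added example that is not part of this report or of Citadel: a password gate that records each attempt separately with its outcome and refuses access after a threshold of consecutive failures, so eight wrong passwords followed by the right one no longer ends in "access granted". The password, the threshold of five and the one-second clock are constructed values.

```python
"""Password gate with a per-attempt audit trail and a lockout threshold.
Added example, not part of this report or of Citadel. It shows the two controls
paragraph e(3) found missing: every attempt is recorded with its own outcome,
and the gate locks after max_failures consecutive bad passwords instead of
granting access on the ninth, correct, one. Password and clock are constructed."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

@dataclass
class AuditRecord:
    timestamp: int        # supplied by the caller so the trail is reproducible
    outcome: str          # "granted", "denied" or "locked"
    failures_so_far: int  # consecutive failures after this attempt

@dataclass
class PasswordGate:
    salt: bytes
    digest: bytes
    max_failures: int = 5
    failures: int = 0
    audit: list = field(default_factory=list)

    @classmethod
    def create(cls, password: str, max_failures: int = 5) -> "PasswordGate":
        # Keep a salted PBKDF2 digest, never the password itself.
        salt = os.urandom(16)
        return cls(salt, cls._derive(password, salt), max_failures)

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def attempt(self, password: str, now: int) -> str:
        """Check one password, append an audit record, return the outcome."""
        if self.failures >= self.max_failures:
            outcome = "locked"       # even the right password is refused now
        elif hmac.compare_digest(self._derive(password, self.salt), self.digest):
            outcome = "granted"
            self.failures = 0
        else:
            outcome = "denied"
            self.failures += 1
        self.audit.append(AuditRecord(now, outcome, self.failures))
        return outcome

def replay(gate: PasswordGate, guesses: list, start: int = 0) -> list:
    """Submit guesses one second apart and return the list of outcomes."""
    return [gate.attempt(g, start + i) for i, g in enumerate(guesses)]
```

Replaying the report's eight wrong guesses and one correct one yields five "denied" records and four "locked" ones, each with its own timestamp, rather than a single "9 attempts, granted" line.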
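The overwrite-before-delete behaviour of Shredder described in paragraph g, as an added example that is not Citadel's or Microcom's code: a zero-fill pass over the file, repeated a configurable number of times in the sense of the report's "triple shredding", followed by deletion. The sample file standing in for a temporary print file, its name and its contents are constructed.

```python
"""Overwrite-before-delete modelled on the Shredder behaviour in paragraph g.
Added example; not Citadel's or Microcom's code. One pass writes zeros, as the
report says Shredder does; passes=3 repeats that pass, the only meaning of
"triple shredding" the report supports. The sample file is constructed."""
import os
import tempfile

CHUNK = 64 * 1024

def shred_file(path: str, passes: int = 1, remove: bool = True) -> int:
    """Overwrite every byte of `path` with zeros `passes` times; return its size."""
    if passes < 1:
        raise ValueError("passes must be >= 1")
    size = os.path.getsize(path)
    zeros = bytes(CHUNK)
    # "r+b" rewrites the existing file in place; truncating and re-creating it
    # could allocate fresh blocks and leave the old ones intact on the medium.
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                fh.write(zeros[:n])
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())  # force each pass to the device, not just the cache
    # Caveat: in-place overwriting reaches the old data only where the filesystem
    # writes back to the same blocks; journaling, copy-on-write and SSD wear
    # levelling can leave the original contents elsewhere.
    if remove:
        os.remove(path)
    return size

def demo(passes: int = 3) -> dict:
    """Shred a constructed temporary file and report what was observed."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "Word Temp 1")           # constructed sample file
        with open(path, "wb") as fh:
            fh.write(b"constructed temporary print file " * 4096)
        before = os.path.getsize(path)
        overwritten = shred_file(path, passes, remove=False)
        with open(path, "rb") as fh:
            data = fh.read()
        zeroed = len(data) == before and not any(data)
        shred_file(path)                                 # second call also unlinks
        return {"size": before, "overwritten": overwritten,
                "zeroed": zeroed, "removed": not os.path.exists(path)}
```

The size check in `demo` mirrors the report's observation that overwriting leaves the file length unchanged; only the contents become zeros before the unlink.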