ScramDisk Volumes Can Have Their Passwords "Reset"

Written: 2nd January 2000
Last updated: 24th January 2000

Summary

Since ScramDisk creates two copies of a key part of each volume it creates within the volume file, it is possible to "reset" the passwords on a ScramDisk volume to whatever they were when the volume was originally created.

Explanation

When ScramDisk creates a new volume, it generates a random "master key" which is used for encrypting/decrypting data read/written to the volume. This master key is encrypted with the user's password(s), and then two copies of the encrypted master key are then written to the volume file. The first starting from offsets 0x0000 (0 decimal) within the volume, and the second from 0x1800 (6144 decimal). The size is 1024 bytes for initialization vectors and whitening values plus the encryption key length.

When the user changes their password(s), only the first copy of the encrypted master key is re-encrypted with the new password(s) before being written back to the volume file.

This raises a serious security problem; it is trivial for an attacker to swap the two key blocks around, and mount the volume using the original password(s) used when the volume was originally created.

Additionally, it is quite possible (and indeed probable) that some users first starting out with ScramDisk, may initially have created one or more volume files to try the software out with, and see how ScramDisk works. Since any such volumes would obviously not be used to secure any valuable information, a simple "low security", easily remembered password may well have been used (for example, the word "password" may have been used). Later, the same user may have gained enough confidence in ScramDisk to warrant changing the password to something more secure (e.g. a random collection of alphanumeric characters), before writing sensitive information to the volume, and generally trusting ScramDisk to secure their data.

Having done so, and beginning to use the encrypted volume more seriously, the user may mistakenly believe that after changing the original "low security" password, their data is safe, while not realising that it is still possible to access the volume by swapping the two key blocks over, and then using the original password.

It should be noted that ".WAV" files with ScramDisk data do not have this second table, and are therefore do not have this problem.

An explanation as to why this error in ScramDisk occured is perhaps best given by the author:

"The only reason the backup data was not updated on password changes is because of an oversight on my part, when I added password changes, which (v)2.00 did not support."
- Aman

Demonstration

  1. Download the demonstration key-block-swapper (which includes full source code) from here
  2. Create a new ScramDisk volume, using the password "password ONE"
  3. Mount the volume
  4. Change the password on this volume to "password TWO"
  5. Dismount the volume

    Optional: Try to mount the volume using "password ONE" as the password. Observe that this password will not work.

  6. Run the demonstration previously downloaded in step 1.
  7. Enter the filename of the volume file, select "Swap key blocks", and click "Modify".

    The (1024+32) bytes at offsets 0x000 and 0x1800 will then be swapped over

  8. Try to mount the volume using the "password ONE" as the password. The volume should mount correctly.

Notes

Workaround: There are two ways of addressing this problem:

  1. When creating a new volume file, do so using a series of four passwords that each have 40 chars and consist of a meaningless jumble of characters, including letters (both upper and lowercase), numbers, and punctuation (e.g. "{P239asSDHJ54( (%$lp34654~@:'d.fw#a';34d"). Make a note of the passwords you use, and after creating the volume change the passwords to something else.

    Do remember to destroy your note of the original passwords afterwards!

  2. The demonstration software (see "Demonstration" section for download) has the option of overwriting the second key block with either pseudorandom data, or the first 1056 (i.e. 1024+32) bytes from a user-specified file. Either way, the attack mentioned in this document will no longer be feasible.

Please see also ScramDisk Volumes Can Contain Duplicate Information

Email me at: sdean12@mailcity.com

Return to the Attacking OTFE; Known Security Flaws in Certain OTFE Systems page