The trick is to subtract 4 from the Capabilities in the registry. Not easy, but it can be done. The only thing is that it keeps coming back after every boot ! And it looks like the value cannot be edited under Vista. Here is how to fix it for good.

What has to be done (but doesn’t work)

Find the drive that shows up in the safely remove hardware icon in your registry. It will be somewhere under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\IDE\. My DVD drive was here :

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\IDE\CdRomHL-DT-ST_DVDRAM_GMA4082Nj_______________PM01____

There is a numerical an alphanumerical key under that with a DWORD Capabilities value.

It is a bit field. The bit 0010 (4 in decimal) is the REMOVABLE bit. Clear it by subtracting 4 from the value you have. The value I had was 6, so now I am down to 2.

If you try to do that, you will get an access denied. That’s ok, we will get around that. For now, right click on the key name and copy it (the key named 5&3392c8c4&0&0.0.0 in my example).

Same idea, that works manually under Vista

You need to have the TCB privileged enabled to modify that registry key. Running regedit as an administrator (or elevated, if you have UAC) will not work. You can fix the value with this command line :

psexec -s reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\IDE\CdRomHL-DT-ST_DVDRAM_GMA4082Nj_______________PM01____\5&3392c8c4&0&0.0.0" /v Capabilities /t REG_DWORD /d 2 /f

You will have to replace the key name with what you found in your registry. Running psexec -r regedit might work, but who wants to do that every time the computer boots ?

Permanent fix

I hardly ever run as an administrator, so putting the above command in a script was out of the question. The solution was to create a Task using Windows Task Scheduler. I set it to run at startup, under the SYSTEM account. Don’t forget the /f (force) flag, or else the job will appear to hang, waiting a confirmation from you.

Create a new task. In the “General” tab, click Change User or Group and enter “SYSTEM” . Trigger on startup and enter the same command as above, but without psexec -s. Your task is running reg.exe, with everything right of that (in the command line, earlier) as optional arguments.

Good luck and HTH !

• Strong cryptography
  Thank TrueCrypt for 256 bits AES in XTS mode. I think 256 bits is overkill, but 128 is not offered. I don’t see any performance hit on my modest, stock Fujitsu E8210 laptop.
• Need to know (reduced data exposure)
  Data is not available in clear text when I don’t need it. In other words, when I work, I have my files, when I play they stay encrypted
• Easy encrypted backup
  My backups are merely a copy to a file server.
• Single sign-on to any encrypted volume
  The pre-boot authentication password (or pass phrase, your call) is the only one you’ll ever have to enter, and yet, that password is never stored anywhere. Not even in encrypted memory. It’s only in your head.
• Supports encrypted USB drive
  USB drives get the same single sign-on, need to know and backup features. Doesn’t matter wheter you use file based or whole volume, although using a file based container allows you to store regular data on any computer, instead of carrying to drives.
• Platform independent
  Works on all platforms that TrueCrypt supports

It does not feature, but could be extended to :

• Plausible deniability
• Two factor authentication to encrypted files (TrueCrypt version 6.1 required)
• Step-up authentication to encrypted files
• Operating system logon integration (stay tuned for that one…)
• Full operating system backup

Here is a simplified view of my setup. A laptop, a usb drive and a simple NAS server (I have a Linksys NAS200, but any remote file share or ftp will do).

1. A keyfile is stored on your encrypted partition.
   I generated a keyfile with cryptographic random noise. Let’s call it Entropy.dat. Your pre-boot password and operating system logon will give you access to that key file. It is used to single sing-on to any container. That keyfile is never backed up, excluded it from all your backups.
2. A volume header of your container (with password authentication) is backed up
   For any file based volume you create, backup a header that has a password authentication, no keyfiles. Write that password behind a picture of yourself with your kids and send it to your mother. It will be on the her fridge if ever you need it.
3. Backup a rescue disk ISO file
   This is regular TrueCrypt procedure for full disk encryption.

To set yourself up like this, follow these steps :

1. Follow TrueCrypt’s guidelines to enable full disk encryption.
2. Create a file based TrueCrypt volume, with a strong password that you will remember or write down.
3. Backup that volume header.
4. Select (or generate) a keyfile.
5. Change the volume password to      (nothing, leave the password field blank)
6. Select the keyfile of step 4 and click Ok

Repeat steps 4-5-6 for each file based container. Copy to that container the files you want to be able on a need to know basis. When you need the files, mount the container. I wrote a batch file that mounts a file based container and shows a popup with my Notifu utility (Windows only).

@echo off
REM Mounts a file based TrueCrypt container and displays a pop-up
"C:\Program Files\TrueCrypt\TrueCrypt.exe" /v C:\users\your_username\Clients.tc /l X /q /k "%USERPROFILE%\entropy.dat" /m ts
start "" notifu /m "TrueCrypt drive X was mounted successfully from file Clients.tc" /p "Secure drive mounted" /d 5000 /i "C:\Program Files\TrueCrypt\TrueCrypt.exe"
start "" /MIN "C:\Program Files\TrueCrypt\TrueCrypt.exe" /q background

The batch is a little different for USB drives.

@echo off
REM Mounts a file based TrueCrypt container located on a USB drive and displays a pop-up
setlocal
REM I use this setup on many machines, and the USB drive is not
REM always given the same letter...
if exist f:\mobile.tc set TCFILE=f:\mobile.tc
if exist e:\mobile.tc set TCFILE=e:\mobile.tc
start "TrueCrypt" /MIN "C:\Program Files\TrueCrypt\TrueCrypt.exe" /v %TCFILE% /k "%USERPROFILE%\entropy.dat" /l U /a /q /m rm /m ts
start "" notifu /m "TrueCrypt drive U was mounted successfully from file %TCFILE%" /p "Secure drive mounted" /d 5000 /i "C:\Program Files\TrueCrypt\TrueCrypt.exe"
start "" /MIN "C:\Program Files\TrueCrypt\TrueCrypt.exe" /q background
endlocal

Feel free to use it and adapt it to your needs !

• Fixed a bug where registry keys and groups had to be present to work.
• Fail safe behaviour reverts to normal MSGINA.dll if anything goes wrong
• Better detection of the user logged in coming back to unlock
• Registered as a logon process (Paralint shows in the Event log instead of Winlogon)
• Added an option to generate a debug output (off by default, see Sample.reg)
• Corrections and clarification in the documentation
• Automated build, test and release scripts

Next up ? I am not sure. I am thinking about a self-service application, like a companion product, and when I get that to work, find a way to integrate that concept with Aucun. Something like after N bad logon, you are redirected to the self service application.

Enjoy !

After a few lines in, I realized that I would be less work to order the tests in a way that would minimize the change to the configuration between any two tests. In other words, when a n+1 test case required a change to the registry, then the user group membership should not change, and vice-versa. That would also make it easy to investigate a failed test, because only one thing would change between any two tests.

Then it hit me.

Well actually, I had to stop and think for a while. Kind of like my mind restoring a dusty old tape archive… I remembered that mathematician Richard Hamming had a code for that. It’s a numbering scheme where only 1 bit changes between any two numbers. The number of bits that change is the Hamming distance between two numbers. Using four information bits to represent each possible use case, I came up with the following table. The first two rows (MSB, in blue) are user membership to a group, and the two last rows (LSB, in green) is the presence of that group in the registry. Ordering my tests that way gave me a constant Hamming distance of 1.

The only drawback to this is that all the typing I saved writing my test batch file, I wasted on this blog post !

Pretty neat, although I doubt a regular user will be able to make sense of any of that… In my case, it shows that from the last time I was online at home (IP 66.x.x.x) and the next time I was online at work (IP 199.x.x.x), there were only seven hours.

And yes, I took time to sleep, wake up the kids and have breakfast with them.

Time for coffee now !

I found a detailed explanation of the MSCASH format. Here is how you make your own MSCASH hashes to do close to reality benchmarks of your favourite password cracking tool.

The format is MD4(MD4(password) + username). password and username are in Unicode. In the explanation linked above, we have the classical "user" and "password" combination. Using notepad, type your password. Save the file using Unicode format. The first two bytes of the file will be FF and EF, a flag called the byte order mark (BOM). Delete them using an hexadecimal editor. It should look like this :

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000000  70 00 61 00 73 00 73 00 77 00 6F 00 72 00 64 00  p.a.s.s.w.o.r.d.

Now calculate the first hash with openssl, with a binary output :

openssl dgst -md4 -binary password.unicode.txt > md4.password

Type and save your user name in Unicode format, remove the BOM, and concatenate the Unicode user name to the first hash.

copy /b md4.password + user.unicode.txt md4.password.user

The file should look like this (the first 16 bytes is the md4 hash of the password) :

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000000  88 46 F7 EA EE 8F B1 17 AD 06 BD D8 30 B7 58 6C  ˆF÷êî.±...½Ø0·Xl
00000010  75 00 73 00 65 00 72 00                          u.s.e.r.

Now just hash that last file, again with openssl :

openssl dgst -md4 md4.password.user
MD4(md4.password.user)= 2d9f0b052932ad18b87f315641921cda

You can now use that MSCASH hash for your benchmarks. I hope you find it usefull. I might write a program in C to automate this, If I see good traffic on this post. Spread the word !

For example, this command line now works :

notifu /p Concatenate /p " this" /m "Hello" /m ", " /m "World"

Nothing is added to your parameters. If you want a space, you must add it.

Note to self : Got to fix my release script… A simple update takes longer to post online than to code !

notifu /m "\"Theo Est\" test@example.com"

Thanks to Sof for the heads up !

If you have access to security.xml and need to know the passwords it contains, compile and run this tool. It supports :

• Encoded passwords on the command line (as many as you like)
• Passwords piped in (default if no arguments are passed)
• With or without the leading {xor}
• It builds with Visual C++ and GNU g++ (tested with mingw32 version only)
• A crude but working parsing so you can pipe the result of a grep, like this :
  grep -i password security.xml | waspass

You can get the source from my Subversion server with this command :

svn co http://src.paralint.com/spikes/waspass/trunk waspass

I am also posting the full source inline, just to show off that cool javascript code parser I just installed…

#include <stdio.h>
#include <string.h>

// get those 2 functions from
// http://src.paralint.com/spikes/waspass/trunk/waspass/base64.c
extern "C" int base64_init(void);
extern "C" int base64_decode(char *d, unsigned dlen, const char *s);

int decode_password(char *encoded_password);

//Cass decode_password, reading from the command line or stdin
int main(int argc, char* argv[])
{
	printf("Reverses WebSphere XOR password encoding.\n");
	printf("http://www.paralint.com/\n\n");

	base64_init();

	//Should we parse stdin
	if(argc == 1)
	{
		char line[2048];
		while(!feof(stdin))
		{
			fgets(line, sizeof line, stdin);
			decode_password(line);
		}
	}
	//Or read encoded passwords from the command line ?
	else for(int i=1; i<argc; ++i)
	{
		decode_password(argv[i]);
	}

	return 0;
}

//Takes an encoded password like KzY4Oi0= and outputs the original password
//Supports minimal parsing: a password is the text between } and " (quote)
//either are optionnal and will be replaced by begining or end of line if
//missing
int decode_password(char *encoded_password)
{
	char *p;
	char encoded[1024];

	//naive remove the {xor} flag if present
	p = strchr(encoded_password, '}');
	if(p) ++p; else p = encoded_password;

	//naive truncate of the string
	strtok(p, "\"");

	printf("%s ", p);
	base64_decode(encoded, sizeof encoded, p);
	p = encoded;

	//stop at the trailing quote, allowing a brutal pipe from grep
	while(*p && (*p != '\"'))
	{
		putc(*p++ ^ '_', stdout);
	}

	printf("\n");

	return p - encoded;
}

To help with the rest, I made this chart.

The colors in that chart indicate operations that are related to each other. To put it in words:

• If you use a public key for encryption, you will use your private key for decryption.
• If you use a private key for encryption, you will use a public key for decryption

But most students need some time to reach the asymmetric cryptography enlightenment. When they do reach it, I have to convince them that it is not the silver bullet it looks like. I found that remembering this chart helps them cram study for an exam.

Hope this helps !