Monday, 2 April 2012

Military grade data protection

[Image: Garibaldi biscuits]
Have you ever been impressed by software that claims to offer military-grade protection?

It's fairly common practice for disk wiping and encryption software to make such claims. But what does 'military grade' actually mean?

The short answer is, it doesn't really mean anything.

At best it could mean that, at some stage in the past, a military organisation has approved the use of an item. This could be an encrypted USB drive or a packet of Garibaldi biscuits (aka Biscuits Fruit AB).

Another possibility is that the military has some standards in place, to which all equipment that it uses must comply.

Bullets are one good example. The British Army uses a standard-sized bullet that works in its regular rifles and machine guns. In fact, this ammunition is compatible with the US Army's M16 rifle and with other weapons used by NATO countries.

File/disk encryption

The sort of software and hardware that consumers have access to is not equivalent to the high-end equipment that the military uses for important tasks.

However, even specialist chips are not invulnerable, so 'military-grade' does not mean uncrackable.

Disk wiping

One classic claim made by disk wiping software is that it conforms to the Department of Defense's standards for data sanitisation. In fact you may often see reference to an impressive-looking 'standard' called DoD 5220.22-M.

This claim has always been fairly meaningless and, since mid-1997, it's been entirely irrelevant. Here's why:
  1. Not all data is equally sensitive. Highly secret data is treated quite differently to that which is less important. DoD 5220.22-M doesn't cover a specific security level of data.
  2. An old standard is not necessarily the best practice today. It possibly wasn't even that great an idea when it was first formalised. Governments and the military do not always use the best equipment on the market.

Governmental organisations may have to destroy disks physically if they contain certain levels of sensitive data. In less sensitive cases they may use strong magnetic fields to wipe data. Currently PC software is unable to achieve either of these goals.

Imagine you see an advert for disk-wiping software that promises military-grade data destruction. It invokes DoD 5220.22-M to support its claim. It's fair to assume that if the US Department of Defense has formalised a standard, and if this software conforms to it, then its users would be about as secure as anyone in the world.

This is an incorrect assumption.

Disk wiping software overwrites data one or more times to make it hard to recover. Before June 1997 DoD 5220.22-M supported this technique as a valid one - although it didn't specify whether or not this was appropriate for secret or unimportant files.

After June 1997 the only supported methods of disk sanitisation were the use of magnetic fields or physical destruction. If you download the current DSS Clearing and Sanitization Matrix you'll see that magnetic disks must be degaussed (a/b) or physically destroyed (l).

An example

There are plenty of developers that market their tools in this rather misleading way. I'll demonstrate this using LSoft Technologies' Active@ KillDisk, but there are plenty of others that do the same.

[Possibly the most honest I've seen is the Linux utility scrub, which has documentation including caveats.]

The KillDisk site claims that:

"If you use FDISK, FORMAT utilities, or DELETE standard operating system command for data removal, there is always a chance to recover deleted files (using undelete or unformat tools) and use against the owner's will."

Directly under this correct statement is this line:

→ DoD 5220.22 M compliant ←

The clear implication is that by using this tool you remove the aforementioned chance of data recovery.

The above link leads to an outdated Clearing and Sanitization Matrix, which permits the use of overwriting on magnetic disks when sanitising. It does, however, note that:
On another page the site lists some useful definitions, without providing any context:

3 - US DoD 5220.22-M

The write head passes over each sector three times. The first time with zeros (0x00), second time with 0xFF and the third time with random characters. There is one final pass to verify random characters by reading.

4 - US DoD 5220.22-M (ECE)

The write head passes over each sector seven times. The first time with zeros (0x00), second time with 0xFF and the third time with random characters, the fourth time with 0x96, and then first three passes repeated again. There is one final pass to verify random characters by reading.
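To make concrete what the two pass schedules quoted above actually do to the bytes on disk (and what the "final pass to verify" checks), here is an added example. It is not LSoft's code and not taken from the post: it transcribes the three-pass and seven-pass (ECE) schedules into Python, overwrites an ordinary file in place once per pass, then reads the file back and compares it against the last pass. The function names, the seeded-PRNG approach to regenerating the random pass for verification, and the sample file contents are this example's own assumptions.

```python
"""Multi-pass file overwrite following the quoted DoD 5220.22-M schedules.

Added example (not the vendor's code). It shows what the pass schedules
write and how a read-back verify works. It also shows the limit the post
is making: the code can only reach blocks the OS lets it address.
"""
import os
import random
import secrets
import tempfile
from typing import List, Optional

# One entry per pass. A single byte means "fill every sector with this
# value"; None means "fill with random bytes". Transcribed from the two
# definitions quoted above.
DOD_3_PASS: List[Optional[bytes]] = [b"\x00", b"\xff", None]
DOD_7_PASS_ECE: List[Optional[bytes]] = [b"\x00", b"\xff", None, b"\x96",
                                         b"\x00", b"\xff", None]

CHUNK = 64 * 1024  # bytes written per write() call


def _pass_rng(seed: int, pass_index: int) -> random.Random:
    # The random pass is produced from a per-run seed plus the pass index,
    # so the verify step can regenerate exactly the same bytes without
    # buffering the whole file. Unpredictability of the bytes is not a
    # security property here; the point is that they are not the old data.
    return random.Random(seed + pass_index)


def _block(pattern: Optional[bytes], rng: Optional[random.Random], n: int) -> bytes:
    return rng.randbytes(n) if pattern is None else pattern * n


def overwrite_file(path: str, schedule: List[Optional[bytes]]) -> dict:
    """Overwrite `path` in place once per schedule entry, then verify.

    Returns {"passes": n, "verified": bool, "size": bytes_overwritten}.

    Caveat (the post's point): only the logical blocks of this file are
    touched. Remapped bad sectors, SSD spare blocks, filesystem journals
    and old copies left by copy-on-write are not reached, which is why
    degaussing or physical destruction is the answer for sensitive data.
    """
    size = os.path.getsize(path)
    seed = secrets.randbits(64)  # fresh seed for this sanitisation run
    with open(path, "r+b") as f:
        for i, pattern in enumerate(schedule):
            f.seek(0)
            rng = _pass_rng(seed, i) if pattern is None else None
            written = 0
            while written < size:
                n = min(CHUNK, size - written)
                f.write(_block(pattern, rng, n))
                written += n
            f.flush()
            os.fsync(f.fileno())  # push this pass through the OS cache

        # Final read-back pass: does the file now hold the last pass?
        last_i = len(schedule) - 1
        last = schedule[last_i]
        rng = _pass_rng(seed, last_i) if last is None else None
        f.seek(0)
        verified = True
        read = 0
        while read < size:
            n = min(CHUNK, size - read)
            if f.read(n) != _block(last, rng, n):
                verified = False
                break
            read += n
    return {"passes": len(schedule), "verified": verified, "size": size}


def demo() -> dict:
    """Constructed input: a throwaway file holding a recognisable 'secret'."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        with open(path, "wb") as f:
            f.write(b"SECRET PAYROLL DATA " * 5000)  # 100000 bytes
        result = overwrite_file(path, DOD_3_PASS)
        with open(path, "rb") as f:
            result["secret_gone"] = b"PAYROLL" not in f.read()
        return result
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(demo())
```

Running `demo()` reports three passes, a successful verify and that the original text is no longer present in the file. Swapping in `DOD_7_PASS_ECE` gives the seven-pass variant. Note what the verify actually proves: that the bytes the OS hands back match the last pass. It says nothing about data in sectors the drive has silently retired or in spare flash blocks, which is the gap the post is describing.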
So what should you do?

If you want to wipe your hard disk before selling it, then a disk wiping program is probably good enough. However, if it contained data that you never, ever want anyone to discover then destruction is the only real answer.

If you want to destroy the data on a hard disk, so that it can never be recovered, you might want to explore the following options:

Destroy the platters:

Destroy the entire disk: