TS-509 Filesystem AES Encryption Passphrase

Discussion on setting up QNAP NAS products.
singeroi
First post
Posts: 1
Joined: Mon May 11, 2009 7:54 pm

Re: TS-509 Filesystem AES Encryption Passphrase

Post by singeroi »

thanks for the input.. very informative.. :)
simulation assurance vie
sontom115
First post
Posts: 1
Joined: Fri May 22, 2009 9:33 am

Re: TS-509 Filesystem AES Encryption Passphrase

Post by sontom115 »

this is an interesting discussion.. thank you for sharing :D

fiscalite assurance vie
marcmarc
Starting out
Posts: 20
Joined: Sun Jun 21, 2009 1:06 am
Location: Berlin & Frankfurt
Contact:

Re: TS-509 Filesystem AES Encryption Passphrase

Post by marcmarc »

Hi guys,

I am a newly Qnap owner, specifically the TS-239 Pro.
As I am using the encryption feature and I am also a security guy, I started to reverse engineer the qnap encryption implementation to ensure that the security is fine.

I have no clue why they make a big secret of how it works. its actually simple.

sorry guys, this post included wrong information. please read the new post below




issue 1 - minor: A good way to generate random data is to use collect some time, mac, ip address, source port of the http connection to the web gui, etc., concatinating that and running it through SHA1-256. This is then a secure enough seeding of the random number generator which is to be used. then generate random data, but before this is used, run it again through e.g. SHA1-256. And the result of that hashing is then the key to be used.

issue 2 - major: After cryptsetup was called (or an error occured beforehand) the files are deleted ... by calling unlink(). This is bad. by debugging the filesystem or using forensic tools (e.g. coroners toolkit, autopsy/sleuthkit, etc.) it is possible to recover the files in /tmp/ and by that gain access to the encrypted filesystems!
This is a serious security issue.
And the solution so simple:
before unlinking, just do a _secure_delete(FILENAME)

and here is an example function:

void _secure_delete(char *filename) {
int fd;
char buf[128];

fd = open(filename, O_RDWR | O_SYNC);
memset(buf, 0, 128);
write(fd, buf, sizeof(buf));
fsync(fd);
close(fd);
sync()
fd = open(filename, O_RDWR | O_TRUNC | O_SYNC);
fsync(fd);
close(fd);
sync();
/* unlink(filename); // do it here or afterwards ... */
}

it just overwrites the first 128 bytes with null-bytes which is enough for this special application in a secure way.
ah, and I just coded it down from mind, so it might not compile directly for one reason or another ;-)
Last edited by marcmarc on Thu Sep 10, 2009 5:34 pm, edited 4 times in total.
11vie
First post
Posts: 1
Joined: Mon Jul 06, 2009 10:03 am

Re: TS-509 Filesystem AES Encryption Passphrase

Post by 11vie »

Really cool! thanks a lot for this one..



rachat credit
marcmarc
Starting out
Posts: 20
Joined: Sun Jun 21, 2009 1:06 am
Location: Berlin & Frankfurt
Contact:

Re: TS-509 Filesystem AES Encryption Passphrase

Post by marcmarc »

I sent the issue of course to the customer support and got this reply:
Good day, Thank you for your suggestion for our product.
We will plan to impprove the security of the implementation in next version.
so when the next version is out I will check the implementation again.
QNAPJackyC

Re: TS-509 Filesystem AES Encryption Passphrase

Post by QNAPJackyC »

Hi,

Thanks for your digging and suggestion for our product.

We had fixed this major problem.
And we plan to release this impprove the security of the implementation in 3.1.2 version.
B.R.

Jacky Chen.
HenrikAx
New here
Posts: 8
Joined: Wed Sep 02, 2009 8:32 pm

Re: TS-509 Filesystem AES Encryption Passphrase

Post by HenrikAx »

Hi,

As a new owner of a TS-239 (I'm still waiting for HD's to arrive), I was wondering if the security fix applies to the latest firmware version 3.1.1 Build0815?
I'm a bit confused about the firmware release date (2009/8/17), your post date (9/01), and "we plan to release".

Best Regards,
Henrik
QNAPJackyC

Re: TS-509 Filesystem AES Encryption Passphrase

Post by QNAPJackyC »

Hi HenrikAx,

Yes.
I think the security fix will apply to the latest firmware version 3.1.2.


Best Regards,

Jacky Chen.
HenrikAx
New here
Posts: 8
Joined: Wed Sep 02, 2009 8:32 pm

Re: TS-509 Filesystem AES Encryption Passphrase

Post by HenrikAx »

Hi Jacky

Thanks for the clarification.

BR,
Henrik
marcmarc
Starting out
Posts: 20
Joined: Sun Jun 21, 2009 1:06 am
Location: Berlin & Frankfurt
Contact:

Re: TS-509 Filesystem AES Encryption Passphrase

Post by marcmarc »

The change notes of the new image do not mention the fix.
either it was forgotten to put there (bad) or it did not make it in the new image yet (bad too).
i will check the implementation in the new image next week when I have time for it.
marcmarc
Starting out
Posts: 20
Joined: Sun Jun 21, 2009 1:06 am
Location: Berlin & Frankfurt
Contact:

Re: TS-509 Filesystem AES Encryption Passphrase

Post by marcmarc »

view here for an important update!
http://forum.qnap.com/viewtopic.php?f=11&t=18863
barba
First post
Posts: 1
Joined: Sat May 04, 2013 7:55 pm

Re: TS-509 Filesystem AES Encryption Passphrase

Post by barba »

I'm going to blow some air back into this discussion.

I _HAD_ a ts-509 for many years, however i have now sold it, but i still have my drives.

4*1.5 was used for a raid5, and a 1*1.5 tb drive was single drive, which was encrypted, there was never any encryption set on the raid devices.
So i put the 4*1.5 into my linux machine, assuming i would be able to mount md0, but it asks me for the luks key!

i tried entering the key i use in the webui but it didnt work.
I compiled crypt from crypt.c (however this gives me segfault?) but it returns an output when i use the qnap key together with my own key, but i cant unlock the volume anyway.

am i ** out of luck now?.
Post Reply

Return to “Turbo Station Installation & Setup”