2011-03-25

Data Sanitization

I found some interesting materials on the topic of data sanitization:

Magnetic Media - (Peter Gutmann - oldies but interesting):
- note the old drives, low density, MFM/LCC - able to recover complements by oscilloscope reading
- read the epilogue - the 35-pass "voodoo" overwriting scheme is not necessary for modern drives, random data would do the trick

Semiconductors (Peter Gutmann - SRAM, DRAM, EEPROM, FLASH ...)

And recommended tools :D by Peter:

Data remanence
- Feasibility of recovery

Microscopy of HDD data
- micro imaging would take at least weeks on today's high-density, high-volume drives

-------------

DoD 5220.22-M NISPOM
8-306. Maintenance - Clearing and Sanitization Matrix
d. Overwrite all addressable locations with a character, its complement, then a random character and verify. THIS METHOD IS NOT APPROVED FOR SANITIZING MEDIA THAT CONTAINS TOP SECRET INFORMATION.
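
The character / complement / random-character sequence with verification quoted above, sketched in Python as an added example (not from NISPOM or the linked material). It runs against a constructed image file; the 0x55 pattern, the function names and the reading of "random character" as one random byte value repeated over the whole pass are assumptions, and on a real drive anything outside the addressable range (such as the HPA and DCO areas listed under "Additional topics") is not reached by this kind of overwrite.

```python
import os
import tempfile

CHUNK = 1 << 20  # write and verify in 1 MiB chunks


def write_and_verify(path, size, value):
    """Fill the file with one byte value, sync it, then read back and compare."""
    with open(path, "r+b") as f:
        for offset in range(0, size, CHUNK):
            f.write(bytes([value]) * min(CHUNK, size - offset))
        f.flush()
        os.fsync(f.fileno())  # push the pass out of the page cache before verifying
    with open(path, "rb") as f:
        for offset in range(0, size, CHUNK):
            want = bytes([value]) * min(CHUNK, size - offset)
            if f.read(len(want)) != want:
                return False
    return True


def three_pass_overwrite(path, char=0x55):
    """Character, its complement, then a random character; verify after each pass."""
    size = os.path.getsize(path)
    passes = [("character", char), ("complement", char ^ 0xFF),
              ("random", os.urandom(1)[0])]
    report = []
    for name, value in passes:
        ok = write_and_verify(path, size, value)
        report.append((name, value, ok))
        if not ok:
            break  # failed verify: do not treat the media as sanitized
    return report


def demo():
    # Constructed sample: a small "disk image" file holding a marker string.
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(b"SECRET-RECORD " * 1000 + os.urandom(2 * CHUNK + 123))
        path = f.name
    try:
        report = three_pass_overwrite(path)
        with open(path, "rb") as f:
            leftover = f.read()
        return report, b"SECRET-RECORD" in leftover, len(leftover)
    finally:
        os.remove(path)
```

Calling demo() returns the per-pass report, whether the marker string survived, and the image size; the per-pass report is the kind of record an audit would ask for.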

AR380-19

Degausser for HDD - maybe we could use one for broken drives:
http://www.mediaduplicationsystems.com/Degausser_Hard_Drive_Degaussers_s/103.htm
http://www.datalinksales.com/detail/Model%201100.html/1100%20degauss%20wand

Additional topics:
HPA and DCO protected areas on ATA drives

-------------
My personal conclusions:
Working drives:
- even one verified zero overwrite of the drive should be good enough for "For Internal Use" data.
- actually this is what "ATA Secure Erase" does
- even one random data overwrite of the drive should be good enough for pretty much everything
- I find it highly non-economical to invest so much money and effort to read overwritten data
- DoD 5220.22-M with 3 overwrites - to be on the safe side for audits


Broken drives:
- if suffering from bad blocks, "ATA Enhanced Secure Erase" still might help - although no fancy logs or reports of results
- hammer and drill are your friends :) for completely non-working discs
- I was surprised that HDD degaussers are quite affordable

2011-03-02

Using Java keytool to import a private key into a JKS Java keystore

I got a question about how to import a private key into a JKS keystore.
According to some resources it is not possible with standard tools.

The answer is to use the -importkeystore option of the Java keytool. Keytool allows conversion between the different keystore types which are currently known to your Java virtual machine.
For example, you can import a key and certificate from PKCS12 format (extensions .p12 or .pfx in the Windows world).

keytool -importkeystore -srckeystore server.p12 -srcstoretype pkcs12 -destkeystore server.jks -deststoretype jks


If you have the key and certificate in PEM format, you can easily convert them to PKCS12 with openssl:
# Join the key, the certificate and the certificates of the certification authority into one file
cat server_key.pem server_cert.pem server_cacert.pem > server.pem
# Convert to PKCS12
openssl pkcs12 -export -out server.p12 -in server.pem



Relevant links:
http://download.oracle.com/javase/1.3/docs/tooldocs/win32/keytool.html
http://www.herongyang.com/crypto/Key_Formats_PKCS8_PKCS12_4.html
http://mindprod.com/jgloss/keytoolexe.html#EXPORTING
http://www.agentbob.info/agentbob/79-AB.html