To meet these requirements, I use a combination of Dropbox (http://www.dropbox.com), Keepass (http://keepass.info/), and Truecrypt (http://www.truecrypt.org/). I use Dropbox as a portable ‘Program Files’ directory where I install portable versions of Keepass and Truecrypt. This allows me to have my ‘Program Files’ directory replicated on all systems where the Dropbox client is installed (for backup purposes, I usually have my Dropbox account synchronized to 2 different systems).

I use Truecrypt to create an encrypted partition on the USB drive (using AES for encryption and HMAC-SHA-512 as a hash algorithm). The volume key used to encrypt/decrypt the partition is then stored as a password in my Keepass database (which is also stored in my Dropbox).

As long as the Dropbox is synchronized between my test systems, switching from one system to the other is as simple as plugging the USB drive in and launching Truecrypt/Keepass from my Dropbox.

Here’s my step by step instructions to replicating this setup on a Windows XP/Vista/7 system (I assume you already have Dropbox installed on your system):

1. Create a ‘Programs’ directory in your Dropbox folder. In this folder, create 2 subdirectories, ‘Keepass’ and ‘Truecrypt’.
2. Copy the portable versions of these programs into their respective folders (Truecrypt does not have an explicit ‘portable’ distribution, rather download the setup file here and choose the ‘Extract’ option when running the setup, Keepass on the other hand provides a portable version that can be downloaded here).
3. Launch Keepass and create a new password entry for the portable drive. I suggest using the Password generator function to generate the password. Note that since this password is used as an encryption key, I recommend selecting all available characters for generating the password and using the maximum key length (64 characters).
4. Plug in the portable USB drive that will contain the encrypted partition (note: this has only been tested with USB hard drives; I have not tested this with smaller USB flash drives).
5. Launch TrueCrypt and use the ‘Create Volume’ button to launch the new volume creation wizard. I recommend writing down the path to the volume being created to make it easier to mount later. For my personal setup, I chose to create a regular (non-hidden) partition using AES and SHA-512 for encryption and as a hash algorithm. When prompted for the volume password, use the password entry created in Keepass.
6. The volume is now created!

To actually mount the encrypted partition, start Truecrypt and select an available drive entry. Select the encrypted volume from the Volume list then click ‘Mount’. When prompted, enter the password from the Keepass password entry.

Note that regardless of which system was used to create the encrypted partition, you can mount it on any other system as long as you have access to Truecrypt and your volume password.

In cryptography, this problem is referred to as ‘data integrity.’ Cryptographic systems solve this problem by creating a representation of the information that is unique. This representation is referred to as a ‘hash’ (or checksum). A good way to think of a hash is as a digital fingerprint that looks totally different for each set of data that it represents. Functions that are used to create hashes from information are called hash functions. There are a couple of important points about hash functions:

• The result of the hash function MUST be unique for each message that it processes. That is, you should never be able to get the same result from a hash function if you feed in two different messages.
• The result of the hash function MUST not look anything like the message that it processed.
• It MUST be impossible, given the result of a hash function, to determine what the original message was.
• The result of the hash function is usually smaller than the message that it processed.

If you wanted to exchange a message with another person and be sure that the message hasn’t been changed along the way, you could use a hash function as follows:

1. Create a message.
2. Feed that message into a hash function.
3. Send the message to the recipient along with the hash.
4. The recipient feeds the message into the same hash function used by the sender.
5. The recipient compares their hash with the sender’s hash. If they are identical, the recipient is sure that the message wasn’t changed.

Of course this exchange isn’t secure as the hash could be changed in transit as well, but it illustrates how such a system works. I’ll explain how to make this exchange secure in a future post. To find out more about the basics of hash functions, read more.

So, how exactly do hash algorithms work? They work by mixing and mashing the messages being hashed. The mixing and mashing is done by dividing a message into a set of chunks. These chunks are then mixed together using math operations (this step varies greatly depending on the hash function being used).

Here’s an example of a very simple hash function. In this function, note that letters are represented using numbers (ASCII codes, so A=65, B=66, C=67 … Z=90). Note that when using ASCII characters to represent numeric values, you have to have numeric values in the range of 65 to 90 in order to be able to print them as characters.

• Divide your message into sets of 8 letters. If the number of letters in your message is not evenly divisible by 8, add as many ‘i’s to your message as needed to make it divisible by 8 (this is called ‘padding’).
• Replace the letters with numbers (ASCII values which can be found here).
• Now, arrange the sets of 8 numbers in a vertical column; ex. if your message has 24 letters, you should have 3 rows of 8 numbers arranged in a column.
• Starting at the top row, add the first number in the first 2 rows together. Since this number is going to be larger than 90, we need to do a little more math to make it fall in the range of 65 – 90. So we will take this sum and divide it by 26. This will ensure that the number is in the range of 0 – 26. Next, we’ll take this remainder value and add 65 to it. This way, we can be sure the final value will be in the range of 65 – 90. This final value then becomes the first value in a new row. Repeat this step for all of the characters in the first two rows.  (For readers of my previous post on clock arithmetic, this calculation is just modular arithmetic, specifically we are calculating the value mod 26).
• The new row that you’ve created now replaces the first 2 rows. Repeat the previous step until you’ve added all the rows together.
• The final row that results from doing these operations represents the hash value for the message.

Here’s an example where I calculate the hash of the value “walter goulet is here”

The message “WALTER GOULET IS HERE” looks like this encoded in ASCII (the value 32 is a space character.)

87 65 76 84 69 82 32 71 79 85 76 69 84 32 73 83 32 72 69 82 69

Note that there are only 21 characters in this message, so we need to add 3 “I”s to the end for padding. The ASCII code for ‘I’ is 73. So, the padded message looks like this:

87 65 76 84 69 82 32 71 79 85 76 69 84 32 73 83 32 72 69 82 69 73 73 73

Next, we break the message into sets of 8 numbers:

1. 87 65 76 84 69 82 32 71
2. 79 85 76 69 84 32 73 83
3. 32 72 69 82 69 73 73 73

Now, we add rows 1 and 2 together by adding each number in the same position together, dividing it by 26 to get the remainder, and add the value ’65′ to the result. Let’s perform this operation on rows 1 and 2:

87 + 79 = 166; 166 / 26 = 6 remainder 10; 10 + 65 = 75

65 + 85 = 150; 150 / 26 = 5 remainder 20; 20 + 65 = 85

and so on for each number in rows 1 and 2. The new row, after repeating this for each number, becomes

75 85 87 88 88 75 66 89

The new row is then added to row number 3 above using the same process.

1. 75 85 87 88 88 75 66 89
2. 32 72 69 82 69 73 73 73

After repeating this operation, the new row is:
68 66 65 79 66 83 74 71

After replacing these numeric values with their letter values, the final result is:
D  B  A  O  B  S  J  G
This value is our hash value for the message “WALTER GOULET IS HERE”.

As an exercise, try changing a letter in the original message. You’ll see that when you do, the final hash output will change as well. Note that this toy hash function isn’t nearly as strong as real hash functions used in security technologies, but the basic ideas are the same

For interested readers, here’s a Ruby program implementing the hash function described above. Play around with different messages to see how the hashing works and to spot potential problems from this simplistic hash function.

#!/usr/bin/ruby -w

msgstr = String.new(ARGV[0])

msgarr = Array.new

arrindex = 0

msgstr.upcase!

# Pad the input message string if it's length is not divisible by 8

if((numchar = msgstr.length.modulo(8)) != 0)

        padchars = 8 - numchar

        padchars.times do

                msgstr = msgstr + "I"

        end

end

# Break the message into 8 character (or byte) words

strsize = msgstr.length

while(strsize > 0)

        if(strsize.modulo(8) == 0)

                msgarr[arrindex] = msgstr.slice!(0..7)

                arrindex = arrindex + 1

        end

        strsize = strsize  - 1

end

# Add the rows

while(msgarr.length > 1)

        row1 = msgarr.shift

        row2 = msgarr.first

        0.upto(7) do |x|

                row2[x] = ((row1[x] + row2[x]) % 26) + 65

        end

end

print msgarr.first

print "n"

Another simple way to think of modular arithmetic is clock arithmetic. Consider the problem when you are looking at an analog 12 hour clock. You need to figure out what time it is going to be 7 hours from now. If the current time is 3 o’clock PM, you add 7 hours and end up with 10 o’clock PM. But, what if it’s 8pm? You don’t simply add 7 hours as there is no such thing as 15 o’clock pm. Instead, when you pass 12 o’clock AM, you restart your counting. So 8 o’clock PM + 7 hours = 12 o’clock AM + 3hrs = 3 o’clock AM.

So what does clock arithmetic have to do with security? Going back to our original sequence of numbers, notice that you cannot possibly determine that these numbers all represent the same mathematical value without having a key piece of information, the modulo value (which in this case is 12). When you think about it, this property is useful from a secrecy perspective because you have 2 pieces of information that have a common value, but you can’t tell what that common value is unless you know some other information. This basic property of modular arithmetic forms the basis of many of the key negotiation and encryption algorithms in use today.

So, for fun, here’s a simple cryptosystem (secure enough to keep your 10 year old little sister from reading your journal) that uses this property. Note this cryptosystem doesn’t authenticate the two parties, but it at least allows them to exchange a pair of secret keys no matter who is listening.

• Alice and Bob want to exchange a secret message, but they can only talk to each other over an open communication channel.
• Beforehand, Alice and Bob agree to use the current time as the modulo value for determining the secret value. For example, if the current time is 4pm and Alice and Bob want to agree on a secret key, they will divide their values by 4. Note that the method they are using for choosing a modulo value must remain secret for this system to work.
• Alice sends her value to Bob in an open channel. Bob calculates the value she sent modulo the current time. The result is Alice’s encryption key.
• Bob sends his value to Alice again in an open channel.
• Alice calculates the value she got from Bob modulo the current time. The result is Bob’s encryption key.
• Now, Alice and Bob can communicate securely using each other’s encryption key to encrypt messages being sent back and forth (using some pre-determined encryption algorithm).

To see the system in action:

1. The current time is 9pm.
2. Alice picks a value of 84.
3. Bob picks a value of 1156.
4. Alice and Bob send a message to each other via a open channel (normal phone call, ads in the newspaper, or even yelling at each other in a park!).
5. Alice get’s Bob’s value of 1156 and calculates 1156 / 9 = 128 remainder 4. 4 is Bob’s encryption key.
6. Bob get’s Alice’s value of 84 and calculates 84 / 9 = 9 remainder 3. 3 is Alice’s encryption key.
7. Now Bob and Alice can encrypt their messages using their respective encryption keys.

The real beauty of this type of system is that no matter who learns the values that Alice and Bob selected in steps 2 & 3, they will never be able to figure out how they are related without knowing what the modulo value is. In a future post, I’ll expand on this a bit more to show how modular arithmetic is used in non-toy cryptosystems.