This is an unedited version of the news item in Computer Fraud and Security Bulletin vol. 9 no. 6 (1987) pp. 1-3.
Martin Kochanski cracks Fortress
Martin Kochanski, a partner in a small Kent-based computer security software house, informs us that he has managed to decrypt Fortress, an access control package for PC-DOS and MS-DOS microcomputers that uses automatic encryption. Originally developed by RAM Software Ltd of Bradford, Fortress is marketed worldwide by leading chartered accountants Deloitte Haskins & Sells (see "RAM signs development agreement with Deloitte Haskins & Sells" in the September 1986 issue of Computer Fraud & Security Bulletin).
Martin Kochanski published a paper in the specialist US journal Cryptologia in January 1987 describing how he decrypted five security packages - Borland's SuperKey, Janus Sovereign's Padlock, Stralfors' PC III (these three available in the UK), K+L Software's N-Code (US), and BCS's Crypt (West Germany).
Kochanski gave further details in the January 1987 issue of UK computer magazine PC User. His credentials are excellent: he has written a security product which his company, Business Simulations Ltd, markets under the name "Ultralock". Kochanski is a talented programmer and mathematician and another of his products, Cardbox, has been an industry standard database for several years. He carries out tests of selected security systems as part of a market evaluation process.
Fortress uses encryption as the bottom layer of its access control feature. All files are automatically encrypted when they are placed in Fortress. Other features are: user access profiles - each user has his own menu of tasks which only he can access through his ID and password; supervisor functions - users' activities and attempted break-ins are logged and users are required to change their passwords at irregular intervals. Kochanski describes Fortress as the weakest security package he has seen so far. However elaborate a package's use of passwords, if the encryption is not secure, then someone can read the disk.
Breaking into Fortress was quite simple. Kochanski created a file containing nothing but zeros. He then used Fortress to encrypt the file, and analysed the pattern in the digits and letters Fortress had turned his file into. He then spent an hour working out the algorithm used by Fortress and another hour writing the program which broke into Fortress and decrypted his file. Kochanski added that his program could be used to decrypt a data disk without a Fortress password. "Fortress of course is not supposed to let you in without a password."
Like the other security packages mentioned in this article, Fortress will prevent the casual observer (say an office colleague) from powering up your PC and reading a file. He would see garbage and probably give up. In their documentation, Deloittes admit that Fortress can be cracked as "no security system is 100% tamper-proof". The purpose of Fortress is to provide a reasonable level of security, as commonly obtainable on mainframe machines. The company admits that "the dedicated and skillful fraudster will always break a security system, provided he has enough time and machine power available. If information on file is highly sensitive, then appropriate physical security measures must complement the security software".
Deloittes' Phil Canning says that Kochanski's claim to have cracked Fortress is rather like someone locking himself out of his own house and then using a sledge-hammer to break down the door. Kochanski obtained a copy of Fortress, used his own PC, and created the source document which he encrypted. Thus it was much easier for him to break the code than it would have been for someone stealing an encrypted data disk from an organization. Effectively, Kochanski has broken into his own system, says Canning. The algorithm is only part of the security provided by Fortress, Canning adds. If the access control system is set up properly, a hacker would not get anywhere near the algorithm. Moreover, if users are unhappy, Deloittes can put in a new algorithm as no algorithm is going to remain unbroken for ever.
In Fortress, the password is a key and is not stored on disk. Canning explains, "You can't scan for it". Most encryption packages encrypt the files but not the directory: Fortress encrypts both, says Canning. He stresses that security is an overall environment and not just a piece of software.
Martin Kochanski has sent us this reply to Phil Canning's comments:
1. He stresses that his program will work on any copy of Fortress, not just his own copy (each copy of Fortress has a unique set of code built into it);
2. "If you think it is worth buying Fortress to protect your files, a thief may think it is worth buying Fortress to attack them";
3. Kochanski's program deduces the key from the data stored on the disk: it does not have any key programmed into it;
4. The algorithm is the foundation of whatever security Fortress provides. A security system cannot be more secure than its foundation;
5. Fortress's encryption of directories makes breaking into an encrypted disk much simpler than it would have been if only the files had been encrypted.
In the May issue of Computer Fraud & Security Bulletin, we will publish detailed replies from both Martin Kochanski and Phil Canning.