Contents: (Back to The Far Horizon Site)
Welcome
How KOH works
What KOH works with and what
it doesn't work with
Installing KOH
Maintaining KOH on your system
Is KOH really that secure?
How can I get the sources, or an original
distribution CD?
Distributing KOH
-------------------------------------------------------------------------------
Welcome (Back to Contents)
Welcome to KOH Version 2.0, the world's
best full-disk encryption system. It's
FREE and FANTASTIC!
Unlike other encryption systems, KOH offers true full disk encryption. Using KOH,
* You can hide all of your personal data.
* You can hide the operating system files and all program files.
* You can hide all of your file names and all of the directory structures and information which the operating system uses to keep track of your data.
* You can hide your boot sector, the master boot record and partition table.
* You can even hide the actual encryption code and algorithms you are using.
* You can use installable encryption subsystems that you write yourself. KOH is not tied to a particular algorithm, so you can select your algorithms according to your needs, and if your needs change, you can change.
* You can use multiple encryption algorithms at the same time for added security.
KOH accomplishes all of this by using technology first developed by computer virus authors in the 1990s. In some ways it acts like a computer virus, hiding in memory. It can copy itself like a virus too, but it doesn't ever replicate unless you ask it to.
Understand, however, that KOH is a technically advanced program that is for technically minded people who need hard-core security first and foremost. For this reason you should read this document before attempting to install KOH!
FAILURE TO READ THIS FIRST MAY LEAD TO LOSS OF ALL DATA ON YOUR HARD DRIVE!!
Not that KOH is a dangerous program . . . but running KOH and initially encrypting everything on your drive can take time . . . hours, even more than a day for a huge drive. What if the power goes out half way through the process? Or what happens if you enter your passphrase and promptly forget it.
Or what happens if a malicious program or piece of software overwrites your critical data for KOH after a month of use?
You can avoid problems by understanding how KOH works and what you are doing when you use it. Don't be a point-and-click dummy who refuses to read the manual.
-------------------------------------------------------------------------------
How KOH Works (Back to Contents)
KOH takes over the master boot record on your hard drive, and a small amount of space that is usually left blank on the drive, which lies before the first partition and where the operating system lives. Because of this, KOH is the first thing to execute after the BIOS startup routines when you turn your computer on. KOH then installs itself in memory and acts as if it were part of the BIOS.
KOH installs its encryption/decryption routines at this time and begins to encrypt and decrypt everything you asked it to when you installed it. Using KOH you can encrypt the whole hard disk, or a single partition, as you desire. If you install more than one encryption algorithm, KOH will automatically use the first algorithm to encrypt the second, the first and second to encrypt the third, etc.
Once KOH has set up shop, it loads the original Master Boot Record on your hard drive and executes it. That, in turn, loads the operating system and your usual environment. The difference is that KOH is in memory, decrypting every sector as it is read from your hard drive into memory. Your programs and operating system see nothing different from an unencrypted system, but if somebody gets hold of your computer, every sector of data on your hard disk is simply jibberish unless they have the passphrase you enter when you install KOH. When your programs write data to your disk, KOH is working silently in the background encrypting everything as it is written. If you ever find yourself in a critical situation where your security could be compromised, just turn your computer off. Everything on it is safely encrypted and no one can get at it without the passphrase.
-------------------------------------------------------------------------------
What KOH Works With and Doesn't Work With (Back to Contents)
KOH works well with all versions of DOS from various companies and with Windows 95, Windows 98 and Windows ME. KOH does NOT work with Windows XP and Windows Visa. This is due partly to Microsoft and partly to our choice.
Really, XP and Vista were part of the motivation for resurrecting KOH, which was originally written back in the 1990s pre-Windows era, and making Version 2. Back in the 90s Microsoft chose to invent and promote Windows in order to accommodate the many people who were not very computer literate. Now, in the 21st century they seem intent on making everyone into a point and click dummy who doesn't or can't understand the inner workings of the machine and leaves the details to the big M. One of those "details" is what the machine is really doing on a network. Plainly speaking, the newer Windows operating systems are inherently insecure. There have been many allegations of back doors in these operating systems. And they have "front doors" that continually seek to access the internet and send information to Microsoft.
It would seem that Microsoft is at present the world's one great monopoly that operates with the blessing of the US government. One might wonder why. Obviously, if there were back doors, Microsoft's universal operating system would be a great boon to information mining by government officials who had the keys to that back door.
More and more the world seems headed toward a paradigm of computer security that basically goes like this: "Good people can trust Big Corporations and Big Government. Your private information is safe in big brother's hands. He wouldn't hurt you if you are good. Only bad people - drug dealers, terrorists and tax evaders - want to hide things from their noble leaders."
Puke. The basic assumption behind KOH is that your data is your own. You and you alone can control who can see it or use it. In the history of the world, all of the greatest criminals have always been government leaders and their henchmen. They commit the atrocities that are told down through the ages. They clothe their darkness in light, and get millions of brain-dead, heart-dead idiots cheering as the stomp on the faces of the gentlefolk. A close second goes to the big companies that work for them. They are the first people you'd better hide things from. Don't think the world has changed for a new millenium. The twentieth century was the most brutal of all human history. The twenty first will be more brutal still. Already we live in a world where inadvertently making a copy of a movie or song that you weren't authorized to could get you ten years in prison - especially if they're out to get you for something else.
Okay, okay. Enough sermonizing. The bottom line is that if you want to use XP or Vista, I don't want to give you an illusion of security that isn't there. You may not like the new paradigm of computer security, but odds are whoever you buy a security program from is headed down this road. If they don't really know what's going on underneath Windows, then you can bet they've already made that compromise. And they can't know unless they've spent months pouring over the source code for Windows . . . source code which is Microsoft Top Secret.
The bottom line is, if you want security, (a) dump XP and Vista (and 2000 and NT for that matter), and (b) disconnect from the internet. If you need internet connectivity, use two computers, one "public" with internet connectivity and one "private" that is compartmentalized and off the internet.
-------------------------------------------------------------------------------
Installing KOH (Back to Contents)
To install KOH, you need only run the install program. If you are viewing this file from the KOH Boot CD, the install program will run automatically as soon as you finish viewing this file. The install program will ask you several technical questions about how you want KOH installed on your hard disk. Nothing will be installed until the very end, so if you make a mistake or think twice about something, just exit the installer at the end and start over.
After you read this section you may want to reboot your compter and study its configuration a little before installing KOH. You may also want to BACK UP YOUR COMPUTER!! KOH takes a long time to install and if the power fails or someone kics the plug, you could lose all of your data! Back up before installing KOH. Then, if your install is successful, destroy the backup because it is ia security compromise!
Let us go over the various options which the installer gives you, so you can answer its questions knowledgably.
Selecting A Drive
First, the installer will search your computer to see which hard drives are available to install KOH on. Generally speaking, KOH requires a hard drive that has Long Block Access (LBA). Most modern hard drives have this capability, but older drives may not. (Older drives can still use KOH Version 1.03.) The installer will provide you with a list of drives it has found and that it can install KOH on. The first step is to select which drive you want to use.
Note that hard drives on your system will be identified by a physical device number. These generally differ from the drive letters you are used to. Drive letters correspond to logical partitions, and you may have one or more drive letters being serviced by one physical hard disk. Generally speaking, Drive 0 corresponds to the C: drive, and possibly others. If you are unsure of your computer's configuration, you can generally examine it by going into the BIOS of your computer. Your computer's startup screen generally displays directions for getting there. Generally, you will want to install KOH on the boot drive, Drive Number 0. It must be run during the boot process if it is to encrypt and decrypt your data. However, you might install to another drive if you plan to move that drive in another computer, or if you boot from it sometimes using the BIOS boot menu in your computer.
KOH can also install on flash drives as long as the BIOS on your computer supports them.
Selecting a Partition or Whole Disk
Once you select a drive, the installer will ask you if you want to encrypt the whole drive. If you choose to encrypt the whole drive, then every partition on that drive will be encrypted. This may include multiple drive letters and even multiple operating systems.
If you choose not to encrypt the whole drive, KOH can instead encrypt a single partition. The installer will display a list of partitions which can be encrypted. Select one. (Generally your C: drive will be the first partition, and many drives today have only one partition.
Naturally it is best if you know your hard drives before you begin installing KOH. That way you will know exactly what you want KOH to do and how to tell it to do that.
Special Options for KOH
KOH provides two options for additional security. KOH always uses a virus technique called stealthing to hide itself from prying eyes. If you use a disk editor while KOH is running to examine the Master Boot Record, it will appear that KOH is not installed in your computer. The oroginal Master Boot Record will be seen sitting at absolute sector 0, just as it always does.
However, suppose someone boots your computer from another drive, or puts that drive in another computer, trying to gain access to your data. In this situation KOH can be seen sitting there on the disk. The whole partition where you store your data will be encrypted. However the information about where that partition is will be available for all to see. KOH allows you to encrypt even this partition information, so a snoop will have no idea where to even begin looking for something. This can help foil a brute force attack when the plaintext is thought to be known.
This added dimension of security has two parts to it, and you must enable both options here for it to work. The first option, hiding the Partition Table, sets KOH up so that no partition information is stored in the first sector of KOH, which gains control when the BIOS starts executing code from the disk. This sector cannot be encrypted, so the only way to hide the data is to eliminate it from this area.
You won't want to do this if you encrypt only one partition and then want to sometimes boot from another drive and use the unencrypted partition on the drive where KOH resides. Simply put, another drive won't be able to see the unencrypted partition.
The second step to this added dimension of security is to encrypt the original Master Boot Record. WHen KOH loads and sees that it is encrypted, KOH will decrypt it using your passphrase. Thus, when KOH is running, the Master Boot Record will still look completely normal and in the right place. But if someone trys to access it going around KOH, they won't be able to. It will just be jibberish.
Select Encryption Algorithms
Next, the installer will ask you to select encryption algorithms. KOH 2.0 makes it possible to use installable encryption algorithms. It reserves 10 sectors of space for these algorithms, and makes it possible to install more than one algorithm at a time. With the source for KOH, you can learn to write your own encryption algorithms too. You can even interface to a hardware encryption card to spped encryption up.
When you run the installer KOHINST, it will search the current directory for encryption subsystems, and display a list of them. To select an encryption subsystem just type the number associated to it. The installer will make sure you don't use too much disk space.
In KOH, the encryption subsystems aer made more secure by encrypting the subsystems themselves when you install multiple systems. The first subsystem will encrypt the actual code of the second and third subsystems, additionally, the second subsystem will encrypt the third subsystem, etc. In this way unauthorized persons will not even be able to find out what kind of encryption you are using without cracking at least part of it.
If you install only one subsystem, it will not be encrypted. That is certainly faster, and if you use a good algorithm it is still very secure.
On the basic install disk for KOH you will find the following encryption subsystems:
PR32SUB.COM - 32 bit pseudo-random number generator based encryption. This is a very simple and fast algorithm that is useful for demonstration purposes, and for when only a little bit of casual security is necessary. If you want to write your own subsystem, start with this as a base.
DESSUB.COM - Single 56-bit DES algorithm using the Cipher Block Chaining mode. This is much more secure. It is perhaps one of the most cryptographically analyzed algorithms around. Yet it can be cracked using very large computers dedicated to the purpose because it is only a 54 bit key. It was used by the US government from the 1970s to the 1990s.
3DESSUB.COM - 168 bit triple DES algorithm using the Cipher Block Chaining mode. This is still a very secure algorithm, and for all intents and purposes, uncrackable. It is, however, somewhat slow.
IDEASUB.COM - The 128 bit International Data Encryption Algorithm. This was developed privately and appears to be a very secure algorithm. This is a very fast implementation.
We hope to add more algorithms that are both secure and fast with time. If you develop one and wish to share it, please contact us at thefarhorizon.com!
Ordering the Encryption Subsystems
Finally, the installer will let you order the subsystems you have chosen, picking which one will be first, second, etc. This is important because the subsystems will encrypt one another. Thus you can decide which will be most visible and which least.
Writing KOH to Disk
After you have made all of your selections, the KOH installer will ask you if you are sure you want to install with configuration. If you choose yes, it will write KOH and the encryption subsystems to your disk. Up to this point, noting has been written, and you can back out without any trouble.
System Reboot and Encrypt
Once you have successfully run the installer, you must reboot your computer from the drive on which you installed KOH. KOH itself will then finish the installation process.
When you boot up, KOH will ask you if you want to encrypt the hard drive yet. Normally you should always answer this question yes. If you choose not to encrypt, and let Windows boot, then Windows or your anti-virus software may see KOH and attempt to destroy it. That's because until you finish the installation, KOH is not hiding itself from the operating system and user programs on your disk.
If you choose to encrypt, KOH will ask you two things. First, it will ask you to generate a sequence of random numbers by pressing keys randomly. To generate a good random number it is best to take your time and do this slowly. Next KOH will ask you for a passphrase. You can enter a passphrase up to 128 characters in length. Once this is done, KOH will proceed to encrypt the partition you chose, or the whole disk, as you selected during the install. KOH will display a progress indicator, the hex number of the sector being encrypted, so you can see how far it has gotten. Do not under any circumstances interrupt the encryption process once it has started. If you do, your data will be at least partially destroyed! You may want to make sure your computer is supplied with backup power from an Uniterruptable Power Supply while you encrypt so that a momentary power glitch will not damage it.
When KOH finishes encrypting the drive, it is completely installed and ready for use. Whenever you start up your computer KOH will ask for your passphrase. Without it, your data is safely encrypted. (So don't forget your passphrase!)
-------------------------------------------------------------------------------
Maintaining KOH on Your System (Back to Contents)
Once KOH has been installed in your computer, it will run without problems for years to come.
In view of the fact that KOH uss the Master Boot Record to load itself, it is possible that a computer virus that is designed to overwrite the Master Boot Record could damage KOH. This damage could be catastrophic if your cryptographic key, which is stored in encrypted form, gets overwritten. Accordingly, a utility program VPROTECT is included with KOH. VPROTECT makes a backup copy of KOH in its installed form on your computer. You should store this backup copy somewhere besides your encrypted hard drive for safety. In the event you have a problem, VPROTECT will also restore the backup copy to your computer. This backup copy contains nothing that is not already visible on your hard drive and it will not compromise your security in any way.
KOH itself has two hot keys to aid in maintenance of your system. Typing Ctrl-Alt-H will uninstall KOH from your drive, and typing Ctrl-Alt-K will allow you to change your passphrase. To avoid letting unauthorized personnel change things, KOH requires you to enter your passphrase in order to use these options. To use these options without visibility problems you should be in a text mode, such as at a full-screen DOS prompt, when you type them.
KOH can change your passphrase in a fraction of a second because it stores an encryption key in a sector on the hard drive, and encrypts it with your passphrase, but it is the encryption key, not the passphrase, that is used to encrypt every sector on your disk. The process of changing the password thus just requires one sector read and one sector write. This is important because at some time you may have to change your passphrase quickly. Just remember, Ctrl-Alt-K, "K" for KOH!
-------------------------------------------------------------------------------
Is KOH Really That Secure? (Back to Contents)
Although KOH is a state of the art encryption system with a lot of features not boasted by other programs, don't be lulled into throwing all of your security concerns on KOH. Only a live, wary human is capable of thwarting the threat of another intelligent human. KOH is one of your tools in keeping your information secure, but the buck stops with you, so to speak. If your data is compromised, you lose.
KOH could be attacked in a number of ways, and you must be aware of this. The simplest possible attack is via a network or the internet. When your computer is up and running, KOH will decrypt your data for anyone who requests it. If you run a program, the program will be decrypted, and the data that program works with will be decrypted when read, encrypted when written. However, if someone on the internet can get a program to run on your computer, KOH will decrypt the data for it too - and potentially allow that program to send all kinds of data to an enemy.
The only real defense against this kind of attack is to STAY OFF THE INTERNET! Have one computer for the internet, and keep your secure computer off. It's best not to even have a network card or modem of any kind in it.
The second possible kind of attack would be the installation of a password stealer or key stealer. These could even be installed in your keyboard. The best way to avoid such things is to insure the physical security of your computer.
Finally, realize that any program you run in your computer can do funny things. If you don't have the source code for it or you haven't studied that source in detail, you just really don't know. For example, an anti-virus program might scan memory and see KOH and decide to send an image of the memory - including your secret key - to the anti-virus company. Also remember that Windows is rumored to have all kinds of back doors.
In the end, you have to maintain tight control on your computer. Avoid the internet, avoid automatic downloads, and avoid strangers bearing gifts.
If you are concerned that the copy of KOH you have may be corrupted or compromised, then order an original CD from www.thefarhorizon.com.
-------------------------------------------------------------------------------
How Can I Get the Sources or an Original Distribution CD for KOH? (Back to Contents)
In the spirit of all the best cryptography software, the source code for KOH is available for inspection. Good cryptography gets better when people study it and loacate and address faults in it. We want you to get KOH, to study it, to attack it, and to tell us if you find any problems.
In the interest of maintaining control of the source code, we ask that you do not distribute source, but rather refer people to our website,
www.thefarhorizon.com
if they want copies of the sources, and an original distribution of the executables. At the website you may order a copy of the sources on CD and an original install CD, for a nominal fee. Understand that although KOH is free, a considerable amount of work went into building it - work that could have been devoted to more lucrative activities. As such, your support through buying source CDs helps to make further development possible. The author is also availble for consulting and programming jobs.
All of KOH's source is written in 80x86 assembler.
-------------------------------------------------------------------------------
Distributing KOH (Back to Contents)
We want to encourage the free distribution of KOH. It is our way of taking a stab at tyrrany and the looming police state. We only ask that you distribute it as a stand-alone CD or as the ISO file of the distribution CD, which is available at www.thefarhorizon.com.
Please pay us a visit sometime and send us our comments. We'd like to know how KOH is helping you!