East Stroudsburg University of Pennsylvania
Center for Computer Security and Information Assurance
The following cryptographic applications have been reviewed by the listed ESU students as part of the CPSC 460, Applied Computer Cryptography course.
I read Chris Mellor’s review of BeCrypt’s Disk Protect.He gave it an ok review, pointing out some major weaknesses. I think he might have been a bit too harsh in his criticism, and will explain why after I explain how DISK Protect works. What disk protect does is it gets a password from you , but does not use said password as the encryption key, it recieves an additional input for the key, which is 16 characters long. From then on, the program encrypts the entire filesystem, and performs authentication at an extremely low level environment, before Windows even attempts to begin booting. It asks you for your password, then uses that to decrypt an encrypted version of the 16 character key (ascii, so 128 bit key), and then uses said key to decrypt the filesystem (which is encrypted in AES), so that windows may start booting. Everytime a file is written or read encryption and decryption occurs This is very secure, because one cannot even access anything on the drive partition (filesystem), without having the password. Consider a normal PC Windows XP system. Even with a password on the account, someone can easily use OPHCrack to boot linux from a CD, and then brute force the password in 15 minutes, (on average, depending on password strength). This renders such a system quite vunerable. With DISK Protect installed, even if you booted with a CD into another operating system, you still would not be able to extract the SAM database for brute force cracking of Windows passwords, because the ciphertext, and the filesystem that points to it, would be in itself, ciphertext on top of that. This combined with the fact that if you guess more than 3 times, DISK Protect’s password, it digitally shreds the 16 char key, thus electronically “throwing away the key”. This makes the entire filesystem unreadable, and in effect, quickly digitally shreds the entire drive. For our legal case with Boucher v. DOJ, this tool would have been useful for him, so that he could just guess 3 times, and then the 5th Amendment no longer matters, because the key has been destroyed, and never entered his mind.
The major weakness of the software that Mellor points out, is that if a bug occurs where the filesystem is corrupted, you cannot even boot to a CD to re-install Windows, effectively “bricking” the entire hard disk. This I have trouble believing. Since this software installs only on the hard disk, and not on the EEPROM on the motherboard that contains the BIOS, how would one not be able to boot from a CD by changing the boot order in the BIOS. I think that Mellor is innacurate in this assessment, and it makes the software look worse than it actually is. Yes, a bug that makes you lose all your data would be catastrophic and undesireable, but that’s what backups are for. Bricking a hard disk, or an entire system sounds much worse, because it sounds like hardware is being damaged. This is untrue, you would never have a bricked hard disk from this software, you could always reformat, which is why I thought that Mellor was too harsh.
Mellor, Chris. “DISK Protect review.” TechWorld. 10 Jan. 2006. 29 Oct. 2008. http://www.techworld.com/storage/reviews/index.cfm?reviewid=363
Peltier, Justin. “BeCrypt Disk Protect.” SCMagazine. 1 Jan. 2007. 29 Oct. 2008. http://www.scmagazineus.com/BeCrypt-Disk-Protect/Review/171/
DESLOCK+ is a security service available at www.deslock.com.
DESLOCK is available for personal or business use and uses a USB token as the
key. The difference between the business and personal versions is that the
business contains an administrator override system that allows the
administrator to set the permissions on functions available to the user such as
the ability to create more keys or change the name of the token. DESLOCK uses up to a 64 bit key either in
software or on a USB token to encrypt and decrypt. The token also has a small
area on the disk for user data. DESLOCK
also has a secure deletion function similar to the windows trash can but uses
government-grade multiple-pass overwrites to destroy data. It also includes a tool to encrypt or decrypt
the contents of a text selection for use with email clients like outlook and
lotus as well as many others. DESLOCK has an icon in the windows bar for easy
access and hotkeys can be assigned to different functions, not using hotkeys
means the user has to navigate menus via the system tray icon.
The files are added to archives after encryption. This can be done by simply right clicking on a file and selecting the encrypt function and then either selecting to use a password or one of the keys. Folders can be encrypted in the same manner but also have transparency setting. Encrypted folders are fully accessible throughout the system as long as the key is present and can be configured to be hidden when the key is not present. Encrypted folders cannot be deleted unless the key is present. DESLOCK also gives the option to create encrypted volumes that can be mounted as a drive.
At this time DESLOCK is not available for systems outside of windows although there are plenty of other encryption protocols for Linux and Mac. There is also no service to use DESLOCK as a Windows login service but it seems like the next logical step since it uses two-factor security, using two different factors to authenticate.
DriveCrypt is a program that performs real time hard disk encryption. This is basically a way to protect data on your hard drive from users, even users that have permission to use the machine you have this data on. DriveCrypt is able to encrypt your entire hard drive including your operating system if you so chose. It also allows pre-boot authentication or USB token authentication at boot up. This program uses 256 bit AES encryption so it is very strong and secure. DriveCrypt works by decrypting information taken from the hard drive before loading it into memory and then encrypting it on the fly again before saving it back to the hard disk.
DriveCrypt also has a plus package available with more features. The “on the fly” encrypting and decrypting, or true real time encrypting and decrypting, is only available with this plus pack. There is no size limitation for encrypted disks with DriveCrypt; you can go as large as needed. This is basically the best drive encryption on the market and it has the most features. You can encrypt almost any kind of media that you wish; this is not just limited to the hard drive in the computer. You can also use this on USB sticks, other flash memory, ZIP disks, floppy disks, and many other disk types. DriveCrypt is completely transparent to the normal user. An administrator could have it running and the average user does not even need to know that it is there.
I found quite a few reviews on this product; not all were stunning. One review that I found says that DriveCrypt is deceptive because it advertises over 1000-bit encryption. Every character in the password that you enter apparently correlates to two to four bits of security. If this is the case you would need a 250-500 character password in order to get to that 1000-bit encryption that the product claims. It is not exactly false advertising because it is indeed possible, but it is deceptive. Another user also claims that there are bad support issues with this software and that on every upgrade they did that not a single one worked without some kind of problems. One other review commends this product and recommends it to any user that needs to have hard drive encryption on the fly. Over the five reviews that I read, three of them were bad and two of them were good. If I had to choose a good hard drive encryption software I would use TrueCrypt because it has better reviews and it is totally free because it is open source software.
GPG is a completely free version of openPGP. It is a command line tool, but there are a number of frontend applications built around GPG. GPG is used to encrypt and decrypt messages using a verity of different encryption methods. It can also be used for signing documents. There are currently two different versions of GPG available for Linux. One is the older standalone version 1.4.9, and the newer version 2.0.9, is a more enhanced version. GPG is not only for Linux. It is now available for Windows, and is packaged under the name Gpg4win.
It also has a number of great features. GPG has better functionality than PGP, as well as more security than PGP 2. GPG includes support for the decryption and verification of PGP 5, 6, and 7 messages. GPG also takes advantage of a number of encryption algorithms such as, ElGamal, DSA, RSA, AES, 3DES, Blowfish, Twofish, CAST5, MD5, SHA-1, RIPE-MD-160 and TIGER. The way in which GPG was designed allows for the ability to add new algorithms, by simply adding the new algorithms extension modules to GPG. The creators of GPG also included support for key and signature expiration dates, as well as HKP servers. Another great feature of GPG is that it’s not restricted to a specific language. GPG supports languages from English, German, and French to Russian, Japanese, and Turkish. The makers of GPG packed a lot of features into this small cryptography engine, and didn’t leave anything out. They even include support for S/MIME in version 2.0.9.
After GPG is installed, the user needs to complete a few simple steps before they can start sending secure messages. They first must generate their key pair which consists of their public key, and their private key. After entering the information needed to generate the keys the user is asked to continue using their system in order to create a more random key. The reason it’s more random is because GPG uses the user’s activities to help create a more random key. Once the keys are created the user can start receiving and sending secure data. In order for the user to receive encrypted message using their public key they must first export their public key, and place it on the web for others to use, or they can use a key server to distribute their key. In order to decrypt another person message the receiver of the message must first import the sender’s public key to their key database if they do not already have it. They are then able to read the message from the sender by decrypting the message. Now the two users are able to send encrypted messages back and forth without a problem.
GPG also allows users to sign public keys they receive. To sign a public key the user places their signature over the key. As a result, the user knows that this key is valid, and safe to use. GPG even works with a number of email clients including, but not limited to Mozilla (through the use of a plug-in), Kmail, Eudora, and Pine. This allows user to send encrypted email, and decrypt email as well. It also allows the sender to sign an email so that the recipient can verify that the message came from the real sender.
For a free encryption application GPG is one of the best out there and it is not restricted to only Linux, it works on Windows as well. GPG is a feature packed encryption program that couldn’t get any better considering it’s free.
Some of the benefits of SafeBoot are, protecting your data and your company, centralizing your security management, and prove compliance with less effort. Your company data can be protected by preventing access to unauthorized individuals. You can centralize your security management by implanting a uniform company wide data encryption policy. And last but not least you able to prove compliance with less effort by showing higher ups and stockholders that the privacy of the companies’ information is well protected.
Some of the features of SafeBoot are as follows: Full-disk, file, and folder encryption, strong access tables, synchronized password changes by transmitting passwords changes to all machines that the owner is connected to. In addition SafeBoot can easily be integrated with other existing infrastructure on your machines.
With full-disk, file and folder encryption you can apply
this product to your mobile phone. If
you accidently lost your phone in public, the person who finds the phone would
not be able to retrieve any data whatsoever from your mobile device. The same goes along with laptop computers.
The software also has wipe and lock features. The wipe and lock features allow the owner of the software to remotely connect to the specific device and either wipe it clean or lock the system up. Once the software is locked only authorized users would be able to access the data.
SafeBoot is not only about encryption, it’s about management of the encryption. The use of the software’s digital rights managements gives the ability of the system owner to be able to specify which individuals have access to certain encrypted data. This ability also allows the user to specify a specific amount of time the data is able to be viewed.
McAfee SafeBoot requires the following minimum system requirements, the operating system must be, Microsoft Visa, Windows XP, Windows 2000 or Windows 2003 Sever. As for hardware, SafeBoot minimally requires, 128 MB of RAM, 3-35 MB of hard disk space available, and TCP/IP for remote network access.
6. Microsoft Vista, MIKE GRIMA
Windows Vista is Microsoft’s latest version of the Windows operating system. With Windows Vista, Microsoft invested heavily on security features. One of the new major security features with regards to cryptography in Windows Vista is BitLocker. BitLocker is a feature of Windows Vista Ultimate, Vista Enterprise and Windows Server 2008. BitLocker performs encryption on the entire system’s hard drive. By encrypting the entire contents of a system’s hard drive, the data’s confidentiality is safeguarded against theft. BitLocker also provides an advantage as it does not place a heavy tax against the performance of the system. Generally, BitLocker will impose a single-digit percentage of overhead to the system.
Typically, a secured system would require a user to simply enter their password and log in. While this is effective at preventing an unauthorized user from logging into the running operating system’s session, it is entirely ineffective at preventing a user from using another operating system to examine the contents of the system’s hard drive. With strong filesystem encryption, this attempt can be thwarted. With BitLocker, logging into the system does more than just granting access, it unlocks the entire filesystem.
BitLocker does not just use one form of encryption. Indeed, it uses a combination of multiple encryption technologies, and works with Trusted Platform Modules (TPM) v 1.2. BitLocker is also flexible to the security needs of the user by featuring several different options for encrypting a system. On systems without TPM modules, the raw data of the filesystem is encrypted with the full volume encryption key using AES. The full volume encryption key is then encrypted with the volume master key using AES. Utilizing a TPM module, BitLocker can verify if the boot sector information was tampered with by another operating system. In the event that the partition was modified outside of the booted Windows environment, BitLocker will enter recovery mode, in which only a recovery key can be entered (this key is created during the initial BitLocker setup). If enabled, TPM can allow a user to enter a PIN number upon boot (shortly after BIOS POST). If this mode of protection is used, then the volume master key is encrypted with RSA encryption.
When a user enables BitLocker encryption to an unencrypted device, Windows will begin encrypting the drive at a rate of about 500MB per minute. Although the system remains useable during this process, it can clearly take some time to encrypt a large volume. Both sectors containing data and free space are encrypted during this process. Free space is encrypted because there can be remnants of file fragments on the free sectors of the volume. BitLocker encrypts the free space as a placeholder file to increase the efficiency of the initial encryption period. Once the free space is encrypted, that placeholder file is then deleted. During the initial encryption, the user can interrupt the power, or shut down the system. Upon resume, the system will begin encrypting the volume. When the volume is completely encrypted, data saved to the disk is pre-encrypted, so no future encryption is required.
7. New Media Security – NMS for PC, DAVE MARIANO
New Media Security is a company which produces encryption-based products for use with computers and PDA’s. For this article, I will be focusing on the computer based program offered by NMS. Currently, the most recent version available is 2.9. The program allows the end user to encrypt folders, files, hard drives, and even shared network drives. One of best features of the program is that it automatically encrypts Firewire and USB external devices such as flash drives, iPods, and external hard drives. The programmers of NMS know that external devices can easily be stolen and the data compromised, so they added automatic encryption to these devices. Another nice feature is that different security levels can be set on the encrypted data. Therefore, system managers or administrators can only give read access or other restricted access to the files at hand. This allows for greater control of the data by controlling the accessibility and confidentiality. In addition to these security features, NMS supports authentication by simple passwords along with fingerprint and token authentication.
One of the selling points for this product is the features it gives network administrators to manage and deploy NMS. The program comes with management tools that allow software deployment through a network along with the tools to manage user and security policies for the organization or company. In addition, a remote recovery module allows encrypted files to be recovered from locked accounts or when the passwords are forgotten.
The program allows the user to encrypt files easily and quickly. To encrypt a folder, the user just right clicks on the folder and clicks “Encrypt.” If the user chooses to encrypt subfolders and files, the user can choose the option “Include Subfolders”. If the user feels that a single folder is not secure enough, the user can right click on the hard drive located in “My Computer” and click “Encrypt”. By checking this option, all contents on the hard drive will be encrypted, therefore increasing the security of the system. Decryption can be done in the same manner by selecting “Decrypt” from the menu.
NMS for PC uses 128 bit 3-DES to encrypt the files. As one knows, 3-DES can perform encryption very quickly when implemented through hardware. Unfortunately, I was unable to obtain any more information pertaining to the encryption algorithms or methods.
One of the downsides of this software is that the user must be part of the “Power Users” or “Administrators” group on the local system. While this may not present a problem in a home environment, businesses or companies which push down policies for user groups may run into a problem. By working with a Windows domain, I know firsthand that all domain users are part of the “Users” group on the local system and they would not have the necessary rights to use this software properly. Companies and businesses may be reluctant to give users “Power Users” status as this would give the user more permissions on the system and possibly compromise the security of the network.
Looking at this software, I would say that NMS would be great software for home users or small businesses where user rights would not be an issue. NMS is very easy to use and offers a wide range of options for the user.
PGP Desktop is a combination of two products, PGP Email, and PGP Whole Disk Encryption which are designed to protect the confidentiality and integrity of data stored on a desktop or laptop computer while being transparent to the user.
PGP Desktop supports current versions of operating systems Windows Vista SP1, XP SP3, Server 2003 SP2, and MAC OSX. It supports a variety of authentication options (OpenPGP RFC 4880 keys and X.509 keys), messaging protocols (POP3, IMAP, SMTP, MAPI and Lotus Notes), and messaging security standards (PGP/MIME RFC 3156, OpenPGP RFC 4880, S/MIME v3 RFC 2633, and X.509 v3) in English, German, and Japanese. PGP Desktop can interface with a variety of email clients such as all versions of Microsoft Outlook, as well as Windows Mail 6.0.6000, Mozilla Thunderbird 2.0, Lotus Notes 6.5.6, 7.0.3, and 8.01, Novell GroupWise 6.5, Apple Mail 2.1.1 and 3.3 and Microsoft Entourage 2008. PGP Desktop also has support for instant message clients like AOL Instant Messenger for Windows, Trillion 3.1, and Apple iChat for Mac OS X.
The user can select AES, CAST, 3DES, IDEA, or Twofish as client encryption algorithms, but must use AES with a 256 bit key for full hard drive encryption. To ensure the integrity of encrypted data, the user can choose from SHA-2, SHA-1, MD5, or RIPEMD-160 hashing algorithms. For public key encryption, PGP Desktop has support for the Diffie Hellman key exchange, and DSA algorithm.
PGP Desktop supports two factor authentication for Windows operating systems, and works with Department of Defense Common Access Cards (CAC), Athena Smart Card Solutions smart cards, AET SafeSign smart cards, Axalto smart cards, SafeNet smart cards, Aladdin smart cards, and GemPlus smart cards.
PGP Whole Disk Encryption requires a logon key when returning from any non active state (power on, standby, hibernation) to decrypt the contents of a hard disk. Once this key is input, basic parts of the system are able to be accessed. If a user chooses to access a part of the hard drive that is still encrypted, PGP Desktop will quickly decrypt the selected contents and allow the user to access the requested files or folder. Based upon policy definitions, different portions of the hard disk can be left encrypted unless acted upon by an administrator. An alert window surfaces when any encryption or decryption operations are being performed.
PGP Email acts as a local desktop proxy service by encrypting every email message being sent or received by the machine until a user wishes to view it. As with PGP Whole Disk Encryption, PGP Email displays an alert window when encryption or decryption operations are being performed.
PGP Desktop can also be configured to run differently than explained in the previous two sections with extensive support for rules and policies. Rules can be configured to enforce policies when users shut down, standby, hibernate the system, and when emails are sent or received to name a few. Because of PGP Desktop’s versatility across many operating system platforms and authentication standards, and it’s transparency while running, it is an effective, easy product to ensure the confidentiality and integrity of your data.
“PGP Desktop Professional.” PGP Corporation. 3 Nov. 2008. http://www.pgp.com/products/packages/desktop_pro/#tech2
Secure Zip has a long history by computer standards. Since the industry is relatively young, anything over 10 years is considered old. The first version of this software was called PKzip (from creater Paul Katz, who also invented the .zip standard) made its debut in 1989 for the MS-DOS operating system. Basically, a ZIP file contains one or more files that have been compressed, to reduce their file size. This was acceptable in the early days of the zip format but with security becoming a bigger concern, in 2005, PKWARE released the next generation of archiving under the name Secure Zip, with security being built in from the ground up. The product statement from the company is: “SecureZIP enables users to secure files with strong passphrase or digital certificate-based encryption, as well as digital signature support to ensure data integrity.” Currently, most people [that I know] know how to zip and unzip files, so the learning curve of Secure Zip is not steep at all. The main difference from previous versions is now a user is prompted for a password. Lets explain how it works: There are 4 encryptions options available for a user to choose from : Secure Zip AES 256 bit, AES 192 bit AES 128 bit and 3-DES 168 bit. The default encryption option is also the strongest the AES 256 bit encryption but the lesser encryption options remain nevertheless. If the user has a password then that user can extract the file. One of the concerns a person may have is how one can send an encrypted file and the recipient does not have a copy of Secure Zip installed. How can these files be extracted? Secure Zip circumvents this limitation by allowing the user to create a self-extracting archive which can run on multiple platforms including MS Windows (XP and Vista), Linux and Solaris. In addition to encryption, Secure Zip also allows for digital signatures which can be stored locally or through a directory. This way received files that are digitally signed by the sender can now be authenticated against the signatures public key if available. Combining this with encryption a person can use a certificate as a recipient list with or without a password so that a given file cannot be decrypted by anyone except the person who was the intended recipient. Secure Zip also integrates with all the MS Office products, but let’s examine how one can use MS Outlook to encrypt messages. This works by automatically compressing any attachment that is through MS Outlook. This works with the two versions of Office that are most widely used, MS Outlook 2003 and MS Outlook 2007. Additionally, if a sender wants to encrypt an entire email, including the attachments and the message, Secure Zip will pack it all into a file and encrypt with instructions for extractions. Again, for those without Secure ZIP can download a free tool, ZIP Reader to unpack the message.
A major issue facing today’s corporations is data loss prevention or DLP. When files are left unprotected on enterprise servers or shared folders, the corporations leave themselves open to large amounts of risk. This could be anything from a regulatory fine or even worse a breach of company sensitive information. When sensitive information if leaked, it not only affects the company but it affects all of their customers. This can also lead to a loss of revenue for the company. RSA has addressed this problem with their product RSA File Security Manager. File Security Manager allows the cooperation to encrypt individual files or folders to FIPS certified encryption in the exact place the files are stored without affecting the users or programs using the data. Only the data payload is encrypted, leaving the metadata untouched. This makes sure the file system remains unaffected. Also the corporation can grant access based on the users role. The access can be centrally managed and allow separate security and system administration to make sure only the members who really need the access can see the actual files. This is especially important in situations such as having an intern since an intern doesn’t need the same amount of access the head of a department. This would allow the intern to see the files in a folder he needs access to and not the ones he doesn’t. An employee in a different field of the company would not have any access to the folder. This can also be used to enforce separation of duties between security administrators and server administrators as required. Since the users are given roles and usernames, the corporation can see exactly who accessed what files or folders. RSA File Security Manager has a built in audit only mode that will the corporation to do just that. This allows them to be covered in case they ever get audited since the program will log every access a file or folder may have. The product is also very easy to administrate. Everything can be configured from a single central management console. RSA File Security Manager is also fully compatible with RSA’s other products such as RSA Key Manager. This will allow a corporation the ability to centralize corporate policy and the generation of keys. The product also allows the keys to be shared across the entire server infrastructure without a users input. Another product compatible with RSA File Security Manager is RSA Authentication Manager. This allows the corporation to have two factor authentications to log in the console. The Authentication manager uses a token or smartcard to log into the console, making the security of the console very strong. The company will not have to worry about the console setting getting changed. In the end a package like RSA File Security Manager is very important for any corporation to have. Without it the cooperation has no way of protecting their data moving around their network and beyond.
SafeHouse is encryption software that can be used with any version of Windows. SafeHouse works by creating an new volume on your hard drive and it assigning it a letter, much like creating another partition or having multiple drives in Windows. This drive can only be accessed by supplying the password that is assigned to it, this password can be changed as often and as many times as desired. SafeHouse allows the user to create an unlimited amount of these volumes, which can be up to 2000GB each. When these drives aren't in use the drive letters disappear from Windows, making them completely hidden from the normal user. You can also create these encrypted volumes on external USB hard drives, USB flash drives, network drives, and even CDs or DVDs. These encrypted vaults work just like any other Windows drive, to put files into these drives you can simply copy and paste the files, or drag and drop them. Once a file is put into the encrypted volume it is automatically encrypted and protected. Another feature of SafeHouse is the ability to create a virtual smartcard. This process works by using a USB drive. With the smartcard you can access any of your SafeHouse vaults without having to enter the passwords, your smartcard stores all of your passwords for each drive. To use this smartcard you just have to insert it into a USB drive in your computer, and enter the pin identifier that was associated with the smartcard when it was created. After entering this pin number, any of your encrypted drives can be unlocked as long as the smartcard is in the computer. When this smartcard is removed from the computer, the opened files are automatically closed and locked. Another feature of SafeHouse is that it can automatically lock up or suspend access to your files after a specified timeout or when Windows hibernates. SafeHouse uses different types of encryption depending on the version of the software you purchase. The personal edition of SafeHouse uses 128-bit encryption, whereas the professional version uses 256-bit and 448-bit encryption. The user can select from multiple algorithms to encrypt with when using SafeHouse, these algorithms are blowfish, twofish, AES, and 3DES. SafeHouse also provides users with a way to check the strength of their passwords used to encrypt drives. The first method is a graphical password strength meter helps you choose strong passwords. This sounds similar to the password checker located at http://www.microsoft.com/protect/yourself/password/checker.mspx, which is just a simple checker to see if you are using upper case characters, lower case characters, numbers, and special characters. The other method, which is only available in the professional edition, is the password dictionary which checks the password against a dictionary attack and warns you if the password is weak. The only main weakness I can see in SafeHouse would be human error, if someone were to use a weak password to encrypt a drive, or a weak pin number for their smartcard then it would be easy to crack the encryption. Without this password it is impossible to break the encryption, since the algorithms used have no known breaks. I would imagine however, that a person using this type of software would be aware of the risks of using a weak password, and they would more than likely use a password that would be sufficiently secure.
The following paragraph is a description of the software from Secude’s website:
Secude’s Secure Notebook provides entire hard drive encryption that encrypts both operating system files and user’s files that are stored on a notebook. One of the highest promoted feature of the encryption software is that it provides excellent power-off protection. Power-off protection means that attacks such as booting from another media or putting the hard drive into another computer will not bypass the encryption implemented by the software. Secude Secure Notebook also has the option to use a smart card for power on authentication. If the smart card method is used, the notebook will first boot into a Linux distribution and authenticate the user with the smart card before the Windows Operating System is loaded. The use of hardware based authentication makes it next to impossible for an attacker to gain unauthorized access to the data on the notebook.
A white paper on Secude’s website gives an interesting idea of why full disk encryption and using hardware based authentication like a smart card should be used together. A new attack on retrieving encryption keys has recently been published by a grad student at Princetion University. The attack is called a DRAM attack. A DRAM attack is a way for an attacker to find encryption keys after the system has been powered off. DRAM on a computer system supposedly can hold data for up to 30 seconds after the machine has been shut off and many products store their encryption keys in DRAM. The attacker than uses a cooling agent like compressed air to slow down the data decay rate on the DRAM memory chips. The chips can then be put into another system and the encryption keys can be found. This would take a very skilled attacker to perform this operation, but nevertheless it can be done. If a person is fearful of this type of attack, Secude’s method of adding hardware based authentication will prevent against this kind of attack.
Another aspect of Secude’s secure notebook that I mentioned was the pre-boot authentication. This works by adding a small but secure custom Linux partition which is an extension of the system BIOS or boot firmware. Since this partition is executed as an extension of the BIOS, it runs before the master boot record, thus not allowing an attacker to bypass the partition. To maintain ease of use the authentication partition just prompts the user for the hardware token or a password and then continues to boot into the desired operating system. Also, if the user decides to use a USB token or smart card for the pre boot authentication, the software will lock the keyboard during the authentication process to prevent an attacker from trying any attacks or from trying to bypass the authentication.
I found a review of the product at securecomputing.net. Their overall consensus was that the encryption and security measures applied by Secude Secure Notebook provided more than adequate security features. One of the problems that their tests found was that hard drive encryption takes longer than other products in the same price range. Another problem was the lack of instructions provided with the product. The average cost of the product was $135.
1. “Don’t Panic – Cold Boot Reality Check”, SECUDE International. Accessed November 19, 2008 http://www.secude.com/download/htm/10810/en/White_Paper%3A_Don%27t_Pani_Cold_Boot_Reality_Check.pdf
2. “Pre-boot Authentication” , SECUDE International AG. Accessed: November 19, 2008
3. “Full Disk Encryption”, SECUDE International AG. Accessed: November 19, 2008
4. Peltier, Justin. “Secude Secure Notebook”, Secure Computing Magazine. Accessed:
November 29, 2008. http://www.securecomputing.net.au/Review/71229,secude-secure-notebook.aspx
This product is very useful when wanting to encrypt a complete partition or storage device. It encrypts automatically in real time, with transparency, using the encryption algorithms AES-256, Serpent, and Twofish. TrueCrypt handles on-the-fly-encrypted volumes, where data is automatically encrypted or decrypted before loading from or storing to the storage device, with no user intervention. Because the encryption is on-the-fly, it is trivial to copy files from the encrypted drive to elsewhere, or place files into the drive. Since reading and storing utilizes the encryption or decryption of the data before using it, this means that the files will be correctly formatted for wherever they will be placed.
When doing the decryption, the user must enter a key/passphrase. Then TrueCrypt will perform the decryption or encryption entirely in RAM when any files are accessed that need to be encrypted or decrypted. If for any reason power is turned off on the computer which has the mounted device, the user must reenter the passphrase/key and remount the encrypted device in order to access the files on it. Nothing is saved while doing decryption, which makes using TrueCrypt a secure way to protect files you wish to keep secure.
TrueCrypt can be used by those who have Windows, Mac, or Linux. Since the encryption and decryption take place when accessing the files, you can encrypt a storage device, such as a USB stick, and use it on any operating device which has TrueCrypt installed for use. You would simply have to provide the required passphrase/key to access the files. It is also possible to place a TrueCrypt encrypted drive inside of another TrueCrypt encrypted drive. This will effectively hide the drive unless the passphrase/key is known for the second drive. Thus if you are forced to reveal your passphrase for an encrypted drive, such as by extortion or blackmail, you would simply provide the passphrase to the outer drive, and still keep you other drive secure.
TrueCrypt is very useful when you wish to have a storage device to protect sensitive files. Because it encrypts and decrypts in RAM while you access the file, there is no lasting storage of the data that a malicious person can grab to find the data. Also, the encrypted storage device does not have any signature which could be used to identify it as encrypted, so that someone searching for it would not know if they found it. All this is very useful in protecting sensitive data from prying eyes that may exploit the data for personal gain.
Ultimaco Safeguard is an encryption product offered by the Ultimaco Safeware company, which is based in Frankfurt, Germany. There are a few variants of the Safeguard product, so for this overview I will be using the Ultimaco Safeguard Device Encryption for my information.
Safeguard Device Encryption is a module of Safeguard Enterprise, which is usually used for mixed IT environments. The encryption service is designed to run on the three most recent versions of the Windows platform, being Windows 2000 SP4, Windows XP SP2/SP3, and Windows Vista SP1. It has been certified with FIPS 140-2, Common Criteria EAL-4, and is Aladdin eToken enabled. This encryption software uses an array of standards and protocols. For symmetrical encryption, it uses AES, in either 128 bit or 256 bit modes. For asymmetrical encryption, Safeguard Device Encryption uses RSA. It supports SHA-256 and SHA-512 hashing, as well as PKCS #15, PKCS #11, Microsoft Cryptographic Service Provider, PC/SC, and Kerberos for smartcards and tokens. Safeguard Device Encryption supports public key infrastructure certificates PKCS #7, PKCS #12, X.509, and can transfer data using SOAP, XML, SSL, and LDAP.
Safeguard Device Encryption’s key features include transparent encryption functionality, which allows for full hard disk encryption (NTFS or FAT) as well as multi-platform removable media encryption. The encryption suite uses a TPM chip for random number generation, which is widely recognized as a secure form of random number generation.
From a forensics standpoint, Safeware points out that encrypted data cannot be read, even if the hard drive has been removed from the computer (except by security administrators). Safeguard Device Encryption has support for Lenovo’s “Rescue and Recovery” tool, Windows PE 2.0, Encase, AccessData, and Kroll OnTrack. Safeguard Device Encryption uses a pre-boot authentication, accepting credentials via username/password, cryptographic token, Smartcard, or biometric information. The software utilizes user-transparent background encryption, and supports secure password recovery via phone or the internet. Safeguard Device Encryption integrates with Microsoft Active Directory, and supports Novell environments. Safeguard Device Encryption can be installed on a computer using a simple MSI package, which makes deployment on a network very simple. The software also logs all activities, security events, and system status for any given time.
Overall, Safeguard Device Encryption seems to offer a very wide array of encryption services, including AES, RSA, and SHA hashing. It implements directly with Windows, and uses background encryption, which allows for a smoother experience. The software will cooperate with forensic tools, which will certainly help if any sort of investigation were to arise.
The information for this overview was obtained at:
WinEncrypt's CryptArchiver is a disk, folder, and file encryption program. With this program, you can encrypt nearly everything, including but not limited to emails, text files, and video. CryptArchiver creates a virtual drive that is then encrypted with either 128 or 448 bit encryption strength using either the Blowfish algorithm or Advanced Encryption Standard. CryptArchiver also uses standard drag and drop to make it easy to choose the data you wish to encrypt which also adds “on-the-fly” encryption. The CrypArchiver will work with any types of file or folders since the virtual drive acts simply like another physical drive. You can then “unload” the drive upon supplying it with a password. Once this is done, the drive disappears from your “My Computer” screen and is hidden as well as encrypted. To access the data, just reload the drive, enter you password, and the virtual drive initiates and acts as a physical drive again.
Depending on which version you purchase or download, the types of encryption offered changes. If you download the trial version, only 128 bit encryption is offered through the Blowfish algorithm. Also, you can only encrypt up to 20 megabytes of data. If you purchase the Basic, Personal, or Standard editions, though the encryption strength increases to up to 448 bit encryption and if you choose from the Blowfish Algorithm. Obviously, if you choose to use the other algorithm option, AES, 256 bit encryption will be used. You are also able to extend the data encryption to different media types such as CDs, DVDs, USB drives, or external hard drives. From here, when inserting the media into a computer, you will again be prompted for you password prior to being able to read any data that is on these medias.
WinEncrypt's CryptArchiver seems to be fairly priced for good encryption—both algorithms, Blowfish and AES are very strong. On WinEncrypt's website it seemed as though the CryptArchiver was not compatible with Windows Vista (site had listed Windows 95/98/SE, Windows ME, Windows NT 4.0, Windows 2000/XP, and Windows 2003 Server) but after further investigation, I found that it is in fact compatible with Vista and highly praised by users of the product.
WinMagic SecureDoc is an encryption system that encrypts the full disk. It allows you to use many different integration techniques. You can also set up multiple factors of authentication such as biometrics, a password, and a token. It can be used for federal encryption because of all the certifications it has received. It supports multiple types of tokens for authentication such as PCMCIA, USB, and serial port tokens. It can use an implementation of the Advanced Encryption Standard. It was the first encryption software that had AES validation from the NIST. It can also use other encryption schemes such as DES and 3-DES. You can use an encryption key that is up to 256 bits in length. WinMagic SecureDoc uses Public Key Cryptographic Standard #11. This standard is the most widely used in the cryptographic world.
It also is the only encryption software to have FIPS 140-1 Level 2 certification. They have received level 1 and level 2 certification for the FIPS 140-2; they are certificates number 698 and 699. It is also the only disk encryption certified by the NSA for SECRET data for United States Government agencies. WinMagic SecureDoc can also be used for security initiatives such as HIPPA because of the certifications it has received.
Since the entire disk is encrypted, you have to login before you get to the operating system during the bios part of boot up. There can be multiple users with different partitions of the hard drive encrypted with different keys. This means that each user can have their private data on a hard drive that only his key can open. It even encrypts the little space in between partitions WinMagic SecureDoc encrypts every sector which includes, the Windows registry, deleted and temporary files. The only problem with this is that the entire hard drive is encrypted and this process will initially take a long time to encrypt. You can have partially encrypted hard drives if they are removable media. It does let you decrypt sectors of your hard drive if you want to install a new operating system.
WinMagic SecureDoc currently only works on Windows operating systems, but is in development to work with Linux distributions soon. While it runs, the user hardly notices, with the program having less than three percent performance degradation. It can support an unlimited amount of hard drives, and can encrypt removable devices, such as CD’s, removable hard drives, as well as flash drives. It also supports multiple processor systems, SCSI controllers, and RAID.
WinMagic SecureDoc also has support for key history, limiting retry attempts, minimum key requirements (length, special characters), and has lockout features. If you forget your key you can still recover documents and there is a self help system for recovering your key if it is lost, which does not use a “master password” system. There is also a version handling for encryption key meaning that if you encrypt something with one key then change your key, WinMagic SecureDoc will allow you to open your old documents. This software also has auditing features for when particular users log on, off, or are unsuccessful in logging on.