|
|
East Stroudsburg University of Pennsylvania Center for Computer Security and Information Assurance |
Cryptographic
Application Reviews
The following cryptographic
applications have been reviewed by the listed ESU students as part of the CPSC 460,
Applied Computer Cryptography course.
- BeCrypt Disk Protect,
GEORGE HETTINGER
- DESlock+, JOHN BALDWIN
- DriveCrypt, ZACH DUNHAM
- GPG, ZACH SMITH
- McAfee
SafeBoot, ED PAGAN
- Microsoft Vista, MIKE
GRIMA
- New Media Security – NMS
for PC, DAVE MARIANO
- PGP Desktop, CJ GENSHEIMER
- PKWARE SecureZIP, NY GRANT
- RSA
File Security Manager, STEVE DASCH
- SafeHouse, ANTHONY CORCH
- Secude
Secure Notebook, JOSH HOWARD
- TrueCrypt, JOHN LEIS
- Utimaco
SafeGuard, STEVE WHITE
- WinEncrypt
CryptArchiver, DAN FISHER
- WinMagic SecureDoc ,
TIM GABLE
1. BeCrypt Disk Protect, GEORGE HETTINGER
I read Chris Mellor’s review of BeCrypt’s Disk Protect.He gave it an ok review, pointing out some major weaknesses. I think he might have been a bit too harsh in his criticism, and will explain why after I explain how DISK Protect works. What disk protect does is it gets a password from you , but does not use said password as the encryption key, it recieves an additional input for the key, which is 16 characters long. From then on, the program encrypts the entire filesystem, and performs authentication at an extremely low level environment, before Windows even attempts to begin booting. It asks you for your password, then uses that to decrypt an encrypted version of the 16 character key (ascii, so 128 bit key), and then uses said key to decrypt the filesystem (which is encrypted in AES), so that windows may start booting. Everytime a file is written or read encryption and decryption occurs This is very secure, because one cannot even access anything on the drive partition (filesystem), without having the password. Consider a normal PC Windows XP system. Even with a password on the account, someone can easily use OPHCrack to boot linux from a CD, and then brute force the password in 15 minutes, (on average, depending on password strength). This renders such a system quite vunerable. With DISK Protect installed, even if you booted with a CD into another operating system, you still would not be able to extract the SAM database for brute force cracking of Windows passwords, because the ciphertext, and the filesystem that points to it, would be in itself, ciphertext on top of that. This combined with the fact that if you guess more than 3 times, DISK Protect’s password, it digitally shreds the 16 char key, thus electronically “throwing away the key”. This makes the entire filesystem unreadable, and in effect, quickly digitally shreds the entire drive. For our legal case with Boucher v. DOJ, this tool would have been useful for him, so that he could just guess 3 times, and then the 5th Amendment no longer matters, because the key has been destroyed, and never entered his mind.
The major weakness of the software that Mellor points out, is that if a bug occurs where the filesystem is corrupted, you cannot even boot to a CD to re-install Windows, effectively “bricking” the entire hard disk. This I have trouble believing. Since this software installs only on the hard disk, and not on the EEPROM on the motherboard that contains the BIOS, how would one not be able to boot from a CD by changing the boot order in the BIOS. I think that Mellor is innacurate in this assessment, and it makes the software look worse than it actually is. Yes, a bug that makes you lose all your data would be catastrophic and undesireable, but that’s what backups are for. Bricking a hard disk, or an entire system sounds much worse, because it sounds like hardware is being damaged. This is untrue, you would never have a bricked hard disk from this software, you could always reformat, which is why I thought that Mellor was too harsh.
Works Cited
Mellor, Chris. “DISK Protect review.” TechWorld. 10 Jan. 2006. 29 Oct. 2008. http://www.techworld.com/storage/reviews/index.cfm?reviewid=363
Peltier, Justin. “BeCrypt Disk Protect.” SCMagazine. 1 Jan. 2007. 29 Oct. 2008. http://www.scmagazineus.com/BeCrypt-Disk-Protect/Review/171/
DESLOCK+ is a security service available at www.deslock.com.
DESLOCK is available for personal or business use and uses a USB token as the
key. The difference between the business and personal versions is that the
business contains an administrator override system that allows the
administrator to set the permissions on functions available to the user such as
the ability to create more keys or change the name of the token. DESLOCK uses up to a 64 bit key either in
software or on a USB token to encrypt and decrypt. The token also has a small
area on the disk for user data. DESLOCK
also has a secure deletion function similar to the windows trash can but uses
government-grade multiple-pass overwrites to destroy data. It also includes a tool to encrypt or decrypt
the contents of a text selection for use with email clients like outlook and
lotus as well as many others. DESLOCK has an icon in the windows bar for easy
access and hotkeys can be assigned to different functions, not using hotkeys
means the user has to navigate menus via the system tray icon.
The files are added to archives after encryption. This can be done by simply right clicking on a file and selecting the encrypt function and then either selecting to use a password or one of the keys. Folders can be encrypted in the same manner but also have transparency setting. Encrypted folders are fully accessible throughout the system as long as the key is present and can be configured to be hidden when the key is not present. Encrypted folders cannot be deleted unless the key is present. DESLOCK also gives the option to create encrypted volumes that can be mounted as a drive.
At this time DESLOCK is not available for systems outside of windows although there are plenty of other encryption protocols for Linux and Mac. There is also no service to use DESLOCK as a Windows login service but it seems like the next logical step since it uses two-factor security, using two different factors to authenticate.
Bibliography
http://www.scmagazineuk.com/DESlock/Review/1031/
DriveCrypt is a program that performs real time hard disk encryption. This is basically a way to protect data on your hard drive from users, even users that have permission to use the machine you have this data on. DriveCrypt is able to encrypt your entire hard drive including your operating system if you so chose. It also allows pre-boot authentication or USB token authentication at boot up. This program uses 256 bit AES encryption so it is very strong and secure. DriveCrypt works by decrypting information taken from the hard drive before loading it into memory and then encrypting it on the fly again before saving it back to the hard disk.
DriveCrypt also has a plus package available with more features. The “on the fly” encrypting and decrypting, or true real time encrypting and decrypting, is only available with this plus pack. There is no size limitation for encrypted disks with DriveCrypt; you can go as large as needed. This is basically the best drive encryption on the market and it has the most features. You can encrypt almost any kind of media that you wish; this is not just limited to the hard drive in the computer. You can also use this on USB sticks, other flash memory, ZIP disks, floppy disks, and many other disk types. DriveCrypt is completely transparent to the normal user. An administrator could have it running and the average user does not even need to know that it is there.
I found quite a few reviews on this product; not all were stunning. One review that I found says that DriveCrypt is deceptive because it advertises over 1000-bit encryption. Every character in the password that you enter apparently correlates to two to four bits of security. If this is the case you would need a 250-500 character password in order to get to that 1000-bit encryption that the product claims. It is not exactly false advertising because it is indeed possible, but it is deceptive. Another user also claims that there are bad support issues with this software and that on every upgrade they did that not a single one worked without some kind of problems. One other review commends this product and recommends it to any user that needs to have hard drive encryption on the fly. Over the five reviews that I read, three of them were bad and two of them were good. If I had to choose a good hard drive encryption software I would use TrueCrypt because it has better reviews and it is totally free because it is open source software.
http://www.sofotex.com/reviews/r15304.html
http://www.securstar.com/products_drivecryptpp.php
GPG is a completely free version of openPGP. It is a command line tool, but there are a number of frontend applications built around GPG. GPG is used to encrypt and decrypt messages using a verity of different encryption methods. It can also be used for signing documents. There are currently two different versions of GPG available for Linux. One is the older standalone version 1.4.9, and the newer version 2.0.9, is a more enhanced version. GPG is not only for Linux. It is now available for Windows, and is packaged under the name Gpg4win.
It also has a number of great features. GPG has better functionality than PGP, as well as more security than PGP 2. GPG includes support for the decryption and verification of PGP 5, 6, and 7 messages. GPG also takes advantage of a number of encryption algorithms such as, ElGamal, DSA, RSA, AES, 3DES, Blowfish, Twofish, CAST5, MD5, SHA-1, RIPE-MD-160 and TIGER. The way in which GPG was designed allows for the ability to add new algorithms, by simply adding the new algorithms extension modules to GPG. The creators of GPG also included support for key and signature expiration dates, as well as HKP servers. Another great feature of GPG is that it’s not restricted to a specific language. GPG supports languages from English, German, and French to Russian, Japanese, and Turkish. The makers of GPG packed a lot of features into this small cryptography engine, and didn’t leave anything out. They even include support for S/MIME in version 2.0.9.
After GPG is installed, the user needs to complete a few simple steps before they can start sending secure messages. They first must generate their key pair which consists of their public key, and their private key. After entering the information needed to generate the keys the user is asked to continue using their system in order to create a more random key. The reason it’s more random is because GPG uses the user’s activities to help create a more random key. Once the keys are created the user can start receiving and sending secure data. In order for the user to receive encrypted message using their public key they must first export their public key, and place it on the web for others to use, or they can use a key server to distribute their key. In order to decrypt another person message the receiver of the message must first import the sender’s public key to their key database if they do not already have it. They are then able to read the message from the sender by decrypting the message. Now the two users are able to send encrypted messages back and forth without a problem.
GPG also allows users to sign public keys they receive. To sign a public key the user places their signature over the key. As a result, the user knows that this key is valid, and safe to use. GPG even works with a number of email clients including, but not limited to Mozilla (through the use of a plug-in), Kmail, Eudora, and Pine. This allows user to send encrypted email, and decrypt email as well. It also allows the sender to sign an email so that the recipient can verify that the message came from the real sender.
For a free encryption application GPG is one of the best out there and it is not restricted to only Linux, it works on Windows as well. GPG is a feature packed encryption program that couldn’t get any better considering it’s free.
References:
http://www.dewinter.com/gnupg_howto/english/GPGMiniHowto.html
Some of the benefits of SafeBoot are, protecting your data and your company, centralizing your security management, and prove compliance with less effort. Your company data can be protected by preventing access to unauthorized individuals. You can centralize your security management by implanting a uniform company wide data encryption policy. And last but not least you able to prove compliance with less effort by showing higher ups and stockholders that the privacy of the companies’ information is well protected.
Some of the features of SafeBoot are as follows: Full-disk, file, and folder encryption, strong access tables, synchronized password changes by transmitting passwords changes to all machines that the owner is connected to. In addition SafeBoot can easily be integrated with other existing infrastructure on your machines.
With full-disk, file and folder encryption you can apply
this product to your mobile phone. If
you accidently lost your phone in public, the person who finds the phone would
not be able to retrieve any data whatsoever from your mobile device. The same goes along with laptop computers.
The software also has wipe and lock features.
The wipe and lock features allow the owner of the software to remotely
connect to the specific device and either wipe it clean or lock the system up. Once the software is locked only authorized
users would be able to access the data.
SafeBoot is not only about encryption, it’s about management of the
encryption. The use of the software’s
digital rights managements gives the ability of the system owner to be able to
specify which individuals have access to certain encrypted data. This ability also allows the user to specify
a specific amount of time the data is able to be viewed.
McAfee SafeBoot requires the following minimum system requirements, the operating system must be, Microsoft Visa, Windows XP, Windows 2000 or Windows 2003 Sever. As for hardware, SafeBoot minimally requires, 128 MB of RAM, 3-35 MB of hard disk space available, and TCP/IP for remote network access.
Online Reference:
http://www.mcafee.com/us/about/corporate/mcafee_looking_for_safeboot.html
6. Microsoft Vista, MIKE GRIMA
Windows Vista is Microsoft’s latest version of the Windows operating system. With Windows Vista, Microsoft invested heavily on security features. One of the new major security features with regards to cryptography in Windows Vista is BitLocker. BitLocker is a feature of Windows Vista Ultimate, Vista Enterprise and Windows Server 2008. BitLocker performs encryption on the entire system’s hard drive. By encrypting the entire contents of a system’s hard drive, the data’s confidentiality is safeguarded against theft. BitLocker also provides an advantage as it does not place a heavy tax against the performance of the system. Generally, BitLocker will impose a single-digit percentage of overhead to the system.
Typically, a secured system would require a user to simply enter their password and log in. While this is effective at preventing an unauthorized user from logging into the running operating system’s session, it is entirely ineffective at preventing a user from using another operating system to examine the contents of the system’s hard drive. With strong filesystem encryption, this attempt can be thwarted. With BitLocker, logging into the system does more than just granting access, it unlocks the entire filesystem.
BitLocker does not just use one form of encryption. Indeed, it uses a combination of multiple encryption technologies, and works with Trusted Platform Modules (TPM) v 1.2. BitLocker is also flexible to the security needs of the user by featuring several different options for encrypting a system. On systems without TPM modules, the raw data of the filesystem is encrypted with the full volume encryption key using AES. The full volume encryption key is then encrypted with the volume master key using AES. Utilizing a TPM module, BitLocker can verify if the boot sector information was tampered with by another operating system. In the event that the partition was modified outside of the booted Windows environment, BitLocker will enter recovery mode, in which only a recovery key can be entered (this key is created during the initial BitLocker setup). If enabled, TPM can allow a user to enter a PIN number upon boot (shortly after BIOS POST). If this mode of protection is used, then the volume master key is encrypted with RSA encryption.
When a user enables BitLocker encryption to an unencrypted device, Windows will begin encrypting the drive at a rate of about 500MB per minute. Although the system remains useable during this process, it can clearly take some time to encrypt a large volume. Both sectors containing data and free space are encrypted during this process. Free space is encrypted because there can be remnants of file fragments on the free sectors of the volume. BitLocker encrypts the free space as a placeholder file to increase the efficiency of the initial encryption period. Once the free space is encrypted, that placeholder file is then deleted. During the initial encryption, the user can interrupt the power, or shut down the system. Upon resume, the system will begin encrypting the volume. When the volume is completely encrypted, data saved to the disk is pre-encrypted, so no future encryption is required.
References:
http://technet.microsoft.com/en-us/library/cc766200.aspx#BKMK_WhatIsBitLocker
http://technet.microsoft.com/en-us/magazine/cc510321.aspx
http://www.microsoft.com/windows/windows-vista/features/bitlocker.aspx
7. New Media Security – NMS for PC, DAVE
MARIANO
New Media Security is a company which produces encryption-based products for use with computers and PDA’s. For this article, I will be focusing on the computer based program offered by NMS. Currently, the most recent version available is 2.9. The program allows the end user to encrypt folders, files, hard drives, and even shared network drives. One of best features of the program is that it automatically encrypts Firewire and USB external devices such as flash drives, iPods, and external hard drives. The programmers of NMS know that external devices can easily be stolen and the data compromised, so they added automatic encryption to these devices. Another nice feature is that different security levels can be set on the encrypted data. Therefore, system managers or administrators can only give read access or other restricted access to the files at hand. This allows for greater control of the data by controlling the accessibility and confidentiality. In addition to these security features, NMS supports authentication by simple passwords along with fingerprint and token authentication.
One of the selling points for this product is the features it gives network administrators to manage and deploy NMS. The program comes with management tools that allow software deployment through a network along with the tools to manage user and security policies for the organization or company. In addition, a remote recovery module allows encrypted files to be recovered from locked accounts or when the passwords are forgotten.
The program allows the user to encrypt files easily and quickly. To encrypt a folder, the user just right clicks on the folder and clicks “Encrypt.” If the user chooses to encrypt subfolders and files, the user can choose the option “Include Subfolders”. If the user feels that a single folder is not secure enough, the user can right click on the hard drive located in “My Computer” and click “Encrypt”. By checking this option, all contents on the hard drive will be encrypted, therefore increasing the security of the system. Decryption can be done in the same manner by selecting “Decrypt” from the menu.
NMS for PC uses 128 bit 3-DES to encrypt the files. As one knows, 3-DES can perform encryption very quickly when implemented through hardware. Unfortunately, I was unable to obtain any more information pertaining to the encryption algorithms or methods.
One of the downsides of this software is that the user must be part of the “Power Users” or “Administrators” group on the local system. While this may not present a problem in a home environment, businesses or companies which push down policies for user groups may run into a problem. By working with a Windows domain, I know firsthand that all domain users are part of the “Users” group on the local system and they would not have the necessary rights to use this software properly. Companies and businesses may be reluctant to give users “Power Users” status as this would give the user more permissions on the system and possibly compromise the security of the network.
Looking at this software, I would say that NMS would be great software for home users or small businesses where user rights would not be an issue. NMS is very easy to use and offers a wide range of options for the user.
References:
http://www.scmagazineuk.com/NMS-for-PC/Review/1741/
http://www.newmediasecurity.com/products/nms_for_pc.html
PGP Desktop is a combination of
two products, PGP Email, and PGP Whole Disk Encryption which are designed to
protect the confidentiality and integrity of data stored on a desktop or laptop
computer while being transparent to the user.
PGP Desktop supports current
versions of operating systems Windows Vista SP1, XP SP3, Server 2003 SP2, and
MAC OSX. It supports a variety of authentication options (OpenPGP RFC 4880 keys
and X.509 keys), messaging protocols (POP3, IMAP, SMTP, MAPI and Lotus Notes),
and messaging security standards (PGP/MIME RFC 3156, OpenPGP RFC 4880, S/MIME
v3 RFC 2633, and X.509 v3) in English, German, and Japanese. PGP Desktop can
interface with a variety of email clients such as all versions of Microsoft
Outlook, as well as Windows Mail 6.0.6000, Mozilla Thunderbird 2.0, Lotus Notes
6.5.6, 7.0.3, and 8.01, Novell GroupWise 6.5, Apple Mail 2.1.1 and 3.3 and
Microsoft Entourage 2008. PGP Desktop also has support for instant message
clients like AOL Instant Messenger for Windows, Trillion 3.1, and Apple iChat
for Mac OS X.
The user can select AES, CAST,
3DES, IDEA, or Twofish as client encryption algorithms, but must use AES with a
256 bit key for full hard drive encryption. To ensure the integrity of
encrypted data, the user can choose from SHA-2, SHA-1, MD5, or RIPEMD-160
hashing algorithms. For public key encryption, PGP Desktop has support for the
Diffie Hellman key exchange, and DSA algorithm.
PGP Desktop supports two factor
authentication for Windows operating systems, and works with Department of
Defense Common Access Cards (CAC), Athena Smart Card Solutions smart cards, AET
SafeSign smart cards, Axalto smart cards, SafeNet smart cards, Aladdin smart
cards, and GemPlus smart cards.
PGP Whole Disk Encryption
requires a logon key when returning from any non active state (power on,
standby, hibernation) to decrypt the contents of a hard disk. Once this key is
input, basic parts of the system are able to be accessed. If a user chooses to
access a part of the hard drive that is still encrypted, PGP Desktop will
quickly decrypt the selected contents and allow the user to access the
requested files or folder. Based upon policy definitions, different portions of
the hard disk can be left encrypted unless acted upon by an administrator. An
alert window surfaces when any encryption or decryption operations are being
performed.
PGP Email acts as a local desktop
proxy service by encrypting every email message being sent or received by the
machine until a user wishes to view it. As with PGP Whole Disk Encryption, PGP
Email displays an alert window when encryption or decryption operations are
being performed.
PGP Desktop can also be
configured to run differently than explained in the previous two sections with
extensive support for rules and policies. Rules can be configured to enforce
policies when users shut down, standby, hibernate the system, and when emails
are sent or received to name a few. Because of PGP Desktop’s versatility across
many operating system platforms and authentication standards, and it’s
transparency while running, it is an effective, easy product to ensure the
confidentiality and integrity of your data.
Reference
“PGP Desktop Professional.” PGP Corporation. 3 Nov. 2008. http://www.pgp.com/products/packages/desktop_pro/#tech2
Secure Zip has a long history by
computer standards. Since the industry
is relatively young, anything over 10 years is considered old. The first
version of this software was called PKzip (from creater Paul Katz, who also
invented the .zip standard) made its debut in 1989 for the MS-DOS operating
system. Basically, a ZIP file contains
one or more files that have been compressed, to reduce their file size. This was acceptable in the early days of the
zip format but with security becoming a bigger concern, in 2005, PKWARE
released the next generation of archiving under the name Secure Zip, with
security being built in from the ground up.
The product statement from the company is: “SecureZIP enables users to
secure files with strong passphrase or digital certificate-based encryption, as
well as digital signature support to ensure data integrity.” Currently, most people [that I know] know
how to zip and unzip files, so the learning curve of Secure Zip is not steep at
all. The main difference from previous
versions is now a user is prompted for a password. Lets explain how it works: There are 4 encryptions options available
for a user to choose from : Secure Zip
AES 256 bit, AES 192 bit AES 128 bit and 3-DES 168 bit. The default encryption option is also the
strongest the AES 256 bit encryption but the lesser encryption options remain
nevertheless. If the user has a password then that user can extract the
file. One of the concerns a person may
have is how one can send an encrypted file and the recipient does not have a
copy of Secure Zip installed. How can
these files be extracted? Secure Zip
circumvents this limitation by allowing the user to create a self-extracting
archive which can run on multiple platforms including MS Windows (XP and
Vista), Linux and Solaris. In addition
to encryption, Secure Zip also allows for digital signatures which can be
stored locally or through a directory.
This way received files that are digitally signed by the sender can now
be authenticated against the signatures public key if available. Combining this with encryption a person can
use a certificate as a recipient list with or without a password so that a
given file cannot be decrypted by anyone except the person who was the intended
recipient. Secure Zip also integrates
with all the MS Office products, but let’s examine how one can use MS Outlook
to encrypt messages. This works by
automatically compressing any attachment that is through MS Outlook. This works with the two versions of Office
that are most widely used, MS Outlook 2003 and MS Outlook 2007. Additionally, if a sender wants to encrypt an
entire email, including the attachments and the message, Secure Zip will pack
it all into a file and encrypt with instructions for extractions. Again, for those without Secure ZIP can
download a free tool, ZIP Reader to unpack the message.
References:
http://www.pkware.com/documents/announcements/SecureZIP-12-1-Press-Release-Final.pdf
http://searchexchange.techtarget.com/tip/0,,sid43_gci1324978,00.html
10. RSA File Security Manager, STEVE DASCH
A major issue facing today’s
corporations is data loss prevention or DLP. When files are left unprotected on
enterprise servers or shared folders, the corporations leave themselves open to
large amounts of risk. This could be anything from a regulatory fine or even
worse a breach of company sensitive information. When sensitive information if
leaked, it not only affects the company but it affects all of their customers.
This can also lead to a loss of revenue for the company. RSA has addressed this
problem with their product RSA File Security Manager. File Security Manager allows the cooperation
to encrypt individual files or folders to FIPS certified encryption in the
exact place the files are stored without affecting the users or programs using
the data. Only the data payload is encrypted, leaving the metadata untouched.
This makes sure the file system remains unaffected. Also the corporation can grant access based
on the users role. The access can be centrally managed and allow separate
security and system administration to make sure only the members who really
need the access can see the actual files. This is especially important in
situations such as having an intern since an intern doesn’t need the same
amount of access the head of a department. This would allow the intern to see
the files in a folder he needs access to and not the ones he doesn’t. An
employee in a different field of the company would not have any access to the
folder. This can also be used to enforce separation of duties between security
administrators and server administrators as required. Since the users are given
roles and usernames, the corporation can see exactly who accessed what files or
folders. RSA File Security Manager has a built in audit only mode that will the
corporation to do just that. This allows them to be covered in case they ever
get audited since the program will log every access a file or folder may have.
The product is also very easy to administrate. Everything can be configured
from a single central management console. RSA File Security Manager is also
fully compatible with RSA’s other products such as RSA Key Manager. This will
allow a corporation the ability to centralize corporate policy and the
generation of keys. The product also allows the keys to be shared across the
entire server infrastructure without a users input. Another product compatible
with RSA File Security Manager is RSA Authentication Manager. This allows the
corporation to have two factor authentications to log in the console. The
Authentication manager uses a token or smartcard to log into the console,
making the security of the console very strong. The company will not have to
worry about the console setting getting changed. In the end a package like RSA
File Security Manager is very important for any corporation to have. Without it
the cooperation has no way of protecting their data moving around their network
and beyond.
Work Cited
http://www.rsa.com/node.aspx?id=3228
SafeHouse is encryption software
that can be used with any version of Windows. SafeHouse works by creating an
new volume on your hard drive and it assigning it a letter, much like creating
another partition or having multiple drives in Windows. This drive can only be
accessed by supplying the password that is assigned to it, this password can be
changed as often and as many times as desired. SafeHouse allows the user to
create an unlimited amount of these volumes, which can be up to 2000GB each.
When these drives aren't in use the drive letters disappear from Windows,
making them completely hidden from the normal user. You can also create these
encrypted volumes on external USB hard drives, USB flash drives, network
drives, and even CDs or DVDs. These
encrypted vaults work just like any other Windows drive, to put files into
these drives you can simply copy and paste the files, or drag and drop them.
Once a file is put into the encrypted volume it is automatically encrypted and
protected. Another feature of SafeHouse is the ability to create a virtual
smartcard. This process works by using a USB drive. With the smartcard you can
access any of your SafeHouse vaults without having to enter the passwords, your
smartcard stores all of your passwords for each drive. To use this smartcard
you just have to insert it into a USB drive in your computer, and enter the pin
identifier that was associated with the smartcard when it was created. After
entering this pin number, any of your encrypted drives can be unlocked as long
as the smartcard is in the computer. When this smartcard is removed from the
computer, the opened files are automatically closed and locked. Another feature
of SafeHouse is that it can automatically lock up or suspend access to your
files after a specified timeout or when Windows hibernates. SafeHouse uses
different types of encryption depending on the version of the software you
purchase. The personal edition of SafeHouse uses 128-bit encryption, whereas
the professional version uses 256-bit and 448-bit encryption. The user can
select from multiple algorithms to encrypt with when using SafeHouse, these
algorithms are blowfish, twofish, AES, and 3DES. SafeHouse also provides users
with a way to check the strength of their passwords used to encrypt drives. The
first method is a graphical password strength meter helps you choose strong
passwords. This sounds similar to the password checker located at
http://www.microsoft.com/protect/yourself/password/checker.mspx, which is just
a simple checker to see if you are using upper case characters, lower case
characters, numbers, and special characters. The other method, which is only
available in the professional edition, is the password dictionary which checks
the password against a dictionary attack and warns you if the password is weak.
The only main weakness I can see in SafeHouse would be human error, if someone
were to use a weak password to encrypt a drive, or a weak pin number for their
smartcard then it would be easy to crack the encryption. Without this password
it is impossible to break the encryption, since the algorithms used have no
known breaks. I would imagine however, that a person using this type of
software would be aware of the risks of using a weak password, and they would
more than likely use a password that would be sufficiently secure.
Reference: http://www.safehousesoftware.com/
12. Secude Secure Notebook, JOSH HOWARD
The following paragraph is a description
of the software from Secude’s website:
Secude’s Secure Notebook provides
entire hard drive encryption that encrypts both operating system files and
user’s files that are stored on a notebook.
One of the highest promoted feature of the encryption software is that
it provides excellent power-off protection.
Power-off protection means that attacks such as booting from another
media or putting the hard drive into another computer will not bypass the
encryption implemented by the software.
Secude Secure Notebook also has the option to use a smart card for power
on authentication. If the smart card
method is used, the notebook will first boot into a Linux distribution and
authenticate the user with the smart card before the Windows Operating System
is loaded. The use of hardware based
authentication makes it next to impossible for an attacker to gain unauthorized
access to the data on the notebook.
A white paper on Secude’s website
gives an interesting idea of why full disk encryption and using hardware based
authentication like a smart card should be used together. A new attack on retrieving encryption keys
has recently been published by a grad student at Princetion University. The attack is called a DRAM attack. A DRAM attack is a way for an attacker to
find encryption keys after the system has been powered off. DRAM on a computer system supposedly can hold
data for up to 30 seconds after the machine has been shut off and many products
store their encryption keys in DRAM. The
attacker than uses a cooling agent like compressed air to slow down the data
decay rate on the DRAM memory chips. The
chips can then be put into another system and the encryption keys can be found. This would take a very skilled attacker to
perform this operation, but nevertheless it can be done. If a person is fearful of this type of
attack, Secude’s method of adding hardware based authentication will prevent
against this kind of attack.
Another aspect of Secude’s secure
notebook that I mentioned was the pre-boot authentication. This works by adding a small but secure
custom Linux partition which is an extension of the system BIOS or boot
firmware. Since this partition is
executed as an extension of the BIOS, it runs before the master boot record,
thus not allowing an attacker to bypass the partition. To maintain ease of use the authentication
partition just prompts the user for the hardware token or a password and then
continues to boot into the desired operating system. Also, if the user decides to use a USB token
or smart card for the pre boot authentication, the software will lock the
keyboard during the authentication process to prevent an attacker from trying
any attacks or from trying to bypass the authentication.
I found a review of the product
at securecomputing.net. Their overall
consensus was that the encryption and security measures applied by Secude
Secure Notebook provided more than adequate security features. One of the problems that their tests found
was that hard drive encryption takes longer than other products in the same
price range. Another problem was the
lack of instructions provided with the product.
The average cost of the product was $135.
Works Cited:
1. “Don’t Panic – Cold Boot Reality Check”,
SECUDE International. Accessed November
19, 2008 http://www.secude.com/download/htm/10810/en/White_Paper%3A_Don%27t_Pani_Cold_Boot_Reality_Check.pdf
2. “Pre-boot Authentication” , SECUDE
International AG. Accessed: November 19,
2008
http://www.secude.com/download/htm/10274/en/FDE-PreBootAuthentication-whitepaper-en.pdf
3. “Full Disk Encryption”, SECUDE International
AG. Accessed: November 19, 2008
http://www.secude.com/download/htm/10595/en/White_Paper%3A_Full_Disk_Encryption.pdf
4. Peltier, Justin. “Secude Secure Notebook”, Secure Computing
Magazine. Accessed:
November 29, 2008. http://www.securecomputing.net.au/Review/71229,secude-secure-notebook.aspx
This product is very useful when
wanting to encrypt a complete partition or storage device. It encrypts automatically in real time, with
transparency, using the encryption algorithms AES-256, Serpent, and Twofish. TrueCrypt handles on-the-fly-encrypted volumes,
where data is automatically encrypted or decrypted before loading from or
storing to the storage device, with no user intervention. Because the encryption is on-the-fly, it is
trivial to copy files from the encrypted drive to elsewhere, or place files
into the drive. Since reading and
storing utilizes the encryption or decryption of the data before using it, this
means that the files will be correctly formatted for wherever they will be
placed.
When doing the decryption, the
user must enter a key/passphrase. Then
TrueCrypt will perform the decryption or encryption entirely in RAM when any
files are accessed that need to be encrypted or decrypted. If for any reason power is turned off on the
computer which has the mounted device, the user must reenter the passphrase/key
and remount the encrypted device in order to access the files on it. Nothing is saved while doing decryption,
which makes using TrueCrypt a secure way to protect files you wish to keep
secure.
TrueCrypt can be used by those
who have Windows, Mac, or Linux. Since
the encryption and decryption take place when accessing the files, you can
encrypt a storage device, such as a USB stick, and use it on any operating
device which has TrueCrypt installed for use.
You would simply have to provide the required passphrase/key to access
the files. It is also possible to place
a TrueCrypt encrypted drive inside of another TrueCrypt encrypted drive. This will effectively hide the drive unless
the passphrase/key is known for the second drive. Thus if you are forced to reveal your
passphrase for an encrypted drive, such as by extortion or blackmail, you would
simply provide the passphrase to the outer drive, and still keep you other
drive secure.
TrueCrypt is very useful when you
wish to have a storage device to protect sensitive files. Because it encrypts and decrypts in RAM while
you access the file, there is no lasting storage of the data that a malicious
person can grab to find the data. Also,
the encrypted storage device does not have any signature which could be used to
identify it as encrypted, so that someone searching for it would not know if
they found it. All this is very useful
in protecting sensitive data from prying eyes that may exploit the data for
personal gain.
14. Utimaco SafeGuard, STEVE WHITE
Ultimaco Safeguard is an
encryption product offered by the Ultimaco Safeware company, which is based in
Frankfurt, Germany. There are a few variants of the Safeguard product, so for
this overview I will be using the Ultimaco Safeguard Device Encryption for my
information.
Safeguard Device Encryption is a
module of Safeguard Enterprise, which is usually used for mixed IT
environments. The encryption service is designed to run on the three most
recent versions of the Windows platform, being Windows 2000 SP4, Windows XP
SP2/SP3, and Windows Vista SP1. It has been certified with FIPS 140-2, Common
Criteria EAL-4, and is Aladdin eToken enabled. This encryption software uses an
array of standards and protocols. For symmetrical encryption, it uses AES, in
either 128 bit or 256 bit modes. For asymmetrical encryption, Safeguard Device
Encryption uses RSA. It supports SHA-256 and SHA-512 hashing, as well as PKCS
#15, PKCS #11, Microsoft Cryptographic Service Provider, PC/SC, and Kerberos
for smartcards and tokens. Safeguard Device Encryption supports public key
infrastructure certificates PKCS #7, PKCS #12, X.509, and can transfer data
using SOAP, XML, SSL, and LDAP.
Safeguard Device Encryption’s key
features include transparent encryption functionality, which allows for full
hard disk encryption (NTFS or FAT) as well as multi-platform removable media
encryption. The encryption suite uses a TPM chip for random number generation,
which is widely recognized as a secure form of random number generation.
From a forensics standpoint,
Safeware points out that encrypted data cannot be read, even if the hard drive
has been removed from the computer (except by security administrators). Safeguard
Device Encryption has support for Lenovo’s “Rescue and Recovery” tool, Windows
PE 2.0, Encase, AccessData, and Kroll OnTrack. Safeguard Device Encryption uses
a pre-boot authentication, accepting credentials via username/password,
cryptographic token, Smartcard, or biometric information. The software utilizes
user-transparent background encryption, and supports secure password recovery
via phone or the internet. Safeguard Device Encryption integrates with
Microsoft Active Directory, and supports Novell environments. Safeguard Device
Encryption can be installed on a computer using a simple MSI package, which
makes deployment on a network very simple. The software also logs all
activities, security events, and system status for any given time.
Overall, Safeguard Device
Encryption seems to offer a very wide array of encryption services, including
AES, RSA, and SHA hashing. It implements directly with Windows, and uses
background encryption, which allows for a smoother experience. The software
will cooperate with forensic tools, which will certainly help if any sort of
investigation were to arise.
The information for this overview
was obtained at:
15. WinEncrypt CryptArchiver, DAN FISHER
WinEncrypt's CryptArchiver is a
disk, folder, and file encryption program.
With this program, you can encrypt nearly everything, including but not
limited to emails, text files, and video.
CryptArchiver creates a virtual drive that is then encrypted with either
128 or 448 bit encryption strength using either the Blowfish algorithm or
Advanced Encryption Standard.
CryptArchiver also uses standard drag and drop to make it easy to choose
the data you wish to encrypt which also adds “on-the-fly” encryption. The CrypArchiver will work with any types of
file or folders since the virtual drive acts simply like another physical
drive. You can then “unload” the drive
upon supplying it with a password. Once
this is done, the drive disappears from your “My Computer” screen and is hidden
as well as encrypted. To access the
data, just reload the drive, enter you password, and the virtual drive
initiates and acts as a physical drive again.
Depending
on which version you purchase or download, the types of encryption offered
changes. If you download the trial
version, only 128 bit encryption is offered through the Blowfish
algorithm. Also, you can only encrypt up
to 20 megabytes of data. If you purchase
the Basic, Personal, or Standard editions, though the encryption strength
increases to up to 448 bit encryption and if you choose from the Blowfish
Algorithm. Obviously, if you choose to
use the other algorithm option, AES, 256 bit encryption will be used. You are also able to extend the data
encryption to different media types such as CDs, DVDs, USB drives, or external
hard drives. From here, when inserting
the media into a computer, you will again be prompted for you password prior to
being able to read any data that is on these medias.
WinEncrypt's
CryptArchiver seems to be fairly priced for good encryption—both algorithms,
Blowfish and AES are very strong. On
WinEncrypt's website it seemed as though the CryptArchiver was not compatible
with Windows Vista (site had listed Windows 95/98/SE, Windows ME, Windows NT
4.0, Windows 2000/XP, and Windows 2003 Server) but after further investigation,
I found that it is in fact compatible with Vista and highly praised by users of
the product.
Reference:
http://www.winencrypt.com/cryptarchiver/
16. WinMagic SecureDoc , TIM GABLE
WinMagic SecureDoc is an
encryption system that encrypts the full disk. It allows you to use many
different integration techniques. You can also set up multiple factors of
authentication such as biometrics, a password, and a token. It can be used for
federal encryption because of all the certifications it has received. It
supports multiple types of tokens for authentication such as PCMCIA, USB, and
serial port tokens. It can use an implementation of the Advanced Encryption
Standard. It was the first encryption software that had AES validation from the
NIST. It can also use other encryption schemes such as DES and 3-DES. You can
use an encryption key that is up to 256 bits in length. WinMagic SecureDoc uses
Public Key Cryptographic Standard #11. This standard is the most widely used in
the cryptographic world.
It also is the only encryption
software to have FIPS 140-1 Level 2 certification. They have received level 1 and level 2
certification for the FIPS 140-2; they are certificates number 698 and 699. It
is also the only disk encryption certified by the NSA for SECRET data for
United States Government agencies. WinMagic SecureDoc can also be used for
security initiatives such as HIPPA because of the certifications it has
received.
Since the entire disk is
encrypted, you have to login before you get to the operating system during the
bios part of boot up. There can be multiple users with different partitions of
the hard drive encrypted with different keys. This means that each user can
have their private data on a hard drive that only his key can open. It even
encrypts the little space in between partitions WinMagic SecureDoc encrypts
every sector which includes, the Windows registry, deleted and temporary files.
The only problem with this is that the entire hard drive is encrypted and this
process will initially take a long time to encrypt. You can have partially encrypted
hard drives if they are removable media. It does let you decrypt sectors of
your hard drive if you want to install a new operating system.
WinMagic SecureDoc currently only
works on Windows operating systems, but is in development to work with Linux
distributions soon. While it runs, the user hardly notices, with the program
having less than three percent performance degradation. It can support an
unlimited amount of hard drives, and can encrypt removable devices, such as
CD’s, removable hard drives, as well as flash drives. It also supports multiple
processor systems, SCSI controllers, and RAID.
WinMagic SecureDoc also has
support for key history, limiting retry attempts, minimum key requirements
(length, special characters), and has lockout features. If you forget your key
you can still recover documents and there is a self help system for recovering
your key if it is lost, which does not use a “master password” system. There is
also a version handling for encryption key meaning that if you encrypt something
with one key then change your key, WinMagic SecureDoc will allow you to open
your old documents. This software also has auditing features for when
particular users log on, off, or are unsuccessful in logging on.
http://www.winmagic.com/solutions/securedoc.html