Enhancing the Security of Full Disk Encryption Solutions with Pre- Boot Authentication Security Guide
The loss, theft, or misappropriation of the organization’s endpoint systems could expose
sensitive corporate information such as intellectual property, personnel records or government
secrets, producing disastrous effects for the organization. Full disk encryption, combined with
an extra layer of security in the form of pre-boot authentication, can provide an integral layer of
security against data loss, and can help address one of the most critical areas of exposure for an
organization: unprotected files housing sensitive data.


Enhancing the Security of Full Disk Encryption Solutions with Pre-Boot Authentication
SECURITY GUIDE

Table of Contents
  • Introduction
  • Full-Disk Encryption: Not As Secure as You Might Think
  • Double Protection with SafeNet's ProtectDrive and eToken PRO
  • How Does the Combined Solution Increase Security?
  • More About ProtectDrive and eToken PRO
  • About SafeNet
Introduction

The loss, theft, or misappropriation of the organization's endpoint systems could expose sensitive corporate information such as intellectual property, personnel records or government secrets, producing disastrous effects for the organization. Full disk encryption, combined with an extra layer of security in the form of pre-boot authentication, can provide an integral layer of security against data loss, and can help address one of the most critical areas of exposure for an organization: unprotected files housing sensitive data.

Full-Disk Encryption: Not As Secure as You Might Think

In 2009, Joanna Rutkowska demonstrated a class of attacks known as the "Evil Maid" attacks, designed to defeat a computer protected by a full disk encryption solution by booting it from a USB stick carrying the "Evil Maid" sniffer. The sniffer installs itself on the protected laptop and captures the disk encryption passphrase the next time the user types it. The attack is so named because it targets laptops left unattended in hotel rooms: an attacker posing as the hotel maid surreptitiously reboots the laptop from the Evil Maid USB stick, installing the sniffer. Note that the passphrase is not cracked cryptographically; it is captured at the one point where it must pass through code the attacker can replace, the pre-boot environment. Other attacks published by various security researchers in the same period make the same point from different directions: the Cold Boot Attack (Halderman et al., 2008) uses no malware at all and instead recovers keys from DRAM remanence after a reboot, while the Stoned Bootkit and the BitLocker boot-process attack tamper with the Master Boot Record or the boot chain so that the passphrase can be captured when entered.
Following the success of these attacks, Bruce Schneier, one of the most respected security experts today, pointed out in his blog that FDE might be creating a false sense of security:

"...people who encrypt their hard drives, or partitions on their hard drives, have to realize that the encryption gives them less protection than they probably believe…The defenses are basically two-factor authentication: a token you don't leave in your hotel room for the maid to find and use."

The attacks described above underscore the relative ease with which attackers can capture the passwords used to unlock full disk encryption solutions. For these solutions to provide the expected level of defense and maintain the integrity of the data they are designed to protect, an extra layer of security, in the form of pre-boot strong authentication, is required. A hardware token raises the bar considerably, because a captured PIN is useless without the physical device, but it does not by itself verify the integrity of the boot chain: pre-boot code that has already been tampered with could still drive the token while it is inserted, so boot-integrity controls remain a complementary measure.

Double Protection with SafeNet's ProtectDrive and eToken PRO

SafeNet's ProtectDrive is an award-winning full-disk encryption (FDE) product that secures the hard drives in laptops, workstations, and servers, as well as removable media. ProtectDrive provides an outstanding level of security and robustness and is validated under FIPS 140-2 and Common Criteria. To provide maximum protection and security, and to prevent the malicious attacks that could capture the password used to unlock the disk encryption, ProtectDrive combines with SafeNet's eToken PRO certificate-based strong authentication USB device. With eToken PRO, organizations can easily and effectively improve data security for ProtectDrive as well as other FDE solutions and provide cost-effective protection against the types of attacks discussed above.

How Does the Combined Solution Increase Security?

When encrypting a hard drive or partition, ProtectDrive creates a machine-unique master security key, also referred to as a Master Security Certificate (MSC).
The MSC is associated with the machine's Pre-Boot Authentication (PBA) mechanism and ensures that ProtectDrive can decrypt the disk only after successful pre-boot authentication. To protect against attacks such as "Evil Maid" and increase security, eToken PRO, the leading USB smart-card authentication device, is used to create and store the MSC in the secure environment of the smart card chip on the eToken PRO device. Users who want to boot their computers must have both their personal eToken PRO device and their eToken PRO password. Only when these are provided together can the MSC be retrieved from the secure environment of the eToken PRO and used for successful pre-boot authentication, which subsequently enables
ProtectDrive to decrypt the disk. This solution provides a critical second level of security beyond simple passwords to protect your valuable digital business resources.

[Figure: the pre-boot authentication flow]
  1. The user powers up her laptop, and after BIOS boots, the ProtectDrive logon screen appears.
  2. The user connects her eToken PRO.
  3. The user enters her eToken PRO password and the certificate on the token is validated.
  4. After the boot process succeeds, the Windows logon screen appears.

More About ProtectDrive and eToken PRO

ProtectDrive

ProtectDrive plays a key role in a comprehensive approach to data protection. The solution uses a sophisticated key-management system based on hybrid crypto concepts: the disk encryption is done using symmetric encryption (the FIPS-approved AES-256 algorithm), and asymmetric encryption is used for the key-management process (i.e., a key-encryption key encrypts the symmetric disk-encryption key). Data is encrypted and decrypted "on the fly", providing a seamless user experience. The solution offers a low total cost of ownership by using Microsoft Active Directory and Active Directory Application Management for central administration of policies and keys.

eToken PRO

eToken PRO, the world's leading USB smart card authentication device, delivers highly secure strong two-factor authentication and advanced certificate-based security applications such as pre-boot authentication and digital signatures. eToken PRO utilizes certificate-based technology to generate and store credentials, such as private keys, passwords and digital certificates, inside the protected environment of the smart card chip. eToken PRO allows organizations to streamline their authentication and access operations by offering strong authentication for remote access via VPN, network logon, password management, digital signing, pre-boot encryption and proximity, all on a single USB authenticator.
With its USB form factor and Common Criteria and FIPS 140-2 Level 2 and 3 security certifications, eToken PRO ensures that security regulations are met, and that corporate networks and eBusiness resources are fully protected.

About SafeNet

Founded in 1983, SafeNet is a global leader in information security. SafeNet protects its customers' most valuable assets, including identities, transactions, communications, data and software licensing, throughout the data lifecycle. More than 25,000 customers across both commercial enterprises and government agencies and in over 100 countries trust their information security needs to SafeNet.

Contact Us: For all office locations and contact information, please visit www.safenet-inc.com
Follow Us: www.safenet-inc.com/connected

©2010 SafeNet, Inc. All rights reserved. SafeNet and SafeNet logo are registered trademarks of SafeNet. All other product names are trademarks of their respective owners. ScG (EN)-12.5.10
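The key hierarchy described in "How Does the Combined Solution Increase Security?" and under "ProtectDrive" above (a symmetric AES-256 disk key, wrapped by an asymmetric key-encryption key whose private half lives on a PIN-protected token and is only usable after pre-boot authentication), as an added Go example. This is not SafeNet's code and does not reproduce ProtectDrive's or eToken PRO's real formats, APIs or certificate handling. The token model, the three-attempt lockout, the OAEP label, the PIN 123456 and the sample payload are assumptions constructed for the example:

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"io"
)

var wrapLabel = []byte("fde-disk-key") // assumed OAEP label tying the wrapped blob to its purpose

// token is a toy model of a PIN-protected smart card (an assumption for this example,
// not the eToken PRO firmware): the RSA private key and PIN live inside it, only the
// public key ever leaves it, and it locks after three wrong PINs, as real cards do.
type token struct {
	priv   *rsa.PrivateKey
	pin    []byte
	failed int
}

func newToken(pin string) (*token, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &token{priv: priv, pin: []byte(pin)}, nil
}

// unwrap releases the disk key only when the right PIN is presented to this
// physical token: a PIN sniffed by an Evil Maid keylogger is useless without it.
func (t *token) unwrap(pin string, wrappedDEK []byte) ([]byte, error) {
	if t.failed >= 3 {
		return nil, errors.New("token locked: too many wrong PINs")
	}
	if subtle.ConstantTimeCompare([]byte(pin), t.pin) != 1 {
		t.failed++
		return nil, fmt.Errorf("wrong PIN (%d of 3 attempts used)", t.failed)
	}
	t.failed = 0
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, t.priv, wrappedDEK, wrapLabel)
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// provisionDisk is the enrollment step of the hybrid scheme: a random AES-256 disk key
// encrypts the data and is itself wrapped to the token's public key; only the wrapped
// copy stays on the machine, so the disk alone is useless to a thief.
func provisionDisk(pub *rsa.PublicKey, plaintext []byte) (wrappedDEK, sealed []byte, err error) {
	dek := make([]byte, 32)
	if _, err = io.ReadFull(rand.Reader, dek); err != nil {
		return nil, nil, err
	}
	gcm, err := gcmFor(dek)
	if err != nil {
		return nil, nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err = io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, nil, err
	}
	sealed = gcm.Seal(nonce, nonce, plaintext, nil) // nonce prepended to the ciphertext
	wrappedDEK, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dek, wrapLabel)
	return wrappedDEK, sealed, err
}

// preBootUnlock is the pre-boot authentication step: card + PIN -> disk key -> data.
func preBootUnlock(t *token, pin string, wrappedDEK, sealed []byte) ([]byte, error) {
	dek, err := t.unwrap(pin, wrappedDEK)
	if err != nil {
		return nil, err
	}
	gcm, err := gcmFor(dek)
	if err != nil {
		return nil, err
	}
	if n := gcm.NonceSize(); len(sealed) >= n {
		return gcm.Open(nil, sealed[:n], sealed[n:], nil) // fails on any tampering
	}
	return nil, errors.New("ciphertext too short")
}

func main() {
	tok, _ := newToken("123456") // constructed PIN, as in the page's figure
	wrapped, sealed, _ := provisionDisk(&tok.priv.PublicKey, []byte("constructed: payroll.xlsx"))
	data, err := preBootUnlock(tok, "123456", wrapped, sealed)
	fmt.Println(string(data), err)
	_, err = preBootUnlock(tok, "000000", wrapped, sealed) // sniffed-but-wrong PIN: no key
	fmt.Println(err)
}
```

The point the example makes concrete: what the disk carries is an RSA-wrapped blob, and what the user types is only a PIN that the card checks internally, so neither the stolen disk nor a keylogged PIN yields the AES key without the card itself. It also shows the limit noted earlier on the page: nothing here verifies the pre-boot code, so a tampered environment that waits for the card to be inserted is still in scope for boot-integrity controls rather than for the token.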