[unisog] Drive Encryption (was: Windows Encrypted File System (EFS))

Jim Dillon Jim.Dillon at cusys.edu
Wed Feb 15 22:35:48 GMT 2006

That's (the weak link) absolutely possible, but in our case and given
our typical sensitivity it is a non-player.  It is far better than the
alternate reality of trusting the user to keep some sort of electronic
key somewhere else, or even to trusting an internal key certificate org.
Our primary risk is the stolen notebook with sensitive info means
regulatory fine/scrutiny/disclosure.  Most often the data in question is
already available to Uncle Sam under open records requests.  It is not
unlike a bank card where the PIN is merely an offset code of a 4-digit
number that is stored on your bank card!  The bank could misuse it
(knowledge of the offset function) but the customer/institution
relationship would be at risk, and federal insurance creates a backup so
we all accept that risk without much second thought.

A weak link yes, but not as weak as trusting the vast populace to
implement something right.  I believe a follow-on thread included the
concern of the populace's ability not to lose passwords/keys, etc.  That's a
bigger concern in our typical case.  I can't imagine us getting PGP
right in large scale in this manner, let alone most users being able to
implement it, even with an online training.

Of course you don't have to use the online service (I don't believe),
but beware the broken/lost key or forgotten passphrase!

The key is encoded differently with each passphrase change by the way,
so an original serial number or blank key can't be made to duplicate
your current key.  There isn't an option to merely replace the key based
on a serial number, and that seems all the better of the possible
choices.  (Lost key means decrypting with the soft key and re-encrypting
with the new key.)  There is some rightful paranoia about the vendor
held soft-key, but a lot depends on the actual setup of that system as
to how much risk it presents.  In any case it is far less than not using
the solution, and seems better at avoiding false assurance than a
volume-oriented solution that doesn't catch cache/buffers/temps/backups and
the like, my biggest problem with EFS and the other solutions I looked at.

I still don't trust fully that users won't litter their C:\ root or
C:\Windows directory with sensitive info, so this is not yet the perfect
solution.  I like the idea someone else proposed about HD-vendor-supplied
encrypting hard drives - if they do that correctly it could
surpass this solution for sure.

I'm still looking for encryption panacea and there isn't anything I've
seen for notebooks that close, although this Kensington thing may
suffice.  Some desktop systems with h/w between the I/O channels and
drive look promising, but they are not yet available for notebooks that
I've seen.  ($ a problem too.)


Jim Dillon, CISA, CISSP
IT Audit Manager, CU Internal Audit
jim.dillon at cusys.edu

-----Original Message-----
From: unisog-bounces at lists.sans.org
[mailto:unisog-bounces at lists.sans.org] On Behalf Of Michael Holstein
Sent: Wednesday, February 15, 2006 2:53 PM
To: UNIversity Security Operations Group
Subject: Re: [unisog] Drive Encryption (was: Windows Encrypted File
System (EFS))

> Your certificate for emergency decryption is stored by Kensington, 

<Tinfoil hat>

Therein lies the weak link. Remember the "clipper chip"? ... any 
key-escrow by a private company is just as bad as trusting the 
government itself -- since they'll just send a national security letter 
over to Kensington and ask for it.

unisog mailing list
unisog at lists.sans.org

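The key-handling layout the two messages argue over (a passphrase that yields a different wrapped key on every change, a vendor-held "soft key" that can still unlock the drive, and the escrow exposure that creates) is easier to reason about as code. The following is an added example written for this archive page; it is not code from Jim Dillon, Kensington, or anyone on the thread, and it does not describe how the Kensington product is actually built. It assumes the layout most such products use: a random data-encryption key (DEK) protects the data, the passphrase only wraps that DEK through a PBKDF2-derived key, and an escrow key wraps the same DEK a second time. Jim's note says a lost key means decrypting and re-encrypting; in this model only the DEK is re-wrapped and the data blob is untouched, which is a design choice of the example, not something the thread states. The cipher is a toy built on HMAC-SHA256 so the block runs with the standard library alone; the function names, the PBKDF2 round count and the sample data are all constructed for illustration.

```python
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 100_000  # assumption: illustrative work factor, not a vendor value


def _subkey(key: bytes, label: bytes) -> bytes:
    # Domain-separate the keystream key from the MAC key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256 (toy construction for the example).
    out = b""
    for ctr in range((length + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with the toy cipher. Output layout: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key (e.g. an old passphrase) fails here."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("wrong key or tampered blob")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def derive_kek(passphrase: str, salt: bytes) -> bytes:
    # Passphrase -> key-encryption key. A fresh salt per change is what makes
    # each wrapped DEK look different even for the same passphrase.
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ROUNDS)


def create_volume(passphrase: str, escrow_key: bytes, data: bytes):
    """Header holds the DEK wrapped twice: under the user's KEK and under the escrow key."""
    dek = secrets.token_bytes(32)
    salt = secrets.token_bytes(16)
    header = {
        "salt": salt,
        "user_wrapped": seal(derive_kek(passphrase, salt), dek),
        "escrow_wrapped": seal(escrow_key, dek),  # the vendor-held "soft key" path
    }
    return header, seal(dek, data)


def unlock_with_passphrase(header: dict, passphrase: str) -> bytes:
    return unseal(derive_kek(passphrase, header["salt"]), header["user_wrapped"])


def unlock_with_escrow(header: dict, escrow_key: bytes) -> bytes:
    # Whoever holds escrow_key does not need the passphrase at all.
    return unseal(escrow_key, header["escrow_wrapped"])


def _rewrap(header: dict, dek: bytes, new_passphrase: str) -> dict:
    salt = secrets.token_bytes(16)
    return {**header, "salt": salt, "user_wrapped": seal(derive_kek(new_passphrase, salt), dek)}


def change_passphrase(header: dict, old: str, new: str) -> dict:
    """Normal path: prove the old passphrase, re-wrap the DEK; the data blob is untouched."""
    return _rewrap(header, unlock_with_passphrase(header, old), new)


def recover_with_escrow(header: dict, escrow_key: bytes, new_passphrase: str) -> dict:
    """Lost-passphrase path: the escrow holder unwraps the DEK and re-wraps it for the user."""
    return _rewrap(header, unlock_with_escrow(header, escrow_key), new_passphrase)


def demo() -> dict:
    escrow_key = secrets.token_bytes(32)  # held by the vendor in the thread's scenario
    data = b"constructed sample: student SSN export"
    hdr, ct = create_volume("correct horse", escrow_key, data)
    hdr2 = change_passphrase(hdr, "correct horse", "battery staple")
    old_rejected = False
    try:
        unlock_with_passphrase(hdr2, "correct horse")
    except ValueError:
        old_rejected = True
    hdr3 = recover_with_escrow(hdr2, escrow_key, "reset-by-helpdesk")
    return {
        "rewrap_changes_blob": hdr2["user_wrapped"] != hdr["user_wrapped"],
        "data_blob_unchanged": True,  # ct was never rewritten by either re-wrap
        "old_passphrase_rejected": old_rejected,
        "escrow_bypasses_passphrase": unseal(unlock_with_escrow(hdr2, escrow_key), ct) == data,
        "recovered_passphrase_works": unseal(unlock_with_passphrase(hdr3, "reset-by-helpdesk"), ct) == data,
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

Two properties of this layout line up with the thread. First, a passphrase change produces a new salt and a new wrapped blob, so an old header or a serial-number-derived key cannot be replayed against the current one. Second, `escrow_wrapped` is a complete second door: anyone who obtains the escrow key reads the data without the passphrase, which is the exposure Michael Holstein describes and the reason the escrow key's custody, not the passphrase strength, bounds the design's security.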