The Joys of Full Disk Encryption
By Seth Ross
Here at PC Guardian headquarters, we've had our heads down, fingers
tapping away on keyboards. We've been pounding out the code and
testing the heck out of it. Our latest and most important project
is a hard disk encryption solution, Encryption
Plus® Hard Disk (EP Hard Disk) 7.0.
EP Hard Disk 7.0 is the apex of a line of disk encryption products
from PC Guardian. Our record of accomplishment in this market niche
goes back to 1994. Version 7.0 is a substantial re-engineering and
re-write of our current shipping product. Like its predecessors,
it encrypts all the sectors on the end user's hard disk and then
delivers transparent on-the-fly decryption of those sectors as they
are needed by either the system or the user. Once the program is
installed and a password is provided to the pre-DOS logon prompt,
the user will not notice that the program is working behind the
scenes, decrypting on demand and re-encrypting.
There are numerous benefits to the full-disk approach, as opposed
to mere file encryption. Manual file-by-file encryption is laborious
and error prone. It's all too easy for a user to leave sensitive
information unprotected. Even if the user is exceptionally careful,
Windows application data gets stored in numerous locations, including
temporary directories and swap files. Full-disk encryption addresses
the sloppiness of both users and applications: all data is encrypted,
regardless of user work habits and application file storage routines.
For an excellent overview of the challenges faced in designing
cryptosystems that are transparent to the user and applications,
see Matt Blaze's groundbreaking 1993 paper on his Cryptographic
File System[1]: http://www.crypto.com/papers/cfs.pdf
Like all PC Guardian software products, EP Hard Disk 7.0 is designed
for deployment in large organizations. An administrative program
provides IT personnel and/or security administrators with fine-grain
control of how user disks are encrypted. Administrators can configure
the user program to enforce corporate password policy, including
password length and expiration, and set both start-up and logon
messages. During the initial disk encryption, the program encrypts
in the background and thus can be set to run "slow" (leaving
resources for the user) or "fast" (optimized for encryption).
Similarly, the disk encryption process is designed to recover from
catastrophes like power loss, though this can be turned off in order
to further speed the initial disk encryption.
Like PC Guardian's other enterprise software products, the program
offers multiple recovery mechanisms. These are useful when the user
forgets a password or when the user is "hit by a bus"
(i.e., the company needs the data and the user is not around). The
Authenti-Check® mechanism challenges the user to remember his
or her answer to one or more personal questions. The One-Time Password
recovery mechanism is built around an easy-to-use (but hard to code)
challenge-response system that allows the administrator to reset
a user's password during a phone call.
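
The article does not say how the One-Time Password mechanism works internally, so the following is an added illustration, not PC Guardian's code: one common way to build a phone-friendly challenge-response reset using an HMAC over a per-machine recovery key. The escrowed key, the `LockedClient` class, the 8-digit response and the three-attempt limit are all assumptions.

```python
import hashlib
import hmac
import secrets

RESPONSE_DIGITS = 8   # assumption: short enough to read aloud on a call
MAX_ATTEMPTS = 3      # assumption: guesses allowed per challenge


def derive_response(recovery_key: bytes, challenge: str) -> str:
    """Computed by the help desk and, for checking, by the locked machine."""
    mac = hmac.new(recovery_key, challenge.encode(), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F  # HOTP-style dynamic truncation
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** RESPONSE_DIGITS:0{RESPONSE_DIGITS}d}"


class LockedClient:
    """Hypothetical pre-boot side: one fresh challenge, one accepted response."""

    def __init__(self, recovery_key: bytes):
        self._key = recovery_key
        self._pending = None
        self._attempts = 0

    def new_challenge(self) -> str:
        self._pending = secrets.token_hex(5).upper()  # 10 hex chars, 40 bits
        self._attempts = 0
        return self._pending

    def submit(self, response: str) -> bool:
        if self._pending is None:
            return False  # nothing outstanding: replayed or locked-out response
        expected = derive_response(self._key, self._pending)
        ok = hmac.compare_digest(expected.encode(), response.encode())
        self._attempts += 1
        if ok or self._attempts >= MAX_ATTEMPTS:
            self._pending = None  # burn the challenge on success or lockout
        return ok


if __name__ == "__main__":
    key = secrets.token_bytes(32)       # constructed per-machine recovery key
    client = LockedClient(key)
    challenge = client.new_challenge()  # user reads this to the administrator
    response = derive_response(key, challenge)  # administrator reads this back
    print(challenge, response, client.submit(response))
```

Because each response is bound to a fresh random challenge and the challenge is discarded after use, a response overheard on one call cannot unlock the machine later.
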
EP Hard Disk 7.0 uses the Rijndael cipher for data encryption and
decryption, using a 256-bit key length. Rijndael is the new US Advanced
Encryption Standard (AES) designed to replace DES. It was selected
during an exhaustive multi-year process that involved extensive
reviews by cryptographers worldwide. We are confident that Rijndael
provides good security. It's also fast -- an important attribute
for a cipher used for on-the-fly cryptographic operations.[2]
EP Hard Disk 7.0 is currently in beta release and is being tested
by a select group of PC Guardian customers. If you are involved
with computer security for large organizations, I invite you to
contact us and start an evaluation of this hard disk encryption
solution. Please note that this product is NOT designed for consumers
or standalone PCs -- we are only able to honor requests from qualified
evaluators in large organizations. This beta, like all betas, should
not be run on production machines. Only Windows XP, 2000, and NT
are supported at this time.
For more information about EP Hard Disk, see our product page on
the web: http://www.pcguardian.com/software/Encryption_Plus_Hard_Disk/
In order to request an evaluation copy of EP Hard Disk 7.0 Beta,
please contact us via the form at http://www.pcguardian.com/contact_email.html

MICROSOFT BASELINE SECURITY ANALYZER

As long-time readers know, this newsletter has knocked Microsoft
for the many security problems that affect its operating systems.[3]
On the up side, Microsoft has released a nifty security tool that
scans Windows-based computers for common security snafus: the Microsoft
Baseline Security Analyzer (MBSA).
MBSA runs on Windows 2000/XP-based computers and scans for missing
"hot fixes" and security vulnerabilities on Windows NT/2000/XP-based
computers. MBSA generates reports for security issues in Microsoft's
operating systems, Internet Information Services (IIS), SQL Server,
and Internet Explorer.
If you run Windows 2000 or XP, you owe it to yourself to try this
tool. It has a clean and simple graphical user interface (GUI).
The program's GUI and data parsing routines are built around XML,
an architecture that's likely to appear in other security programs.
Not only does MBSA cite problems, but it also provides links to
further information about system security. Thus, running this program
is an easy and practical way to learn more about Windows 2000/XP
security. If you administer a network of Windows machines, you can
save a lot of shoe leather by using MBSA to remotely check many
machines at once.