|
Portable secure data and applications on laptops, thumb drives, etc. |
Background
Protecting university data is important because of privacy issues, legal requirements (FERPA), financial implications, the need to avoid bad publicity and the need to protect intellectual property. At the request of the IT Security Task Force, the Encrypted Data Storage (EDS) Working Group was formed November 15, 2006 to begin investigation of encryption solutions that could be used to protect the confidentiality and integrity of sensitive university data from accidental or unauthorized disclosure. The proliferation and expanded use of mobile devices at the university has compounded the security risks of unauthorized information disclosure due to theft and loss. Encryption has increasingly become widely accepted as the technology of choice for securing desktops, laptops, tablets, PDAs, and other mobile devices from inadvertent disclosure of sensitive information stored on these devices. It offers an effective solution by providing methods to convert readable cleartext (plaintext) data into ciphertext that obscures the data in such a way as to hide its substance thus rendering the data unreadable without special knowledge. The EDS Working Group will investigate and identify data privacy issues associated with the use of desktop and mobile devices and make recommendations on what steps should be taken to help mitigate the security risks.
Conferences and Research by other Universities
Initiatives by the Federal Government
EDS Working Group
Chair: Frank Galligan eProvisioning
Members: Ismael Alaoui eProvisioning, Phil Benchoff Communications Network Svcs, Brock Burroughs Business and Mgt Systems, Marc Debonis MS Implementation Group, Philip Kobezak IT Security, Kevin Rooney Information Resource Management
Charge
Explore and recommend solutions to prevent accidental or unauthorized disclosure of sensitive university data that resides on desktops and mobile devices.
- Identify situations where encryption is or is not appropriate.
- Identify methods available for encrypting desktop and mobile device storage.
- Recommend baseline requirements for purchasing encryption software.
- Recommend commercial, freeware products or native built-in tools.
- Communicate recommendations to the Knowledge Base and 4Help groups.
Note: The project charge is limited to file and disk encryption for protecting sensitive data residing on desktop, laptop computers and portable storage devices or media, such as PDA, smart phones, flash drives, CD and DVD media. It does not extend to secure email, network communication, or servers.
Meeting Minutes
Where Encryption is Needed
This is just some random thoughts on dealing with data you may want to keep on laptops, thumb drives, or home computers. In general, these systems provide more opportunity for an adversary to get physical access to the hardware. The focus is on encrypted file systems rather than on encrypting individual files or e-mails.
Some of the encrypted file systems may just be snapshots of critical data needed to operate without access to the network:
- Disaster recovery plan
- Contact database
- Configuration data
- Passwords (probably in encrypted files) Check out KeePass Password Safe
- Keys (c.f. security token)
- A list of CNS specific data can be found here.
These data could be replicated from a central image to keep everyone up to date with the critical data. Encrypted files would only need to be large enough to hold the data (since they are "read-only"). Each logical set of data could be in one encrypted volume and a person would only carry the ones he needs.
Types of Encryption
Encryption - The Last Line of Defense - Overview of encryption and why it is needed.
Layers of Encryption
There is a spectrum of system layers where encryption can be used.
- Hardware
- Flash drives w/fingerprint reader
- External drives w/fingerprint reader
- Independant of operating system
- Device could be moved between multiple machines
- FDE Hard Drives - Momentus 5400 FDE.2 Hard Dirve by Seagate
- BIOS
- Operating System
- Partition/block device
- Pseudo-device (virtual drive, encrypted partition, filesystem in a file) - encrypted file system is actually a real file which appears to the user to be a filesystem or folder.
- File system directories/folders
- User
- Individual files - use of a product like GPG to encrypt an individual file or files.
System Types
Levels of management
- Central IT managed
- Department managed
- User managed
User community
- Shared host (loaner laptop, labs, etc.)
- Single-user portable
- Individual desk top
What Problem Are You Trying To Solve?
Here are some of the issues that could be addressed by an encrypted file system.
- Prevent disclosure of data on a stolen or lost laptop or drive.
- Assure the integrity of the operating system and files.
- Prevent user from sending sensative data in clear text or copying it to unencrypted media. (Probably not in scope for EDS group.)
Features
This is a list of features to consider in any solution. In any particular application, some of them will be required.
- Multiple encrypted volumes on one device
- May be useful on a multi-user host where each user has their own encrypted data or where the user wishes to backup the encrypted data in manageable chunks.
- Industry-standard cryptography
- Based on industry standards and certified encryption algorithms.
- Try to use standards like FIPS or other certifications.
- No secret sauce as we say in another project group.
- Multi-platform (at least Linux, Mac, MS Windows)
- There may be solutions where the actual product used is different, but the encrypted data are stored in a format that can be accessed on multiple platforms.
- Encrypted data can be backed up as cipher text
- This allows data to be backed up on a system that isn't necessarily trusted. It may be desirable if a department wants to back up data to a central IT managed backup service but not give them access to the data.
- Encrypted data can be backed up as clear text
- Backing up the clear text is one way to eliminate the need for encrypted data recovery services If a file server is determined to provide a secure enough platform for clear text storage, data could be periodically backed up there.
- Supports security token
- Uses a security token to store the encryption key.
- Not just storing a key as data on the token. The real data encryption key is stored on the host as encrypted data. It is decrypted on the token.
- Multi-key access
- Access to the data may be obtained with any one of multiple keys. This may be significant for recovery of the encrypted data, i.e. one of the keys could be a departmental key and the other an individual user's.
- Threshold system
- Requirement for m of n keys to recover the encryption key. This is another useful feature for recovery of the encrypted data.
- Portable software
- The required software can be carried by the user on portable storage along with the encrypted data and use it without installation on the host system.
- Licensing/Cost
- Free, commercial, licensed per year, etc.
- Support
- Is there an official support channel for the product?
- Key Management and Data Recovery
- Use of security token to store key
- Use of TPM
- Operating System Encryption
- Can the device holding the operating system be encrypted?
- How does boot work?
- Works with CD-Bootable OS or bootable OS on device
- Central Management Capabilities
- Central management infrastructure, which can help ensure uniform compliance
- Partitioned management Capabilities
- Attractive for multi-boot configurations
- Supports shared access to encrypted data on network shares
- Supports encryption of data on removable storage media/devices
- Can leverage the use of VT issued certificates for encryption
- Plausible deniability
- The existence of "hidden" data within the overtly encrypted data is deniablein the sense that it cannot be proven to exist.
- Steganography
- Writing hidden text in such a way that no one except the authorized individual knows of the existence of the text
Need some thought
- Distribution of encrypted data without keys, i.e. individuals may carry data files that are encrypted with keys they do not have (passphrase). If events require them to have access to the data, they can be given the passphrase. If individual passphrases are used, it may be reasonable to give out the passphrases over insecure channels.
- Biometric reader on storage device.
- Access can be too transparent.
- Does the user really need to understand that there is an encrypted file system in use? If not, how does the user know not to save the data outside the file system or send it around in clear text?
- Can the user determine tell if the file system is really working?
Out Of Scope
- Data recovery - escrow, backup of keys, etc. It is assumed clear-text data would be stored on a managed system and the portable device would only hold a temporary working copy.
(Here are some general comments by Phil on key escrow anyway. Of interest may be the description of the general categories of encrypted data.)
How To Do It
Full Disk Encryption Info
Trusted Platform Module(TPM) Info
- TPM - Trusted computing hardware module (Trusted Platform Module).
This is the core of the trusted computing platform. Among other things, the TPM does offer protected storage of cryptographic keys. It will likely be standard in new laptops.
- TPM Matrix - Comprehensive list of Trusted Platform Module manufacturers and implementations.
- TPM Platforms - Infineon
- TPM Platforms - Dell
- Linux Info
Hardware Encryption
Full Disk Encryption Tools
- SafeGuard Easy The Goerge Washington we are using Safeguard Easy (Utimaco product) for full-disk encryption
- SafeBoot Device Encryption for PC
- Guardian Edge Encryption Anywhere Hard Disk
- Voltage SecureDisk
- Pointsec for PCUC Davis is in the process of implementing Pointsec solutions, supports whole disk encryption, a central key escrow function, a helpdesk function and extends product coverage to Windows, Linux, smartphones and portable/USB drives.
- TrueCrypt
- Virtual encrypted disk in a file or encrypted partition
- Encrypts an entire hard disk partition or a storage device such as a USB flash drive
- Encryption is automatic, real-time(on-the-fly) and transparent
- Windows XP/2000/2003, Mac, and Linux
- Pre-boot authentication and encryption of system disks (Windows only).
- Open Source, Free
- Works under BartPE in "traveller mode"
- Protecting Laptop Data with TrueCrypt - Some helpful hints, also pros and cons
- allows creation of volumes that are either a fixed size (disk space is used even when the volume is empty) or dynamic (disk space is used as needed)
- Problem discovered when using TrueCrypt volumes created on Windows shares - periodic "Disk free space has dropped below the minimum threshold" event notifications given
- TrueCrypt volume passwords can be stored on Aladdin eTokens when using Aladdin SSO product
- FREE CompuSec
- FDE, pre-boot auth
- Some info at Security Now podcast - see episode 134
- Not much known about t his product
- Information Week: 7 Whole-Disk Encryption Apps Put A Lock On Data
File, Folder and Virtual Disk Encryption Tools
- EFS - Built into Windows (XP and beyond)
- Authenex HDLockWhile it doesn't encrypt the operating system it does encrypt everything else - being deployed at Franklin University, Columbus, Ohio.
- File Vault
- Built into OS X
- Mac only
- Encrypts users home directory
Other Encryption Tools and Info
- AxCrypt - M$ Windows
- Cryptoloop - Linux encrypted file system
- dm-crypt - Linux encrypted file system using device-mapper. This appears to be replacing cryptoloop and has significant improvements in key management that should be considered for any similar system.
- FUSE (Filesystems In User Space)|http://fuse.sourceforge.net/]
- IEEE Security In Storage WG (SISWG)
- PasswordSafe - Multi-platform password storage program.
- U3 - USB smart drive platform
- Rsync
Portable Storage Devices
Managing and Securing Mobile Devices- Best Practices
Applications and Data
- Using the data on an un-trusted platform has risks of disclosure.
- Keeping important data files encrypted (even if the whold file system is encrypted) will help.
- Essential applications may not be available on hosts that are not setup to support them.
- Essential applications could be included in the data.
- May still require admin access to the host being used.
- Some applications are now packaged to run from removable storage.
- Bootable versions of operating systems with all of the necessary tools may be a good choice.
- BartPE - Run M$ Windows from CD-ROM or DVD
- Flash linus distributions
- Numerous CD/DVD versions of Linux
Application List
This list covers applications you may want on a portable file system. The focus is on the stuff you need to operate
short term and not a full environment.
- Essential
- SSH
- TrueCrypt
- Firefox
- telnet
- Mail client
- Java runtime
- ftp client
- traceroute
- ping
- password safe
- PPPD
- VPN Client
- Internet Messenger client
- Important
- PGP/GPG
- web server on localhost
- Oracle client
- tftp server
- Serial communications program
- tcpdump/Ethereal
Packaging the data
Updating/Synchronizing the data
- Text data can be maintained with rsync or CVS.
Risks
Impact of Data Compromise
Managed
- Disclosure of data if encrypted media are exposed.
- Lost or stolen media.
- Media that must be returned for warranty replacement.
- Compromised host (so long as data stay encrypted). This point should be considered when looking at a solution that starts when the computer is booted and keeps the data available during the time the computer is operating.
Residual
Here are some risks data may still be subject to:
- rubber hose decryption
- ephemeral storage - data in clear format may end up stored in these locations
- swap file
- hybernation image
- core file
- RAM
- various
tmp or cache files
- exposures related to host compromise
- attachment to un-trusted host
- secure storage of filesystem key
Leftovers
Stuff to be looked at and put in the right place.
An email from 5 Sep:
http://www.u3.com/
Wikipedia has an entry:
http://en.wikipedia.org/wiki/List_of_portable_software
Some sites offering portable freeware and/or shareware:
http://www.portablefreeware.com/resources.php
http://digg.com/software/Very_Best_Free_Portable_Software_for_Windows
http://www.programurl.com/software/portable.htm
http://www.lifehacker.com/software/portable-applications/
http://portableapps.com/ (this was in the earlier message, repeated here for com
pleteness)
http://www.portasoft.org/e107/news.php
Securing your portable key:
http://www.dekart.com/howto/howto_disk_encryption/howto_portable_software/
http://www.keynesis.com/products/lockngo-pro/
A Linux distribution that runs from a USB key:
http://www.flashlinux.org.uk/
Some specific apps:
Text Editor:
http://www.editpadpro.com/portable.html
Email:
Poco PE:
http://www.pocosystems.com/home/index.php?option=content&task=category§ionid
=2&id=13&Itemid=29
Thunderbird:
http://portableapps.com/apps/internet/thunderbird_portable
Web Browsers:
http://portableapps.com/apps/internet/firefox_portable/test
http://www.kejut.com/operaportable
http://www.opera-usb.com/operausben.htm
OpenOffice.org
http://johnhaller.com/jh/useful_stuff/portable_openoffice/
GIMP (Open Source Photoshop-like image editor):
https://sourceforge.net/projects/portablegimp/
|
From Unisog:
Date: Fri, 10 Nov 2006 16:14:53 -0500
From: George Farah <george.farah@QUEENSU.CA>
Reply-to: The EDUCAUSE Security Discussion Group Listserv <SECURITY@LISTSERV.EDUCAUSE.EDU>
To: SECURITY@LISTSERV.EDUCAUSE.EDU
Subject: Re: [ED-SEC] Whole Disk Encryption Tools
For encrypting hard drives on laptops, either SafeGuard of SecureDoc
would work, but the SecureDoc product promises to work with all
Anti-Virus products, and it is the only product at FIPS 140-1 level 2.
It is also the only product approved by the NSA for protecting Secret
material, and it's the only product to meet the Homeland Security
Directive 12, FIPS 201.
|