Newsgroup: alt.computer.security

#1
10-13-2006, 02:56 AM
Saqib Ali
So why don't we use full disk encryption on all mobile devices?

The 2006 Security Breaches Matrix reveals that a large number of the data
leaks were caused by stolen laptops, which can be easily mitigated
by using full disk encryption on the laptop. So why not encrypt the
whole drive? Cost and performance impact are the usual arguments. Tests
show that access time for files increases by 56%-85% after full disk
encryption. And the cost of FDE software usually ranges from $0-$300
depending on how good a software and support package you want. So is it
NOT worth it?

Data from tests (performance impact) of the FDE products (PGP,
Compusec, Pointsec and Utimaco):
http://www.xml-dev.com/blog/index.ph...ewtopic&id=250

2006 Security Breaches Matrix:
http://www.efortresses.com/refdocs/2...hes-Matrix.pdf


#2
10-13-2006, 02:13 PM
Notan
Re: So why don't we use full disk encryption on all mobile devices?

Sebastian Gottschalk wrote:
>
> Jim Watt wrote:
>
> > For most purposes the use of a disk password would
> > give adequate protection, no overhead on legitimate use
> > and no additional cost.

>
> adequate == none? Just move the platters to another electronic board and
> you've got full access. Even I'm competent enough to do that.


Wrong.

A hard drive password will protect data, even if the drive is moved
to another "home."

Notan

#3
10-13-2006, 04:23 PM
Saqib Ali
Re: So why don't we use full disk encryption on all mobile devices?

Sebastian Gottschalk wrote:
> adequate == none? Just move the platters to another electronic board and
> you've got full access. Even I'm competent enough to do that.


After Full Disk Encryption, I DON'T think you can simply move the
platters to a different board and get full access. I think you are
talking about ATA Drive Lock.


saqib
http://www.full-disk-encryption.net


#4
10-13-2006, 05:51 PM
Saqib Ali
Re: So why don't we use full disk encryption on all mobile devices?

> > After Full Disk Encryption, I DON'T think you can simply move the
> > platters to a different board and get full access. I think you are
> > talking about ATA Drive Lock.

>
> Exactly, that's what the IBM password lock thing is about.


Oops, sorry. I didn't realize the original poster was talking about ATA
Drive Lock.

I thought they were talking about Utimaco, which is an FDE solution and
ships for free with IBM/Lenovo laptops.

saqib
http://www.full-disk-encryption.net


#5
10-13-2006, 07:07 PM
Saqib Ali
Re: So why don't we use full disk encryption on all mobile devices?

> > After Full Disk Encryption, I DON'T think you can simply move the
> > platters to a different board and get full access. I think you are
> > talking about ATA Drive Lock.

>
> Exactly, that's what the IBM password lock thing is about.


However, I will add that Seagate's FDE.2 drives encrypt everything by
default before "placing it on the platter". So the mere act of enabling
ATA Drive Lock on a Seagate FDE.2 drive does the trick. Even if you
take out the platters and place them in a different enclosure you won't
be able to access the data.
See:
http://www.seagate.com/docs/pdf/mark...400_fde_bb.pdf

Also, Seagate has plugged all the known ATA Drive Lock hacks (as far as
I know).

saqib
http://www.full-disk-encryption.net


#6
10-13-2006, 11:28 PM
ulee
Re: So why don't we use full disk encryption on all mobile devices?


Sebastian Gottschalk wrote:
> Jim Watt wrote:
>
> > For most purposes the use of a disk password would
> > give adequate protection, no overhead on legitimate use
> > and no additional cost.

>
> adequate == none? Just move the platters to another electronic board and
> you've got full access. Even I'm competent enough to do that.



#8
11-04-2006, 01:12 AM
Saqib Ali
Re: So why don't we use full disk encryption on all mobile devices?

OK, the review of the 7 Full Disk Encryption suites is now complete.
The results are at:
http://www.xml-dev.com/blog/index.ph...ewtopic&id=250

I did an analysis of various FDE solutions to find the best one for my
needs. The key thing I was interested in was that it must be AES 256,
reasonably fast, inexpensive, and *offer key recovery in case of
password loss*.

Compusec is great for home / personal use. It is cheap, i.e. $0.00
(free), and does not slow down the computer as much as the other
products. But that is because it only supports 128-bit AES, which is a
major drawback as most enterprise settings require at least 256-bit
AES. Compusec also has a great online support forum where you can get
your questions answered by Compusec employees and other experienced
users.

I ended up purchasing both Utimaco and Pointsec. They are excellent
products. They both support AES 256. The downside is that they are a
little bit expensive (Pointsec: $170; Utimaco: $200) and slow.

The best thing is they both offer great password / encryption key
recovery capabilities. You can create a recovery disk with both
products.

They also offer password recovery using a Challenge / Response sequence,
where the IT Helpdesk can perform a Challenge/Response sequence with
the user to help them recover the password or reset it to a new one.
Of course, Challenge/Response password recovery is NOT the most secure,
especially if the user is remote, but you have the option to disable it
on the laptop if you want.

saqib
http://www.full-disk-encryption.net


#9
11-04-2006, 08:18 PM
Unruh
Re: So why don't we use full disk encryption on all mobile devices?

"Saqib Ali" <docbook.xml@gmail.com> writes:

>OK, the review of the 7 Full Disk Encryption suites is now complete.
>The results are at:
>http://www.xml-dev.com/blog/index.ph...ewtopic&id=250


>I did an analysis of various FDE solutions to find the best one for my
>needs. The key thing I was interested in was that it must be AES 256,
>reasonably fast, inexpensive, and *offer key recovery in case of
>password loss*.


Sorry, AES 256 why? It is idiotic in that finding a 128-bit key is simply
infeasible now and in the rather distant future.
And then you demand key recovery, which means that you automatically make
the system weak. If you can recover the key, so can the enemy. I.e., it is
like saying "I want a 1 foot thick steel door for my home, and I want a cat
door in it, so if I forget my key I can reach in and unlock it."

>Compusec is great for home / personal use. It is cheap, i.e. $0.00
>(free), and does not slow down the computer as much as the other
>products. But that is because it only supports 128-bit AES, which is a
>major drawback as most enterprise settings require at least 256-bit


How in the world is that a drawback? Under what rational criteria is that a
drawback?


>AES. Compusec also has a great online support forum where you can get
>your questions answered by Compusec employees and other experienced
>users.


>I ended up purchasing both Utimaco and Pointsec. They are excellent
>products. They both support AES 256. The downside is that they are a
>little bit expensive (Pointsec: $170; Utimaco: $200) and slow.


>The best thing is they both offer great password / encryption key
>recovery capabilities. You can create a recovery disk with both
>products.


>They also offer password recovery using a Challenge / Response sequence,
>where the IT Helpdesk can perform a Challenge/Response sequence with
>the user to help them recover the password or reset it to a new one.
>Of course, Challenge/Response password recovery is NOT the most secure,
>especially if the user is remote, but you have the option to disable it
>on the laptop if you want.


And now you tell me that a third party also has your key as well? Sheesh.


>saqib
>http://www.full-disk-encryption.net



#10
11-04-2006, 09:00 PM
Saqib Ali
Re: So why don't we use full disk encryption on all mobile devices?

> How in the world is that a drawback? Under what rational criteria is that a
> drawback?


Hmm, all I said was that Compusec was an excellent product but it only
offers 128-bit AES. Most of the government agencies, and especially if
you work for a financial institution, require you to use 256-bit AES.


> And now you tell me that a third party also has your key as well? Sheesh.


Hmm, what do you mean by third party?

For the Challenge/Response password recovery to work, the IT Help Desk
needs to know a secret. If that secret is leaked (e.g. posted on a
website) then yes, an attacker *might* be able to log in to the system. The
attacker would still need another secret, the user's logon name, which
may or may not be easy to guess in 3 tries.

As I said earlier, you can turn off the challenge/response password
recovery if you want. But it is good to have in case the employee
leaves the company without giving up the passwords. This may not be
applicable in all situations.

BTW, the site that was hosting the analysis was down for a short period
of time. It is back online and the URL is still the same:
http://www.xml-dev.com/blog/index.ph...ewtopic&id=250

saqib
http://www.full-disk-encryption.net


#11
11-04-2006, 09:32 PM
Arthur T.
Re: So why don't we use full disk encryption on all mobile devices?

In
Message-ID:<1162677633.552281.49020@h48g2000cwc.googlegroups.com>,
"Saqib Ali" <docbook.xml@gmail.com> wrote:

>> How in the world is that a drawback? Under what rational criteria is that a
>> drawback?

>
>Hmm, all I said was that Compusec was an excellent product but it only
>offers 128-bit AES. Most of the government agencies, and especially if
>you work for a financial institution, require you to use 256-bit AES.


What version of Compusec did you benchmark? I haven't
installed it, yet, but the documentation of CompuSec 4.21 says,
"Fast AES Algorithm with 128 or 256 bit key length."

--
Arthur T. - ar23hur "at" intergate "dot" com
Looking for a good MVS systems programmer position

#12
11-04-2006, 10:11 PM
Saqib Ali
Re: So why don't we use full disk encryption on all mobile devices?

> What version of Compusec did you benchmark? I haven't
> installed it, yet, but the documentation of CompuSec 4.21 says,
> "Fast AES Algorithm with 128 or 256 bit key length."


I had the 4.21 (Free) version installed. And 128-bit was the only
option. Maybe I missed something.

Let me know if you are able to install the product successfully and encrypt
using 256-bit AES.

thanks
saqib
http://www.full-disk-encryption.net


#13
11-05-2006, 03:58 PM
Unruh
Re: So why don't we use full disk encryption on all mobile devices?

"Saqib Ali" <docbook.xml@gmail.com> writes:

>> How in the world is that a drawback? Under what rational criteria is that a
>> drawback?


>Hmm, all I said was that Compusec was an excellent product but it only
>offers 128-bit AES. Most of the government agencies, and especially if
>you work for a financial institution, require you to use 256-bit AES.


I guess I did say rational criteria. There is no rational reason to prefer
256 over 128.


>> And now you tell me that a third party also has your key as well? Sheesh.


>Hmm, what do you mean by third party?


>For the Challenge/Response password recovery to work, the IT Help Desk
>needs to know a secret. If that secret is leaked (e.g. posted on a
>website) then yes, an attacker *might* be able to log in to the system. The
>attacker would still need another secret, the user's logon name, which
>may or may not be easy to guess in 3 tries.


The help desk is the third person. Anyone else who knows the password is
the third person. That introduces a huge security hole, far far larger than
any AES128/256 distinction. It reduces the security to something like the
unix crypt function -- seems secure but is easily broken. In this case not
broken, but susceptible to other far more efficient lines of attack than
direct attack on the cypher.



>As I said earlier, you can turn off the challenge/response password
>recovery if you want. But it is good to have in case the employee
>leaves the company without giving up the passwords. This may not be
>applicable in all situations.


I understand why you would want it. It is also a huge security hole. That
is where I would spend my security concerns, not whether it uses 128, 256
or whatever size AES.



>BTW, the site that was hosting the analysis was down for a short period
>of time. It is back online and the URL is still the same:
>http://www.xml-dev.com/blog/index.ph...ewtopic&id=250


>saqib
>http://www.full-disk-encryption.net


All I am saying is that the number of bits should not be a factor in your
decision, unless there is some insane political reason to take it into
account. It is the least of your worries.

You also have to decide what it is you are using the encryption to protect
yourself from. If it is from the local druggie, or if it is from the NSA, those
are very different situations.
The other thing you should check is write speeds. If they use a stream
cypher, they have to rekey every single time you write. And they have to
reencrypt the whole block. If the block is file sized, they have to rewrite
the whole file, not just the section of the file that changed.
They also have to have a subkey management facility.
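The write-cost point Unruh raises above is why disk encryption products work on fixed-size sectors rather than on whole files. The Go program below is an added example, not code from any product named in this thread or from the poster: it encrypts an in-memory volume sector by sector with AES-CBC, derives each sector's IV from the sector number (an ESSIV-style construction, assumed here for illustration), and shows that a write re-encrypts only the sectors it overlaps while every other sector's ciphertext stays byte-for-byte unchanged. The volume key, the 512-byte sector size and the eight-sector layout are constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// SectorSize is the unit of encryption: a write re-encrypts only the sectors it touches.
const SectorSize = 512

// SectorCipher encrypts each 512-byte sector independently with AES-CBC under a
// per-sector IV derived ESSIV-style (sector number encrypted under SHA-256(key)),
// so no IV is stored and equal plaintext in two sectors encrypts differently.
// Assumed construction for this example, not the internals of any product above.
type SectorCipher struct {
	data cipher.Block // AES keyed with the volume key
	ivk  cipher.Block // AES keyed with SHA-256(volume key); derives IVs only
}

func NewSectorCipher(volumeKey []byte) (*SectorCipher, error) {
	data, err := aes.NewCipher(volumeKey)
	if err != nil {
		return nil, err
	}
	h := sha256.Sum256(volumeKey)
	ivk, err := aes.NewCipher(h[:])
	if err != nil {
		return nil, err
	}
	return &SectorCipher{data: data, ivk: ivk}, nil
}

// sectorIV returns E_{SHA256(key)}(sector number), one AES block.
func (s *SectorCipher) sectorIV(n uint64) []byte {
	in, iv := make([]byte, aes.BlockSize), make([]byte, aes.BlockSize)
	binary.LittleEndian.PutUint64(in, n)
	s.ivk.Encrypt(iv, in)
	return iv
}

func (s *SectorCipher) EncryptSector(n uint64, plain []byte) []byte {
	if len(plain) != SectorSize {
		panic("plaintext must be exactly one sector")
	}
	out := make([]byte, SectorSize)
	cipher.NewCBCEncrypter(s.data, s.sectorIV(n)).CryptBlocks(out, plain)
	return out
}

func (s *SectorCipher) DecryptSector(n uint64, ct []byte) []byte {
	if len(ct) != SectorSize {
		panic("ciphertext must be exactly one sector")
	}
	out := make([]byte, SectorSize)
	cipher.NewCBCDecrypter(s.data, s.sectorIV(n)).CryptBlocks(out, ct)
	return out
}

// Volume is an in-memory encrypted disk image; Sectors holds one ciphertext per sector.
type Volume struct {
	c       *SectorCipher
	Sectors [][]byte
}

func NewVolume(c *SectorCipher, numSectors int) *Volume {
	v := &Volume{c: c, Sectors: make([][]byte, numSectors)}
	zero := make([]byte, SectorSize)
	for i := range v.Sectors {
		v.Sectors[i] = c.EncryptSector(uint64(i), zero)
	}
	return v
}

// WriteAt writes plaintext at byte offset off. Only sectors overlapping the
// write are decrypted, patched and re-encrypted; it returns their indices.
func (v *Volume) WriteAt(off int, data []byte) []int {
	var touched []int
	for len(data) > 0 {
		idx, within := off/SectorSize, off%SectorSize
		plain := v.c.DecryptSector(uint64(idx), v.Sectors[idx])
		n := copy(plain[within:], data)
		v.Sectors[idx] = v.c.EncryptSector(uint64(idx), plain)
		touched = append(touched, idx)
		off, data = off+n, data[n:]
	}
	return touched
}

func main() {
	c, err := NewSectorCipher([]byte("0123456789abcdef0123456789abcdef")) // constructed 256-bit key
	if err != nil {
		panic(err)
	}
	v := NewVolume(c, 8)
	fmt.Println("rewritten sectors:", v.WriteAt(3*SectorSize+100, []byte("patch")))
}
```

A five-byte write into sector 3 rewrites exactly one 512-byte sector; a write that straddles a sector boundary rewrites exactly the two sectors involved. The subkey management Unruh mentions is what the IV derivation stands in for here: each sector gets its own IV from the sector number, so nothing per-sector has to be stored or rekeyed on write.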



#14
11-08-2006, 09:26 PM
Arthur T.
Re: So why don't we use full disk encryption on all mobile devices?

In
Message-ID:<1162681910.538093.272460@e3g2000cwe.googlegroups.com>,
"Saqib Ali" <docbook.xml@gmail.com> wrote:

>> What version of Compusec did you benchmark? I haven't
>> installed it, yet, but the documentation of CompuSec 4.21 says,
>> "Fast AES Algorithm with 128 or 256 bit key length."

>
>I had the 4.21 (Free) version installed. And 128-bit was the only
>option. Maybe I missed something.
>
>Let me know if you are able to install the product successfully and encrypt
>using 256-bit AES.


I installed it, didn't like it, and uninstalled it. I didn't
try encrypting the drives, but I tried using 256-bit strings for
the securityinfo.dat file, and couldn't make it work.

Of course, even 128-bit encryption is overkill since the
password is a maximum of 16 alpha-numeric characters. I work that
out to be just over 95 bits worth. Even worse, you *must* have
two passwords (one for password recovery), so I figure that brings
it down to just over 94 bits.

Also, there's something akin to a back-door in Compusec. In
their Yahoo support group, one message said:

>Hi, may I recommend you to send your Securityinfo.dat file to:
>
>support.sg@ce-infosys
>
>Send it with a request to have them extract your UserID and password
>reset code.
>
>Let us know if you encounter any problem.
>
>CE-Infosys




--
Arthur T. - ar23hur "at" intergate "dot" com
Looking for a good MVS systems programmer position
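Arthur T.'s figures above (a 16-character alphanumeric password is just over 95 bits; two equally valid passwords bring it to just over 94) and Unruh's point in #13 that the AES key length is the least of the worries can be checked directly. The Go program below is an added example, not from either poster: it computes the entropy of the password space, the reduction from having several valid secrets, the effective strength as the smaller of key bits and password bits, and the password length at which the key size would start to matter. The 62-symbol alphabet and the assumption of uniformly chosen characters are inputs to the calculation, not facts about any product.

```go
package main

import (
	"fmt"
	"math"
)

// PasswordBits is log2 of the number of passwords of exactly length symbols
// drawn uniformly from an alphabet of the given size.
func PasswordBits(alphabet, length int) float64 {
	return float64(length) * math.Log2(float64(alphabet))
}

// SharedSpaceBits accounts for several equally valid secrets (user password
// plus recovery password): a search of the same space succeeds as soon as any
// one of them is hit, so the expected work drops by log2(count).
func SharedSpaceBits(bits float64, count int) float64 {
	return bits - math.Log2(float64(count))
}

// EffectiveBits is the weaker of the cipher key and the password space; a
// 256-bit key behind a 16-character password is no stronger than the password.
func EffectiveBits(keyBits int, passwordBits float64) float64 {
	return math.Min(float64(keyBits), passwordBits)
}

// MinLength is the shortest password whose space reaches keyBits of entropy,
// i.e. the length below which the key size cannot be the limiting factor.
func MinLength(alphabet, keyBits int) int {
	per := math.Log2(float64(alphabet))
	n := 1
	for float64(n)*per < float64(keyBits) {
		n++
	}
	return n
}

func main() {
	// Arthur T.'s case: 62 alphanumerics, 16 characters, two valid passwords.
	pw := SharedSpaceBits(PasswordBits(62, 16), 2)
	for _, key := range []int{128, 256} {
		fmt.Printf("AES-%d, 16-char alphanumeric password, 2 valid: %.2f effective bits; %d chars needed to reach the key size\n",
			key, EffectiveBits(key, pw), MinLength(62, key))
	}
}
```

With a 16-character cap, AES-128 and AES-256 give the same effective strength, about 94 bits, because the password is the bottleneck; the alphanumeric password would need 22 characters before a 128-bit key limits anything and 43 before a 256-bit key does.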

#15
11-21-2006, 01:59 PM
paolo.digiacomo@gmail.com
Re: So why don't we use full disk encryption on all mobile devices?

Arthur T. wrote:

>
> Also, there's something akin to a back-door in Compusec. In
> their Yahoo support group, one message said:
>
> >Hi, may I recommend you to send your Securityinfo.dat file to:
> >
> >support.sg@ce-infosys
> >
> >Send it with a request to have them extract your UserID and password
> >reset code.
> >


You don't even need to send this file to them. It is enough to open it
with a text editor to find the userid and reset password in plaintext!!!
To emphasize the BIG security limit of this program, if someone manages
to access your PC with administrative privileges (e.g. if you leave it
unattended and logged in, or if you let someone use your PC, at
work, for example) even for a few minutes he/she can create this
Securityinfo.dat file and use it to gain the reset password. This can
obviously happen also if he/she manages to obtain the Securityinfo.dat
file you created during the installation (i.e. because you did not
store it in a safe place).


#16
11-21-2006, 08:14 PM
Arthur T.
Re: So why don't we use full disk encryption on all mobile devices?

In
Message-ID:<1164121193.720099.164020@j44g2000cwa.googlegroups.com>,
paolo.digiacomo@gmail.com wrote:

>Arthur T. wrote:
>
>>
>> Also, there's something akin to a back-door in Compusec. In
>> their Yahoo support group, one message said:
>>
>> >Hi, may I recommend you to send your Securityinfo.dat file to:
>> >
>> >support.sg@ce-infosys
>> >
>> >Send it with a request to have them extract your UserID and password
>> >reset code.
>> >

>
>You don't even need to send this file to them. It is enough to open it
>with a text editor to find the userid and reset password in plaintext!!!
>To emphasize the BIG security limit of this program, if someone manages
>to access your PC with administrative privileges (e.g. if you leave it
>unattended and logged in, or if you let someone use your PC, at
>work, for example) even for a few minutes he/she can create this
>Securityinfo.dat file and use it to gain the reset password. This can
>obviously happen also if he/she manages to obtain the Securityinfo.dat
>file you created during the installation (i.e. because you did not
>store it in a safe place).


You're right. It's right there.

When installing, CompuSec tells you to back up the file to
external media in case something happens to the file on your hard
disk. I don't think the program says that the information can be
used *all*by*itself* to break into your machine. I had figured it
was like the PGP keyring: You're sunk without it, but, even with
it, you need your passphrase.

--
Arthur T. - ar23hur "at" intergate "dot" com
Looking for a good MVS systems programmer position

#17
11-22-2006, 10:36 AM
paolo.digiacomo@gmail.com
Re: So why don't we use full disk encryption on all mobile devices?


Arthur T. wrote:

> When installing, CompuSec tells you to back up the file to
> external media in case something happens to the file on your hard
> disk. I don't think the program says that the information can be
> used *all*by*itself* to break into your machine. I had figured it
> was like the PGP keyring: You're sunk without it, but, even with
> it, you need your passphrase.


Unfortunately it is not like the PGP keyring, because with the reset
password you can boot the encrypted PC using "help" as the login and the
reset password obtained from the plaintext Securityinfo.dat file. So it is
enough to have this file to gain access to the machine. Moreover you
can't be safe even if you keep this file well protected, because it can
be regenerated if a user manages to access your PC with administrative
privileges (and it sounds to me like a security vulnerability).


#18
11-22-2006, 09:32 PM
Saqib Ali
Re: So why don't we use full disk encryption on all mobile devices?

This is exactly why I like the Challenge/Response Password recovery
mechanism offered by Utimaco or Pointsec much more. It allows the
password to be recovered in a secure manner.

Some benefits of challenge/response password recovery:

1. No confidential data is exchanged.
2. Attempts to "eavesdrop" or use data gathered by "listening in"
fail.
3. Can also be used for devices without a network connection, i.e. it
works for users that are at a remote location.
4. No need for the user to carry a disc with recovery encryption key.
5. The user can start working again after only a short interruption.

saqib
http://www.full-disk-encryption.net

> Unfortunately it is not like the PGP keyring, because with the reset
> password you can boot the encrypted PC using "help" as the login and the
> reset password obtained from the plaintext Securityinfo.dat file. So it is
> enough to have this file to gain access to the machine. Moreover you
> can't be safe even if you keep this file well protected, because it can
> be regenerated if a user manages to access your PC with administrative
> privileges (and it sounds to me like a security vulnerability).
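The Challenge/Response recovery described in #10 and #18 (the helpdesk knows a secret; the user reads out a challenge, the helpdesk reads back a response; three tries) can be modelled as an HMAC exchange. The Go program below is an added example written for this thread, not the Utimaco or Pointsec protocol: the pre-boot side draws a random challenge, the helpdesk answers with HMAC-SHA256 over the machine ID and the challenge, and the laptop verifies with a constant-time compare, a three-attempt limit and single-use challenges. It reflects the benefits listed above (nothing confidential crosses the line, a recorded response does not replay) and the caveat from #10 and #13: in this simplified model the laptop holds the same secret as the helpdesk, so disclosure of that secret is the whole risk. Machine IDs and the secret are constructed values.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// MaxAttempts caps guesses per challenge; the thread mentions three tries.
const MaxAttempts = 3

// Helpdesk holds a recovery secret per machine ID. The secret never leaves the
// helpdesk; only a short response derived from the challenge is read out.
type Helpdesk struct {
	secrets map[string][]byte
}

// Respond is called after the helpdesk has verified the caller's identity by
// its own process (that step is outside this example).
func (h *Helpdesk) Respond(machineID, challenge string) (string, error) {
	secret, ok := h.secrets[machineID]
	if !ok {
		return "", errors.New("unknown machine")
	}
	return ResponseCode(secret, machineID, challenge), nil
}

// PreBoot is the laptop side. In this simplified model it holds the same
// secret as the helpdesk, which is exactly the exposure debated in the thread:
// anyone who obtains this secret can answer challenges.
type PreBoot struct {
	machineID string
	secret    []byte
	challenge string
	attempts  int
	Unlocked  bool
}

// NewChallenge draws a fresh random challenge, so a response captured for an
// earlier challenge is useless against this one.
func (p *PreBoot) NewChallenge() (string, error) {
	b := make([]byte, 8)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	p.challenge = strings.ToUpper(hex.EncodeToString(b))
	p.attempts = 0
	return p.challenge, nil
}

// SubmitResponse checks the code the user reads back from the helpdesk.
func (p *PreBoot) SubmitResponse(code string) error {
	if p.challenge == "" {
		return errors.New("no active challenge")
	}
	if p.attempts >= MaxAttempts {
		return errors.New("too many attempts; restart to obtain a new challenge")
	}
	p.attempts++
	want := ResponseCode(p.secret, p.machineID, p.challenge)
	if !hmac.Equal([]byte(strings.ToUpper(strings.TrimSpace(code))), []byte(want)) {
		return errors.New("response does not match")
	}
	p.Unlocked = true
	p.challenge = "" // single use
	return nil
}

// ResponseCode is HMAC-SHA256 over a fixed label, the machine ID and the
// challenge, rendered as groups readable over the phone. Binding the machine ID
// stops a code issued for one laptop being accepted by another.
func ResponseCode(secret []byte, machineID, challenge string) string {
	m := hmac.New(sha256.New, secret)
	m.Write([]byte("recovery-v1|" + machineID + "|" + challenge))
	h := strings.ToUpper(hex.EncodeToString(m.Sum(nil)[:12]))
	parts := make([]string, 0, len(h)/4)
	for i := 0; i < len(h); i += 4 {
		parts = append(parts, h[i:i+4])
	}
	return strings.Join(parts, "-")
}

func main() {
	secret := []byte("constructed-helpdesk-secret") // constructed for the demo
	hd := &Helpdesk{secrets: map[string][]byte{"LAPTOP-42": secret}}
	pb := &PreBoot{machineID: "LAPTOP-42", secret: secret}
	challenge, _ := pb.NewChallenge()
	resp, _ := hd.Respond("LAPTOP-42", challenge)
	fmt.Println("challenge:", challenge, "response:", resp, "unlock:", pb.SubmitResponse(resp))
}
```

The exchange itself carries only the random challenge and a 96-bit truncated MAC, which is what makes benefits 1 and 2 in the list hold; what it cannot fix is the point Unruh makes in #13, that the helpdesk (and, here, the laptop's own store) is a second holder of the secret, so that secret needs the same handling as the recovery disk it replaces.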


