Jueneman Consulting, LLC -- "Security Solutions for an  Insecure World"


Encrypted Storage                        
 


Solutions for Encrypted Storage

Media Encryption

The first line of defense, especially for laptops, home computers, and office workstations, would be a good media encryption (disk encryption) package -- one that will encrypt the entire hard drive, except for the tiniest portion of the boot segment used to load everything else. This will provide complete protection against the theft of the laptop or hard drive. Among other areas of interest, it will protect your pagefile, which is an unseen file that is used to extend the computer's memory, and probably has all sorts of things written all over it that you would never know about. A couple of caveats are in order, however. Software-based file encryption is almost essential for this application, because most hardware encryption devices that would be fast enough would be too expensive. However, that does not mean that the keys should be stored in software, or derived from a password, because keyboard sniffers and password-cracking algorithms are just too easy. In particular, DO NOT rely on the protection provided by a PKCS#12 (.pfx) password-based key export, as that process uses a very weak 40-bit encryption algorithm internally -- a throw-back to the old crypto export regulations. Instead, use a hardware token or smart card such as those made by SPYRUS and others. And be careful to think through the backup provisions for that hardware device, as it would be embarrassing to be locked out of your own computer.

Encrypting File System

The second line of defense would be the use of Microsoft's Encrypting File System (EFS), which is included with all of the recent Microsoft Windows operating systems. EFS can be applied on a file-by-file basis, or applied to an entire folder. Again, be very careful to consider your backup strategy -- EFS is probably best used within an enterprise with an IT staff that can set up an EFS key archive system that is backed up. And unfortunately, the cryptographic services used by EFS are controlled within a system-level CSP, so they can't be changed or replaced. If you don't like the algorithm Microsoft uses (probably RC4), you are out of luck. But certainly EFS should be applied to all of your temporary folders, so that the results of all of the cut-and-paste operations and intermediate files are protected. Note that EFS can only be used on NTFS-formatted drives -- the older FAT type of file system is not supported, so it won't work on floppy disk drives.

Secure E-Mail

The third line of defense would be to use S/MIME for all sensitive correspondence, and to always save the copy in encrypted form, never in the clear. Again, this can best be done using a hardware token or smart card. $50 for the token (or less), plus $15 to VeriSign or other CA for a certificate, and you are good to go. If you are setting this up for your own personal use, I would recommend buying two tokens, generating the keys in software, loading those keys onto two tokens, and then putting the backup token in your bank vault. Then memorize the PIN or password used to unlock the token, so that if the token is found, it can't be used. But if you encrypt documents such as your tax returns, you ought to include a copy of that password in your "in the event of my death" papers, so that the estate will have access to them.

Application-Specific Encryption

The fourth line of defense would be to demand that easy-to-use encryption be built in to all of the specialized software packages you use. The more recent versions of Outlook, Outlook Express, GroupWise, PKZIP, and Adobe Acrobat all support PKI-based encryption. Unfortunately, the Microsoft Office XP suite of applications, including Word, PowerPoint, Excel, etc., is rather deficient in this regard -- these applications can password-protect a document with password-based encryption, but this is presumably PKCS#12-based encryption and not very strong. In addition, it isn't public-key based, and it isn't particularly convenient to use, especially if multiple people are required to access the document.

Encrypted Backup Utilities

The final line of defense has to do with "everything else" -- the CD and tape backups, the USB drives (this must be the DoD's biggest nightmare recently), etc. Backup programs that copy the entire hard disk, sector by sector, ought to have encryption built in, but I don't know of any that do, so media-based encryption becomes that much more important. Programs that allow someone to do the equivalent of COPY *.* to a CD or, worse yet, to a networked drive or FTP site are particularly dangerous, since they may automatically decrypt the file before transmitting or copying it.

If you are a sole practitioner or home computer user, the onus is on you to not do such things, but if you are the CEO, CFO, or CIO and concerned that your company might be hugely liable because of the actions of some uninformed user, then it is your responsibility to make sure that your IT staff is proactive in controlling the use of such applications.

The biggest risk in large companies with valuable repositories of such data remains the possibility of a rogue system administrator. That's why we would very much like to see server backup programs use public-key-based protection, so that the backup tapes or disks can be created regularly, but can only be restored if someone is in possession of the hardware token and the PIN used to unlock it. Then you can apply split-knowledge controls over the hardware token and the PIN, so that a conspiracy of two or three people is required in order to circumvent these controls.

 


This page was last updated on 08/14/2003.



 

 