Velocity Reviews - Computer Hardware Reviews

Full Disk Encryption Survey

 
 
Saqib Ali
      07-09-2007
Please vote for your favorite Full Disk Encryption (FDE) solution at the
following URL:
http://security-basics.blogspot.com/...on-survey.html
or
http://tinyurl.com/2oy7k4


Please consider the following when voting:
1. Ease of use
2. Transparency to the user
3. Directory integration (e.g. integration with Active Directory or
LDAP)
4. Key Management (Backup, recovery, archiving)
5. Password recovery
6. Cost
7. User Interface
8. Reliability
9. Performance
10. Overall Functionality

 
Vanguard
      07-09-2007
"Saqib Ali" wrote in message
news:(E-Mail Removed) ups.com...
> Please vote for your favorite Full Disk Encryption FDE solution at the
> following URL:
> http://security-basics.blogspot.com/...on-survey.html
> or
> http://tinyurl.com/2oy7k4


For any product to be a favorite, the user must also report
what OTHER similar products they trialed or used. A user that has only
used one FDE product doesn't have a favorite. I have one sister, so the
joke goes "you're my favorite sister". You do not let the user report
what other FDE products they have used or how many total FDE products
they have used (which must be greater than one). The survey is
worthless without this info.

 
benb
      07-12-2007
"Vanguard" <(E-Mail Removed)> wrote in message
news(E-Mail Removed). ..
> "Saqib Ali" wrote in message
> news:(E-Mail Removed) ups.com...
>> Please vote for your favorite Full Disk Encryption FDE solution at the
>> following URL:
>> http://security-basics.blogspot.com/...on-survey.html
>> or
>> http://tinyurl.com/2oy7k4
>
> For any product to be a favorite, the user must also report
> what OTHER similar products they trialed or used. A user that has only
> used one FDE product doesn't have a favorite. I have one sister, so the
> joke goes "you're my favorite sister". You do not let the user report
> what other FDE products they have used or how many total FDE products they
> have used (which must be greater than one). The survey is worthless
> without this info.
>

I'll be keeping an eye on this survey, as I'm currently researching FDE
solutions for about 20 of our users' laptops. So far I've downloaded and
tested PGP WDE, next is CompuSec, I have a trial of SafeGuard Easy on order
(hopefully arriving in the post next week), and I'm arranging a conference
call with someone from PointSec to set up a trial of that product.

If anyone has any experience with any of these or other products, I'd be
interested in your views. Our requirements are:
Full Disk Encryption
Pre Boot Authentication
Active Directory Integration
Easy Deployment (MSI/group policy)
Automated Encryption (no user intervention)

Cheers

Ben


 
Sebastian G.
      07-13-2007
benb wrote:


> I'll be keeping an eye on this survey, as I'm currently researching FDE
> solutions for about 20 of our users' laptops. So far I've downloaded and
> tested PGP WDE, next is CompuSec, I have a trial of SafeGuard Easy on order
> (hopefully arriving in the post next week), and I'm arranging a conference
> call with someone from PointSec to set up a trial of that product.
>
> If anyone has any experience with any of these or other products, I'd be
> interested in your views.



Trivial: CompuSec is insecure by design. Just create a password reset floppy
on a second machine, start the recovery on the first, insert it, and there
you go. A trivial proof that they must have stored the key on the encrypted
disk as well.

SafeGuard Easy... well, is this **** working now? On two test
machines I saw the boot loader completely crashing, totally ignoring any
keyboard response, or not accepting any of the correct passwords.

> Our requirements are:


> Full Disk Encryption
> Pre Boot Authentication
> Active Directory Integration
> Easy Deployment (MSI/group policy)
> Automated Encryption (no user intervention)


Hm... what about actual security? In terms of encryption this means only
Open Source software, due to a matter of trust and verification of the
implementation. CompuSec has already been mentioned. SafeGuard Easy has been
proven to be horribly insecure, e.g. not properly locking memory regions
and then letting the keys be swapped out.
 
Arthur T.
      07-13-2007
In Message-ID:<(E-Mail Removed)>,
"benb" <(E-Mail Removed)> wrote:

>I'll be keeping an eye on this survey, as I'm currently researching FDE
>solutions for about 20 of our users' laptops. So far I've downloaded and
>tested PGP WDE, next is CompuSec


Before you try out CompuSec, you might want to look at some
previous posts about it in this newsgroup. Here's part of one of
mine:

Message-ID: <(E-Mail Removed)>
Of course, even 128-bit encryption is overkill since the
password is a maximum of 16 alpha-numeric characters. I work that
out to be just over 95 bits worth.

Also, there's something akin to a back-door in Compusec. In
their Yahoo support group, one message said:

>Hi, may I recommend you to send your Securityinfo.dat file to:
>
>support.sg@ce-infosys
>
>Send it with a request to have them extract your UserID and password
>reset code.


--
Arthur T. - ar23hur "at" intergate "dot" com
Looking for a z/OS (IBM mainframe) systems programmer position
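Arthur's "just over 95 bits" figure, worked through as an added example (this is not code from the thread or from any vendor): it computes the entropy of the password space behind a 16-character alphanumeric pre-boot password and takes the minimum against the cipher key size, since a password that is the only thing unlocking the disk key bounds the whole system. It generalises to other character sets and counts every length up to the maximum, not just the maximum; the character-set sizes are constructed for illustration.

```python
import math
from typing import Dict

# Character-set sizes (constructed for illustration; the thread only says
# "alpha-numeric", which is taken here as a-z, A-Z, 0-9).
CHARSETS: Dict[str, int] = {
    "digits": 10,
    "lowercase": 26,
    "alphanumeric": 26 + 26 + 10,     # 62 symbols
    "alphanumeric+symbols": 62 + 33,  # plus printable ASCII punctuation
}


def password_space_bits(charset_size: int, max_len: int, all_lengths: bool = True) -> float:
    """Entropy in bits of the password space a brute-force search must cover.

    With all_lengths=True every length from 1 to max_len is counted, which is
    what a search actually enumerates; the difference from max_len alone is
    small (about log2(n/(n-1))) but it is the honest figure."""
    if charset_size < 2 or max_len < 1:
        raise ValueError("charset must have >= 2 symbols and max_len >= 1")
    if not all_lengths:
        return max_len * math.log2(charset_size)
    # Geometric series, exact in integer arithmetic: sum_{k=1..L} n^k = n*(n^L - 1)/(n - 1)
    total = charset_size * (charset_size ** max_len - 1) // (charset_size - 1)
    return math.log2(total)


def effective_strength_bits(charset_size: int, max_len: int, key_bits: int) -> float:
    """The weaker of the cipher key and the password space that unlocks it.
    A 128-bit (or 256-bit) key buys nothing beyond the password entropy when
    the password alone derives or releases that key."""
    return min(float(key_bits), password_space_bits(charset_size, max_len))


def report(max_len: int = 16, key_bits: int = 128) -> Dict[str, float]:
    """Effective strength per character set for the policy under discussion."""
    return {name: effective_strength_bits(n, max_len, key_bits) for name, n in CHARSETS.items()}


if __name__ == "__main__":
    key = 128
    for name, bits in report(key_bits=key).items():
        print(f"{name:22s} {bits:6.1f} bits (of {key} key bits)")
```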
 
benb
      07-13-2007
"Sebastian G." <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> benb wrote:
>
>
> Trivial: CompuSec is insecure by design. Just create a password reset
> floppy
> on a second machine, start the recovery at the first, insert it, and there
> you go. A trivial proof that they must have stored the key on the
> encrypted
> disk as well.


Yeah, I tested it at home last night and didn't like it at all. There are a
number of other failings as well, such as only allowing one user login: if a
consultant sends a machine in for repair, it would be useful to be able to
log in without them having to expose their password. Another is only allowing
alphanumerical characters in the login name; our users log on to the domain
as joe.bloggs, but they couldn't use this to log in to CompuSec as it
contains a period, so it's another username for them to remember. There is no
Windows/directory service synchronisation, so it means another password for
users to remember, increasing the likelihood of users writing down passwords
somewhere.

> SafeGuard Easy... well, is this **** working now? On two test
> machines I saw the boot loader completely crashing, totally ignoring any
> keyboard response, or not accepting any of the correct passwords.


Thanks for the warning, I was going to install it on my laptop to test, but
I think I'll use a spare now, until I know it works! I've heard from other
people that it is stable, and offers all of the requirements listed below.

>> Our requirements are:

>
>> Full Disk Encryption
>> Pre Boot Authentication
>> Active Directory Integration
>> Easy Deployment (MSI/group policy)
>> Automated Encryption (no user intervention)

>
> Hm... what about actual security? In terms of encryption this means only
> Open Source software, due to a matter of trust and verification of the
> implementation. CompuSec has already been mentioned. SafeGuard Easy has
> been proven to be horribly insecure, e.g. not properly locking memory regions
> and then letting the keys be swapped out.


I assumed that most of the products mentioned used at least AES 128, and so
were fairly equal in that respect. Certainly all the datasheets for PGP WDE,
SafeGuard Easy, PointSec & CompuSec state that they are capable of AES 256,
and PointSec & SafeGuard say they are FIPS 140-2 compliant.

My major reason for looking into this is in the event that one of our
consultants has a laptop stolen, and someone might be able to retrieve
clients' confidential information from the hard disk. We're not a government
organisation, bank or anything, but it would damage the company's reputation
if a client were to find their information had been lost/made public!

Ben


 
Juergen Nieveler
      07-13-2007
"benb" <(E-Mail Removed)> wrote:

> Thanks for the warning, I was going to install it on my laptop to
> test, but I think I'll use a spare now, until I know it works! I've
> heard from other people that it is stable, and offers all of the
> requirements listed below.


FWIW, no problems at all with SGE 4.2 at our company, and Utimaco lists
a number of reference customers - some of which DID get to check the
security of SGE in much more detail than, for example, Sebastian.

(For example, the German Army uses it, and to do so required permission
from the government data security agency...)

>> Hm... what about actual security? In terms of encryption this means
>> only Open Source software, due to a matter of trust and
>> verification of the implementation. CompuSec has already been
>> mentioned. SafeGuard Easy has been proven to be horribly insecure,
>> e.g. not properly locking memory regions and then letting the keys
>> be swapped out.


Which is totally and utterly meaningless in a switched-off laptop, which
is what SGE is designed to protect. All full-disc-encryption packages
have the "weakness" that they allow data to be accessed when the laptop
is on (even any Linux implementation) - after all, that's what they're
designed for.

How about stopping being a troll and actually sticking to the topic,
Sebastian?

> I assumed that most of the products mentioned used at least AES 128,
> and so were fairly equal in that respect. Certainly all the
> datasheets for PGP WDE, SafeGuard Easy, PointSec & CompuSec state
> that they are capable of AES 256, and PointSec & SafeGuard say they
> are FIPS 140-2 compliant.


They are. Sebastian means that there might be a chance to recover the
key when the laptop is running - which however is meaningless in any
realistic scenario, because if the laptop is stolen while switched on,
the files are accessible anyway, even if the most secure unobtainium-derived
open-source software is used (that of course was compiled by a
self-written compiler, as you can't trust the compiler software
either....)


> My major reason for looking into this is in the event that one of our
> consultants has a laptop stolen, and someone might be able to retrieve
> clients confidential information from the hard disk.


Which is something those packages WILL protect you against, provided
the user didn't stick a post-it with the password to his laptop.

And even then, some packages (SGE, for example) allow you to require
authentication with a USB token (Aladdin eToken, for SGE) instead of
username/password - which of course would mean that you have to teach
the user NOT to carry the token in the laptop bag.



Juergen Nieveler
--
Fabricati diem, Pvnc!
 
Sebastian G.
      07-13-2007
Juergen Nieveler wrote:


>>> Hm... what about actual security? In terms of encryption this means
>>> to only Open Source software, due to a matter of trust and
>>> verification of the implementation. CompuSec has already been
>>> mentioned. SafeGuard Easy has been proven to be horribly insecure,
>>> e.g. not properly locking memory regions and then letting the keys
>>> be swapped out.
>
> Which is totally and utterly meaningless in a switched-off laptop, which
> is what SGE is designed to protect. All full-disc-encryption packages
> have the "weakness" that they allow data to be accessed when the laptop
> is on (even any Linux implementation) - after all, that's what they're
> designed for.

It was one example from the non-FDE products that Utimaco provides. Over
the years we've seen many such implementation errors, and one really can't
reasonably trust the vendor to now have created a proper implementation.

> (that of course was compiled by a
> self-written compiler, as you can't trust the compiler software
> either....)



The issue is about checking the correctness of the implementation. That means
not just the cipher, but also the key management (including key creation and
key destruction) and the rest (e.g. that it doesn't store a backup of the
key somewhere else). Didn't we learn something from PGP 5.x?
 
Juergen Nieveler
      07-13-2007
"Sebastian G." <(E-Mail Removed)> wrote:

> The issue is about checking the correctness of the implementation. That
> means not just the cipher, but also the key management (including key
> creation and key destruction) and the rest (e.g. that it doesn't store
> a backup of the key somewhere else). Didn't we learn something from
> PGP 5.x?


AFAIK the BSI checked SGE before allowing the Bundeswehr to use it for
confidential documents, and so did NATO.

Of course, it all depends on your personal level of paranoia - even if
a product is secure enough to encrypt state secrets and
multi-billion-dollar trade information, is it secure enough for you?

Juergen Nieveler
--
Ignore previous cookie
 
Sebastian G.
      07-13-2007
Juergen Nieveler wrote:

> "Sebastian G." <(E-Mail Removed)> wrote:
>
>> The issue is about checking the correctness of the implementation. That
>> means not just the cipher, but also the key management (including key
>> creation and key destruction) and the rest (e.g. that it doesn't store
>> a backup of the key somewhere else). Didn't we learn something from
>> PGP 5.x?
>
> AFAIK the BSI checked SGE before allowing the Bundeswehr to use it for
> confidential documents, and so did NATO.
>
> Of course, it all depends on your personal level of paranoia - even if
> a product is secure enough to encrypt state secrets and
> multi-billion-dollar trade information, is it secure enough for you?


Two words: Microsoft Windows
 