Comments on: Securing Data at Rest with Cryptography http://perimetergrid.com/wp/2007/12/04/securing-data-at-rest-with-cryptography/ Building Security in a Networked World Fri, 03 Sep 2010 18:55:09 +0000 hourly 1 http://wordpress.org/?v=abc By: Jon Callas http://perimetergrid.com/wp/2007/12/04/securing-data-at-rest-with-cryptography/comment-page-1/#comment-15 Jon Callas Fri, 07 Dec 2007 18:26:35 +0000 http://perimetergrid.com/wp/2007/12/04/securing-data-at-rest-with-cryptography/#comment-15 Simple key escrow has risks. Ideally, you want a laptop in someone's hand to be completely under their control alone, but with some exception cases. (Note also that this is what we call a "managed" environment. If you, as an individual, buy WDE, there isn't any back door in the system where someone else can get to your disk. Also, we don't run a service where we will hold WDRTs for people. The authentication and authorization issues are still large.) The problem with simple key escrow is something you've noted -- if you release the volume key, the volume is then in some real sense not secure unless you re-encrypt the volume. I think that key escrow is the wrong solution to the problem. The problem you want to solve is owner/administrator access to the volume. It isn't the keys. Focusing on the keys introduces new security problems that are hard to solve. You should focus on the <b>data</b>. Key escrow has other issues with personnel changes, and so on. Companies don't want the administrators to have access to everything, and administrators don't want that, either. (Imagine if you were a sysadmin in a cruddy job and you tell your boss off and leave. The next day, a laptop goes missing. You're a suspect because you're a disgruntled employee who had access to the keys.) But anyway, here's how the WDRT works. It's just a passphrase. It's a passphrase that is a 128-bit random number. It is formatted to look like a license number: a mix of letters, digits, and separated with hyphens. The resulting string is just a passphrase: it is hashed many times with salt to produce an AES key that encrypts the volume key. Any volume can have a WDRT; the boot volume, removables like flash drives, etc. If the WDE driver uses WDRT, it notes that fact, and will contact the PGP Universal server and negotiate a new WDRT. The WDRT is always generated on the endpoint, not on the server. They can be centrally logged and audited. This gives us a lot of good properties: * When someone forgets a password, you haven't bricked the machine. Similarly, when someone tells you, "I quite, here's your laptop" it's not a brick. * There's no master key that gets you into everyone's disks. It's per-volume token. * The token that gets you into a specific volume will be changed after use. * You know who has gotten such a token. * Since the token is a random number, any attack has to be a brute-force attack -- dictionaries won't work; since we hash passphrases many times with salt, that slows things down and we eliminate rainbow tables. If someone tries to brute-force the token, they're doing the wrong thing -- the user's passphrase is almost certainly weaker. The end result is that it's much safer than key escrow, but it solves the end problem, which is what you're after. Regards, Jon Callas CTO, PGP Corporation Simple key escrow has risks. Ideally, you want a laptop in someone’s hand to be completely under their control alone, but with some exception cases.

(Note also that this is what we call a “managed” environment. If you, as an individual, buy WDE, there isn’t any back door in the system where someone else can get to your disk. Also, we don’t run a service where we will hold WDRTs for people. The authentication and authorization issues are still large.)

The problem with simple key escrow is something you’ve noted — if you release the volume key, the volume is then in some real sense not secure unless you re-encrypt the volume. I think that key escrow is the wrong solution to the problem. The problem you want to solve is owner/administrator access to the volume. It isn’t the keys. Focusing on the keys introduces new security problems that are hard to solve. You should focus on the data.

Key escrow has other issues with personnel changes, and so on. Companies don’t want the administrators to have access to everything, and administrators don’t want that, either. (Imagine if you were a sysadmin in a cruddy job and you tell your boss off and leave. The next day, a laptop goes missing. You’re a suspect because you’re a disgruntled employee who had access to the keys.)

But anyway, here’s how the WDRT works. It’s just a passphrase. It’s a passphrase that is a 128-bit random number. It is formatted to look like a license number: a mix of letters, digits, and separated with hyphens. The resulting string is just a passphrase: it is hashed many times with salt to produce an AES key that encrypts the volume key. Any volume can have a WDRT; the boot volume, removables like flash drives, etc.

If the WDE driver uses WDRT, it notes that fact, and will contact the PGP Universal server and negotiate a new WDRT. The WDRT is always generated on the endpoint, not on the server. They can be centrally logged and audited.

This gives us a lot of good properties:

* When someone forgets a password, you haven’t bricked the machine. Similarly, when someone tells you, “I quite, here’s your laptop” it’s not a brick.

* There’s no master key that gets you into everyone’s disks. It’s per-volume token.

* The token that gets you into a specific volume will be changed after use.

* You know who has gotten such a token.

* Since the token is a random number, any attack has to be a brute-force attack — dictionaries won’t work; since we hash passphrases many times with salt, that slows things down and we eliminate rainbow tables. If someone tries to brute-force the token, they’re doing the wrong thing — the user’s passphrase is almost certainly weaker.

The end result is that it’s much safer than key escrow, but it solves the end problem, which is what you’re after.

Regards,
Jon Callas
CTO, PGP Corporation

]]> By: Grant Bugher http://perimetergrid.com/wp/2007/12/04/securing-data-at-rest-with-cryptography/comment-page-1/#comment-14 Grant Bugher Thu, 06 Dec 2007 16:41:45 +0000 http://perimetergrid.com/wp/2007/12/04/securing-data-at-rest-with-cryptography/#comment-14 Thanks, Jon! It looks like PGP Whole Disk Encryption has come quite a long way since the last time I used it. Prompted by this comment, I read your recent literature, and it looks like the PGP Encryption Platform product does take care of the key-recovery issues I'd had with PGP when using it in an enterprise scenario a few years ago. The Universal Server administering a PGP installation in an enterprise can issue recovery keys for any of the encrypted volumes under its management, thus allowing centralized key recovery. I'm not sure how this works cryptographically (i.e. how is a recovery key not reusable? Does the software re-encrypt the entire volume once one has been used? I don't see how this system could work against an attacker who was implementing their own software rather than using the provided PGP client; I'd be quite interested to see a technical whitepaper on the WDRT system), but that's really not material, as simply having an option for administrative key recovery solves a major problem for enterprise deployments of whole-disk encryption. I don't see a significant advantage for WDRTs over BitLocker's escrow for most enterprises, but it's certainly a good thing that there's a viable, secure alternative out there for companies who seek to implement whole-disk encryption but are not ready or willing to upgrade their enterprise to Vista Ultimate. (An OS migration is certainly a more expensive proposition than installing an enterprise encryption product.) Thanks, Jon! It looks like PGP Whole Disk Encryption has come quite a long way since the last time I used it. Prompted by this comment, I read your recent literature, and it looks like the PGP Encryption Platform product does take care of the key-recovery issues I’d had with PGP when using it in an enterprise scenario a few years ago.

The Universal Server administering a PGP installation in an enterprise can issue recovery keys for any of the encrypted volumes under its management, thus allowing centralized key recovery. I’m not sure how this works cryptographically (i.e. how is a recovery key not reusable? Does the software re-encrypt the entire volume once one has been used? I don’t see how this system could work against an attacker who was implementing their own software rather than using the provided PGP client; I’d be quite interested to see a technical whitepaper on the WDRT system), but that’s really not material, as simply having an option for administrative key recovery solves a major problem for enterprise deployments of whole-disk encryption.

I don’t see a significant advantage for WDRTs over BitLocker’s escrow for most enterprises, but it’s certainly a good thing that there’s a viable, secure alternative out there for companies who seek to implement whole-disk encryption but are not ready or willing to upgrade their enterprise to Vista Ultimate. (An OS migration is certainly a more expensive proposition than installing an enterprise encryption product.)

]]> By: Jon Callas http://perimetergrid.com/wp/2007/12/04/securing-data-at-rest-with-cryptography/comment-page-1/#comment-13 Jon Callas Wed, 05 Dec 2007 20:22:38 +0000 http://perimetergrid.com/wp/2007/12/04/securing-data-at-rest-with-cryptography/#comment-13 Thank you for your thoughtful comments on key escrow, but you have mischaracterized PGP Whole Disk Encryption. PGP WDE has a feature that we call "Whole Disk Recovery Tokens." These are one-time-use passwords that are actually 128-bit random numbers managed by the PGP Universal server that permit recovery from lost passphrases and other things that key escrow provides. In fact, WDRTs are vastly superior to key escrow -- a simple putting keys into the directory. WDRTs have access control, logging, auditing, and can only be used once. After a WDRT has been used, a new one is created. If you escrow the keys, you have to re-encrypt the entire disk to eliminate possible abuse. If you would like information about this, please look at our web site or contact us and we'll be happy to answer any questions you have about it. Regards, Jon Callas CTO, PGP Corporation Thank you for your thoughtful comments on key escrow, but you have mischaracterized PGP Whole Disk Encryption. PGP WDE has a feature that we call “Whole Disk Recovery Tokens.” These are one-time-use passwords that are actually 128-bit random numbers managed by the PGP Universal server that permit recovery from lost passphrases and other things that key escrow provides.

In fact, WDRTs are vastly superior to key escrow — a simple putting keys into the directory. WDRTs have access control, logging, auditing, and can only be used once. After a WDRT has been used, a new one is created. If you escrow the keys, you have to re-encrypt the entire disk to eliminate possible abuse.

If you would like information about this, please look at our web site or contact us and we’ll be happy to answer any questions you have about it.

Regards,
Jon Callas
CTO, PGP Corporation

]]>