SlideShare une entreprise Scribd logo

Enhancing the Security of Full Disk Encryption Solutions with Pre- Boot Authentication Security Guide

SafeNet
SafeNet

The loss, theft, or misappropriation of the organization’s endpoint systems could expose sensitive corporate information such as intellectual property, personnel records or government secrets, producing disastrous effects for the organization. Full disk encryption, combined with an extra layer of security in the form of pre-boot authentication, can provide an integral layer of security against data loss, and can help address one of the most critical areas of exposure for an organization: unprotected files housing sensitive data.

1  sur  3
Télécharger pour lire hors ligne
Enhancing the Security of Full Disk Encryption Solutions with Pre- Boot Authentication SECURITY GUIDE Table of Contents Introduction ........................................................................................................................ 2 Full-Disk Encryption: Not As Secure as You Might Think .................................................... 2 Double Protection with SafeNet’s ProtectDrive and eToken PRO ......................................... 2 How Does the Combined Solution Increase Security?.......................................................... 2 More About ProtectDrive and eToken PRO ........................................................................... 3 About SafeNet..................................................................................................................... 3 Enhancing the Security of Full Disk Encryption Solutions with Pre-Boot Authentication Security Guide 1
“...people who encrypt their Introduction hard drives, or partitions on The loss, theft, or misappropriation of the organization’s endpoint systems could expose their hard drives, have to realize sensitive corporate information such as intellectual property, personnel records or government that the encryption gives them secrets, producing disastrous effects for the organization. Full disk encryption, combined with an extra layer of security in the form of pre-boot authentication, can provide an integral layer of less protection than they security against data loss, and can help address one of the most critical areas of exposure for an probably believe…The defenses organization: unprotected files housing sensitive data. are basically two-factor authentication: a token you don’t Full-Disk Encryption: Not As Secure as You Might Think leave in your hotel room for the In the summer of 2009, Joanna Rutkowska implemented a series of attacks known as the “Evil maid to find and use.” Maid” attacks, which were designed to crack a computer protected by a full disk encryption solution by using a USB stick infected with the “Evil Maid” Sniffer. The Evil Maid Sniffer, stored Bruce Schneier on a USB stick, infects the protected laptop and sniffs out the disk encryption passphrase when the user enters it next time. It was thus called because it can be used against laptops left unattended in hotel rooms where an attacker (presuming to be the hotel maid) surreptitiously reboots the laptop from the Evil Maid USB Stick, infecting the laptop with the sniffer software. During 2009 and 2010, additional attacks – all developed by various security researchers – were also carried out. These include the Cold Boot Attack, Stoned Boot Attack and Bitlocker Boot Process Attack, which infect the protected device with malware. The malware scans the memory or changes the Master Boot Record to enable passphrase sniffing. Following the success of these attacks, Bruce Schneier, one of the most accredited security experts today, pointed out in his blog, that FDE might be creating a sense of false complacency: “...people who encrypt their hard drives, or partitions on their hard drives, have to realize that the encryption gives them less protection than they probably believe…The defenses are basically two- factor authentication: a token you don’t leave in your hotel room for the maid to find and use.” The attacks described above underscore the relative ease with which attackers can crack the passwords used to unlock full disk encryption solutions. For these solutions to provide the expected level of defense and maintain the integrity of the data they are designed to protect, an extra layer of security, in the form of pre-boot strong authentication, is required. Double Protection with SafeNet’s ProtectDrive and eToken PRO SafeNet’s ProtectDrive is an award-winning full-disk encryption (FDE) product that secures the hard drives in laptops, workstations, and servers, as well as removable media. ProtectDrive provides an outstanding security and robustness level and is validated by a number of security certification bodies including FIPS 140-2 and Common Criteria. To provide maximum protection and security, and prevent the malicious attacks that could potentially crack the password used to unlock the disk encryption, ProtectDrive combines with SafeNet’s eToken PRO certificate-based strong authentication USB device. With eToken PRO, organizations can easily and effectively improve data security for ProtectDrive as well as other FDE solutions and provide cost-effective protection against the types of attacks discussed above. How Does the Combined Solution Increase Security? When encrypting a hard drive or partition, ProtectDrive creates a machine unique master security key, also referred to as a Master Security Certificate (MSC). The MSC is associated with the machine’s Pre-Boot Authentication (PBA) mechanism and determines that only after successful pre-boot authentication, is ProtectDrive able to decrypt the disk. To protect against attacks such as “Evil Maid” and increase security, eToken PRO, the leading USB Smart-Card authentication device is used to create and store the MSC in the secure environment of the smart card which resides on the eToken PRO device. Users who want to boot their computers, must have both their personal eToken PRO device and eToken PRO password. Only when these are provided together, can the MCA be retrieved from the secure environment of the eToken PRO, and used for successful pre-boot authentication which subsequently enables Enhancing the Security of Full Disk Encryption Solutions with Pre-Boot Authentication Security Guide 2
ProtectDrive to decrypt the disk. This solution provides a critical second level of security beyond simple passwords to protect your valuable digital business resources. 1 2 The user powers up The user her laptop, and after connects her BIOS boots, the eToken PRO ProtectDrive logon screen appears The user enters her After the boot 3 4 eToken PRO pass- process succeeds, word and the certifi- the Windows cate on the token is logon screen validated appears Password: 123456 Approve More About ProtectDrive and eToken PRO ProtectDrive ProtectDrive plays a key role in a comprehensive approach to data protection. The solution uses a sophisticated key-management system based on hybrid crypto concepts where the disk-encryption is done by using symmetric encryption (FIPS approved AES-256 algorithm), and asymmetric encryption is used for the key-management process (i.e., key-encryption-key, encrypting the disk-encryption symmetric key). Data is encrypted and decrypted “on the fly” providing a seamless user-experience. The solution offers a low total cost of ownership by using Microsoft Active Directory and Active Directory Application Management for central administration of policies and keys. eToken PRO eToken PRO, the world’s leading USB smart card authentication device, delivers highly secure strong two-factor authentication and advanced certificate-based security applications such as pre-boot authentication and digital signatures. eToken PRO utilizes certificate based technology to generate and store credentials, such as private keys, passwords and digital certificates, inside the protected environment of the smart card chip. eToken PRO allows organizations to streamline their authentication and access operations by offering strong authentication for remote access via VPN, network logon, password management, digital signing, pre-boot encryption and proximity - all on a single USB authenticator. With its USB form factor and common criteria/FIPS 140-2 Level 2 and 3 security certifications, eToken PRO ensures that security regulations are met, and that corporate networks and eBusiness resources are fully protected. About SafeNet Founded in 1983, SafeNet is a global leader in information security. SafeNet protects its customers’ most valuable assets, including identities, transactions, communications, data and software licensing, throughout the data lifecycle. More than 25,000 customers across both commercial enterprises and government agencies and in over 100 countries trust their information security needs to SafeNet. Contact Us: For all office locations and contact information, please visit www.safenet-inc.com Follow Us: www.safenet-inc.com/connected ©2010 SafeNet, Inc. All rights reserved. SafeNet and SafeNet logo are registered trademarks of SafeNet. All other product names are trademarks of their respective owners. ScG (EN)-12.5.10 Enhancing the Security of Full Disk Encryption Solutions with Pre-Boot Authentication Security Guide 3

Recommandé

Hard Disk Encryptions
Hard Disk EncryptionsHard Disk Encryptions
Hard Disk Encryptionsn|u - The Open Security Community
 
eIDAS Reference Guide
eIDAS Reference GuideeIDAS Reference Guide
eIDAS Reference GuideSafeNet
 
Whose Cloud is It Anyway - Data Security in the Cloud
Whose Cloud is It Anyway - Data Security in the CloudWhose Cloud is It Anyway - Data Security in the Cloud
Whose Cloud is It Anyway - Data Security in the CloudSafeNet
 
Whose Cloud Is It Anyway: Exploring Data Security Ownership and Control
Whose Cloud Is It Anyway: Exploring Data Security Ownership and ControlWhose Cloud Is It Anyway: Exploring Data Security Ownership and Control
Whose Cloud Is It Anyway: Exploring Data Security Ownership and ControlSafeNet
 
Cyber Security Management in a Highly Innovative World
Cyber Security Management in a Highly Innovative WorldCyber Security Management in a Highly Innovative World
Cyber Security Management in a Highly Innovative WorldSafeNet
 
Not Going Quietly: Gracefully Losing Control & Adapting to Cloud and Mobility
Not Going Quietly: Gracefully Losing Control & Adapting to Cloud and MobilityNot Going Quietly: Gracefully Losing Control & Adapting to Cloud and Mobility
Not Going Quietly: Gracefully Losing Control & Adapting to Cloud and MobilitySafeNet
 
ProtectV - Data Security for the Cloud
ProtectV - Data Security for the CloudProtectV - Data Security for the Cloud
ProtectV - Data Security for the CloudSafeNet
 
Cloud Monetization: A Step-by-Step Guide to Optimizing Your SaaS Business Model
Cloud Monetization: A Step-by-Step Guide to Optimizing Your SaaS Business ModelCloud Monetization: A Step-by-Step Guide to Optimizing Your SaaS Business Model
Cloud Monetization: A Step-by-Step Guide to Optimizing Your SaaS Business ModelSafeNet
 

Recommandé

Hard Disk Encryptions
Hard Disk EncryptionsHard Disk Encryptions
Hard Disk Encryptionsn|u - The Open Security Community
 
eIDAS Reference Guide
eIDAS Reference GuideeIDAS Reference Guide
eIDAS Reference GuideSafeNet
 
Whose Cloud is It Anyway - Data Security in the Cloud
Whose Cloud is It Anyway - Data Security in the CloudWhose Cloud is It Anyway - Data Security in the Cloud
Whose Cloud is It Anyway - Data Security in the CloudSafeNet
 
Whose Cloud Is It Anyway: Exploring Data Security Ownership and Control
Whose Cloud Is It Anyway: Exploring Data Security Ownership and ControlWhose Cloud Is It Anyway: Exploring Data Security Ownership and Control
Whose Cloud Is It Anyway: Exploring Data Security Ownership and ControlSafeNet
 
Cyber Security Management in a Highly Innovative World
Cyber Security Management in a Highly Innovative WorldCyber Security Management in a Highly Innovative World
Cyber Security Management in a Highly Innovative WorldSafeNet
 
Not Going Quietly: Gracefully Losing Control & Adapting to Cloud and Mobility
Not Going Quietly: Gracefully Losing Control & Adapting to Cloud and MobilityNot Going Quietly: Gracefully Losing Control & Adapting to Cloud and Mobility
Not Going Quietly: Gracefully Losing Control & Adapting to Cloud and MobilitySafeNet
 
ProtectV - Data Security for the Cloud
ProtectV - Data Security for the CloudProtectV - Data Security for the Cloud
ProtectV - Data Security for the CloudSafeNet
 
Cloud Monetization: A Step-by-Step Guide to Optimizing Your SaaS Business Model
Cloud Monetization: A Step-by-Step Guide to Optimizing Your SaaS Business ModelCloud Monetization: A Step-by-Step Guide to Optimizing Your SaaS Business Model
Cloud Monetization: A Step-by-Step Guide to Optimizing Your SaaS Business ModelSafeNet
 
SafeWord 2008 Migration Bundle Building a Fully Trusted Authentication Enviro...
SafeWord 2008 Migration Bundle Building a Fully Trusted Authentication Enviro...SafeWord 2008 Migration Bundle Building a Fully Trusted Authentication Enviro...
SafeWord 2008 Migration Bundle Building a Fully Trusted Authentication Enviro...SafeNet
 
A Single Strong Authentication Platform for Cloud and On-Premise Applications
A Single Strong Authentication Platform for Cloud and On-Premise ApplicationsA Single Strong Authentication Platform for Cloud and On-Premise Applications
A Single Strong Authentication Platform for Cloud and On-Premise ApplicationsSafeNet
 
Securing Digital Identities and Transactions in the Cloud Security Guide
Securing Digital Identities and Transactions in the Cloud Security GuideSecuring Digital Identities and Transactions in the Cloud Security Guide
Securing Digital Identities and Transactions in the Cloud Security GuideSafeNet
 
Securing Network-Attached HSMs: The SafeNet Luna SA Three-Layer Authenticatio...
Securing Network-Attached HSMs: The SafeNet Luna SA Three-Layer Authenticatio...Securing Network-Attached HSMs: The SafeNet Luna SA Three-Layer Authenticatio...
Securing Network-Attached HSMs: The SafeNet Luna SA Three-Layer Authenticatio...SafeNet
 
Introduction to PKI & SafeNet Luna Hardware Security Modules with Microsoft W...
Introduction to PKI & SafeNet Luna Hardware Security Modules with Microsoft W...Introduction to PKI & SafeNet Luna Hardware Security Modules with Microsoft W...
Introduction to PKI & SafeNet Luna Hardware Security Modules with Microsoft W...SafeNet
 
Cloud Computing and the Federal Government: Maximizing Trust Supporting the M...
Cloud Computing and the Federal Government: Maximizing Trust Supporting the M...Cloud Computing and the Federal Government: Maximizing Trust Supporting the M...
Cloud Computing and the Federal Government: Maximizing Trust Supporting the M...SafeNet
 
Hardware Security Modules: Critical to Information Risk Management
Hardware Security Modules: Critical to Information Risk ManagementHardware Security Modules: Critical to Information Risk Management
Hardware Security Modules: Critical to Information Risk ManagementSafeNet
 
Strong Authentication: Securing Identities and Enabling Business
Strong Authentication: Securing Identities and Enabling BusinessStrong Authentication: Securing Identities and Enabling Business
Strong Authentication: Securing Identities and Enabling BusinessSafeNet
 
Building Trust into eInvoicing: Key Requirements and Strategies
Building Trust into eInvoicing: Key Requirements and StrategiesBuilding Trust into eInvoicing: Key Requirements and Strategies
Building Trust into eInvoicing: Key Requirements and StrategiesSafeNet
 
A Question of Trust: How Service Providers Can Attract More Customers by Deli...
A Question of Trust: How Service Providers Can Attract More Customers by Deli...A Question of Trust: How Service Providers Can Attract More Customers by Deli...
A Question of Trust: How Service Providers Can Attract More Customers by Deli...SafeNet
 
Payment Card Security: 12-Steps to Meeting PCI-DSS Compliance with SafeNet
Payment Card Security: 12-Steps to Meeting PCI-DSS Compliance with SafeNetPayment Card Security: 12-Steps to Meeting PCI-DSS Compliance with SafeNet
Payment Card Security: 12-Steps to Meeting PCI-DSS Compliance with SafeNetSafeNet
 
E-Passport: Deploying Hardware Security Modules to Ensure Data Authenticity a...
E-Passport: Deploying Hardware Security Modules to Ensure Data Authenticity a...E-Passport: Deploying Hardware Security Modules to Ensure Data Authenticity a...
E-Passport: Deploying Hardware Security Modules to Ensure Data Authenticity a...SafeNet
 
SafeNet DataSecure vs. Native SQL Server Encryption
SafeNet DataSecure vs. Native SQL Server EncryptionSafeNet DataSecure vs. Native SQL Server Encryption
SafeNet DataSecure vs. Native SQL Server EncryptionSafeNet
 
Building Trust into DNS: Key Strategies
Building Trust into DNS: Key StrategiesBuilding Trust into DNS: Key Strategies
Building Trust into DNS: Key StrategiesSafeNet
 
Charting Your Path to Enterprise Key Management
Charting Your Path to Enterprise Key ManagementCharting Your Path to Enterprise Key Management
Charting Your Path to Enterprise Key ManagementSafeNet
 
Secure PIN Management How to Issue and Change PINs Securely over the Web
Secure PIN Management How to Issue and Change PINs Securely over the WebSecure PIN Management How to Issue and Change PINs Securely over the Web
Secure PIN Management How to Issue and Change PINs Securely over the WebSafeNet
 
An Enterprise Guide to Understanding Key Management
An Enterprise Guide to Understanding Key ManagementAn Enterprise Guide to Understanding Key Management
An Enterprise Guide to Understanding Key ManagementSafeNet
 
4 Steps to Financial Data Security Compliance Technologies to Help Your Finan...
4 Steps to Financial Data Security Compliance Technologies to Help Your Finan...4 Steps to Financial Data Security Compliance Technologies to Help Your Finan...
4 Steps to Financial Data Security Compliance Technologies to Help Your Finan...SafeNet
 
Securing the Smart Grid with SafeNet HSMs
Securing the Smart Grid with SafeNet HSMsSecuring the Smart Grid with SafeNet HSMs
Securing the Smart Grid with SafeNet HSMsSafeNet
 
Authentication_Best_Practices_WP(EN)_web
Authentication_Best_Practices_WP(EN)_webAuthentication_Best_Practices_WP(EN)_web
Authentication_Best_Practices_WP(EN)_webSafeNet
 

Contenu connexe

Plus de SafeNet

SafeWord 2008 Migration Bundle Building a Fully Trusted Authentication Enviro...
SafeWord 2008 Migration Bundle Building a Fully Trusted Authentication Enviro...SafeWord 2008 Migration Bundle Building a Fully Trusted Authentication Enviro...
SafeWord 2008 Migration Bundle Building a Fully Trusted Authentication Enviro...SafeNet
 
A Single Strong Authentication Platform for Cloud and On-Premise Applications
A Single Strong Authentication Platform for Cloud and On-Premise ApplicationsA Single Strong Authentication Platform for Cloud and On-Premise Applications
A Single Strong Authentication Platform for Cloud and On-Premise ApplicationsSafeNet
 
Securing Digital Identities and Transactions in the Cloud Security Guide
Securing Digital Identities and Transactions in the Cloud Security GuideSecuring Digital Identities and Transactions in the Cloud Security Guide
Securing Digital Identities and Transactions in the Cloud Security GuideSafeNet
 
Securing Network-Attached HSMs: The SafeNet Luna SA Three-Layer Authenticatio...
Securing Network-Attached HSMs: The SafeNet Luna SA Three-Layer Authenticatio...Securing Network-Attached HSMs: The SafeNet Luna SA Three-Layer Authenticatio...
Securing Network-Attached HSMs: The SafeNet Luna SA Three-Layer Authenticatio...SafeNet
 
Introduction to PKI & SafeNet Luna Hardware Security Modules with Microsoft W...
Introduction to PKI & SafeNet Luna Hardware Security Modules with Microsoft W...Introduction to PKI & SafeNet Luna Hardware Security Modules with Microsoft W...
Introduction to PKI & SafeNet Luna Hardware Security Modules with Microsoft W...SafeNet
 
Cloud Computing and the Federal Government: Maximizing Trust Supporting the M...
Cloud Computing and the Federal Government: Maximizing Trust Supporting the M...Cloud Computing and the Federal Government: Maximizing Trust Supporting the M...
Cloud Computing and the Federal Government: Maximizing Trust Supporting the M...SafeNet
 
Hardware Security Modules: Critical to Information Risk Management
Hardware Security Modules: Critical to Information Risk ManagementHardware Security Modules: Critical to Information Risk Management
Hardware Security Modules: Critical to Information Risk ManagementSafeNet
 
Strong Authentication: Securing Identities and Enabling Business
Strong Authentication: Securing Identities and Enabling BusinessStrong Authentication: Securing Identities and Enabling Business
Strong Authentication: Securing Identities and Enabling BusinessSafeNet
 
Building Trust into eInvoicing: Key Requirements and Strategies
Building Trust into eInvoicing: Key Requirements and StrategiesBuilding Trust into eInvoicing: Key Requirements and Strategies
Building Trust into eInvoicing: Key Requirements and StrategiesSafeNet
 
A Question of Trust: How Service Providers Can Attract More Customers by Deli...
A Question of Trust: How Service Providers Can Attract More Customers by Deli...A Question of Trust: How Service Providers Can Attract More Customers by Deli...
A Question of Trust: How Service Providers Can Attract More Customers by Deli...SafeNet
 
Payment Card Security: 12-Steps to Meeting PCI-DSS Compliance with SafeNet
Payment Card Security: 12-Steps to Meeting PCI-DSS Compliance with SafeNetPayment Card Security: 12-Steps to Meeting PCI-DSS Compliance with SafeNet
Payment Card Security: 12-Steps to Meeting PCI-DSS Compliance with SafeNetSafeNet
 
E-Passport: Deploying Hardware Security Modules to Ensure Data Authenticity a...
E-Passport: Deploying Hardware Security Modules to Ensure Data Authenticity a...E-Passport: Deploying Hardware Security Modules to Ensure Data Authenticity a...
E-Passport: Deploying Hardware Security Modules to Ensure Data Authenticity a...SafeNet
 
SafeNet DataSecure vs. Native SQL Server Encryption
SafeNet DataSecure vs. Native SQL Server EncryptionSafeNet DataSecure vs. Native SQL Server Encryption
SafeNet DataSecure vs. Native SQL Server EncryptionSafeNet
 
Building Trust into DNS: Key Strategies
Building Trust into DNS: Key StrategiesBuilding Trust into DNS: Key Strategies
Building Trust into DNS: Key StrategiesSafeNet
 
Charting Your Path to Enterprise Key Management
Charting Your Path to Enterprise Key ManagementCharting Your Path to Enterprise Key Management
Charting Your Path to Enterprise Key ManagementSafeNet
 
Secure PIN Management How to Issue and Change PINs Securely over the Web
Secure PIN Management How to Issue and Change PINs Securely over the WebSecure PIN Management How to Issue and Change PINs Securely over the Web
Secure PIN Management How to Issue and Change PINs Securely over the WebSafeNet
 
An Enterprise Guide to Understanding Key Management
An Enterprise Guide to Understanding Key ManagementAn Enterprise Guide to Understanding Key Management
An Enterprise Guide to Understanding Key ManagementSafeNet
 
4 Steps to Financial Data Security Compliance Technologies to Help Your Finan...
4 Steps to Financial Data Security Compliance Technologies to Help Your Finan...4 Steps to Financial Data Security Compliance Technologies to Help Your Finan...
4 Steps to Financial Data Security Compliance Technologies to Help Your Finan...SafeNet
 
Securing the Smart Grid with SafeNet HSMs
Securing the Smart Grid with SafeNet HSMsSecuring the Smart Grid with SafeNet HSMs
Securing the Smart Grid with SafeNet HSMsSafeNet
 
Authentication_Best_Practices_WP(EN)_web
Authentication_Best_Practices_WP(EN)_webAuthentication_Best_Practices_WP(EN)_web
Authentication_Best_Practices_WP(EN)_webSafeNet
 

Plus de SafeNet (20)

SafeWord 2008 Migration Bundle Building a Fully Trusted Authentication Enviro...
SafeWord 2008 Migration Bundle Building a Fully Trusted Authentication Enviro...SafeWord 2008 Migration Bundle Building a Fully Trusted Authentication Enviro...
SafeWord 2008 Migration Bundle Building a Fully Trusted Authentication Enviro...
 
A Single Strong Authentication Platform for Cloud and On-Premise Applications
A Single Strong Authentication Platform for Cloud and On-Premise ApplicationsA Single Strong Authentication Platform for Cloud and On-Premise Applications
A Single Strong Authentication Platform for Cloud and On-Premise Applications
 
Securing Digital Identities and Transactions in the Cloud Security Guide
Securing Digital Identities and Transactions in the Cloud Security GuideSecuring Digital Identities and Transactions in the Cloud Security Guide
Securing Digital Identities and Transactions in the Cloud Security Guide
 
Securing Network-Attached HSMs: The SafeNet Luna SA Three-Layer Authenticatio...
Securing Network-Attached HSMs: The SafeNet Luna SA Three-Layer Authenticatio...Securing Network-Attached HSMs: The SafeNet Luna SA Three-Layer Authenticatio...
Securing Network-Attached HSMs: The SafeNet Luna SA Three-Layer Authenticatio...
 
Introduction to PKI & SafeNet Luna Hardware Security Modules with Microsoft W...
Introduction to PKI & SafeNet Luna Hardware Security Modules with Microsoft W...Introduction to PKI & SafeNet Luna Hardware Security Modules with Microsoft W...
Introduction to PKI & SafeNet Luna Hardware Security Modules with Microsoft W...
 
Cloud Computing and the Federal Government: Maximizing Trust Supporting the M...
Cloud Computing and the Federal Government: Maximizing Trust Supporting the M...Cloud Computing and the Federal Government: Maximizing Trust Supporting the M...
Cloud Computing and the Federal Government: Maximizing Trust Supporting the M...
 
Hardware Security Modules: Critical to Information Risk Management
Hardware Security Modules: Critical to Information Risk ManagementHardware Security Modules: Critical to Information Risk Management
Hardware Security Modules: Critical to Information Risk Management
 
Strong Authentication: Securing Identities and Enabling Business
Strong Authentication: Securing Identities and Enabling BusinessStrong Authentication: Securing Identities and Enabling Business
Strong Authentication: Securing Identities and Enabling Business
 
Building Trust into eInvoicing: Key Requirements and Strategies
Building Trust into eInvoicing: Key Requirements and StrategiesBuilding Trust into eInvoicing: Key Requirements and Strategies
Building Trust into eInvoicing: Key Requirements and Strategies
 
A Question of Trust: How Service Providers Can Attract More Customers by Deli...
A Question of Trust: How Service Providers Can Attract More Customers by Deli...A Question of Trust: How Service Providers Can Attract More Customers by Deli...
A Question of Trust: How Service Providers Can Attract More Customers by Deli...
 
Payment Card Security: 12-Steps to Meeting PCI-DSS Compliance with SafeNet
Payment Card Security: 12-Steps to Meeting PCI-DSS Compliance with SafeNetPayment Card Security: 12-Steps to Meeting PCI-DSS Compliance with SafeNet
Payment Card Security: 12-Steps to Meeting PCI-DSS Compliance with SafeNet
 
E-Passport: Deploying Hardware Security Modules to Ensure Data Authenticity a...
E-Passport: Deploying Hardware Security Modules to Ensure Data Authenticity a...E-Passport: Deploying Hardware Security Modules to Ensure Data Authenticity a...
E-Passport: Deploying Hardware Security Modules to Ensure Data Authenticity a...
 
SafeNet DataSecure vs. Native SQL Server Encryption
SafeNet DataSecure vs. Native SQL Server EncryptionSafeNet DataSecure vs. Native SQL Server Encryption
SafeNet DataSecure vs. Native SQL Server Encryption
 
Building Trust into DNS: Key Strategies
Building Trust into DNS: Key StrategiesBuilding Trust into DNS: Key Strategies
Building Trust into DNS: Key Strategies
 
Charting Your Path to Enterprise Key Management
Charting Your Path to Enterprise Key ManagementCharting Your Path to Enterprise Key Management
Charting Your Path to Enterprise Key Management
 
Secure PIN Management How to Issue and Change PINs Securely over the Web
Secure PIN Management How to Issue and Change PINs Securely over the WebSecure PIN Management How to Issue and Change PINs Securely over the Web
Secure PIN Management How to Issue and Change PINs Securely over the Web
 
An Enterprise Guide to Understanding Key Management
An Enterprise Guide to Understanding Key ManagementAn Enterprise Guide to Understanding Key Management
An Enterprise Guide to Understanding Key Management
 
4 Steps to Financial Data Security Compliance Technologies to Help Your Finan...
4 Steps to Financial Data Security Compliance Technologies to Help Your Finan...4 Steps to Financial Data Security Compliance Technologies to Help Your Finan...
4 Steps to Financial Data Security Compliance Technologies to Help Your Finan...
 
Securing the Smart Grid with SafeNet HSMs
Securing the Smart Grid with SafeNet HSMsSecuring the Smart Grid with SafeNet HSMs
Securing the Smart Grid with SafeNet HSMs
 
Authentication_Best_Practices_WP(EN)_web
Authentication_Best_Practices_WP(EN)_webAuthentication_Best_Practices_WP(EN)_web
Authentication_Best_Practices_WP(EN)_web
 

Enhancing the Security of Full Disk Encryption Solutions with Pre- Boot Authentication Security Guide

  • 1. Enhancing the Security of Full Disk Encryption Solutions with Pre- Boot Authentication SECURITY GUIDE Table of Contents Introduction ........................................................................................................................ 2 Full-Disk Encryption: Not As Secure as You Might Think .................................................... 2 Double Protection with SafeNet’s ProtectDrive and eToken PRO ......................................... 2 How Does the Combined Solution Increase Security?.......................................................... 2 More About ProtectDrive and eToken PRO ........................................................................... 3 About SafeNet..................................................................................................................... 3 Enhancing the Security of Full Disk Encryption Solutions with Pre-Boot Authentication Security Guide 1
  • 2. “...people who encrypt their Introduction hard drives, or partitions on The loss, theft, or misappropriation of the organization’s endpoint systems could expose their hard drives, have to realize sensitive corporate information such as intellectual property, personnel records or government that the encryption gives them secrets, producing disastrous effects for the organization. Full disk encryption, combined with an extra layer of security in the form of pre-boot authentication, can provide an integral layer of less protection than they security against data loss, and can help address one of the most critical areas of exposure for an probably believe…The defenses organization: unprotected files housing sensitive data. are basically two-factor authentication: a token you don’t Full-Disk Encryption: Not As Secure as You Might Think leave in your hotel room for the In the summer of 2009, Joanna Rutkowska implemented a series of attacks known as the “Evil maid to find and use.” Maid” attacks, which were designed to crack a computer protected by a full disk encryption solution by using a USB stick infected with the “Evil Maid” Sniffer. The Evil Maid Sniffer, stored Bruce Schneier on a USB stick, infects the protected laptop and sniffs out the disk encryption passphrase when the user enters it next time. It was thus called because it can be used against laptops left unattended in hotel rooms where an attacker (presuming to be the hotel maid) surreptitiously reboots the laptop from the Evil Maid USB Stick, infecting the laptop with the sniffer software. During 2009 and 2010, additional attacks – all developed by various security researchers – were also carried out. These include the Cold Boot Attack, Stoned Boot Attack and Bitlocker Boot Process Attack, which infect the protected device with malware. The malware scans the memory or changes the Master Boot Record to enable passphrase sniffing. Following the success of these attacks, Bruce Schneier, one of the most accredited security experts today, pointed out in his blog, that FDE might be creating a sense of false complacency: “...people who encrypt their hard drives, or partitions on their hard drives, have to realize that the encryption gives them less protection than they probably believe…The defenses are basically two- factor authentication: a token you don’t leave in your hotel room for the maid to find and use.” The attacks described above underscore the relative ease with which attackers can crack the passwords used to unlock full disk encryption solutions. For these solutions to provide the expected level of defense and maintain the integrity of the data they are designed to protect, an extra layer of security, in the form of pre-boot strong authentication, is required. Double Protection with SafeNet’s ProtectDrive and eToken PRO SafeNet’s ProtectDrive is an award-winning full-disk encryption (FDE) product that secures the hard drives in laptops, workstations, and servers, as well as removable media. ProtectDrive provides an outstanding security and robustness level and is validated by a number of security certification bodies including FIPS 140-2 and Common Criteria. To provide maximum protection and security, and prevent the malicious attacks that could potentially crack the password used to unlock the disk encryption, ProtectDrive combines with SafeNet’s eToken PRO certificate-based strong authentication USB device. With eToken PRO, organizations can easily and effectively improve data security for ProtectDrive as well as other FDE solutions and provide cost-effective protection against the types of attacks discussed above. How Does the Combined Solution Increase Security? When encrypting a hard drive or partition, ProtectDrive creates a machine unique master security key, also referred to as a Master Security Certificate (MSC). The MSC is associated with the machine’s Pre-Boot Authentication (PBA) mechanism and determines that only after successful pre-boot authentication, is ProtectDrive able to decrypt the disk. To protect against attacks such as “Evil Maid” and increase security, eToken PRO, the leading USB Smart-Card authentication device is used to create and store the MSC in the secure environment of the smart card which resides on the eToken PRO device. Users who want to boot their computers, must have both their personal eToken PRO device and eToken PRO password. Only when these are provided together, can the MCA be retrieved from the secure environment of the eToken PRO, and used for successful pre-boot authentication which subsequently enables Enhancing the Security of Full Disk Encryption Solutions with Pre-Boot Authentication Security Guide 2
  • 3. ProtectDrive to decrypt the disk. This solution provides a critical second level of security beyond simple passwords to protect your valuable digital business resources. 1 2 The user powers up The user her laptop, and after connects her BIOS boots, the eToken PRO ProtectDrive logon screen appears The user enters her After the boot 3 4 eToken PRO pass- process succeeds, word and the certifi- the Windows cate on the token is logon screen validated appears Password: 123456 Approve More About ProtectDrive and eToken PRO ProtectDrive ProtectDrive plays a key role in a comprehensive approach to data protection. The solution uses a sophisticated key-management system based on hybrid crypto concepts where the disk-encryption is done by using symmetric encryption (FIPS approved AES-256 algorithm), and asymmetric encryption is used for the key-management process (i.e., key-encryption-key, encrypting the disk-encryption symmetric key). Data is encrypted and decrypted “on the fly” providing a seamless user-experience. The solution offers a low total cost of ownership by using Microsoft Active Directory and Active Directory Application Management for central administration of policies and keys. eToken PRO eToken PRO, the world’s leading USB smart card authentication device, delivers highly secure strong two-factor authentication and advanced certificate-based security applications such as pre-boot authentication and digital signatures. eToken PRO utilizes certificate based technology to generate and store credentials, such as private keys, passwords and digital certificates, inside the protected environment of the smart card chip. eToken PRO allows organizations to streamline their authentication and access operations by offering strong authentication for remote access via VPN, network logon, password management, digital signing, pre-boot encryption and proximity - all on a single USB authenticator. With its USB form factor and common criteria/FIPS 140-2 Level 2 and 3 security certifications, eToken PRO ensures that security regulations are met, and that corporate networks and eBusiness resources are fully protected. About SafeNet Founded in 1983, SafeNet is a global leader in information security. SafeNet protects its customers’ most valuable assets, including identities, transactions, communications, data and software licensing, throughout the data lifecycle. More than 25,000 customers across both commercial enterprises and government agencies and in over 100 countries trust their information security needs to SafeNet. Contact Us: For all office locations and contact information, please visit www.safenet-inc.com Follow Us: www.safenet-inc.com/connected ©2010 SafeNet, Inc. All rights reserved. SafeNet and SafeNet logo are registered trademarks of SafeNet. All other product names are trademarks of their respective owners. ScG (EN)-12.5.10 Enhancing the Security of Full Disk Encryption Solutions with Pre-Boot Authentication Security Guide 3