Security Basics mailing list archives
RE: The ugly side of using disk encryption
From: "Hagen, Eric" <hagene () DenverNewspaperAgency com>
Date: Mon, 23 Oct 2006 11:35:43 -0600
Speaking of TrueCrypt, a bruteforce attack is totally out of the question at this point. Any of the three cyphers in use will make the data irrelevantly hard to crack using sheer computing power. the only reason to even bother with the three-cypher is if the data will still be relevant in 20-40 years, when the technology to crack any single cypher *might* be available. However, this would also require a mathematical breakthrough, as the current state of encryption is not just a few orders of magnitude away from being broken, but dozens of orders of magnitude. As for the use of a hidden partition, this is really only useful for plausable deniability. Creating a hidden partition within a real partition allows the user to give up a passphrase under interrogation or otherwise, and have that passphrase be valid and decrypt some data. Unless your employees are likely to be kidnapped and compelled to disclose their passphrase, the hidden partition does little for your security. You can, however, use any random filename buried within the file structure c:\windows\system32\arrgh.not is just as valid a filename as any other as far as truecrypt is concerned, but having a 10GB file floating around would be pretty obvious to a would-be attacker, so this really only useful for small amounts of data. The greatest risk to your encryption from corporate espionage would likely be from two means: 1) Intercepting the data as it is being used with software such as a screen capture application to capture secure data without ever getting decryption passwords or keys. This requires administrator access to the PC, so keep them digitally-hardened and keep them physically in your hands and that's all you can do. 2) Intercepting encryption passphrases using a keylogger or even a video camera while watching the employee type. the only means of bruteforce that is practical against an advanced encryption scheme like this would be to target the passphrase, which is likely far weaker than the encryption itself. Keep your passphrase complex and random, but not so complex that people have to write it down. Also, use a second means of authentication. Biometric is great if you can do it, there are some companies that sell integrated thumbprint scanner laptops or you can pick up a PCMCIA model that can retract into the bay until use. the technical side of the data security is far stronger than the user-side, so comprehensive education and enforcement of policies is far more important than what cypher you use on the data. keep that in mind. Eric -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]On Behalf Of Will Yonker Sent: Saturday, October 21, 2006 7:13 PM To: security-basics () securityfocus com Subject: RE: The ugly side of using disk encryption This thread has finally got me off my butt. I have been meaning to create some sort of encryption standard for a few customers but encryption really isn't my area. So here is the question: What is the best way to encrypt data? A broad question, I know. Let me narrow it down. 1) Some users work with sensitive data on their laptops when in places where network access is unreliable. 2) This is data that would be useful to competitors. It could be financially beneficial for these competitors to hire professionals to gain access to any data that might be stored on the laptop. 3) The data can be in the gigabytes but not more than 10 GB. 4) Speed of the decryption is not a large factor. 5) Some of the files will be MS Word and MS Excel documents. 6) All machines are running Windows XP. Now, I've taken a look at TrueCrypt and figured that a three cypher, hidden volume, passphrase + key stored on USB stick to be the best that I could do. I was also playing with the idea of installing TrueCrypt only on the USB stick so the attacker would have to guess what was used to create the hidden volume if they found it. Is this the best approach? Is there more that I could do to easily enhance the security? Do I need to worry about clearing something off the C:\ drive like the system cache? I'm guessing a medium sized corporation would be willing to put more effort into obtaining the data than the government did with this guy. Most have a powerful cluster at their disposal so I guess they could brute force it. Is there a way I can make that take longer? I know there is no perfect solution, just ways to slow down the attackers. As always, any help would be appreciated. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. --------------------------------------------------------------------------- This list is sponsored by: Norwich University EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life. http://www.msia.norwich.edu/secfocus --------------------------------------------------------------------------- --------------------------------------------------------------------------- This list is sponsored by: Norwich University EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life. http://www.msia.norwich.edu/secfocus ---------------------------------------------------------------------------
Current thread:
- RE: The ugly side of using disk encryption, (continued)
- RE: The ugly side of using disk encryption Dan Anderson (Oct 20)
- RE: The ugly side of using disk encryption Robert D. Holtz - Lists (Oct 20)
- -Real- anonymity (was: The ugly side of using disk encryption) Michael Painter (Oct 20)
- RE: The ugly side of using disk encryption Hagen, Eric (Oct 20)
- Re: The ugly side of using disk encryption Saqib Ali (Oct 20)
- RE: The ugly side of using disk encryption Hagen, Eric (Oct 20)
- Re: RE: The ugly side of using disk encryption qxlr (Oct 23)
- RE: RE: The ugly side of using disk encryption Henry Troup (Oct 23)
- Re: RE: The ugly side of using disk encryption qxlr (Oct 23)
- FW: The ugly side of using disk encryption Isaac Van Name (Oct 20)
- RE: RE: The ugly side of using disk encryption Hagen, Eric (Oct 23)
- RE: The ugly side of using disk encryption Hagen, Eric (Oct 23)
- RE: The ugly side of using disk encryption Will Yonker (Oct 27)