
Enhancing the Security of Full Disk Encryption Solutions with Pre-Boot Authentication
Security Guide

Table of Contents
Introduction
Full-Disk Encryption: Not As Secure as You Might Think
Double Protection with SafeNet’s ProtectDrive and eToken PRO
How Does the Combined Solution Increase Security?
More About ProtectDrive and eToken PRO
About SafeNet


Introduction

The loss, theft, or misappropriation of the organization’s endpoint systems could expose sensitive corporate information such as intellectual property, personnel records or government secrets, producing disastrous effects for the organization. Full disk encryption, combined with an extra layer of security in the form of pre-boot authentication, can provide an integral layer of security against data loss, and can help address one of the most critical areas of exposure for an organization: unprotected files housing sensitive data.

Full-Disk Encryption: Not As Secure as You Might Think

In the summer of 2009, Joanna Rutkowska implemented a series of attacks known as the “Evil Maid” attacks, which were designed to crack a computer protected by a full disk encryption solution by using a USB stick carrying the “Evil Maid” Sniffer. The Evil Maid Sniffer, stored on a USB stick, infects the protected laptop and captures the disk encryption passphrase the next time the user enters it. The attack is so named because it can be used against laptops left unattended in hotel rooms, where an attacker (posing as the hotel maid) surreptitiously reboots the laptop from the Evil Maid USB stick, infecting the laptop with the sniffer software.

During 2009 and 2010, additional attacks, all developed by various security researchers, were also carried out. These include the Cold Boot Attack, the Stoned Boot Attack and the BitLocker Boot Process Attack, which infect the protected device with malware. The malware scans memory or modifies the Master Boot Record to enable passphrase sniffing.

Following the success of these attacks, Bruce Schneier, one of the most accredited security experts today, pointed out in his blog that FDE might be creating a sense of false complacency: “...people who encrypt their hard drives, or partitions on their hard drives, have to realize that the encryption gives them less protection than they probably believe…The defenses are basically two-factor authentication: a token you don’t leave in your hotel room for the maid to find and use.”

The attacks described above underscore the relative ease with which attackers can crack the passwords used to unlock full disk encryption solutions. For these solutions to provide the expected level of defense and maintain the integrity of the data they are designed to protect, an extra layer of security, in the form of pre-boot strong authentication, is required.

Double Protection with SafeNet’s ProtectDrive and eToken PRO

SafeNet’s ProtectDrive is an award-winning full-disk encryption (FDE) product that secures the hard drives in laptops, workstations, and servers, as well as removable media. ProtectDrive provides an outstanding level of security and robustness and is validated against a number of security certification schemes, including FIPS 140-2 and Common Criteria.

To provide maximum protection and security, and prevent the malicious attacks that could potentially crack the password used to unlock the disk encryption, ProtectDrive combines with SafeNet’s eToken PRO certificate-based strong authentication USB device. With eToken PRO, organizations can easily and effectively improve data security for ProtectDrive as well as other FDE solutions and provide cost-effective protection against the types of attacks discussed above.

How Does the Combined Solution Increase Security?

When encrypting a hard drive or partition, ProtectDrive creates a machine-unique master security key, also referred to as a Master Security Certificate (MSC). The MSC is associated with the machine’s Pre-Boot Authentication (PBA) mechanism and ensures that ProtectDrive can decrypt the disk only after successful pre-boot authentication.

To protect against attacks such as “Evil Maid” and increase security, eToken PRO, the leading USB smart-card authentication device, is used to create and store the MSC in the secure environment of the smart card that resides on the eToken PRO device. Users who want to boot their computers must have both their personal eToken PRO device and their eToken PRO password. Only when these are provided together can the MSC be retrieved from the secure environment of the eToken PRO and used for successful pre-boot authentication, which subsequently enables ProtectDrive to decrypt the disk. This solution provides a critical second level of security beyond simple passwords to protect your valuable digital business resources.

Figure: the pre-boot logon flow with ProtectDrive and eToken PRO
1. The user powers up her laptop, and after BIOS boots, the ProtectDrive logon screen appears.
2. The user connects her eToken PRO.
3. The user enters her eToken PRO password and the certificate on the token is validated.
4. After the boot process succeeds, the Windows logon screen appears.

Contact Us: For all office locations and contact information, please visit www.safenet-inc.com
Follow Us: www.safenet-inc.com/connected

©2010 SafeNet, Inc. All rights reserved. SafeNet and SafeNet logo are registered trademarks of SafeNet. All other product names are trademarks of their respective owners. ScG (EN)-12.5.10

More About ProtectDrive and eToken PRO

ProtectDrive

ProtectDrive plays a key role in a comprehensive approach to data protection. The solution uses a sophisticated key-management system based on hybrid cryptography: the disk encryption itself is done with symmetric encryption (the FIPS-approved AES-256 algorithm), and asymmetric encryption is used for the key-management process (i.e., a key-encryption key that encrypts the symmetric disk-encryption key). Data is encrypted and decrypted “on the fly”, providing a seamless user experience. The solution offers a low total cost of ownership by using Microsoft Active Directory and Active Directory Application Management for central administration of policies and keys.
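The two-key design described in this paragraph and in “How Does the Combined Solution Increase Security?” (a symmetric AES-256 disk key wrapped by an asymmetric key held on the token, released at pre-boot only when the token and its password are both present) is worked through below in Go as an added example. It is not SafeNet’s code and does not model the real ProtectDrive or eToken PRO formats, certificates or APIs. Everything in it is assumed for illustration: RSA-OAEP as the key-encryption key, AES-GCM as a stand-in for the sector cipher, a hypothetical Token type that enforces a three-try PIN lockout, and a constructed PIN and sample data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

const maxPINFailures = 3 // assumed retry limit; on a real card this is an administrator-set policy

// Token is a hypothetical model of the smart-card side of a USB authenticator: the private key is
// used only inside Unwrap, which requires the PIN and locks the token after repeated failures.
type Token struct {
	priv     *rsa.PrivateKey
	pin      string
	failures int
	locked   bool
}

// NewToken personalises a token with a PIN; software key generation stands in for on-card generation.
func NewToken(pin string) (*Token, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Token{priv: priv, pin: pin}, nil
}

// PublicKey is the only key material that ever leaves the token.
func (t *Token) PublicKey() *rsa.PublicKey { return &t.priv.PublicKey }

// Unwrap is the pre-boot authentication step: the token (something you have) performs the private-key
// operation only after the PIN (something you know) checks out, and only then releases the disk key.
func (t *Token) Unwrap(pin string, wrapped []byte) ([]byte, error) {
	if t.locked {
		return nil, errors.New("token locked: too many wrong PINs")
	}
	if pin != t.pin {
		t.failures++
		t.locked = t.failures >= maxPINFailures
		return nil, errors.New("wrong PIN")
	}
	t.failures = 0
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, t.priv, wrapped, nil)
}

// ProvisionDisk generates a random 256-bit AES disk-encryption key (DEK) and wraps it under the token's
// public key (the key-encryption-key step). Only the wrapped blob is ever written to the pre-boot area.
func ProvisionDisk(pub *rsa.PublicKey) (dek, wrapped []byte, err error) {
	dek = make([]byte, 32)
	if _, err = io.ReadFull(rand.Reader, dek); err != nil {
		return nil, nil, err
	}
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dek, nil)
	return dek, wrapped, err
}

// gcmFor builds the AES-256 AEAD that stands in for on-the-fly sector encryption. Real FDE uses a
// sector-tweaked mode such as XTS; GCM is used here only because it ships in the standard library.
func gcmFor(dek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptBlock seals plaintext under the DEK, prefixing a random nonce to the output.
func EncryptBlock(dek, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(dek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptBlock reverses EncryptBlock; it fails on a wrong key or a tampered ciphertext.
func DecryptBlock(dek, sealed []byte) ([]byte, error) {
	gcm, err := gcmFor(dek)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

func main() {
	tok, _ := NewToken("1234") // constructed demo PIN
	dek, wrapped, _ := ProvisionDisk(tok.PublicKey())
	sealed, _ := EncryptBlock(dek, []byte("payroll.xlsx contents")) // constructed sample data
	recovered, err := tok.Unwrap("1234", wrapped)                     // token + correct PIN releases the DEK
	plain, _ := DecryptBlock(recovered, sealed)
	fmt.Println(err, string(plain))
}
```

The point the model makes is the one the guide argues in prose: the only secret that lives on the disk is the wrapped DEK, which is useless without the private-key operation that happens inside the token, and the token refuses that operation without the PIN and locks after repeated wrong PINs. A passphrase captured by boot-time sniffing therefore no longer unlocks the disk on its own; the physical token must also be present.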

eToken PRO

eToken PRO, the world’s leading USB smart card authentication device, delivers highly secure strong two-factor authentication and advanced certificate-based security applications such as pre-boot authentication and digital signatures. eToken PRO utilizes certificate-based technology to generate and store credentials, such as private keys, passwords and digital certificates, inside the protected environment of the smart card chip.

eToken PRO allows organizations to streamline their authentication and access operations by offering strong authentication for remote access via VPN, network logon, password management, digital signing, pre-boot encryption and proximity, all on a single USB authenticator. With its USB form factor and Common Criteria and FIPS 140-2 Level 2 and 3 security certifications, eToken PRO ensures that security regulations are met, and that corporate networks and eBusiness resources are fully protected.

About SafeNet

Founded in 1983, SafeNet is a global leader in information security. SafeNet protects its customers’ most valuable assets, including identities, transactions, communications, data and software licensing, throughout the data lifecycle. More than 25,000 customers across both commercial enterprises and government agencies and in over 100 countries trust their information security needs to SafeNet.