Security Review: Full disk encryption
Summary
The past week has seen a renewed interest on the part of the security community in the reliability of hard disk encryption. With the recent revelation that data on encrypted drives is vulnerable to unauthorized access via memory manipulation, the technology has come under new scrutiny, and the integrity of existing disk encryption technologies is being questioned. While this blog has explored both the recent security breach and specific encryption tools (cold-boot attacks , Truecrypt security review), this security review will take a broad look at the security principles behind disk encryption and vendor-independent weaknesses and strengths of the technology.
Generally speaking, hard disk encryption was developed in an effort to solve the physical security problem posed by many sensitive systems, namely, that no level of software protection or network security would prevent an adversary from having complete access to the entire contents of an owner’s drive if they had physical access to the machine. In the case of laptops, public kiosks, and other physically vulnerable locations, a clear need for physical data security exists. In theory, disk encryption provides such a service, making it impossible for an attacker to remove a disk and access the data stored on it without having the correct authentication information.
There are a variety of methods by which disk encryption is achieved. Encryption at the file system layer allows for individual files to be selectively encrypted and decrypted, while full disk encryption takes place near the physical layer with facilitation by the OS, and all bits written or read from the disk platters are encrypted. In the case of full disk encryption, a software layer generally provides on-the-fly encryption/decryption so as to make the process invisible to the end user. In order to decode the data correctly, a key must be provided to the software layer. Such a key is generally encrypted and stored in the file system, and then decrypted when the system receives a valid authentication from the user. Once the key is available, it can be used for I/O operations for the remainder of the user’s session.
Assets/Security Goals
The privacy of the user’s data on the encrypted machine is clearly the primary asset when considering disk encoding. An adversary should be unable to read the actual contents of the drive given unlimited physical access to the machine. A secondary asset is the integrity of the data on the disk. An attack should not be able to predictably change the data on the disk without the user’s knowledge.
Adversaries/Threats
A clear adversary to physically unprotected systems is casual theft in which an attacker steals a protected system. For the sake of categorization, we will assume that such thefts are not specifically targeting encrypted data, and that it is unlikely such an attacker would have the technical knowledge to launch sophisticated efforts to break the encryption algorithm. Conversely, a second adversary may be a more sophisticated thief, perhaps with the goal of identity theft or corporate espionage, in which specific sensitive and encrypted data is targeted and the adversary has advanced computer and encryption knowledge.
Potential weaknesses
A significant weakness has been found with multiple implementations of full disk encryption involving the recovery of encryption keys from memory. This vulnerability has been previous discussed on the blog, and more information can be found here.
Another weakness may lie in the implementation and user configuration of the disk encryption software. Some software has been known to use keys as small as 40 bits in length, making it vulnerable to brute-force attacks. Other implementations allow users to bypass entering a password to verify a user’s access to the file system, and thereby grant access by default. Finally, as with many security systems, there remains a significant risk of user error. Depending on the specific software, users are frequently given the choice of making backup copies of the encryption keys, and storing them on a USB drive or other accessible media. The likelihood that a significant portion of users will store such a backup with or near the computer being protected seems high, and would result in the protection afforded by the disk encryption useless.
Potential Defenses
The question of cryptographic strength is perhaps the most easily addressed weakness described above. Most modern software allows for a minimum of 128-bit encryption, with the option of using 256-bit keys, making it far more difficult to gain access to the data via brute force.
User error is far more difficult to account for, though it is possible to mitigate some of the risks. Requirements for strong passwords would ensure that the password needed to decrypt the drive could not be easily guessed or brute-forced. At the same time, the secure use of a recovery key could be enhanced by requiring an additional form of verification, such as a biometric reading, to ensure the individual trying to recover the drive’s contents is in fact authorized to do so.
Evaluate risks associated with assets/threats/weaknesses described
Ultimately, it appears that disk encryption provides a solid layer of physical security to protect against basic and non-targeted attacks. With the use of strong encryption algorithms, it seems likely that the threat from casual theft is suitably secured against. Only those adversaries with the motive and skills to specifically attack encrypted data would likely be able to exploit existing holes in disk encryption software. Incorporation of the suggested defenses would additionally secure the systems and make them more viable security solutions against both advanced and casual attackers. Critically, despite the apparent protection afforded by complete encoding of the disk, disk encryption is not an infallible security option, and like all security measures, suffers from a dependence on proper user behavior and implementation.
Travis M, David W, Max A.