In association with heise online

What can go wrong?

A huge problem with encryption is that it turns small data losses into non-linear ones. A normal "soft sector" on a disk drive, e.g. caused by a notebook being dropped on the floor, or allowed near an airport luggage handler, causes local data loss, often limited to a single record or even less. On an encrypted volume, damage confined to ordinary data sectors is no worse than that, because full-volume encryption works sector by sector; but damage to the few sectors holding the volume's metadata and its encrypted keys, or loss of the key itself, renders the entire volume unreadable, however intact the rest of the data is. The same goes for an encrypted file whose key is gone: that file is 100% lost.

A simple system failure, e.g. an electrical fault in the motherboard of a computer, normally means the motherboard is replaced and you are up and running again fifteen minutes later, your PC as good as new. In the worst case you move the hard disk, including all its information, to a new PC. With a Vista-based computer whose system volume is protected by BitLocker bound to the TPM, things are rather different. The key that unlocks the disk is sealed in the TPM on the old motherboard, so you cannot move the disk drive, or replace the motherboard, and simply carry on: without the BitLocker recovery password or recovery key the volume stays locked, and even a BIOS update can change the TPM measurements and drop the machine into recovery mode. Without that recovery material, repairs are pointless and a complete rebuild, plus a restore from backup, is required. This can potentially lead to both private and corporate data losses of significant importance.

Backed up or remotely stored copies of the encrypted data (a raw image of a BitLocker volume, or EFS files copied with their encryption intact) will often not be recoverable either, because the only copy of the decryption key lived in the broken PC: in its TPM for BitLocker, or in the user's profile for EFS.

The difficulties for computer forensics, and hence law enforcement, will be huge, and prosecutions of individuals, e.g. for possession of child abuse images, potentially rendered extremely difficult because it will often no longer be possible to extract incriminating information from a suspect's computer. All a suspect has to do when the police knock on the door is spill coffee over the machine: with the motherboard, and the TPM on it, dead and no recovery password to be found, the disk is unrecoverable and there is plausible deniability - "Sorry, officer, your knock startled me, and I spilled my coffee".

The same applies, of course, to anyone else attempting data recovery, including the legitimate owner.

Mitigation

Microsoft has made a fairly comprehensive recovery system available, including alternative access methods, called BitLocker Recovery. For it to work, though, a 48-digit recovery password or a recovery key file must be generated and saved when the volume is encrypted, and that recovery material must itself be held securely, and somewhere other than on the computer it unlocks. In a corporate context these measures must be tested and validated regularly as part of the business continuity process. The recovery password can be escrowed automatically in Active Directory via Group Policy, so that the helpdesk can retrieve it when a user's machine lands in recovery mode. EFS has its own, separate recovery path: data recovery agent (DRA) certificates defined in policy, with user and recovery keys that can be held off the machine, e.g. on smart cards, or backed up through a PKI.
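The check an administrator would actually want to run against the above is whether a given BitLocker volume has a recovery protector at all, and whether it has been escrowed. The following is an added example, not code from the article or from Microsoft: it uses the Win32_EncryptableVolume WMI class that BitLocker exposes, adds a numerical (48-digit) recovery password if the volume has none, and pushes it to Active Directory. It assumes PowerShell 2.0 or later, an elevated prompt, the BitLocker AD schema extension, and the "Turn on BitLocker backup to Active Directory Domain Services" policy being in force; the $DriveLetter parameter is the only input and defaults to the system volume.

```powershell
# Added example (not from the article): verify that a BitLocker volume has a
# recovery password protector and escrow it to AD DS via Win32_EncryptableVolume.
# Assumes PowerShell 2.0+, an elevated shell, and the AD backup policy/schema.
param([string]$DriveLetter = "C:")   # assumption: the volume to check

# Key protector type codes as documented for Win32_EncryptableVolume
$KpType = @{ 0 = "Unknown"; 1 = "TPM"; 2 = "ExternalKey(USB)"; 3 = "NumericalPassword";
             4 = "TPM+PIN"; 5 = "TPM+StartupKey"; 6 = "TPM+PIN+StartupKey";
             7 = "PublicKey"; 8 = "Passphrase" }

$ns  = "root\CIMV2\Security\MicrosoftVolumeEncryption"
$vol = Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume `
                     -Filter "DriveLetter='$DriveLetter'"
if (-not $vol) { throw "No encryptable volume $DriveLetter on this machine" }

# ProtectionStatus: 0 = unprotected, 1 = protected, 2 = unknown
$status = $vol.GetProtectionStatus().ProtectionStatus
Write-Host ("{0} protection status: {1}" -f $DriveLetter, $status)

# Enumerate every key protector on the volume (type 0 = all types)
$ids = $vol.GetKeyProtectors(0).VolumeKeyProtectorID
$recoveryIds = @()
if ($ids) {
    foreach ($id in $ids) {
        $t = $vol.GetKeyProtectorType($id).KeyProtectorType
        Write-Host ("  protector {0}: {1}" -f $id, $KpType[[int]$t])
        if ($t -eq 3) { $recoveryIds += $id }
    }
}

# A TPM-only volume with no numerical password is exactly the failure mode
# described above: a new motherboard means no way back in.
if ($recoveryIds.Count -eq 0) {
    Write-Warning "No recovery password protector on $DriveLetter; adding one"
    # Both parameters (friendly name, password) are optional; BitLocker
    # generates the 48-digit password itself when they are null.
    $r = $vol.ProtectKeyWithNumericalPassword($null, $null)
    if ($r.ReturnValue -ne 0) {
        throw ("ProtectKeyWithNumericalPassword failed: 0x{0:X}" -f $r.ReturnValue)
    }
    $recoveryIds += $r.VolumeKeyProtectorID
}

# Escrow each recovery password to AD DS so it is not tied to this PC
foreach ($id in $recoveryIds) {
    $b = $vol.BackupRecoveryInformationToActiveDirectory($id)
    if ($b.ReturnValue -eq 0) { Write-Host ("  escrowed {0} to AD DS" -f $id) }
    else { Write-Warning ("  escrow of {0} failed: 0x{1:X}" -f $id, $b.ReturnValue) }
}
```

Run it as part of the post-build check for every BitLocker machine; a non-zero return from the escrow call is the signal that the recovery password exists only on this box, which is the state the article warns about.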

So far, so good. These measures can recover an encrypted file system. The recovery of data encrypted by an application itself, however, is completely at the mercy of the application provider. So when choosing applications to run under Vista, make sure a recovery scheme exists which is comprehensive, easy to manage, reliable and secure.

Computer faults remain between the ears of the users

No Vista edition ships with these measures enabled by default, and BitLocker is only available in the Enterprise and Ultimate editions at all. Hence, in your typical organisation you will have users turning on BitLocker or EFS after installation, as well as installing third party applications using various cryptographic functions, without anyone having planned for the keys. This is the usual configuration drift problem - only in this case it has the non-linear consequences described above. So, as a system administrator you need to apply the usual solutions: lock down machine configurations, bind security configurations to Group Policy settings and carry out regular audits of crypto settings. Only, you need to be a great deal more diligent.

Consequences for Business Continuity Planning

You need to take control by identifying all cryptographic services in use, and by finding and recording all:

  • encrypted data objects
  • items containing keys and credentials
  • recovery mechanisms

Data protection needs to be revised and probably extended to:

  • ensure all data is copied and protected
  • prevent abuse of data items and encryption mechanisms

All this obviously needs to be audited and tested regularly. Vista does not require a revolution in how these things are done. It does, however, represent a considerable paradigm shift, with potentially severe legal and operational implications.
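The inventory the two lists above call for (encrypted data objects, the key material they depend on, and whether a recovery path exists) can be bootstrapped from the machine itself. The following is an added example, not code from the article: it walks the BitLocker volumes and their protector types, finds EFS-encrypted files under a set of roots, lists the current user's EFS certificates, and writes the lot to a CSV for the business continuity register. It assumes PowerShell 2.0 or later; the $Roots and $Out parameters are assumptions and default to the user's profile and a temp file.

```powershell
# Added example (not from the article): first-pass inventory of encrypted
# objects and the key material they depend on. Assumes PowerShell 2.0+.
param([string[]]$Roots = @($env:USERPROFILE),                  # assumption: where to look for EFS files
      [string]$Out = (Join-Path $env:TEMP "crypto-inventory.csv"))  # assumption: report path

$rows = @()

# 1. BitLocker volumes: what is encrypted, and which protector types unlock it
$ns = "root\CIMV2\Security\MicrosoftVolumeEncryption"
foreach ($v in @(Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume)) {
    # ConversionStatus: 0 decrypted, 1 fully encrypted, 2/3 en/decryption in progress
    $conv  = $v.GetConversionStatus()
    $types = @()
    $ids   = $v.GetKeyProtectors(0).VolumeKeyProtectorID     # 0 = all protector types
    if ($ids) { foreach ($id in $ids) { $types += [int]$v.GetKeyProtectorType($id).KeyProtectorType } }
    $rows += New-Object PSObject -Property @{
        Kind        = "BitLockerVolume"
        Object      = $v.DriveLetter
        Detail      = ("conversion={0} pct={1}" -f $conv.ConversionStatus, $conv.EncryptionPercentage)
        KeyMaterial = ($types -join ";")
        HasRecovery = [bool]($types -contains 3)               # 3 = numerical password protector
    }
}

# 2. EFS-encrypted files: each needs its owner's EFS certificate, or a DRA, to open
foreach ($root in $Roots) {
    $files = Get-ChildItem -Path $root -Recurse -Force -ErrorAction SilentlyContinue |
             Where-Object { -not $_.PSIsContainer -and
                            ($_.Attributes -band [IO.FileAttributes]::Encrypted) }
    foreach ($f in @($files)) {
        if (-not $f) { continue }
        $rows += New-Object PSObject -Property @{
            Kind        = "EfsFile"
            Object      = $f.FullName
            Detail      = ("{0} bytes" -f $f.Length)
            KeyMaterial = (Get-Acl $f.FullName).Owner           # whose EFS key this file depends on
            HasRecovery = $null   # not visible from the file; check the EFS DRA policy instead
        }
    }
}

# 3. Key material: EFS certificates in the current user's store (EKU 1.3.6.1.4.1.311.10.3.4)
$efsCerts = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq "1.3.6.1.4.1.311.10.3.4" }
}
foreach ($c in @($efsCerts)) {
    if (-not $c) { continue }
    $rows += New-Object PSObject -Property @{
        Kind        = "EfsCertificate"
        Object      = $c.Thumbprint
        Detail      = ("expires {0}" -f $c.NotAfter)
        KeyMaterial = $c.Subject
        HasRecovery = $null   # an exported .pfx of this cert must exist off the machine; verify separately
    }
}

$rows | Select-Object Kind, Object, Detail, KeyMaterial, HasRecovery |
    Export-Csv -NoTypeInformation -Path $Out
Write-Host ("Wrote {0} inventory entries to {1}" -f $rows.Count, $Out)
```

The HasRecovery column is deliberately only filled in where the machine can answer the question itself (BitLocker protector types); for EFS files and certificates the answer lives in Group Policy and in whatever offline backup of the user certificate exists, which is precisely the part of the register that has to be checked by hand and tested.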

In conclusion it must be noted that whereas Vista gives us what we have been asking for, secure PCs, it improves confidentiality and integrity at the expense of availability. (Niels Bjergstrom)

Print Version | Permalink: http://h-online.com/-747189