Chapter 1: Risk Discussion
Published: April 04, 2007
Sensitive data, like all data, has a complex life cycle and typically moves from place to place as it performs its business function. Securing data is necessary throughout the entire cycle of its use, but many technologies and processes will be applied in different phases of the data life cycle.
Figure 1.1. Sample data life cycle
This guide focuses on the level of security that can be achieved by using Microsoft technologies to protect data when it is copied to or created on mobile PCs, such as laptop computers.
Discussions of data protection for the following scenarios are out of scope for this guide, except when the data is cached locally:
Data Security Risks
The two technologies described in this guide, Encrypting File System (EFS) and Microsoft® BitLocker™ Drive Encryption (BitLocker), are examples of two different but complementary approaches to data encryption. EFS is an encryption mechanism that protects data in files and folders on a per-user basis. BitLocker is a full-volume encryption mechanism that encrypts all sectors on the system volume on a per-computer basis, including operating system, applications, and data files. BitLocker provides pre-boot integrity checking and encryption, but it does not provide user authentication. EFS complements BitLocker protection by restricting access to encrypted files to properly authenticated users on a running computer.
Because of their fundamentally different approaches and implementation, EFS and BitLocker have their own strengths and weaknesses and deliver different levels of security across a common set of attacker scenarios. This guide describes those scenarios in detail and examines how the two encryption technologies apply to each.
Understanding Data Types
There are different types of confidential data and many different scenarios for how and why that data might be compromised. This guide discusses the different encryption technologies in the context of the following types of data.
Attacker Scenarios: Insider and Outsider
When discussing attacks and mitigating technologies, a distinction is often made between whether the threat is from a malicious insider or an outside attacker. Malicious insiders have capabilities that outsiders typically do not have. A partial list of the differences includes:
To compare the strengths and weaknesses of different approaches to data encryption, it is necessary to discuss some cryptographic concepts that apply to encryption in general and to EFS and BitLocker specifically.
Cryptographic Concepts for Data Protection
Encryption can be implemented in many ways. For example, encryption can be performed in layers, or in complicated patterns built into unique algorithms. Cryptographic key use is often discussed in terms of key length, but how those keys are calculated, stored, and used is often much more important. Cryptographic key storage and protection is rarely discussed in detail in technical product documentation, but these issues are extremely important to understanding what is usually the weakest part of an encryption technology.
Note: This section of the guide is not meant to be a general primer on encryption technologies. If you do not have a basic understanding of encryption fundamentals such as symmetric and asymmetric encryption, you should review the article "Cryptography for Network and Information Security."
An optimal encryption algorithm is designed and implemented so that an attacker’s only way to break the encryption is to correctly guess what particular key was used from a large possible key space, which is the range of values that a key might possibly have. This type of an attack is called a brute-force attack.
Symmetric key algorithms typically have a key space of between 40 and 512 bits, which means that the number of possible values for the key is the maximum numerical value that can be expressed by the number of bits used. 40 bits allows a maximum numerical value of 1,099,511,627,775 (2^40 - 1), which is certainly a large number, although currently available computers could fairly easily try every possible value of a 40-bit key space as an encryption key in an attempt to decrypt data. However, every bit added to the key space doubles the number of possible keys—so a 41-bit key space would offer 2,199,023,255,552 possible keys. Increasing the key space quickly causes the number of possible keys to increase to a point at which brute-force attacks become infeasible using current hardware and known attack techniques.
Encryption technologies, however, rarely provide security that is this strong. Many encryption implementations have one or more of the following weaknesses:
If encryption technologies are subject to such weaknesses, you might wonder why anyone bothers with encryption at all. In practice, there are two factors that help reduce the occurrence of these weaknesses. One factor is that Microsoft invests heavily in validating and verifying the soundness of its encryption implementations. This process begins with choosing mature, well-understood algorithms that provide innate resistance to some types of attacks, and it continues through the ongoing Microsoft commitment to having its cryptographic algorithm implementations certified as meeting the Federal Information Processing Standards (FIPS) 140 Evaluation standards and to submitting its operating systems for Common Criteria certification. For more information about Common Criteria certification, see the Windows Platform Common Criteria Certification page on Microsoft TechNet. In addition, the Trustworthy Computing Security Development Lifecycle (SDL) process has been integrated into Microsoft development processes to ensure that security is incorporated as a core component of product development.
The second factor is that encryption can be made sufficiently resistant to attack to provide a degree of security that is appropriate for the data that is being protected. In other words, it often does not matter if a large government could apply all of its resources and succeed in cracking the encryption that protects your customer database. You might only need an encryption solution that would prevent the data from being easily discoverable if it somehow became available to unauthorized people with very limited resources or knowledge. Another way to assess your encryption needs is to ensure that any data you decide to encrypt is evaluated for its true worth and then compared with the estimated cost to break the encryption. For example, if your customer database is worth $100,000 to a competitor and the estimated cost to break the encryption is $1 million, the level of encryption used is probably sufficient.
Note: For more information about ways to assure that a cryptographic implementation is secure, refer to chapter 19 in Special Publication 800-12 – An Introduction to Computer Security: The NIST Handbook, published by the US National Institute of Standards and Technology (NIST).
To evaluate the relative merits of encryption approaches, you need to examine the details of the encryption implementation in its entirety. The following figure shows a typical chain of events that occurs when data is encrypted and decrypted.
Figure 1.2. Data encryption and decryption
The following factors are important to understand when evaluating an encryption technology:
Not all attacks against an encryption solution are equal. As stated earlier, a smart attacker will often attack the weakest link. To estimate the security level of an encryption solution, you can list the possible attacks against the encryption technologies that it implements and then rate the attacks by difficulty.
A low-difficulty attack is one in which no resources are required to read the data of interest. In other words, this type of attack would describe a situation in which an attacker only has to raise the lid of the laptop computer and start reading. The difficulty of an attack is frequently linked to context and other factors of a particular solution.
Understanding Data Risks
The goal of an encryption solution is to encrypt all important data so that no attacker—casual or determined, novice or expert—can access the data as plaintext. However, encryption solutions can be subverted through massive application of resources, by finding an unknown flaw in a specific encryption technology, or simply by user error. Encryption technologies have unique risk characteristics that are based on their design and implementation decisions and on how they are used. Some potential risks are listed in the following subsections and referenced in the scenario descriptions later in this guide. Remember, not every listed risk will apply to every organization. You should consider mitigating those risks that apply to your organization after you determine which of them are significant and warrant appropriate action.
Computer Left in Hibernation
Most laptop computers have a feature called hibernation that allows users to shut down the computers so that they do not use any power but then restart in exactly the same state they were in prior to hibernation. However, leaving the computer in unsecured hibernation mode means that an attacker could have unlimited access to all information on the computer. As with sleep mode, computers can be configured to prompt for user credentials when they resume from hibernation mode. Details about how to enable this setting can be found in "To password-protect your computer during standby or hibernation," which is part of the online Windows XP Professional Product documentation.
Important: Microsoft strongly recommends that you require the use of credentials to unlock a computer from hibernation mode.
Computer Left in Sleep (Standby) Mode
It is possible that a laptop computer will be configured so that it does not prompt the user for a password or a smart card when it resumes from sleep mode, which means that the computer is effectively left turned on and available for use by anyone. Those users who configure their computers to use sleep mode are at the greatest risk if the computer does not require logon when it resumes from sleep mode. Details about how to enable this setting can be found in "To password-protect your computer during standby or hibernation," which is part of the online Windows XP Professional Product documentation.
Important: Microsoft strongly recommends that you require the use of credentials to unlock a computer from sleep mode.
Computer Left Logged On and Desktop Unlocked
Very few encryption technologies will help if a computer is left in a public place while an authorized user is logged on. Some attacks might even succeed against a computer with a locked desktop. An attacker can simply pick up the computer, take it to a private place, and start reading or copying data from it. A few encryption technologies have options that require an external key every time a file is accessed, but the impact on usability is so dramatic that few organizations choose such a restrictive solution. A more common mitigation is the use of an external key or token, such as a smart card, with caching that allows the computer to retain an encrypted copy of the key to provide better usability.
Discover Local/Domain Password
An attacker who obtains a user's credentials might be able to gain access to encrypted data in one of two ways, depending on the encryption implementation: the credentials might be used to decrypt the material directly, or the credentials might be used to gain access to the key material through attacks on credentials that are cached or stored by the operating system.
In any security system, the weakest link of the encryption technology is usually the user’s password because user-selected passwords are typically much weaker than even the weakest keys used by common encryption algorithms. The author of "Avoiding bogus encryption products: Snake Oil FAQ" asserts that even a 20-character English phrase has only 40 bits of randomness instead of the 20x8=160 bits of randomness you might expect. An 8-character password would have much less than 40 bits of randomness, according to this author's opinion. However, even this scenario is not as much of a concern as someone who writes their password on a piece of paper and tapes it to their laptop—which effectively subverts any encryption solution that is based on a user password!
Note: Attacks that discover the user's password through social engineering or other non-technical attack methods are outside the scope of this guide. Password discovery attacks are primarily considered to involve brute-force cryptographic attacks or other technical attacks against credential stores.
Insider Can Read Encrypted Data
This risk is different than previously discussed risks because the attacker is assumed to be a malicious insider instead of an outsider. This risk calls attention to the fact that some encryption technologies, especially per-computer encryption as described in the following section, allow access to encrypted data by any user who can successfully log on to the computer. The user account could be local to the computer or a network user account (for example, an account in the Active Directory® directory service), and the logon could be local or over the network.
Key Discovery through Offline Attack
In this type of attack, the attacker mounts a disk with encrypted data into a different or modified operating system. With detailed knowledge of the implementation, the attacker can attempt to isolate the keys used to encrypt data and attempt a brute-force attack on the storage mechanism used for the keys. The rule of least effort applies in this type of attack, and the attacker will attempt to isolate and attack the weakest link in the storage mechanism. Brute-force attacks on even moderately strong keys are very difficult and require extraordinary amounts of computational resources. If the encryption solution is implemented well enough so that a brute-force attack is the only option for the attacker, the data security goals of the organization have probably been met.
Offline Attacks Against the Operating System
This type of attack attempts to modify or change system files or settings when the operating system is not running to make it easier to access encrypted data. Such attacks are technically difficult and require a deep understanding of the operating system. In the context of a full-volume encryption technology, one possible attack is that an attacker can change some encrypted data on disk in the hope that it changes a single registry value or hard-coded value in an operating system executable that makes the computer less secure.
Online Attacks Against the Operating System
This type of attack attempts to subvert protections in the operating system while it is running. Examples include escalation of privilege attacks or attempts to execute code remotely. If an attacker can successfully complete this type of attack, they can recover encrypted data by running code of their choice on the computer.
Plaintext Data Found on Computer
The existence of plaintext confidential data is a basic risk that any encryption solution must mitigate. Almost all encryption solutions mitigate this risk unless the encryption algorithm they use can be broken with little or no effort. Both of the Microsoft encryption technologies discussed in this guide use industry-accepted encryption algorithms, so this risk is assumed to be mitigated in general for each analyzed option. However, in some situations, the encryption technology might not get applied to a specific file that contains confidential data. Many of the risk discussions in the rest of this guide describe such situations.
Plaintext Data Leaks through Hibernation File
Hibernation is similar to the concept of system paging, except that the computer takes a snapshot of all physical memory and writes this data to disk in a hibernation file. If any sensitive data is in physical memory at the time the snapshot is taken, it will be written to disk as part of the hibernation file. Like attacks on the paging file, attacks against the hibernation file are typically performed offline.
Plaintext Data Leaks through System Paging File
Modern operating systems provide large amounts of virtual memory to applications by swapping data in memory that is not being used to a paging file stored on the hard disk drive. This functionality creates a risk, however, because an application running on the computer may load encrypted data from disk, decrypt it in memory for use, and then write it as unencrypted data to the hard disk drive in the form of a paging file. Some operating systems delete the page file during shutdown operations, but there are known ways to prevent the deletion of the page file (including causing the operating system to crash). Also, it might be trivial to undelete the pagefile and explore its contents. Attacks against the paging file almost always include removing the hard disk drive from the target computer and mounting it on another computer or else booting another operating system on the target computer. These attacks are known as offline attacks.
Note: Sensitive material such as cryptographic keys may leak through other operating system or application cache mechanisms, including temporary files written to disk. The measures described in the Data Encryption Toolkit for Mobile PCs focus on mitigating the risk of data leakage through the system paging file but might also mitigate leaks from other application-specific caching mechanisms.
Some attacks target hardware or software features of a particular platform. For example, some attacks use the direct memory access (DMA) feature offered by the IEEE 1394 (FireWire) interface to attempt to read or write to system memory without notice of the operating system. Other attacks include the possibility of DMA–based memory access performed by an active PCI device and attacks that exploit features or vulnerabilities in PCI and RAM bus bridge chips. The costs of implementing these attacks have historically been quite significant, but they are decreasing as the required techniques and equipment become more widely available.
Required Authentication Factor Left with Computer
This risk applies to encryption technologies that can use an external device, such as a smart card or a USB device, to store encryption keys. Users who are unaware of the security risk of doing so may become careless and leave the device attached to their computer or stored in the same piece of luggage. Because this is a common scenario, most organizations will not rely on a single physical factor for their encryption solution. (This risk also applies to users who note PINs or pass phrases on paper, but such behavior should primarily be addressed through user education and is not addressed in this guidance.)
Users do not always understand everything about the technology they use or pay as much attention to policies as IT administrators would prefer. This risk includes users who don't do what they should because they don't know how to turn on encryption, because they forget to encrypt a particular file, or because they do not pay attention to data security policies.
Data Protection Approaches
The design and implementation of data protection technology involves choices that affect security, usability, and operational management of the technology when it is deployed. Although it is not comprehensive, a discussion of the technologies in the following list will help you understand the material presented in this guide. These data protection technologies include:
Software–based encryption is the standard for most data protection technologies and products. The alternative, hardware–based encryption, requires specialized cryptographic hardware that historically has not been commonly available on personal computers. With software–based encryption, cryptographic operations are performed in the computer's CPU. When the computer is turned off, hibernating, or sleeping, encryption keys are typically stored in encrypted form on disk. A typical option is to store an initial key separate from the computer, for example on a USB device, which is used to decrypt the stored key material. When the computer is operating, encryption keys are usually stored in memory.
The strengths of software–based encryption include:
The weaknesses and issues of software–based encryption include:
Some encryption mechanisms leverage special cryptographic hardware to isolate cryptographic operations from the main CPU and to provide increased security for key storage. Such hardware usually includes a means of securely storing one or more cryptographic keys, and might also include functions for performing cryptographic operations in hardware so that the key is never made available to other hardware or software components.
The strengths of hardware–based encryption include:
The weaknesses and issues of hardware–based encryption include:
Pre-boot (Pre-Operating System) Encryption
BIOS-level firmware can be added to computers so that all data written to a hard disk volume is encrypted and all data read from the disk is decrypted. This operation can be transparent to the operating system and can therefore be applied to the operating system files.
If cryptographic hardware such as a TPM is available, it can be used to make the pre-boot encryption and decryption more secure. Computers that incorporate a TPM can also create a key that is both encrypted and tied to certain platform measurements such as the Master Boot Record (MBR) Code, the NTFS Boot Sector, the NTFS Boot Block, and the NTFS Boot Manager. This type of key can only be decrypted when those platform measurements have the same values that they had when the key was created. This process is called sealing the key to the TPM, and decrypting it is called unsealing.
The TPM can also seal and unseal data generated outside of the TPM. The practical effect of this feature is that the ability to unwrap the key can depend on whether certain characteristics of the platform have changed, supposedly through malicious tampering that attempts to defeat security measures such as encryption.
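The sealing behavior described above can be modeled in software. The following is an added example, not code from this guide or from any Microsoft product: `ToyTPM`, its single measurement register, the HMAC-based wrapping, and the component byte strings are all assumptions made for illustration, and only the SHA-1 extend step follows how a TPM 1.2 register is updated.

```python
import hashlib
import hmac
import os

# The four measurements named above; the byte strings are constructed stand-ins.
BOOT_CHAIN = [
    ("MBR code", b"constructed-mbr-code-v1"),
    ("NTFS boot sector", b"constructed-boot-sector-v1"),
    ("NTFS boot block", b"constructed-boot-block-v1"),
    ("NTFS boot manager", b"constructed-boot-manager-v1"),
]


class ToyTPM:
    """Software model of seal/unseal (hypothetical class, not a TPM API)."""

    def __init__(self):
        self._root = os.urandom(32)  # stands in for a secret that never leaves the chip
        self.pcr = bytes(20)         # measurement register, zero at power-on

    def measure_boot(self, chain):
        """Reset the register, then extend it with each component in boot order."""
        self.pcr = bytes(20)
        for _name, code in chain:
            # Extend: new = SHA1(old || SHA1(component)), as in TPM 1.2.
            self.pcr = hashlib.sha1(self.pcr + hashlib.sha1(code).digest()).digest()

    def _tag(self, nonce, wrapped, pcr):
        return hmac.new(self._root, b"bind" + nonce + wrapped + pcr, hashlib.sha256).digest()

    def seal(self, secret):
        """Wrap a 32-byte secret and bind it to the current register value."""
        if len(secret) != 32:
            raise ValueError("this model seals exactly 32 bytes")
        nonce = os.urandom(16)
        pad = hmac.new(self._root, b"wrap" + nonce, hashlib.sha256).digest()
        wrapped = bytes(s ^ p for s, p in zip(secret, pad))
        return {"nonce": nonce, "wrapped": wrapped, "pcr": self.pcr,
                "tag": self._tag(nonce, wrapped, self.pcr)}

    def unseal(self, blob):
        """Release the secret only if the blob is intact and the platform matches."""
        tag = self._tag(blob["nonce"], blob["wrapped"], blob["pcr"])
        if not hmac.compare_digest(tag, blob["tag"]):
            raise ValueError("sealed blob was modified")
        if not hmac.compare_digest(blob["pcr"], self.pcr):
            raise PermissionError("platform measurements changed since sealing")
        pad = hmac.new(self._root, b"wrap" + blob["nonce"], hashlib.sha256).digest()
        return bytes(w ^ p for w, p in zip(blob["wrapped"], pad))


def boot_and_unseal(tpm, chain, blob):
    """Simulate one boot; return the secret or the name of the refusal."""
    tpm.measure_boot(chain)
    try:
        return tpm.unseal(blob)
    except (PermissionError, ValueError) as exc:
        return type(exc).__name__


def demo():
    tpm = ToyTPM()
    volume_key = os.urandom(32)
    tpm.measure_boot(BOOT_CHAIN)
    blob = tpm.seal(volume_key)

    tampered = BOOT_CHAIN[:3] + [("NTFS boot manager", b"constructed-boot-manager-PATCHED")]
    forged = dict(blob)
    tpm.measure_boot(tampered)
    forged["pcr"] = tpm.pcr  # rewrite the blob to claim the tampered state
    return {
        "clean boot": boot_and_unseal(tpm, BOOT_CHAIN, blob) == volume_key,
        "tampered boot": boot_and_unseal(tpm, tampered, blob),
        "tampered boot, forged blob": boot_and_unseal(tpm, tampered, forged),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

Because each extend hashes the previous register value, the final value depends on every component and on the order in which they were measured, so a change anywhere in the chain blocks the unseal.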
Because encryption is applied to the operating system files, the key to decrypt these files must be supplied prior to the operating system boot sequence. The key might vary across different solutions and might be derived from a personal identification number (PIN) or a key stored on a hardware device such as a USB token or smart card.
The strengths of pre-boot encryption include:
The weaknesses and issues of pre-boot encryption include:
Post-boot (Operating System) Encryption
Post-boot encryption can be performed by the operating system or by any application running on the computer. EFS is an example of a post-boot encryption technology. It is built into the Windows operating system, and therefore cannot be used to encrypt the operating system itself. However, it is an effective means for protecting user and application data.
The strengths of post-boot encryption include:
The weaknesses and issues of post-boot encryption include:
Encryption can also be implemented outside of the BIOS or operating system levels and performed at the application level. Many applications today offer some capability to encrypt data, including WinZip, Microsoft Office, and Intuit Quicken.
The strengths of application-level encryption include:
The weaknesses and issues of application-level encryption include:
File/Folder Level Encryption
File and folder level encryption is a way to protect certain files and folders and the data they contain. With such a solution, only those files specifically configured to be encrypted are protected. All other data on the computer is unencrypted. A typical approach to file/folder level encryption is to create a unique encryption key for each file or folder. This approach has the added benefit of making it possible to implement per-user encryption as described later in this chapter.
The strengths of well-implemented file/folder level encryption include:
The weaknesses of file/folder level encryption include:
Full-volume encryption complements file/folder level encryption by mitigating common problems with file/folder-level encryption. If the volume to be protected contains operating system files, pre-boot encryption is a requirement for the full-volume encryption approach. If an organization chooses to configure a full-volume encryption solution that does contain operating system files, the weaknesses and strengths of pre-boot encryption should be considered.
The following main strengths of full-volume encryption are primarily mitigations to the file/folder level encryption weaknesses described earlier.
The weaknesses and issues of full-volume encryption include:
Encryption can be implemented in such a way that multiple users have the ability to decrypt the keys that are needed to encrypt and decrypt the data files on the computer using their own unique key, which might be a password or a key stored on a USB or similar device. When this approach is combined with individually keyed file/folder level encryption, it is possible to provide access to individual users on a file-by-file basis.
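The combination of a unique key per file and per-user access to that key, described here and under File/Folder Level Encryption, can be sketched as follows. This is an added example, not code from this guide or a description of how EFS is implemented: the function names, the symmetric user keys, and the toy HMAC-based stream cipher are assumptions chosen so the sketch runs with the Python standard library only.

```python
import hashlib
import hmac
import os


def stream_xor(key, nonce, data):
    """Toy cipher for illustration: XOR with an HMAC-SHA256 counter keystream."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hmac.new(key, nonce + offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


def wrap_key(user_key, file_key):
    """Encrypt one file key under one user's key, with a tag to detect the wrong key."""
    nonce = os.urandom(16)
    wrapped = stream_xor(user_key, nonce, file_key)
    tag = hmac.new(user_key, b"tag" + nonce + wrapped, hashlib.sha256).digest()
    return nonce, wrapped, tag


def unwrap_key(user_key, entry):
    nonce, wrapped, tag = entry
    expected = hmac.new(user_key, b"tag" + nonce + wrapped, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise PermissionError("wrapped key does not belong to this user key")
    return stream_xor(user_key, nonce, wrapped)


def encrypt_file(plaintext, readers):
    """readers maps user name -> user key. Each file gets its own random key."""
    file_key, nonce = os.urandom(32), os.urandom(16)
    return {
        "nonce": nonce,
        "data": stream_xor(file_key, nonce, plaintext),
        "keys": {name: wrap_key(key, file_key) for name, key in readers.items()},
    }


def read_file(stored, name, user_key):
    entry = stored["keys"].get(name)
    if entry is None:
        raise PermissionError(f"{name} has no wrapped key for this file")
    return stream_xor(unwrap_key(user_key, entry), stored["nonce"], stored["data"])


def grant(stored, owner, owner_key, new_name, new_key):
    """Add a reader by wrapping the existing file key again; file data is untouched."""
    file_key = unwrap_key(owner_key, stored["keys"][owner])
    stored["keys"][new_name] = wrap_key(new_key, file_key)


def outcome(stored, name, user_key):
    try:
        return read_file(stored, name, user_key)
    except PermissionError:
        return "denied"


def demo():
    alice, bob = os.urandom(32), os.urandom(32)  # constructed user keys
    payroll = encrypt_file(b"constructed payroll data", {"alice": alice})
    notes = encrypt_file(b"constructed meeting notes", {"alice": alice, "bob": bob})
    before = {
        "bob reads notes": outcome(notes, "bob", bob),
        "bob reads payroll": outcome(payroll, "bob", bob),
        "bob tries alice's entry": outcome(payroll, "alice", bob),
    }
    grant(payroll, "alice", alice, "bob", bob)
    return before, outcome(payroll, "bob", bob)


if __name__ == "__main__":
    print(demo())
```

Granting access only adds one more wrapped copy of the file key, which is why access can be decided file by file without re-encrypting the data.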
The strengths of per-user encryption include:
The weaknesses and issues of per-user encryption include:
Some data encryption implementations do not provide the ability for different users, each with a different key or password, to decrypt the master key(s) needed to decrypt data on the computer. In such an implementation there is exactly one key that can be used to access the computer, including all encrypted data.
The strengths of per-computer encryption include:
The weaknesses and issues of per-computer encryption include: