
Strong user authentication in self-encrypting drives

Thursday, October 28, 2010



The flood of worldwide laws and regulations regarding privacy and data protection, along with escalating penalties for breaches and violations, has made full-disk encryption a required capability in PCs. Once all the data on a disk drive has been encrypted, including the operating system, one of the technical challenges for full-disk encryption is how to authenticate authorized users before ‘unlocking’ the drive in order to boot the system and provide access to the user data.

Software-based full-disk encryption applications have been around for many years. Typically, software-based encrypting-drive solutions provide pre-boot authentication software, which modifies the master boot record and the operating system in order to gain control of the system at power-up.



John Gerber
October 28, 2010 9:29 AM

In his article, Mr. Allen writes:

"...One PC maker, who has integrated support for both a full range of authentication devices and self-encrypting drives, provides an excellent implementation for multi-factor authentication to the drives. The PC has a hardware crypto vault for storing passwords in a security chip on the platform. Fingerprints are authenticated in hardware. Smart cards, both contact and contactless, are hardware supported in the platform, and the Trusted Platform Module (TPM) chip in the PC also protects credentials..."

The PC maker Mr. Allen refers to is Dell. The tech can be found in the Dell "Latitude" and "Dell Precision Workstations". The inclusion of the crypto vault in these models reflects a security model far more secure than is available from any other PC OEM.

Marc Rietman
October 29, 2010 3:17 AM

Maybe I'm not getting it: the drive locks itself when it is powered down.

And what if the following scenario happens? I have a desktop and lock my Windows session while I'm not at my desk. However, a co-worker opens my PC, supplies a parallel voltage to the drive, cuts all connections to my PC and connects it to a SATA-to-USB device.

As far as I can tell, the co-worker should have full access to the drive because it hasn't been powered down and therefore hasn't been locked by hardware. He also isn't stopped by Windows because he isn't in my Windows session. He just has plain access to the drive partitions. The only way for this to be secure would be constant polling of the TPM for verification of 'something you have'. And probably even that can be circumvented by connecting the SATA-to-USB device in parallel over the SATA lines.

Granted, this won't happen in a few minutes and probably won't go undetected. However, if the stakes are high, the risk of detection is probably the least of the risks.

Again: I may be mistaken, but as far as I see it now this is a security flaw.
