Feature

Access is denied

Combined with careful key management and data backup procedures, file encryption provides a very strong measure of protection against disclosure threats

Threats

Every security solution ever devised is intended to counter some specific threats. To understand the solution and how to apply it, it is necessary to understand the threats it is intended to counter. Incorrectly applied, a security solution may be ineffective or even reduce the overall security of the system.

Accidental disclosure

Most current computers either have no access control at all, e.g. Windows 3.1x and Windows 95, or employ a Discretionary Access Control (DAC) system, e.g. Windows NT and Unix. This inevitably presents a security threat. On a computer without access control, anyone who can access the computer can read all information stored on it. This requires that access to computers containing confidential information is restricted only to persons with confidential security clearance. Unfortunately, this is not as easy as it may first appear. Confidential information is frequently copied to laptops or home PCs for easier access, or distributed on uncontrolled floppies that are easily lost. The requirement to keep classified computers inaccessible inevitably also makes them hard to use. Most users will try to overcome this obstacle as it hinders their work.

To make it possible to process confidential data on non-restricted computers, Discretionary Access Control can be applied. As the name suggests, computers with DAC in place include the possibility to restrict the access to files and folders. What files and folders are protected is at the discretion of the users: any user may give everybody access to files under his control. Unfortunately, it is not always obvious which access restrictions are appropriate, and in our experience most current computers have read access allowed to almost everyone for the majority of the files. To make matters worse, DAC is seldom available for floppies.

As users want easy access to their files, they tend to keep them in places where they can easily be accessed. Applying discretionary access control to files is not enough if users are not carefully trained to restrict the access privileges to the absolute minimum. On most current computers the majority of the files are easily readable by anyone who can access the system. Confidential information that is stored on an open computer is subject to accidental disclosure as users browse the directories in search of information.

Theft of information

The accidental disclosure scenario is aggravated further when the user browsing the system is actually seeking out confidential information. A determined snooper will eventually gather all such information that he can access, possibly over a long period of time. Thus a brief, possibly inadvertent, exposure of confidential information may compromise it immediately. A very large percentage of information theft is actually performed by authorised users. In many cases the user may have been granted some additional access privileges just for the sake of convenience. Later, when the user turns to snooping, these privileges give access to many documents that the user would have no business accessing in the first place.

Few systems audit privileged access to files, as a very large number of accesses occur every day. This means that a user that abuses his privileges silently can read and record all information he can access, without any trace of this being left in the system logs. If the user only memorises the information without recording it, the perfect crime has been committed. There is no way of later finding out who has read the information. A user that systematically browses directories in search of information will eventually face a directory where their DAC privileges are not sufficient. Many modern DAC systems include the option to log any such privilege violation attempts, but few computers have the option enabled. Of those that do, a large percentage only collect logs that nobody ever reviews. Careful log analysis may reveal the identity of a snooper, but cannot be relied on as the only security measure in such cases. After all, the logs prove that the snooper did not manage to access the confidential information. A determined snooper may also seek the opportunity to browse a computer using an account with different privileges. In typical organisations, such opportunities are abundant. While the DAC system may be appropriately employed, access to the DAC accounts is seldom controlled in a reliable fashion.

Physical theft

Even computers where DAC is rigidly enforced and access to the accounts is carefully monitored are at risk. After all, the DAC scheme is enforced by the operating system, but the information itself is stored in plain computer-readable form on the hard drives. Bypassing the DAC thus is only a matter of getting access to the hard drives without the interference of the operating system. Secure file systems on modern computers rely on the operating system to control who gets to read the information off the disk. The file systems themselves only store the access control privileges required for the file system objects. A different operating system can silently ignore the privileges and allow access to any files within the file system regardless of the privileges.

To obtain information from a secure DAC computer, simply steal the computer. In today's world, where laptops are common and home-PCs contain much work-related information, stealing an interesting computer is seldom hard. If an attacker were prepared to go through the trouble of bypassing system security, he would hardly hesitate to resort to physical theft when required. Of course, it is hard to physically steal a computer without getting noticed. The much larger potential for obtaining confidential information is thus somewhat countered by the wish to remain undetected. Relying on this for security is not a viable option, however. It is quite possible to create a miniature image of an operating system that boots off a few floppies. An attacker does not have to actually remove the computer; a few hours of undetected access to it is often more than enough.

Solutions

Now that we have briefly outlined the different threats that a modern computer faces, we present some solutions. As always, security solutions are two-edged: you lose some to gain some.

In the case of disclosure of information in persistent storage, the most effective solution is encryption. Encrypted data is safe as long as the encryption keys are safe. Storing a single encryption key securely is much easier than guarding a large amount of data. As a matter of fact, smart cards and different smart tokens offer the option of tamper-resistant secure key storage. Not all systems require that much security, for many a strong pass-phrase is adequate.

There is a major disadvantage with encrypting for persistent storage. The encryption key used has to be safeguarded for the entire lifetime of the stored data. If the key is lost, all data ever encrypted with it becomes inaccessible. In effect, the value of the key is the combined value of all information encrypted using it.

Disk encryption

A conceptually simple solution suitable for single-user computers is to encrypt the entire hard drive using a single key. The encryption is performed sector-by-sector regardless of the type of information stored. At start-up, the key or a pass-phrase that unlocks the key is entered to enable the system to boot off the encrypted drive. Using a single key gives a cryptanalyst a lot of data encrypted with the same key to work from, which may lead to a compromise if the key is too weak.

Implementing a drive encryption system requires detailed knowledge of the low-level operations of both the computer hardware and the operating systems that need to access the drive. Working solutions exist, but have not gained widespread acceptance. Producing a shrink-wrap product that works reliably on a large array of systems seems to have been a difficult thing for most vendors.

There is no way to disable access once a disk encryption system is running. The computer needs to have access to its hard drive at all times. This means that a running disk encryption system is at the mercy of the DAC of the operating system. In general, the inflexibility of the solution combined with the compatibility issues seems to have made disk encryption a marginal solution.

Explicit file encryption

Multi-user systems necessarily require that files can be encrypted using different keys. The simple approach is to use a separate key for each encrypted file, but such an approach does not scale well. However, the per-file key can be separately encrypted using a master key and then stored together with the encrypted file. The result is a hybrid crypto system, where the user only needs to remember his master key.

In a hybrid system, different users have different master keys. This ensures that a user can only access files that have their per-file keys encrypted using his master key. All other encrypted files are inaccessible to the user. The use of different keys for each file also has cryptographic advantages, as the amount of data encrypted using any single key is limited. Advanced hybrid systems may allow several copies of the per-file key to be stored, each encrypted for a different user. The file is then accessible to several users, as long as the per-file key is not changed.
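The hybrid scheme described above, as an added example that is not part of the original article. AES-256-GCM from Ruby's OpenSSL binding stands in for the cipher, which the article does not name; the function names, the nonce || tag || ciphertext layout and the in-memory hash standing for the stored file are assumptions of this example.

```ruby
require 'openssl'

NONCE_LEN = 12 # AES-GCM nonce size in bytes
TAG_LEN   = 16 # AES-GCM authentication tag size in bytes

# Encrypt msg under a 32-byte key with AES-256-GCM.
# Output layout (an assumption of this example): nonce || tag || ciphertext.
def seal(key, msg)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = key
  nonce = cipher.random_iv # fresh random nonce on every call
  cipher.auth_data = ''
  ciphertext = cipher.update(msg) + cipher.final
  nonce + cipher.auth_tag + ciphertext
end

# Reverse seal. Raises OpenSSL::Cipher::CipherError when the key is wrong
# or the stored bytes were modified.
def unseal(key, blob)
  raise ArgumentError, 'sealed data too short' if blob.bytesize <= NONCE_LEN + TAG_LEN
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = key
  cipher.iv = blob.byteslice(0, NONCE_LEN)
  cipher.auth_tag = blob.byteslice(NONCE_LEN, TAG_LEN)
  cipher.auth_data = ''
  cipher.update(blob.byteslice(NONCE_LEN + TAG_LEN, blob.bytesize)) + cipher.final
end

# masters maps user name => 32-byte master key. The per-file key is random,
# used for this file only, and stored only in wrapped form next to the body.
def encrypt_file(data, masters)
  file_key = OpenSSL::Random.random_bytes(32)
  { body: seal(file_key, data),
    wrapped: masters.transform_values { |master| seal(master, file_key) } }
end

# A user needs only his own master key: unwrap the per-file key, then the body.
def decrypt_file(file, user, master)
  wrapped = file[:wrapped].fetch(user) { raise KeyError, "no wrapped key for #{user}" }
  unseal(unseal(master, wrapped), file[:body])
end

# Give another user access by storing one more wrapped copy of the same
# per-file key; the encrypted body is not touched.
def grant_access(file, granter, granter_master, new_user, new_master)
  file_key = unseal(granter_master, file[:wrapped].fetch(granter))
  file[:wrapped][new_user] = seal(new_master, file_key)
  file
end

if __FILE__ == $PROGRAM_NAME
  alice, bob = Array.new(2) { OpenSSL::Random.random_bytes(32) } # constructed master keys
  file = encrypt_file('constructed sample text', { 'alice' => alice })
  grant_access(file, 'alice', alice, 'bob', bob)
  puts decrypt_file(file, 'bob', bob)
end
```

Revoking a user takes more than deleting that user's wrapped copy: the per-file key has to be changed and the body re-encrypted, which is the limitation the last sentence of the paragraph above points at.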

It is fairly easy to implement an application that simply encrypts and decrypts files in the file system on demand. However, the decryption process will always store a plaintext copy of the file on disk, which has to be destroyed securely later. Even worse, some applications may separately store parts of the information in temporary files that the encryption application has no knowledge of.

For a purely file-based encryption application to be secure, it must be used correctly. Any plaintext copies of the data must be explicitly identified and destroyed by the user, including the temporary files. On many systems, this is not possible without close integration with the operating system and may still leave some data unprotected.

To access encrypted files, the user has to have the appropriate key available. This means that the user cannot focus only on the primary task of working with the files. The encryption and decryption process directly involves the user, and if poorly designed, such a system may simply be seen as a nuisance. This will easily lead to a situation where the user avoids encrypting files to make his work easier.

Encrypting file system

Many of the drawbacks of file encryption applications can be countered by integrating the encryption functionality into the file system itself. The file system handles all access to files and directories on disk, so no disk activity can take place without passing through the file system handlers.

An encrypting file system can encrypt all files or only a named subset of files, at its discretion. It can also encrypt the directory entries themselves, although such systems often require more drastic changes in the file system structures themselves. Keying information relating to files can be stored separately from the encrypted files if desired, as long as the keys and the files cannot be separated from each other.

File system drivers are kernel-mode components. This means that keys can be securely stored by the file system once the user has provided them. The file system may require periodic re-validation of the user's credentials to ensure that the person using a file is the same one that originally opened it. However, user interaction is not necessarily required every time an encrypted file needs to be accessed.

Encrypting file systems seem to combine the advantages of file encryption with the advantages of disk encryption, without having to cope with the drawbacks of those methods. Essentially encrypting file systems enhance the DAC systems using encryption to ensure that unauthorised access is impossible.

Why then, might one ask, are not encrypting file systems the only prevailing file encryption solution? Perhaps the main reason is the fact that encrypting file systems have to be closely integrated with the operating system itself. Few companies, except the operating system manufacturers themselves, have the required skills and resources. The operating system manufacturers are limited by different national regulations on export of encryption software. If the operating systems were to include encryption functionality, they could not be freely exported and sold worldwide.

Administration

Using encryption to protect data in persistent storage requires careful planning. As noted earlier, the encryption keys are key components that must not be lost under any circumstances. Once deployed, the encryption system operates independently of the administrator. If key management was not in place when the system was deployed, a large amount of critical confidential data may be encrypted using keys that are not under the control of the administrator.

You must never underestimate the potential risks that a file encryption system introduces. After all, its main purpose is to keep information as secure as possible, out of the hands of unauthorised users. This can backfire inadvertently, making the information inaccessible even to the users that should have access to it. In worst-case scenarios large amounts of information are permanently lost.

Administration of a file encryption system basically consists of two tasks: initial deployment and management of encryption keys. We believe that a system should be self-enforcing. Thus the deployed system should ensure that confidential data is encrypted according to the system policies. If end-users are given the choice of not encrypting, there is a very real risk of some data remaining unencrypted.

Deployment

The deployment of a file encryption system consists of two separate phases, installation and activation. It is often possible to install the system without actually activating the encryption functionality. Having the software pre-installed makes it much easier to activate the encryption once a key has been created.

The activation of a file encryption system requires an initial encryption phase. During this phase, all currently unencrypted confidential data is encrypted and its plaintext securely wiped off the disk surface when necessary. If the amount of unencrypted data is large, the initial encryption process may take a long time. We also wholeheartedly recommend making a complete backup of the data to be encrypted before starting the process. File encryption should be coupled with a reliable system of secure backups of the unencrypted data whenever possible. This minimises the risks caused by a possible loss of the encryption keys.

During the deployment phase it is also important to take precautions against the loss of the encryption keys. The value of the keys is the combined value of all the data encrypted using those keys. If a key is compromised or lost, the damages can be very severe.

Key backups

The simple way to protect against the loss of encryption keys is to store backups of the keys in a separate secure location. This solution works well in small systems, where the number of keys is small and easily managed. In larger systems it is very hard to make sure that there is a current backup copy of each and every key in use at a given point in time.

Experience has shown that the management of backup keys is far from easy. If creation of encryption keys is uncontrolled, controlling the backup process is very hard. The system simply does not provide enough control over key creation and storage.

Key recovery

Key backup solutions can be expanded to include management functions to enforce the protection of backup keys. There are several possible solutions, all of which are more complex than simple key backup.

One option is to centralise the creation of keys. Thus key creation is included in the ordinary administrative procedures of the organisation. The file encryption system does not allow users to arbitrarily create keys; the keys have to be created by a special key creation manager. The centralised facility will always store a secure copy of every decryption key, thus ensuring that data can be recovered if the main copy is lost.

A more advanced solution allows key creation to occur in a decentralised fashion, but keys must be certified to be accepted by the encryption system. This solution requires a certification infrastructure that is not yet present in most organisations.

It is also technically possible to split the decryption keys into several pieces, often referred to as "shadows". To recover a key, a certain number of shadows are required. This is a highly desirable property for keys that are used to encrypt very sensitive data. The separate shadows can be given to different persons in the organisation. Only when enough of them agree on the need for key recovery can the encryption key actually be recovered.

The key splitting technique can also be employed by individuals to protect their personal encryption keys. You may give shadows to your friends and can later ask to get the shadows back for key recovery. It is quite unlikely that friends would collaborate against you to obtain your encryption key.
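Key splitting with a recovery threshold, as an added example that is not part of the original article. It uses Shamir's secret sharing, one scheme with the "certain number of shadows" property; the article does not say which scheme it has in mind, and the function names, the field prime and the 64-byte key limit are assumptions of this example.

```ruby
require 'securerandom'

# Field modulus: the Mersenne prime 2**521 - 1, large enough for keys up to 64 bytes.
PRIME = 2**521 - 1

# Split a key (binary string) into n shadows so that any k of them recover it.
# Each shadow is a point [x, y] on a random polynomial of degree k - 1 whose
# constant term is the key.
def split_key(key, k, n)
  raise ArgumentError, 'need 2 <= k <= n' unless k.between?(2, n)
  raise ArgumentError, 'key must be 1..64 bytes' unless key.bytesize.between?(1, 64)
  coeffs = [key.unpack1('H*').to_i(16)] +
           Array.new(k - 1) { SecureRandom.random_number(PRIME) }
  (1..n).map do |x|
    # Horner evaluation of the polynomial at x, modulo PRIME
    [x, coeffs.reverse.reduce(0) { |acc, c| (acc * x + c) % PRIME }]
  end
end

# Recover the key from shadows by Lagrange interpolation at x = 0.
# key_len restores leading zero bytes. With fewer than k shadows the result
# is unrelated to the key; this layer cannot detect that by itself.
def recover_key(shadows, key_len)
  xs = shadows.map(&:first)
  raise ArgumentError, 'duplicate shadows' unless xs.uniq.size == xs.size
  total = shadows.sum do |xj, yj|
    num = 1
    den = 1
    xs.each do |xm|
      next if xm == xj
      num = num * -xm % PRIME
      den = den * (xj - xm) % PRIME
    end
    yj * num * den.pow(PRIME - 2, PRIME) # den^-1 by Fermat's little theorem
  end
  hex = (total % PRIME).to_s(16).rjust(key_len * 2, '0')
  [hex].pack('H*')
end

if __FILE__ == $PROGRAM_NAME
  key = SecureRandom.random_bytes(32)        # constructed sample key
  shadows = split_key(key, 3, 5)             # 5 holders, any 3 can recover
  puts recover_key(shadows.sample(3), 32) == key
end
```

Because a short set of shadows yields a wrong key rather than an error, a recovery procedure should store a check value for the key (for example a hash of it) and compare after reconstruction.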

Key escrow

Several governments have been presenting "key recovery using Trusted Third Parties (TTP)" as a viable alternative. These systems require that the decryption keys be handed over to a TTP for safekeeping. The TTPs would be required to release the encryption keys to the authorities if presented with a valid warrant. In effect, these systems are simply a form of key escrow. In key escrow systems keys are deposited with the authorities to ensure legal access to encrypted data.

The Trusted Third Party approach has several deficiencies. The most evident problem is the question why a company would trust any third party with its encryption keys in the first place. As repeatedly stated, the value of the encryption keys is the combined value of the data encrypted using those keys. The more valuable the data, the more likely it will be encrypted to ensure that it remains secret. Handing over the encryption keys implies handing over access to the encrypted information.

The most valuable assets of a company are typically restricted to a small group of people. Not even all the employees of the company have access to the assets or even knowledge of their existence. Encrypting this data to keep it secret and then handing over the keys to a third party outside the company goes against all basic principles of information security.

© Data Fellows, Ltd 1999

Compiled by Ajith Ram



This was first published in August 1999
