July 10th, 2008
I was recently asked how IceLock could delete keys and recover them without putting user’s data at risk. Great question and the answer requires an understanding of IceLock’s dual layer, multi factor key system.
In software encryption systems there are typically two approaches to keys. The first one is very direct. You enter a password, that word is hashed into a longer string mathematically and that string is used as the key. This is direct, relatively easy to implement and requires long complex passwords to avoid dictionary attacks.
The second approach is to generate a set of keys from random numbers. This obviously requires more work to generate and requires very careful attention to one important detail. The key, this number, must be cached locally on the computer so it is available to decrypt the data. Few of us will remember a key like E49DAG43C5, which is what one of these keys might look like. So the key must be protected! How to protect it? A password of course!
To provide sufficient protection for the key you have to have a password like $0n3yd03sN’Tgr0w0NTr33$, just like you would have for a direct password key.
IceLock takes a different approach. We use a randomly generated number as the basis for our crypto keys. The trick is how we protect that key on the computer.
To protect the crypto key we use a temporary or ephemeral key. This key, created automatically during every login, unlocks access to the crypto key which then allows access to the protected data. Think of the crypto key as the combination to a data safe. To protect the combination we hide it in a lockbox that can only be unlocked if every piece of the ephemeral key (there are 8 discrete elements to the ephemeral key) is present. And the IceLock password is kept in yet another lockbox with another security around it! So we have a safe with its combination in a lockbox. Access to that lockbox depends on a variety of elements being correct, one of which is the decoding of a password stored in a third lockbox!
All protection by the IceLock system involves destroying pieces of the ephemeral key. If IceLock’s protection is mistakenly invoked by a user, the IT Administrator can login to our website and re-enable access. The user restarts IceLock on their computer and they are automatically enabled again.
Since the ephemeral key is completely abstracted from the crypto key, IceLock is never close to a user’s data.
July 1st, 2008
According to a recent Ponemon Institute study done for Dell, highlighted here in PC World, over 10,000 laptops are lost each week in airports alone!But here’s the crazy part:
“About 53 percent said that laptops contain confidential company information, with 65 percent taking no steps to protect the information.”
It’s really hard to understand why this is not a giant red flag, for government, for liability insurers, for business owners everywhere, given how readily confidential information is bought and sold at this point.Maybe it’s still just too hard to use most encryption solutions? This is what we believe and the problem IceLock is intended to solve.
June 22nd, 2008
This survey, described in PC World, and ZD Net claims that “One in Three IT Admins Admit Snooping.” This threat is completely unnecessary.
One of the most important parts about building an encryption system is selectively providing access to files to allow IT workers/admins to service and support the equipment while maintaining confidential information private. Early whole disk encryption systems fail at this, as IT workers need to authenticate and decrypt the entire system to support it. Systems like IceLock take a smarter approach, letting IT support the machine while keeping secrets secret.
June 17th, 2008
Here’s an interesting story that shows another way that targeted encryption systems, like IceLock, (as opposed to Full Disk Encryption) can really be useful.
Here’s the background: A woman sent in her laptop for servicing to Best Buy. They lose her computer, and after making her jump through some irritating hurdles, the offer her a gift certificate to partially defray the cost of replacing the hardware.
She then sues Best Buy for $54 million simoleons on the basis of their failure to notify her that her personal information had been compromised.
Best Buy’s customer service shenanigans aside, this points out an interesting potential application of encryption systems.
If she had a secure partition on her system, she could have saved her sensitive documents, including her tax returns, in the encrypted partition, and had perfect peace of mind that her confidential personal information would stay confidential. If she were using IceLock, she could also perform a secure, audited delete when the system next connected to the Internet.
Here’s another idea: what if service operations like Best Buy’s required confidential information on systems to be encrypted before taking them in for servicing?
Here’s a point to ponder: If she were using a Full Disk Encryption, like PGP, BitLocker, TrueCrypt or the like, she would have had to give up her password to get the system serviced. The machine is at that point out of her control, and compromised. And she has no way to effect a clean wipe remotely.
May 22nd, 2008
A ton of energy gets put into advising and insisting that users create long, complex passwords to thwart guessing attacks. For many people (possibly as many as 1/3 of all users) this becomes such a pain in the a$$ that their ultra-secure passwords get written on yellow sticky notes attached to their laptop screen.
If the system under attack can’t monitor itself for hacking attempts, a strong complicated password makes sense, as the only defense between your data and a cracked system is compute time, which will only continue to get cheaper and more accessible.
But for mobile-aware encryption systems, intelligent monitoring and a more thought-out crypto architecture can make long complicated passwords (and the yellow stickies that go with them) unnecessary.
IceLock protects its crypto system with a multi-factor ephemeral key and a local autonomous monitoring system. When these are combined, the crypto system is protected by other defenses, beyond the brute force compute-time required to guess an unlikely password.
Some background on how we got here: In early generation data security systems, crypto keys are stored in hash tables on a key server. The password is mathematically altered, and then stored in this table and used to encrypt and decrypt data. To crack this, you keep trying different passwords until data decrypts to clear text. In hopes that a password might be a human-language word, guessing strategies often start by trying permutations of dictionary words in sequence (i.e. a dictionary attack) which is why policies often require symbols be used in passwords.
Another way unmonitored systems defend against brute force attacks is to slow down the authentication process, to reduce the number of guesses the software can perform in any given time frame. (No, we’re not kidding about this.)
IceLock works differently. It doesn’t mathematically alter a password to create the crypto key (the randomly generated key used to encrypt and decrypt data, unique for each computer). In fact the password is just one of 8 factors that make up the ephemeral key, all of which have to be present to unlock the crypto key. So guessing the password doesn’t get you access to the system all by itself. You also need to have a number of other conditions come together as you are authenticating in order to get access to encrypted data.
In addition, IceLock continuously monitors user activity. If a thief tries to guess the password, the system breaks down the ephemeral key after a pre-defined number of tries, which is determined by a policy setting you maintain in the IceLock service center. Once the ephemeral key has been decomposed, it can’t be recomposed until it obtains an “all clear” signal from the service center. Another policy setting controls what authorizes an “all clear” signal; it can be granted automatically upon reconnection, or policies can require a technician to manually re-enable access for machines that may have been hacked.
In addition, when a system’s ephemeral keys have been broken down due to the number of guessing attempts being exceeded, a service technician is notified as soon as the system reconnects to the Internet, so that the fact that someone tried to break into the machine is made known to support personnel.
Long, complicated passwords are a requirement for unmonitored systems. IceLock leverages web connectivity and other technology to provide more sophisticated and user-friendly defense mechanisms. Making passwords harder to guess is not a terrible idea, but there should be more working to defend the security of your confidential data than the brute force mathematics of probability.
And making yellow stickies unnecessary would go a long way to making encryption more secure.
May 20th, 2008
Bruce Schneier recommends TrueCrypt and PGP full disk encryption programs in this otherwise very useful post last week in the Guardian. Both programs were cracked by the Princeton cold boot attack. He goes on to make this recommendation:
And turn your computer off - don’t just put it to sleep - before you go through customs; that deletes other things. Think of all this as the last thing to do before you stow your electronic devices for landing.
The “other things”, of course being the passwords and encryption tables that these products leave in memory during sleep mode, making them vulnerable to attack. How much of a threat cold boot constitutes remains a pregnant question, given the apparently wide open market for stolen data. The first generation of data security products simply overlooked the fact that portable devices automatically switch into low power consumption modes, and do so frequently. Can you imagine a laptop that doesn’t have sleep mode? PGP, TrueCrypt, Microsoft, Apple and many others can protect data on such an imaginary device quite well.
While Bruce’s long history of eloquent championship of privacy and individual rights is commendable, shouldn’t he avoid recommending products that have known vulnerabilities, or at least more responsibly explain those vulnerabilities? In fairness, some of the bloggers who posted on this issue in the hours and days before Bruce’s post also plugged these flawed products. Some didn’t.The really important question is why isn’t Bruce’s affiliation with PGP spelled out in journalistic pieces when he plugs their products?
If he receives compensation for his role with PGP, his role as a commentator becomes significantly more complex, as the Guardian itself has pointed out here, here, and here. Without specific disclosure of the nature of Bruce’s relationship with PGP, one is left to wonder.
Here’s our disclosure: HyBlue, the sponsor of this blog, produces IceLock, the first laptop data security product that uses web-based, software-as-a-service policy and key management to reduce complexity and cost of ownership. IceLock disrupts the data security market in which PGP is an incumbent vendor. And yes, IceLock stops the Cold Boot Attack. Thus our commercial interest in the subject matter of this post is made transparent.
May 13th, 2008
A very nice write up on the launch of IceLock by Jon Brodkin at Network World, highlighting our protection against the cold boot attack:
“They’re the first ones I’ve seen that [erase the keys from DRAM],” says analyst Michael Santarcangelo of the Security Catalyst. “I think it’s pretty clever.”
The problem with similar products is they don’t “have an awareness of their environment. They assume when you go to sleep or turn off the computer, that RAM is erased,” says HyBlue CEO Matthew Sutton.
The article goes on to describe our Software-as-a-service approach to management:
While IceLock requires software to be downloaded onto each computer, the product’s management tools are delivered over the Web in the software-as-a-service (SaaS) model. These tools include a Web-based central policy management and key recovery system, and ability to remotely wipe data from stolen or missing computers – assuming the computer is connected to the Internet.
May 13th, 2008
After months of hard work, IceLock has emerged from the labs. IceLock is now available for Windows XP and Windows Vista, with more platforms coming soon. The press release has all the details, and many thanks to Michael Santarcangelo, the SecurityCatalyst for his helpful comments.
Some of the unique things about IceLock:
- It’s the only centrally managed laptop data security solution you can purchase, download, and install from the web. If there is another, please let us know.
- It’s the only laptop data security solution that combines SaaS key management for easy, low cost administration with autonomous monitoring to protect against hacking at the point of attack.
- It provides defense against the now famous Princeton cold-boot attack.
IceLock can open up the market for laptop data security and take it beyond banks and insurance companies to the many thousands of organizations that have sensitive data on employee laptops and don’t secure it today. We’re excited about where IceLock is going, and this is just the beginning.
May 12th, 2008
There was a lot of attention given recently to a fast-thinking Apple store employee, who used Leopard’s Back to My Mac feature to help police catch burglars who had stolen her computer. It’s a great story, as first reported in the New York Times by Lisa Foderaro.
From our standpoint here at Hyblue, the interesting part is the role the .mac service played in the whole episode. What made this possible is the tether that the Back to My Mac client software established with the .mac service.
Now, the fact that she recognized the thief as an acquaintance was a big part of why Ms. Duplaga (the fast thinking Apple employee) was able to get law enforcement interested, and if the machine had been wiped before logging onto the Internet, it never would have been recovered.
One of the key things about Icelock’s design is that it protects your data from unauthorized access, whether your equipment is connected to the Internet or not. It’s not enough to just remotely address risks after the fact, you have to pro-actively protect against data theft.
It’s a great story.
May 1st, 2008
Here’s a precis of Joshua Corman’s (of IBM) widely discussed talk at Inter0p, thanks to Tim Greene of Network World. Note the second dirty little secret:
2. There is no perimeter. Vendors say that the network perimeter must be defended, but most data that is actually lost doesn’t go through the firewall. Half of all breaches are the result of either lost laptops or lost thumb drives or other removable media. Businesses need to tighten up their business processes at least as much as they need to tighten up network perimeters, he says. “If you still believe in perimeters, you may as well believe in Santa Claus,” he says.