Since we have had a rash of commercial announcements from many of the
ESI-winning CTOs in the last few days, I just thought I'd chime in.
(And, yes, the sales dept. here *did* threaten me with castration if I
remained silent.)

At 12:19 PM 7/3/2007, Brad Lhotsky wrote:
... OMB-06-16 states "all _government owned_ portable computing
devices" must be FDE.

Not at all -- what the directive says is that you must "encrypt all data"
(by which they, of course, meant sensitive data):
  http://www.whitehouse.gov/omb/memoranda/fy2006/m06-16.pdf
FDE might be one (cumbersome) way to do that, but it's certainly not the only
way.

(Please note that this OMB memorandum mandates the *identification* of
sensitive data as a first step toward protecting it -- see flowchart on p. 3.
But as long as you're forced to identify it, why not just encrypt *it* and
not the entire system? That way you avoid the overhead of runtime decryption
of OS and application components that do not need to be encrypted, and the
performance hit will be barely noticeable... we promise.)

[For comic relief, one should also note that the OMB memo claims that, as
of June 2006, "most departments and agencies have these measures already
in place." You have Clay Johnson III's word on that.]

Those of you who correctly suspect that FDE is overkill in many situations
might be interested in an alternative: auto-encryption of virtual disk
partitions. ISC's product in this arena, toward which I'm "naturally biased"
(yep, as CTO!) is SpyProof!:
  http://www.infoseccorp.com/products/spyproof/contents.htm
The approach here is to create an encrypted virtual partition and map the
user's My Documents folder, temp and paging files into it. The 'disk' can
only be accessed via a certificate-based ACL, is portable, and shareable;
and the encryption is completely application transparent. Encrypted 'disks'
can even be burned to DVD or other media and widely distributed; only
designated 'recipients' can 'mount' them.

Yes, this approach has its advantages and disadvantages w.r.t. FDE. Customer
must decide which approach is best... but enough of this 'FDE is everything'
mentality! (OTOH, one could argue that there's already too much non-FDE
traffic on this fde list!)

At 12:29 PM 7/3/2007, Ciolfi Laurence (Larry) CONT NPRI wrote:
Did PGP participate in the Data At Rest (DAR) Encryption Contract Proposal?

For those of you unfamiliar with this development, the "winners" list is here:
  http://www.esi.mil/newsDetail.asp?iContentID=361

SpyProof! is there, as is ISC's SecretAgent (file-based encryption for
data-at-rest as well as data-in-transit, that also satisfies OMB requirements)
and DAS (facilitates secure document sharing within communities of interest).

At 12:12 PM 7/3/2007, Bryan Glancey wrote:
Only one.. Mobile Armor - 100% US made and US Developed.

All ISC products are "100% US made and US Developed." And it's been that way
since we started in 1983. The core crypto module is FIPS validated, and (now
that the cat is out of the bag) NSA-evaluated and approved for classified use.
(See the third PDF posted on the above-referenced ESI page, pp. 64-65.) TPMs, HSMs,
and smartcard/USB tokens are supported, as is optional data recovery by
trusted administrators.

At 12:44 PM 7/3/2007, Robert Jueneman wrote:
Since everyone else is introducing themselves, I will also.

I actually think this is your second time, Bob, but it's good to hear from
you!

All other FDE vendors (at least to the best of my knowledge) wrap the disk
encryption key in RSA-2048, or only RSA-1024. Worse yet, many only wrap the
key in a password and then write that obfuscated key blob to the disk or
removable token, making it highly vulnerable to an exhaustive search attack.

You can argue that ISC is not really doing FDE -- and you'd be partially
right! -- but ISC always wraps encryption keys in the RSA, DH, or ECC certs
of the user's choosing. *All* NIST-approved/Suite B-recommended algorithms
and key sizes are supported (ECMQV 'by appointment only'); whatever you
don't like can be mapped out by imposing an appropriately crafted 'security
policy' on users. (Don't have certificates yet? Generate a key pair and self-
signed certificate with our client; get a free 1-year cert from us with each
client license; or look into our low-cost webserver-based CA, "CertAgent.")

You couldn't drag the info out of me with hot irons, but those of you with
DoD connections can inquire (through appropriate channels) which encryption
products NSA puts on all of their desktop systems. DIA is another good
reference for ISC's PKI management tools. Did someone mention Intel?

BTW, Bruce Schneier had some brief comments on the DAR initiative back in
January that in retrospect are fairly amusing:
  http://www.schneier.com/blog/archives/2007/01/us_government_t.html
It turns out that there are roughly 10 "winners":
  http://www.esi.mil/newsDetail.asp?iContentID=361

-mjm
_______________________________________________
FDE mailing list
[email protected]
http://www.xml-dev.com/mailman/listinfo/fde
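The exhaustive-search exposure discussed in the thread above (a disk encryption key wrapped only under a password, with the resulting blob written to disk or a removable token), as an added example that is not part of the original post and does not reproduce any vendor's format. Everything in it is constructed for illustration: the blob layout, the PBKDF2 parameters, the sample password list. It shows why such a blob is enough on its own for an offline attack, and the comments note the contrast with a key wrapped under a certificate's public key, which the block does not implement.

```python
import hashlib
import hmac
from typing import Iterable, Optional, Tuple

# Constructed blob layout for this illustration (no vendor's real format):
#   salt (16) || iteration count (4, big-endian) || wrapped DEK (32) || HMAC-SHA256 tag (32)
SALT_LEN = 16
DEK_LEN = 32
TAG_LEN = 32
BLOB_LEN = SALT_LEN + 4 + DEK_LEN + TAG_LEN
# Deliberately low, as many products of the era were. Raising it only scales the
# attacker's per-guess cost linearly; it does not remove the attack.
DEFAULT_ITERS = 1000


def _derive(password: str, salt: bytes, iters: int) -> Tuple[bytes, bytes]:
    """Derive a 32-byte wrapping key and a 32-byte MAC key from the password."""
    kek = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iters, dklen=64)
    return kek[:32], kek[32:]


def wrap_with_password(dek: bytes, password: str, salt: bytes,
                       iters: int = DEFAULT_ITERS) -> bytes:
    """Wrap a 32-byte DEK under a password-derived key (XOR with the derived key,
    plus an HMAC tag). The tag is what lets anyone holding the blob test password
    guesses offline; a product that omits it is no better off, because the attacker
    can test guesses against the known structure of the first decrypted disk sector."""
    if len(dek) != DEK_LEN or len(salt) != SALT_LEN:
        raise ValueError("DEK must be 32 bytes and salt 16 bytes")
    enc_key, mac_key = _derive(password, salt, iters)
    ct = bytes(a ^ b for a, b in zip(dek, enc_key))
    tag = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    return salt + iters.to_bytes(4, "big") + ct + tag


def unwrap_with_password(blob: bytes, password: str) -> Optional[bytes]:
    """Return the DEK if the password is right, else None. Needs nothing but the blob."""
    if len(blob) != BLOB_LEN:
        raise ValueError("malformed blob")
    salt = blob[:SALT_LEN]
    iters = int.from_bytes(blob[SALT_LEN:SALT_LEN + 4], "big")
    ct = blob[SALT_LEN + 4:SALT_LEN + 4 + DEK_LEN]
    tag = blob[-TAG_LEN:]
    enc_key, mac_key = _derive(password, salt, iters)
    expected = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, enc_key))


def exhaustive_search(blob: bytes, candidates: Iterable[str]) -> Optional[Tuple[str, bytes, int]]:
    """Offline dictionary attack: try each candidate password against the blob alone.
    Returns (password, recovered DEK, number of guesses) or None.
    Contrast: had the DEK been wrapped under a certificate's RSA/ECC public key, the
    blob would yield nothing without the private key, which stays on the user's
    token, so there would be no offline test for the attacker to run."""
    for guesses, pw in enumerate(candidates, start=1):
        dek = unwrap_with_password(blob, pw)
        if dek is not None:
            return pw, dek, guesses
    return None


if __name__ == "__main__":
    import os
    dek = os.urandom(DEK_LEN)
    blob = wrap_with_password(dek, "letmein2007", os.urandom(SALT_LEN))
    # Constructed wordlist standing in for a real one.
    wordlist = ["password", "123456", "qwerty", "welcome", "letmein2007", "admin"]
    hit = exhaustive_search(blob, wordlist)
    if hit and hit[1] == dek:
        print("DEK recovered with password %r after %d guesses" % (hit[0], hit[2]))
    else:
        print("not in wordlist")
```

The attacker needs only the blob: no running system, no user interaction, and nothing from the token except the bytes already stored on it. Every guess is verified locally, so the only defences are password entropy and KDF cost, and the latter buys a constant factor at most.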