Security Testing and Evaluation Labs

PC Guardian: Encryption Plus® for Hard Disks 7.0

The following table shows the application components, main user visible functions within those components and the user role expected to use each function. This table is intended to clarify the relationships between the components and functions. The component names, function names and role names used in the table are used throughout this document.

Application component	Application Function	Intended User
User Module	Disk Encryption function	User
	User Login function
	Authenti-Check Login function
	Recovery function
	Admin login function	Local Administrator
		Corporate Administrator
Administrator tool	Administrator Login function	Corporate Administrator
	Configuration Update function	Corporate Administrator
Recovery tool	Recovery function	Local Administrator
		Corporate Administrator

The data written to and read from the partition or disk is respectively encrypted and decrypted on the fly as required driven by operating system use of the storage device. The encryption algorithm used is the Advanced Encryption Standard (AES) in CBC mode with 256 bit keys. The disk key used to encrypt the data on the disk, it is randomly generated and stored encrypted under the disk key encryption key (Disk KEK) which is derived from the username and password using the key derivation function PBKDF2.

It is recommended that all partitions on all disks be encrypted with EPHD to minimize risk of swap files and other application and operating system generated temporary files, being stored on an unprotected disk.

Another source of risk, this one outside the scope of the product, is the use of hibernation and suspend modes common on laptops, where the state of the machine memory are stored onto disk, typically in a separate disk partition outside the control of EPHD. It is recommended to disable these features to avoid risk that a stolen laptop or machine could have user data recovered from the suspend or hibernation partition.

EPHD also includes a corporate key recovery mechanism where designated administrators are able to remotely assist a user in regaining access to their data when they forget their passwords. The administrators use the recovery function of the recovery tool to do this. The recovery procedure recovers the disk key the disk is encrypted with, which allows the user to regain access to their data. Once access is regained, EPHD allows the user to choose a new password. The messages exchanged between the user and the administrator during the recovery procedure are compact so that the messages can be communicated verbally for example over a telephone. The recovery tool does not require the administrator to login. The administrator private key is stored in the recovery tool installation. The administrator must retain good physical security of the machine the recovery tool is installed on, the machine should preferably not have a network connection, or should have good network security measures.

In addition the administrators are also able to login to the User Module and gain access to user data without user assistance given physical access to the machine. To authenticate themselves to EPHD administrators have passwords. There are two classes of administrator: corporate administrator, and local administrators. Local administrators are assigned a domain of control (for example a department within the company) by the corporate administrator and are only able to fulfill the recovery and User Module login functions within their domain of control, corporate administrators on the other hand can access the entire domain of control covered by the installation. All users in an installation are under the administrative control of the corporate administrator; each user is under the administrative control of one of the local administrators. (Note in principle a company could have multiple installations, each with a separate corporate administrator with control within that domain. In a small site the local administrator role may not be used, and those tasks normally carried out by a local administrator instead carried out by the sole corporate administrator.)

The recovery procedure works technically as follows. The Disk Key is encrypted under the Elliptic Curve Key Recovery Key (ECKRK) with AES in CBC mode. The EC KRK is derived by first negotiating a key with Elliptic Curve Diffie-Hellman (ECDH) encryption using the corporate administrator and the local administrator's public ECDH keys, and then deriving the EC KRK from the negotiated key and the username with the KDF2 key derivation function. The EC KRK encrypted blocks are called recovery blocks, and there are two recovery blocks: the corporate administrator recovery block, and the local administrator recovery block. The AES encrypted Disk Key is also stored with the recovery block. During the access recovery protocol with the assistance of an administrator the user identifies and authenticates themselves to the administrator, and then transfers part of an administrator recovery block to the corresponding administrator. The administrator uses the recovery block part to negotiate a shared key, and then derives the EC KRK from the shared key and the authenticated users username using the KDF2 key derivation function, and transfers the EC KRK back to the user. The user recovers the Disk Key by decrypting the Disk Key with AES using the EC KRK. The Disk Key allows the user to access his files, and the user can then choose a new password. The recovery blocks are over-written with new recovery blocks, so that recovery messages captured by a threat agent eavesdropping on the recovery messages do not help the threat agent subsequently recover user data if he were to gain physical access to the user machine.

The same underlying key recovery cryptographic mechanism is used to allow the administrator to gain access to user data given physical access to the user machine.

As a final precaution to ensure availability of the recovery and User Module admin login functions in event that administrators leave the company without telling the company their passwords, there is a backup procedure for corporate and local administrator keys.

EPHD contains an alternative key recovery mechanism called Authenti-Check where the user is able to recover their disk key without assistance from an administrator. With Authenti-Check at configuration, the user is asked to provide a list of questions and answers. The Authenti-Check KRK is derived from the answers to the user provided questions. The Authenti-Check KRK is used to encrypt the Disk Key.

Users can at any time change their passwords. If corporate and local administrators wish to change their passwords there is a password update feature available to the corporate administrator in the Administrator Tool where the corporate administrator can create a signed password update that can be installed into installations of the User Module. The User Module then updates the recovery blocks with the new public keys corresponding to the new administrator passwords.

There are a number of configurable User Module security related options, such as messages to display at various points in the EPHD dialogs (for example phone numbers, methods of contacting the administrators) and options relating to numbers of allowed incorrect entries during password entry. These options are configured into the install package at install time. The install package is the software that is then installed on user workstations. There is support for automated network install, for example via network login scripts. Configuration changes can also be made to installations of the User Module by the administrator, using a signed configuration change package. Both configuration changes and administrator password changes can be automatically updated on the installations of the User Module using for example a network login script.

Configuration changes are signed with the current corporate administrators ECDSA signature key. Administrator password updates are signed with the old corporate administrator ECDSA, and the new administrator ECDSA key signifying transfer of authority from the old to the new key. The old ECDSA key will always be available even though the corporate administrator password may have been lost as the ECDSA key and the ECDH key are stored in the corporate administrator database.

The signed update message includes all signed ECDSA public key updates from the installation time, to ensure that a user who is offline for some time and misses some of the updates can verify signatures on updates in a chain of signatures with the previous key on the replacement key leading to the current ECDSA public key.

Administrator ECDSA and ECDH private key scalars are computed from the corresponding administrator password. The EC curve and public parameters used are Koblitz curves of size 113 bits, 158 bits, and 233 bits from ECDSA [FIPS-DSA]. In fact there are separate ECDH private keys derived from the same password one for each private key size. The smallest supported administrator key size larger than the estimated bit strength of the users password is used to encrypt the blocks. A proprietary password strength estimator is used to estimate the strength of the users password. This mechanism ensures that the strength of the recovery encryption is balanced with the strength of the users password and that the recovery messages are no larger than they need to be to provide a balanced level of security.

As a convenience to the user a single-sign on feature is provided. The login to the User Module is displayed before the windows login window. If the single sign on option is selected, EPHD manages authentication to windows so that the windows login window will not be displayed. The windows login name and password that EPHD supplies to the windows login function hooks to implement the single sign-on feature are stored encrypted inside the encrypted partition.