Encryption

Discussion in 'privacy technology' started by dleggett, Feb 26, 2008.

Thread Status:
Not open for further replies.
  1. dleggett

    dleggett Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    5
    We are getting ready to implement encryption on some tablets and notebooks that we have. Is there a good one out there that supports the Novell world and Windows XP Pro and Windows XP Tablet Edition 2005? Have peeked inside a few: TrueCrypt (didn't know if it supported XP Tablet Edition 2005 or not), and a product that we may be purchasing not this coming up budget year, but maybe the next one, with a company called WinMagic SecureDoc. Saw them at a conference and was very impressed. Are there any free ones out there that could help us in the meantime? What do you like/dislike about it? Any information that you could provide would be greatly appreciated. Thanks
     
  2. docfleetwood

    docfleetwood Registered Member

    Joined:
    Apr 6, 2004
    Posts:
    36
    You might want to listen to the Steve Gibson podcast regarding Free Compusec (episode 131). You can find the podcasts at www.grc.com/securitynow

    This Thursday (2/28/08) he is going to do a full podcast on TrueCrypt 5. No doubt it will have some good information for you in your decision-making.
     
  3. KookyMan

    KookyMan Registered Member

    Joined:
    Feb 2, 2008
    Posts:
    367
    Location:
    Michigan, USA
    I'm not sure if I'm misreading or if you got confused in writing this, but TrueCrypt is free. There is no purchasing, just implementing.

    As for XP Tablet Edition, I'm tempted to believe it will work just fine since it is based on the XP system. Try it in a Virtual Machine to confirm, but I think it will work.

    I just looked at the webpage for the software you mentioned, and immediately I see a "Caution" word. Anytime something advertises itself as "The Most Secure," that red flags to me. When something advertises itself as "The Best" of something, I want to know why it advertises it. Is it true? Because if it were, why doesn't its reputation speak for itself?

    I have never used WinMagic, but just looking at its bullet points, some more "cautionaries" pop up to me. (My comments are in bold.)

    From http://www.winmagic.com/
    Summary of the Strengths and Unique Differentiating Features in SecureDoc Version 4.3
    • Easy to configure, deploy and manage - Fluff. Most software makes this claim.
    • Centralized Management of key and key files through MS SQL Server - Legitimate "Feature", definitely can qualify as Unique and/or Differentiating. Something to note here is now you're dependent upon the security of your database. If your database is compromised, so is every encrypted system referenced in this database. This is potentially one argument against centralized management.
    • Strong Access Control with Multifactor Authentication via passwords, Hardware Tokens, PKI, smart card, or biometrics - Also a legitimate feature, but I'm not sure how unique this is, considering I've seen most of this in other products.
    • No back door. All recovery features are governed and controlled by your organization, not by WinMagic. Source code validation by third parties and by different governments ensures that no back door exists. - Feelgood statement. Definitely not unique. PGP offers its source to customers, TrueCrypt and GPG are Open Source.
    • Support of Trusted Platform Module (TPM v1.2) - Legitimate, not necessarily Unique.
    • Interoperability with imaging software - This general statement is not unique. But I'm not sure what's special without looking deeper.
    • Virus Recovery - Whaaa? This says nothing. What kind of recovery? Why would you want to recover a virus? (I know that's not what they mean but.) -- After digging deeper, this means the disk is still accessible if infected with viruses.
    • Compatible with VMWARE - Possible Fluff. Most software is. TrueCrypt works fine with it. -- Deeper: Their claim is it works with VMWare "Out of the Box." Isn't VMWare's goal to work with everything "out of the box"?
    • Supports removable media including USB externals drives, CD / DVD's - Fluff. Again, not unique or differentiating.
    • Power Out Protection - Huh? They aren't talking about the recent "Cooled Ram" attacks. I did a site search and this is only mentioned on two pages of the whole site (according to Google). This is: "Robust capabilities that allow the initial encryption (conversion) to be interrupted by a power outage without data loss." This doesn't apply to normal usage apparently.
    • Large Disk Support - Again, seems commonplace to me. I know TrueCrypt supports them.
    • Support for RAID controllers - Possibly unique, but I feel that it's not.
    • Full Disk, File / Folder Encryption - Fluff. This is the whole point of Encryption Software. Definitely not unique.
    • Supports Microsoft Windows Vista, XP, 2000 - Fluff. Counts mainly as an indicator, not as unique/differentiating.

    This is not a review of any software mentioned above, just an example from my perspective only of things that don't seem "quite right".

    I'm not trying to dissuade you or cause you to use any specific software, but I think it does say lots for a company whose "key advertising points" contain significant fluff, treating some of the above as if they are major selling points. In the interest of transparency, I will admit that I have and do use TrueCrypt (limitedly, looking to expand my usage), as well as using GPG occasionally.
     
  4. dleggett

    dleggett Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    5
    Ok, I have another question. What is a product that we can use that does not store the actual key on the hard drive, requires a USB thumb drive, and/or where the only user intervention that is required is entering a password or something?
     
  5. dleggett

    dleggett Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    5
    Excuse my last reply; I should have said either requires a password from the user. Was looking at XP's, but if you remove the certificate from the hard drive, you have to import it back in and then make sure that you delete it out again. The workers here will not go that route. If they put it in once, if we are lucky, then they will not want to delete it. We need something that can be read from the USB device, or requires them to enter a password.
     
  6. KookyMan

    KookyMan Registered Member

    Joined:
    Feb 2, 2008
    Posts:
    367
    Location:
    Michigan, USA
    TrueCrypt works with Keyfiles And / Or Passwords.

    Currently, Keyfiles don't work with Pre-Boot Authentication, only containers, but they are looking to add support for them as well as other token methods (such as SecurID tokens) in the future.

    By not storing the key on the hard drive, I'm not understanding you, or did you just mean Key files?
     
  7. dleggett

    dleggett Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    5
    We don't want anyone to be able to get to the system, but yet we don't have to make all of our mobile users have to remember 4 more passwords; they already have so many to remember, probably somewhere along the neighborhood of 5 as of now. This is the setup as of right now. They are using either the X41 or the X61 tablets from Lenovo. They have fingerprint capability and some users are using them wonderfully. Some we have had to go in there and adjust so they could use their password to access Windows. They are in the field with these pretty much all of the time. As soon as they come back they are "supposed" to move the files over to the network, as we are getting ready to test aircards pretty soon. Any tips for encryption? The tablets come with Utimaco Safeguard on them, which pretty much lets you do the same thing as TrueCrypt. Creates a private volume only accessible with a passphrase. It does have the ability for hard disk password and administrator passwords; I am not sure as to where to go from here. The Client Security Solution, which is a different passcode from the Utimaco one, is iffy. Sometimes it works and sometimes it doesn't. We don't need the workers to not be able to login. Hope I haven't confused anyone. Thanks
     
  8. Fontaine

    Fontaine Registered Member

    Joined:
    Jan 29, 2008
    Posts:
    245
    With TrueCrypt, you just have them remember one password. I believe it has an administrator function to it as well. So if the user forgets their password, there is an overriding admin password that the administrator could enter to unlock the container file (assuming you used container files; not sure if this option is available with whole disk encryption).
     
  9. KookyMan

    KookyMan Registered Member

    Joined:
    Feb 2, 2008
    Posts:
    367
    Location:
    Michigan, USA
    There's no "backdoor" password per se; however, if you back up the headers with a certain password, you can change the headers on the drive (using PBA) or container to give it a new password. If you replace the headers with the backup made with the "old" password, you can then use the "old" password to access the container or drive.
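
Added example, not part of the forum post above and not TrueCrypt's own code: a simplified Python model of the header backup and restore behaviour that post describes, where the header holds the volume master key wrapped under a password-derived key. The header layout, the XOR wrap (a stand-in for the real cipher), the passphrases and all function names are assumptions made for illustration.

```python
import hashlib, hmac, os

ITERATIONS = 2000  # demo value only; far too low for real use

def _derive(password, salt):
    # PBKDF2 output split into a wrapping key and a MAC key.
    okm = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=64)
    return okm[:32], okm[32:]

def make_header(master_key, password):
    """Wrap the 32-byte volume master key under a password (toy XOR wrap)."""
    salt = os.urandom(16)
    enc_key, mac_key = _derive(password, salt)
    wrapped = bytes(a ^ b for a, b in zip(master_key, enc_key))
    tag = hmac.new(mac_key, salt + wrapped, hashlib.sha256).digest()
    return salt + wrapped + tag

def open_header(header, password):
    """Return the master key, or None if the password does not fit this header."""
    salt, wrapped, tag = header[:16], header[16:48], header[48:]
    enc_key, mac_key = _derive(password, salt)
    expected = hmac.new(mac_key, salt + wrapped, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(wrapped, enc_key))

def change_password(header, old, new):
    """Re-wrap the same master key; the encrypted data is never touched."""
    master_key = open_header(header, old)
    if master_key is None:
        raise ValueError("wrong password")
    return make_header(master_key, new)

def recovery_scenario():
    master_key = os.urandom(32)  # constructed sample key
    backup = make_header(master_key, "admin-passphrase")  # admin keeps a copy
    live = change_password(backup, "admin-passphrase", "user-passphrase")
    return {
        "admin_on_live": open_header(live, "admin-passphrase") is not None,
        "user_on_live": open_header(live, "user-passphrase") == master_key,
        # Restoring the backup header brings the old password back ...
        "admin_on_restored": open_header(backup, "admin-passphrase") == master_key,
        # ... and the user's newer password no longer fits that header.
        "user_on_restored": open_header(backup, "user-passphrase") is not None,
    }

if __name__ == "__main__":
    for check, outcome in recovery_scenario().items():
        print(f"{check}: {outcome}")
```

In this model a header backup keeps working for as long as the master key is unchanged, so a password change does not revoke an older backup; the backup and its password need the same protection as the volume itself.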
     
  10. garrymc

    garrymc Registered Member

    Joined:
    Mar 5, 2008
    Posts:
    1
    Location:
    Mississauga, Ontario, Canada
    Dear Kookyman,

    We would like to thank you very much for your comments. You are right; our statement of “Unique differentiating features” is not correct.

    Also, thank you for pointing out the various mistakes and incompleteness in the list and spending the effort to search deeper. We appreciate your attention.

    As you can see, we have removed that text from our web site. With respect to “virus recovery” we mistakenly posted some internal notes on the web without proper review. Clearly we do not want to recover a virus ;-). The terms “Unique” and “Differentiating” were taken from our paper “SecureDoc's 23 Unique Features (3/5/2007) 191kb“ whereby we stated that while the features are not unique, most of the competition’s products won’t have them.

    In our paper “SecureDoc's 23 Unique Features (3/5/2007) 191kb” you can read that, for example, we support CD/DVD encryption at the sector level, which is unique; or support for VMWare at the FULL disk encryption level whereby SecureDoc utilizes smartcard authentication at “pre-boot” for the VMware environment. (TrueCrypt has provided virtual disk encryption (“container encryption”) and only recently introduced full disk encryption).

    We here at WinMagic do sincerely believe that we have the most comprehensive set of features and that taken together SecureDoc is truly a unique product offering providing unsurpassed functionality and security. We apologize for our mistakes in the text on the web and getting carried away when describing each individual feature. We value our customers and the community and certainly would not want to mislead users. We would like to thank you again for your attention and will try to do better.

    …GARRY
     
  11. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,275
    Location:
    Here, There and Everywhere
    Way to go, Kookyman! Good work. Pretty impressive that the guy took the time to respond on the forum. WinMagic's no small outfit, I put in 'Garry' and 'Winmagic' in Google and see that he's Vice President for Research and Development. Thanks for the post Garry!
    http://www.winmagic.com/corporate_info/bios.asp

    I would have loved to have seen his face when he typed, "Dear Kookyman." :)
     
  12. KookyMan

    KookyMan Registered Member

    Joined:
    Feb 2, 2008
    Posts:
    367
    Location:
    Michigan, USA
    Wow. I'm floored.

    I guess it just goes to show you how much weight these particular forums hold among those "in the know."

    I would just like to thank Garry for taking the time to respond, and take the actions he did. I think it definitely says something for him, and by extension WinMagic.
     
  13. gemini44

    gemini44 Registered Member

    Joined:
    Feb 12, 2008
    Posts:
    2
    Hello,

    As I saw you have got a lot of answers to your question, so I dare to tell you about the encryption software I use for my laptop. It is called DriveCrypt Plus Pack; it has a preboot authentication function and the password can be stored in a file but also in an eToken, USB stick. The software also has different useful features and you can test it free for 30 days.
    My opinion is to give it a try :thumb:
     