Welcome to the SecAware blog

I spy with my beady eye ...

23 Jun 2008

Password protected =/= Encrypted

At last! Indiana has seen the light!

A new Indiana state law comes into effect on July 1st mandating disclosure of breaches involving loss or theft of laptops containing personal data, even if the data are 'protected by a simple password' (such as a normal Windows or Linux login password, presumably).

"Public Law 136 (House Enrolled Act 1197) requires businesses to notify consumers when any of their personal information is contained on a laptop that has been lost or stolen unless that information is encrypted," Pierce said. Current law does not require consumers to be notified about a lost or stolen laptop if personal information about them on the laptop is protected by a simple password.

The article goes on to explain that 'a simple password' can be compromised by brute force attack, which is often true but is not really the point. A hacker with unrestrained physical access to a laptop could remove the unencrypted hard drive, install it on another system and access all the data. Or they could run one of the 'retrieve lost admin password' utilities, typically booting the laptop from an external boot drive or compromising the system's Firewire connection etc.

Unfortunately, the article doesn't make it clear that brute force attacks might also work against the password/passphrase commonly used to secure encryption keys. Multifactor authentication, for example using biometrics or token in addition to the usual user password/passphrase, would make a significant difference, along with tamper-resistant hardware protection for the keys themselves (e.g. the "Trusted Platform Module" or cryptographic smart card). And even then, there are potential attacks if the attacker has sufficient resources, skills and experience.

I haven't read the statute but I'm curious about how it defines 'encrypted'. For example, does it mandate AES with a 256 bit key or would DES with a 56 bit key, or even a Caesar cypher with key of 5, be considered good enough? Defining such things in law would be tricky since the state of the art is moving along constantly. Caesar's cypher was considered good enough 2 millennia ago.

Continuing this line of thinking leads to the inevitable conclusion that personal data cannot be totally secured on a laptop or other device to which an attacker has unrestrained physical access. So, perhaps businesses that lose encrypted laptops containing personal data should come clean anyway since they can still rightfully state that the data were protected by encryption.

Previous posts on this topic: Password protected =/= hacker proof and "Password protected" again

No comments:

Post a Comment