File System Security PDF - University of Prince Mugrin

Summary

This document is a presentation on file system security concepts, focusing on encryption methods like EFS and BitLocker, along with authentication modes. It discusses the advantages and challenges of each approach and includes potential security risks. It is a study resource from the University of Prince Mugrin.

Full Transcript

Syed Sadiqur Rahman University of Prince Mugrin UPM
System and OS
Security

University of Prince Mugrin

University of Prince Mugrin

University of Prince Mugrin
File System Security
University of Prince Mugrin
Dr Syed Sadiqur Rahman
University of Prince Mugrin

University of Prince Mugrin

University of Prince Mugrin
Slides are prepared by Dr Syed Sadiqur Rahman.
Some slides and/or images are adapted from other sources mentioned in the last slide.
Syed Sadiqur Rahman
Syed Sadiqur Rahman University of Prince Mugrin UPM
System and OS
Security

University
Learningof Prince Mugrin
Objective
Protecting System and User Data Stored on
University of Prince Mugrin
Computers
University of Prince Mugrin
Key Concepts
University of Prince Mugrin
Securing Data Stored on Computers
University of Prince
File, Folder, andMugrin
volume level encryption
Private and Public key Encryption
University of Prince Mugrin
Trusted Platform Module
University of Prince Mugrin
Syed Sadiqur Rahman
Syed Sadiqur Rahman University of Prince Mugrin UPM
System and OS
Security

Securing File System
University of Prince Mugrin

University of Prince Mugrin

University of Prince Mugrin

University of Prince Mugrin
File
System
University of Prince Mugrin

University of Prince Mugrin

University of Prince Mugrin
Syed Sadiqur Rahman
Syed Sadiqur Rahman University of Prince Mugrin UPM
System and OS
Security

Access Control without Encryption?
University of Prince Mugrin

University of Prince Mugrin
What if an Attacker bypasses the Host
University of Prince Mugrin

Operating System
University of Prince Mugrin

University
(OSofwhich
Prince is
Mugrin
installed on a Device) and its
University of Prince Mugrin
Access Control Mechanism?
University of Prince Mugrin
Syed Sadiqur Rahman
Syed Sadiqur Rahman University of Prince Mugrin UPM
System and OS
Security

Encryption for Access
University of Prince Mugrin Control

Offline Attack University of Prince Mugrin

University of Prince
Attacker can Mugrin
use a different boot disk and run a second OS, bypassing access
controls
University of Prince Mugrin
Need defense in depth
University of Prince
Encrypt files, Mugrin
folders, and volumes

Windows-encrypted files cannot be booted into
University of Prince
another operating system Mugrin

Windows stores decryption keys
University of Prince Mugrin
Syed Sadiqur Rahman
Syed Sadiqur Rahman University of Prince Mugrin UPM
What Happens When We Encrypt System and OS
Security

University of Prince Mugrin

University of Prince Mugrin

University of Prince Mugrin

University of Prince Mugrin

University of Prince Mugrin

University of Prince Mugrin

University of Prince Mugrin
Syed Sadiqur Rahman
Syed Sadiqur Rahman University of Prince Mugrin UPM
System and OS
Security

Encryption Algorithms
University of Prince Mugrin

University of Prince Mugrin
Same key to encrypt and decrypt
Symmetric
University of Prince Mugrin
Faster
encryption Sharing key is a challenge
University of Prince Mugrin

University of Prince Mugrin
Two (Related) Keys: Private key and Public key
Asymmetric
Only Public Key is shared
encryption (Public University
Slower with Additional of Prince Mugrin
Functionalities
key)
University of Prince Mugrin
Syed Sadiqur Rahman
Syed Sadiqur Rahman University of Prince Mugrin UPM
System and OS
Security

Safeguarding
University of Prince Mugrin Stored Data
University of Prince Mugrin

University of Prince Mugrin
Encrypting
Bitlocker to
File System
Go
University
(EFS) of Prince Mugrin

University of Prince Mugrin
Bitlocker Drive
Encryption University of Prince Mugrin

University of Prince Mugrin
Syed Sadiqur Rahman
Syed Sadiqur Rahman University of Prince Mugrin UPM
System and OS
Security

Encrypting File System
University of Prince Mugrin
(EFS)

Works only with NTFS File Systems University of Prince Mugrin

Allows to
University ofencrypt
Prince individual
Mugrin files and/or folders
Uses Private/Symmetric Key Encryption (Hence, faster)
University of Prince Mugrin
The Encryption Key is encrypted with user’s public key
University
The filesofwill
Prince
becomeMugrin
inaccessible if you -
Forget the password and
University of Prince Mugrin
Remove or change the password except through Windows (Do you know
how?)
University of Prince Mugrin
Syed Sadiqur Rahman
Syed Sadiqur Rahman University of Prince Mugrin UPM
Encrypting File System (EFS) System and OS
Security

University of Prince Mugrin

University of Prince Mugrin

University of Prince Mugrin

University of Prince Mugrin

University of Prince Mugrin

University of Prince Mugrin

University of Prince Mugrin
Syed Sadiqur Rahman
Syed Sadiqur Rahman University of Prince Mugrin UPM
Encrypting File System (EFS) System and OS
Security

University of Prince Mugrin

University of Prince Mugrin

University of Prince Mugrin

University of Prince Mugrin

University of Prince Mugrin

University of Prince Mugrin

University of Prince Mugrin
Syed Sadiqur Rahman
Syed Sadiqur Rahman University of Prince Mugrin UPM
System and OS
Security

Encrypting File System
University of Prince Mugrin
(EFS)

University
The Encryption Key is encrypted with user’s public key of Prince Mugrin
Encryption
University of Key has toMugrin
Prince be decrypted with user’s private key
the private key is encrypted using a hash of the user's password hash
plus the user name. University of Prince Mugrin

The filesofwill
University Prince
becomeMugrin
inaccessible if you -
Forget the password and
University
Remove or change the password except through Windowsof
(DoPrince
you knowMugrin
how?)
University of Prince Mugrin
Syed Sadiqur Rahman
Syed Sadiqur Rahman University of Prince Mugrin UPM
System and OS
Security

Encrypting File System
University of Prince Mugrin
(EFS)

University of Prince Mugrin
▪ User selectively choses a
University of
file Prince Mugrin
or folder to be
encrypted.
University of Prince Mugrin

University of Prince Mugrin

University of Prince Mugrin

University of Prince Mugrin
Syed Sadiqur Rahman
Syed Sadiqur Rahman University of Prince Mugrin UPM
System and OS
Security

Encrypting File System
University of Prince Mugrin
(EFS)

University of Prince Mugrin

University of Prince Mugrin

University of Prince Mugrin

University of Prince Mugrin

University of Prince Mugrin

University of Prince Mugrin
Syed Sadiqur Rahman
Syed Sadiqur Rahman University of Prince Mugrin UPM
System and OS
Security

Encrypting File System
University of Prince Mugrin
(EFS)

Can you Think of a Security RiskUniversity of Prince Mugrin
with Encrypting
Individual files with EFS?
University of Prince Mugrin

University of Prince Mugrin

University of Prince Mugrin

University of Prince Mugrin

University of Prince Mugrin
Syed Sadiqur Rahman
Syed Sadiqur Rahman University of Prince Mugrin UPM
System and OS
Security

Encrypting File System
University of Prince Mugrin
(EFS)

University of Prince Mugrin
When using single file encryption, the file is first written to the disk in
University
plaintextof(unencrypted)
Prince Mugrin
and then encrypted. The plaintext file is then
deleted.
University of Prince Mugrin
Security Risk: many utilities exist that make it easy to recover deleted
University of Prince Mugrin
files, if the data has not been overwritten..
University of Prince Mugrin

University of Prince Mugrin
Syed Sadiqur Rahman
Syed Sadiqur Rahman University of Prince Mugrin UPM
System and OS
Security

Encrypting File System (EFS)
University of Prince Mugrin
So, avoid using EFS for a single file, especially if the file
contains sensitive data. University of Prince Mugrin

University of Prince
Only Mugrin
use Folder Encryption.

The encryption key is based on User’s
University of Prince Mugrin
password

Changing user password bypassing the OS (windows)
University of Prince Mugrin
will result in losing all encrypted data for that user.
University of Prince Mugrin

University of Prince Mugrin
Syed Sadiqur Rahman
Syed Sadiqur Rahman University of Prince Mugrin UPM
System and OS
Security

BitLocker (Volume/Drive Encryption)
University of Prince Mugrin

University of Prince Mugrin
BitLocker is a more current encryption method
University
Windowsof Prince
first Mugrin
introduced in the Ultimate and Enterprise versions of Windows
Vista.
University of Prince Mugrin
Unlike EFS, BitLocker only has two settings for each volume: on or off.
University of Prince Mugrin
You can't selectively choose which files or folders you want to encrypt.
University of Prince Mugrin
Everything on the selected volume is encrypted.
University of Prince Mugrin
Syed Sadiqur Rahman
Syed Sadiqur Rahman University of Prince Mugrin UPM
System and OS
Security

BitLocker (Volume/Drive Encryption)
University of Prince Mugrin

University of Prince Mugrin
Only administrators can enable or disable encryption using BitLocker

University of Prince
Normal users Mugrin
cannot alter any BitLocker settings.

University
BitLocker also differs from EFS In how it encrypts data. of Prince Mugrin
BitLocker mostly uses Trusted Platform Module (TPM) microchip to manage &
University of Prince Mugrin
protect the key used for volume encryption and decryption.
University of Prince Mugrin

University of Prince Mugrin
Syed Sadiqur Rahman
Syed Sadiqur Rahman University of Prince Mugrin UPM
System and OS
Security

BitLocker (Volume/Drive Encryption)
University of Prince Mugrin

University of Prince Mugrin
The data is encrypted using the Full Volume Encryption Key (FVEK).
University ofisPrince
The FVEK Mugrin with the Volume Master Key (VMK).
in turn encrypted

The VMK is encrypted by multiple protectors.
University of Prince Mugrin

In the default
University configuration,
of Prince Mugrinthere are two protectors: TPM and
Recovery Key
University of Prince Mugrin

University of Prince Mugrin
Syed Sadiqur Rahman
Syed Sadiqur Rahman University of Prince Mugrin UPM
System and OS
Security

BitLocker (Volume/Drive Encryption)
University of Prince Mugrin

University of Prince Mugrin
One advantage of relying on the TPM hardware is that encryption can occur

University of Prince
with no input from theMugrin
user (the encryption operations are totally
transparent).
University of Prince Mugrin
Most computers manufactured in recent years contain TPM hardware to
University of Prince Mugrin
support BitLocker.

University
All but one of the Bit Locker operation modes ofcomputer’s
depend on the Prince Mugrin
Trusted Platform Module (TPM)
University of Prince Mugrin
Syed Sadiqur Rahman
Syed Sadiqur Rahman University of Prince Mugrin UPM
System and OS
Security

BitLocker Authentication Modes
University of Prince Mugrin
MECHANISM AUTHENTICATION DESCRIPTION
MODE
TPM Only Transparent to University
No additional input is required from the user. of Prince Mugrin
the User

University
TPM + PIN
ofUser
Prince
authentication
Mugrin
The user is required to enter a PIN before
Windows boots.
TPM + PIN + User The user is required to enter a PIN and insert a
USB Key authentication USB key with authenticationUniversity BitLockerMugrin
of Prince
credentials before offers
Windows boots several
authentication
University ofauthentication
Prince Mugrin
TPM + USB Key User The user is required to insert a USB key with
authentication credentials before Windows boots modes, based
on required
depend on TPM hardware University
– user only inserts a of Prince Mugrin
USB Key Only USB Key mode The only authentication mode that does not
credentials.
USB Key with authentication credentials before

University of Prince Mugrin
Windows boots

Syed Sadiqur Rahman
Syed Sadiqur Rahman University of Prince Mugrin UPM
System and OS
Security

BitLocker and EFS Comparison
University of Prince Mugrin

BITLOCKER ENCRYPTING FILEUniversity
SYSTEM (EFS)of Prince Mugrin
Encrypts all files on the selected
Encrypts only selected files and folders
University
volume of Prince Mugrin
Either on or off for all users Encrypts files based on user actions — each
user can encryptUniversity
files or foldersof Prince Mugrin
selectively

Uses TPM or USB key as part of Does not require any special hardware
University of Prince Mugrin
the authentication process

University of Prince Mugrin
Must be administrator to turn Any user can choose to encrypt files or folders
BitLocker on/off
University of Prince Mugrin
Syed Sadiqur Rahman
Syed Sadiqur Rahman University of Prince Mugrin UPM
System and OS
Security

Bitlocker to Go
University of Prince Mugrin

University of Prince Mugrin
BitLocker To Go is BitLocker Drive Encryption on removable data drives.
University of Prince
This includes Mugrin
the encryption of USB flash drives, SD cards, external HDD,

University
and other drives formatted with NTFS, FAT16, FAT32, orof Prince
exFAT file Mugrin
systems.
University of Prince Mugrin
BitLocker To Go makes it easy to encrypt an entire device.
University of Prince Mugrin

University of Prince Mugrin
Syed Sadiqur Rahman
Syed Sadiqur Rahman University of Prince Mugrin UPM
System and OS
Security

Bitlocker to Go
University of Prince Mugrin

University of Prince Mugrin
When you turn on BitLocker To Go for a device, Windows asks whether to use

University of or
a password Prince
a smart Mugrin
card to encrypt the data.

Once initialized, the removable device is encrypted.
University of Prince Mugrin
You'll need to enter the same password or smart card to decrypt the data.
University of Prince Mugrin
TPM encryption mode isn't an option for BitLocker To Go, as storing
encryption keys on a computer's TPM hardware would make the removable
drive unusable on other computers. University of Prince Mugrin

University of Prince Mugrin
Syed Sadiqur Rahman
Syed Sadiqur Rahman University of Prince Mugrin UPM
System and OS
Security

Trusted Platform Module (TPM)
University of Prince Mugrin

University of Prince Mugrin
TPM also known as ISO/IEC 11889 is an international standard for a
University of Prince Mugrin
secure crypto-processor

A TPM chip is a secure crypto-processor University oftoPrince
that is designed provide Mugrin
hardware-based cryptographic operations for security
University of Prince Mugrin
The primary scope of TPM is to assure the integrity of a platform.
University of Prince Mugrin

University of Prince Mugrin
Syed Sadiqur Rahman
Syed Sadiqur Rahman University of Prince Mugrin UPM
System and OS
Security

Trusted Platform Module (TPM)
University of Prince Mugrin

TPM ensures that the boot process startsUniversity ofcombination
from a trusted Prince Mugrin
of
hardware and software, and continues until the OS has fully booted
University of Prince Mugrin
and applications are running.
University
The TPM contains several Platform Configuration of Prince
Registers Mugrin
(PCRs) that
allow secure
University storage Mugrin
of Prince and reporting of security relevant metrics.
These metrics are used to detect changes to previous configurations and
decide how to proceed. University of Prince Mugrin

University of Prince Mugrin
Syed Sadiqur Rahman
Syed Sadiqur Rahman University of Prince Mugrin UPM
System and OS
Security

Trusted Platform Module (TPM)
University of Prince Mugrin

University
PCRs allow secure storage and reporting of Prince
of security relevant Mugrin
metrics.
For example,
University If a laptop
of Prince is stolen, and the attacker does not
Mugrin
know your login password, they can not pull the drive and read
University of Prince Mugrin
the contents.
University of Prince Mugrin
Any modifications to the bios or boot loader code should
change the PCR values, and the TPM will not reveal the VMK.
University of Prince Mugrin

University of Prince Mugrin
Syed Sadiqur Rahman
Syed Sadiqur Rahman University of Prince Mugrin UPM
System and OS
Security

Potential Risk: Hacking the TPM
University of Prince Mugrin

If we can sniff the Volume Master Key University of Prince
as its being returned by theMugrin
TPM then we can enter that information into any number of BitLocker
University
librariesof Prince
and decryptMugrin
the drive.
The VMK can be extracted by hard-wiring into the TPM chip and
sniffing communications via the LPC bus.University of Prince Mugrin
The extraction requires physical access to devices and will result in
University of Prince
the device’s Mugrin
destruction due to the hard-wiring.
Extra Reading: Extracting BitLocker keys from a TPM
University of Prince Mugrin
(pulsesecurity.co.nz)
University of Prince Mugrin
Syed Sadiqur Rahman
Syed Sadiqur Rahman University of Prince Mugrin UPM
System and OS
Security

Summary
University of Prince Mugrin

University of Prince Mugrin
Prevent bypassing the OS installed on a Computer
University of Prince
Don’t encrypt Mugrin
individual files; always encrypt folders
Store EFS or BitLocker recovery information in a separate, safe location
University of Prince Mugrin
Do not use TPM for storing encryption key while using BitLocker To Go
University of Prince Mugrin

University of Prince Mugrin

University of Prince Mugrin
Syed Sadiqur Rahman
Syed Sadiqur Rahman University of Prince Mugrin UPM
System and OS
Security

Reference
University of Prince Mugrin

Michael J. Soloman, Security StrategiesUniversity of Prince
in Windows Platforms andMugrin
Applications, 2nd Edition, 2013, ISBN: 978-1284031652
University of Prince
Encrypting File SystemMugrin
- Wikipedia

University of Prince Mugrin

University of Prince Mugrin

University of Prince Mugrin

University of Prince Mugrin
Syed Sadiqur Rahman