Addressing loopholes in encryption

jmt356
SilverLounger
Posts: 2102
Joined: 28 Mar 2010, 01:49

Addressing loopholes in encryption

Post by jmt356 »

There is a huge loophole in encryption. It only works while a drive is locked. Once you unlock the drive, the information is vulnerable.

For example:
Jane logs on to Windows and unlocks her data drive. Her laptop is stolen. All of the unencrypted information is stolen. The battery dies and the thief restarted it after he gets a power cord. The data drive is locked again and encrypted, but it is too late. The thief already has all of Jane's information.

Is it possible to set up Bitlocker so that it automatically encrypts a data drive every time a computer hibernates (or even better, each time it locks)?

Is it possible to set up encryption on certain files within a data drive so that even when a data drive is unlocked, certain files within the data drive remain encrypted until and unless they are specifically unlocked so that they remain secure even if the laptop is stolen while the data drive is unlocked/
Regards,

JMT

User avatar
StuartR
Administrator
Posts: 11127
Joined: 16 Jan 2010, 15:49
Location: London, Europe

Re: Addressing loopholes in encryption

Post by StuartR »

There are many ways you can encrypt files, each has benefits and disadvantages.

If you use Veracrypt instead of Bitlocker then you have options to auto-dismount when user session locked, or when entering power-saving, or even after no data has been read/written to the partition for a specified period of time.

You can encrypt individual Microsoft office files using the built in features in Word, Excel etc. Similarly you can encrypt PDF files when you create them.
StuartR


jmt356
SilverLounger
Posts: 2102
Joined: 28 Mar 2010, 01:49

Re: Addressing loopholes in encryption

Post by jmt356 »

StuartR: Thanks. Can I encrypt individual folders using Bitlocker or MS Office? Or does this software work only with individual drives / files?
Regards,

JMT

User avatar
ChrisGreaves
PlutoniumLounger
Posts: 11700
Joined: 24 Jan 2010, 23:23
Location: paused.undefined.exposed

Re: Addressing loopholes in encryption

Post by ChrisGreaves »

StuartR wrote:
08 Jan 2021, 17:38
If you use Veracrypt ... you have options to auto-dismount when user session locked, or when entering power-saving, or even after no data has been read/written to the partition for a specified period of time.
Thanks Stuart, for prompting me to see what I have been missing since I started using Veracrypt! :thankyou:
Cheers
Chris
More than the minimum is less than enough

JoeP
BronzeLounger
Posts: 1590
Joined: 25 Jan 2010, 02:12

Re: Addressing loopholes in encryption

Post by JoeP »

The first rule of security is if you don't physically control the device you are not secure. There has to be some personal responsibility involved too. Perhaps Jane should re-boot the machine if she is going to leave it in a position to be stolen. Or just re-boot whenever it is left unattended. There are some things you can't fix.

See How to Lock BitLocker Encrypted Drive in Windows for options.
Joe

User avatar
StuartR
Administrator
Posts: 11127
Joined: 16 Jan 2010, 15:49
Location: London, Europe

Re: Addressing loopholes in encryption

Post by StuartR »

jmt356 wrote:
08 Jan 2021, 17:52
StuartR: Thanks. Can I encrypt individual folders using Bitlocker or MS Office? Or does this software work only with individual drives / files?
Bitlocker will encrypt partitions
MS Office will encrypt files
Veracrypt (or similar tools) can encrypt individual folders, or partitions.
You could use a password protected zip file to protect a set of files that you store together, so that's a bit like an encrypted folder.
StuartR


jmt356
SilverLounger
Posts: 2102
Joined: 28 Mar 2010, 01:49

Re: Addressing loopholes in encryption

Post by jmt356 »

StuartR wrote:
08 Jan 2021, 22:00
You could use a password protected zip file to protect a set of files that you store together, so that's a bit like an encrypted folder.
That's a great idea.
Regards,

JMT

User avatar
ChrisGreaves
PlutoniumLounger
Posts: 11700
Joined: 24 Jan 2010, 23:23
Location: paused.undefined.exposed

Re: Addressing loopholes in encryption

Post by ChrisGreaves »

StuartR wrote:
08 Jan 2021, 22:00
You could use a password protected zip file to protect a set of files that you store together, so that's a bit like an encrypted folder.
Hi Stuart.
I can't see how this solves what I think is the problem in the original post, to wit "Once you unlock the drive, the information is vulnerable."

When TrueCrypt or VeraCrypt unlocks my data partition, all 219GB of data is visible to malware that wants to exploit it.
When PKZip unzips my password-protected zip file, all 10MB of data is visible to malware that wants to exploit it.

This is a difference in magnitude, to be sure, but not in logic. If I use a different password for each 10MB zip file I have reduced my vulnerability, but still an all The Thief already has all or some of my information.

I may have misunderstood the problem, in which case I hope I will be corrected!
Cheers
Chris
More than the minimum is less than enough

jmt356
SilverLounger
Posts: 2102
Joined: 28 Mar 2010, 01:49

Re: Addressing loopholes in encryption

Post by jmt356 »

Chris,

The point is that if you have very sensitive data that you need protected, you can always keep it protected while the drive is unlocked, except for when you specifically need to access it. However, if you do not use the method that StuartR proposed, then that data is always vulnerable, even when you are not accessing it, the moment your drive is unlocked.

You will never be 100% safe, but StuarR's suggestion gets you more security than just using Bitlocker alone does.
Regards,

JMT

User avatar
ChrisGreaves
PlutoniumLounger
Posts: 11700
Joined: 24 Jan 2010, 23:23
Location: paused.undefined.exposed

Re: Addressing loopholes in encryption

Post by ChrisGreaves »

jmt356 wrote:
10 Jan 2021, 18:39
You will never be 100% safe, but StuarR's suggestion gets you more security than just using Bitlocker alone does.
Agreed.
That was behind my thought that "This is a difference in magnitude, to be sure, but not in logic."
A degree of probability.

Take my password file, for example. "Passwords.doc" as a poor example.

Whether or not I have opened that file in MSWord, as long as that file is exposed and available to be opened by MSWord, it is vulnerable.
Had you a second keyboard available on my computer, you might see that file "T:\Greaves\Administration\Passwords.doc" using File Explorer, and quickly copy that file to a memory key and be a thousand dollars (my net worth!) richer by nightfall.
The same applies if "you" were a piece of malware that spent ten seconds every minute looking for new or changed files.

But this point is true regardless of whether the partition is encrypted (BitLocker, Truecrypt, Veracrypt) or whether just a part of the folder is unzipped (T:\Greaves\Administration\ImportantStuff.zip).

"Vulnerable" is "Vulnerable" no matter how it is made "Invulnerable" at intervals.

Cheers
Chris
More than the minimum is less than enough

User avatar
StuartR
Administrator
Posts: 11127
Joined: 16 Jan 2010, 15:49
Location: London, Europe

Re: Addressing loopholes in encryption

Post by StuartR »

If this is important to you then use Veracrypt, which is free, and set your data partition to auto-dismount after you have not read/written to it for 5 minutes
You do not have the required permissions to view the files attached to this post.
StuartR


jmt356
SilverLounger
Posts: 2102
Joined: 28 Mar 2010, 01:49

Re: Addressing loopholes in encryption

Post by jmt356 »

How heavy is VeraCrypt's dismounting and mounting process on processing resources? I imagine mounting and dismounting will occur very frequently throughout the day if it is set to auto-dismount after 5 min. of inactivity.
Regards,

JMT

User avatar
Jay Freedman
Microsoft MVP
Posts: 1118
Joined: 24 May 2013, 15:33
Location: Warminster, PA

Re: Addressing loopholes in encryption

Post by Jay Freedman »

ChrisGreaves wrote:
10 Jan 2021, 19:24
Whether or not I have opened that file in MSWord, as long as that file is exposed and available to be opened by MSWord, it is vulnerable.
If the document file has been assigned a password for opening, and if the file is not currently open, then it isn't vulnerable any more than any other file encrypted in the same way with the same encryption key would be. According to https://en.wikipedia.org/wiki/Microsoft ... protection,
Office 2007–2013 employed 128-bit key AES password protection which remains secure. Office 2016 employed 256-bit key AES password protection which also remains secure.

The Office 97–2003 password protection used 40-bit key RC4 which contains multiple vulnerabilities rendering it insecure.
That might be a reason for you to give up Word 2003 at long last... :sad:

User avatar
StuartR
Administrator
Posts: 11127
Joined: 16 Jan 2010, 15:49
Location: London, Europe

Re: Addressing loopholes in encryption

Post by StuartR »

jmt356 wrote:
16 Jan 2021, 16:38
How heavy is VeraCrypt's dismounting and mounting process on processing resources? I imagine mounting and dismounting will occur very frequently throughout the day if it is set to auto-dismount after 5 min. of inactivity.
Dismounting uses very little. Mounting intentionally uses many iterations of a compute intensive process, to increase how long it takes, and make it harder to use a brute force attack.
StuartR


User avatar
ChrisGreaves
PlutoniumLounger
Posts: 11700
Joined: 24 Jan 2010, 23:23
Location: paused.undefined.exposed

Re: Addressing loopholes in encryption

Post by ChrisGreaves »

Jay Freedman wrote:
16 Jan 2021, 20:29
ChrisGreaves wrote:
10 Jan 2021, 19:24
...that file is exposed and available to be opened by MSWord, it is vulnerable.
If the document file has been assigned a password for opening, and if the file is not currently open, then it isn't vulnerable any more than any other file ...
Quite so, Jay. That was sloppy writing on my part.
I was thinking of a regular, non-Word-password-protected document.

I think of three levels of protection:
(1) Encryption of a partition or folder tree by a product such as Veracrypt or Truecrypt.
(2) Encryption of a folder tree or collection of files by a product such as PKZip25 or WinZip variants
(3) Password protection of a Document by MSWord, or of an Excel workbook by Excel.
I was trying to say that whether one or both of levels (1) and (2) are employed, once the DOC/XLS is exposed, it is vulnerable.
I might then have added that "password protection at the application level would provide a third level of protection"
... That might be a reason for you to give up Word 2003 at long last... :sad:
That day may yet come, Jay. The defining moment will be when my Word6.0 program code, migrated to Word97, then Word2000, and then Word2003 ceases to function, or I find myself trying to parse a string of characters that absolutely needs a feature of Office 2043 that I absolutely cannot code for myself in what is in essence Word97/VBA. By that time I will be 97, and it may be time for me to say goodbye to Word97 :laugh:

Cheers
Chris
More than the minimum is less than enough