The fallability of Man: Misguided trust in Encryption

When Bruce Schneier published Applied Cryptography back in the middle of the 1990's (1995 or 1996 I believe) my world changed. There was a fundamental resource book I could turn to that properly documented cryptography and allowed me to take advantage of encryption to store my secrets programatically. You know the ones, how to best pour a Guinness, and how to take over the world. Some even said it was the book the NSA didn't want published. Bruce was even quoted to have said that "It is insufficient to protect ourselves with laws; we need to protect ourselves with mathematics.".

In 2000, Bruce stunned the world in the preface of Secret & Lies, when he stated that the new book was partially written to correct a mistake he made in Applied Cryptography... that he erroneously talked about cryptography as if it was "The Answer" without putting it into context. He even admitted he was naive about it.

The reality is he quickly fixed that mistake and throughout Secret & Lies touted that "Security is a process, and not a product".

What is funny today, now going into 2004, is that many people still don't get this. Worse yet is that people still think encryption will solve everything, and they put a misguided trust into encryption tools without really understanding how they work, or what they do.

Tie that with misguided fear many have towards Microsoft, this becomes a deadly combination. I saw that today while in discussion with another information security professional who has a really misguided level of trust in his understanding of his tools and not enough experience with the tools available to him. I was so frustrated with this arrogant attitude towards his solution that I just had to call him on it. Soon after, he realized his mistake... and we left the conversation both having to document the experience. Although his documentation now has to deal with the audit he just finished... since he wrongly assumed some particular data was securely protected... when it may not be. I on the other hand... decided to blog about it. :)

Lets reflect back on how this all started with a little bit of history to set the stage. I was called into a situation where a particular client has a need to surrender a few mobile desktops to another division of the company for a period of time, and that the division cannot have access to the information that has been stored on the machines, and that these machines cannot currently be reinstalled. (There is actually a reason for this, but I can't disclose why.) The solution was that the users routinely PGP encrypted the data on disk, and all they would have to do is move the data off and delete it from the machine.

First off, simply deleting the information in question is not enough. There are plenty of tools that can scrape a harddisk and recover files. And he knew this as this was already disclosed in his report. Those findings didn't both me. He felt the risk was low because it was encrypted data, and that would make it virtually impossible to recover, even if they could get the ciphertext.

I then asked him why he didn't use XP's Windows encrypted file system. His response was that he didn't trust Microsoft, and felt the users followed the security policy and correctly PGP encrypted their information. (Lets assume for argument sake this was the case, and the weakest link was NOT the human factor) This is when I had to say something.

Now I must say I like PGP and I mean no disrespect to it or its use. But even though it provides strong encryption, it is useless if you can recover the plaintext from the information on disk. And this was the problem exposed in this particular situation. There was still a risk of information disclosure.

Why? Because the file system was NOT encrypted, the files were at one point plaintext on the disk. Somewhere on some platter in the harddrive the documents may still be stored in clear text. And it might be recoverable. Simply PGP encrypting it is not enough. Especially when there could easily be backup cache files from office related documents that were not wiped correctly.

Using EFS would have been a better solution. (Although it was to late at this point) The plaintext would never have ever touched the harddrive, which would mean it was truly unrecoverable (Well, except for the most determined attacker... but thats another story). And if he had MISTRUST in Microsoft he could have found another encrypted file system to use from a third party vendor.

Moral of the story? I dunno.. you make one up. Trust, but verify? Know what your tools do? Use a proper disk wiping tool? I'll let you build your own conclusions.