A few people inquired about the differences between pre-boot authentication
(PBA) and ATA lock, so here is an overview:

ATA Lock (or drive lock) is a BIOS-based security solution for
implementing FDE security with FDE hard drives. Once set, it prompts the
user to enter a password every time the computer is powered on to "unlock"
the drive. If the correct password is not entered, the drive becomes
disabled ("locked") and the computer does not boot up. Some manufacturers,
like HP, provide the capability of setting up two passwords for drive
lock, a Master and a Slave. This is convenient for administrative
purposes. The owner of the slave password can only use that password to unlock
the drive, whereas the master password allows changing both itself and the
slave password. Other manufacturers, like Dell, only allow one password.

In terms of strength of security, it is as strong as the security provided
by AES 128-bit encryption. In the past, drive lock has been vulnerable to
backdoor password reset (i.e. the password is blanked out) via a hacking
utility, or to "forensic" access of the drive via raw data extraction. This is
true only for regular drives. With an FDE drive, however, these security
holes are plugged. Because the data resides on the FDE drive encrypted
with a unique key, raw data extraction is useless. If the hacker is
somehow able to reset the drive lock password, this attack is thwarted by
the fact that the encryption key is encapsulated with the original drive
lock password. If the drive lock password were changed by an attack, the
encryption key in effect becomes inaccessible.

Software-based pre-boot authentication is another option for implementing
FDE security with FDE hard drives. There are two components to this
solution, the pre-boot authentication part and the OS client. The pre-boot
authentication is the part that comes up when the computer is first
powered on and asks for the access password (just like the ATA lock). The
OS client, on the other hand, is the part that installs on the OS
and provides other key features, in addition to basic password protection,
to end users. Some of these features include the configuration of the
pre-boot authentication itself, password synchronization with a directory
service (AD, NDS, LDAP, etc.), centralized administration of accounts,
remote management of passwords, multiple authorized accounts per computer,
audit trail, backup services, etc.

In terms of strength of security, software-based pre-boot authentication
is as strong as the security provided by AES 128-bit encryption. In this
respect, there is no difference between this and the ATA lock on FDE hard
drives.

SUMMARY TABLE:

                                 ATA Lock        Pre-boot Authentication
Encryption strength:             High            High
Centralized Management:          No              Yes
Number of accounts per PC:       Very Limited    Flexible
Additional cost:                 $0              ~$40/PC
Require software installation:   No              Yes
Additional Features:             None            Many

Scott
_______________________________________________
FDE mailing list
[email protected]
http://www.xml-dev.com/mailman/listinfo/fde