Re: New DoD encryption mandate

2007-08-20 Thread Jack Lloyd
On Fri, Aug 17, 2007 at 05:21:16PM -0700, Alex Alten wrote: Agreed, for most requirements. Sometimes one may need to keep keys in trusted hardware only. The only real fly-in-the-ointment is that current hash algorithms (SHA-1, SHA-2, etc.) don't scale across multiple CPU cores (assuming you

Re: New DoD encryption mandate

2007-08-19 Thread Ali, Saqib
On 8/17/07, Ivan Krstic wrote: How so? If your computer goes bad, you need a *backup*. That's entirely orthogonal to the drive encryption problem. One of the functions provided by the TPM is to wrap/bind and store the bulk encryption keys. Now let's say the mother board or

Re: New DoD encryption mandate

2007-08-19 Thread Ivan Krstić
On Aug 18, 2007, at 3:30 PM, Ali, Saqib wrote: One of the functions provided by the TPM is to wrap/bind and store the bulk encryption keys. Now let's say the mother board or the TPM goes bad on your notebook or you simply want to upgrade the computer. You need to be able to restore+transfer

Re: New DoD encryption mandate

2007-08-19 Thread Ali, Saqib
I still don't follow. BitLocker explicitly includes an (optionally file-based) recovery password. If you want central management, why not centrally manage _that_? On if MS provided some way to manage them centrally. Using an encrypted DB to manually store the keys in it is simply not feasible.

Re: New DoD encryption mandate

2007-08-19 Thread Ivan Krstić
On Aug 19, 2007, at 12:13 PM, Ali, Saqib wrote: On if MS provided some way to manage them centrally. Using an encrypted DB to manually store the keys in it is simply not feasible. Your argument just went from TPMs are bad for volume encryption with BitLocker because they can't be centrally

Re: New DoD encryption mandate

2007-08-17 Thread Ivan Krstić
On Aug 16, 2007, at 8:30 AM, Ali, Saqib wrote: The other problem is that it lacks any centralized management. If you are letting TPM manage your Bitlocker keys you still need a TPM management suite with key backup/restore/transfer/migrate capabilities in case your computer goes bad. How so? If

Re: New DoD encryption mandate

2007-08-17 Thread Alex Alten
At 04:02 AM 8/17/2007 -0700, Ivan Krstić wrote: On Aug 16, 2007, at 8:30 AM, Ali, Saqib wrote: The other problem is that it lacks any centralized management. If you are letting TPM manage your Bitlocker keys you still need a TPM management suite with key