Common Criteria collaborative Protection Profiles for FDE

Software Full Drive Encryption (FDE) has been the prime choice for protecting the confidentiality of data on laptops for over a decade, but Self-Encrypting Drives (SEDs) are increasingly becoming the obvious choice for FDE because of their advantages in performance, transparency and security.

Performance is pretty easy to gauge, but by their very nature transparency and security are an odd couple. How does one get confidence or “assurance” that something is doing its job when it strives to be as invisible as possible? The standard approach for software FDE in the past has been FIPS 140-2 and Common Criteria EAL evaluations by third parties (i.e. accredited labs), but there are difficulties with this approach for software FDE, let alone SEDs.

FIPS (Federal Information Processing Standard) 140-2 is a US and Canadian government standard with an associated CMVP (Cryptographic Module Validation Program) that can evaluate products against that standard. The key word in CMVP is “Module”. The major drawback in relying solely on a FIPS 140-2 certificate for security assurance is that its scope is the cryptographic module, not the overall security posture of the product. The other drawback is that, being an American and Canadian standard, it is not necessarily recognized globally.

Common Criteria (CC), on the other hand, is an international standard and is recognized much more widely than FIPS. It also applies to whole products or systems, not just the cryptographic module. Historically, the major drawback of Common Criteria has been the “Security Target – EAL (Evaluation Assurance Level)” method with which it was applied. FDE product vendors would write a Security Target document describing the security functionality of the product and then submit it to a lab to have its implementation verified to a certain level of assurance (EAL). The EAL could range from 1 to 7, with 7 providing the most assurance. The problem with this approach is that, since every FDE product’s Security Target would be different, it was hard for customers to compare them. The EAL could also vary from product to product, and the uniqueness of each evaluation made assessments time-consuming and very expensive for the vendor.

That brings us to the present day, where SEDs and enterprise-wide deployments of FDE are becoming more prevalent. The old assurance methods just don’t cut it, so a new approach was needed. To that end, International Technical Community (iTC) work groups were formed to create collaborative Protection Profiles (cPPs) for FDE. The idea is that experts in Common Criteria and subject matter experts from the labs, academia, industry and governments would work together to create protection profiles. The cPP defines the security requirements that a product must meet, and the accompanying documentation describes the evaluation activities a lab must perform to verify that these functions exist and are operating properly. There is no EAL with cPPs and, unlike the Security Target method, no extra or missing security features. These cPPs for FDE were completed in January and posted on the Common Criteria website in February 2015:


The purpose of the first set of Collaborative Protection Profiles (cPPs) for Full Drive Encryption (FDE): Authorization Acquisition (AA) and Encryption Engine (EE) is to provide requirements for Data-at-Rest protection for a lost device that contains storage. These cPPs allow FDE solutions based in software and/or hardware to meet the requirements.

WinMagic participated in the iTC work groups that created these cPPs for FDE and continues to participate in the groups working on the next versions. It is my hope that these cPPs will solve the problems that Security Target / EAL-based evaluations had in the past, resulting in quicker, cheaper evaluations for the vendors and meaningful, easier-to-understand “assurance” for customers. My understanding is that FIPS 140-2 is going to remain a requirement for the US and Canadian governments in addition to these cPPs, so there are still going to be multiple assurance certifications required in some cases, but the FDE cPPs are a step in the right direction.
