
SafeGuard Easy White Paper

This white paper describes the features and functions of SafeGuard Easy which, with more than 1.7 million licenses sold, is the most widely sold application for hard-disk encryption and access protection worldwide. SafeGuard Easy works like an electronic fortress by creating a secure environment for users of PCs or notebooks, irrespective of where the notebook or laptop is taken. Whether in the office, on the road or at home, the data on the computer remains protected from unauthorized access and also remains unreadable for third parties should the device be lost or stolen. This is essential protection for valuable electronic information (e-assets), especially on mobile computers.

SafeGuard Easy allows rapid implementation of organization-wide data protection and, due to its durability and low ongoing costs during its life, is a very cost-effective solution. Utimaco Safeware guarantees comprehensive and permanent protection of data by using modern encryption algorithms considered secure by experts.

Furthermore, Utimaco Safeware has had the product analyzed and evaluated by independent organizations. Thus, the effectiveness, security and efficiency of the software are evaluated and certified by a third party. Besides official security certifications such as Common Criteria or FIPS, certifications also include vendor-specific evaluations like "Aladdin eToken enabled" or tests in IT magazines. For example, Secure Computing Magazine tested 12 encryption products (09/2002) and rated SafeGuard Easy “Best buy” with an overall rating of 5 stars.

The following chapters show how SafeGuard Easy works and which options the program offers for data protection on PCs and Notebooks.

The Main Modules of SafeGuard Easy

Using four main modules, SafeGuard Easy creates a secure environment and the user is guaranteed that his data is secured in this electronic fortress wherever the computer is taken:

  • Pre-Boot Authentication (user ID and password entry before operating system boot)
  • Boot Protection (among other things, virus protection for the master boot record)
  • Encryption (for the protection of all information on the computer)
  • Centralized Management (for enforcement and configuration of uniform security policies on all computers of an enterprise)

Pre-Boot Authentication (PBA)

The Pre-Boot Authentication (PBA) creates a security area around a computer and can be compared to a defense trench working together with the drawbridge:

In the case of a PC, this means that the user has to log on with his user ID and his password before the computer boots. Any further information required for booting the computer is derived from the password. None of this information is stored on the hard disk of the computer. This ensures that only authorized individuals are able to boot the computer.

Entering the password cannot be avoided. Because the Pre-Boot Authentication works as a self-contained security subsystem, it is independent of the operating system; attacks against the operating system are ineffective.

Another potential approach to accessing a computer is the “trial and error” method, i.e. repeatedly trying different passwords. If a human guard were involved, he would soon suspect something was wrong if a visitor did not know the password and gave several wrong ones instead. In the technical world, this method of attack is called a dictionary¹ or brute-force² attack. To deny an unauthorized user the chance to systematically guess common passwords, SafeGuard Easy, after a definable time limit for typing errors, delays the next entry. After a few unsuccessful attempts, the waiting time between two entries is already up to 20 minutes, thus making it impossible to gain entry using this method.
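The escalating delay described above, sketched as an added example (not Utimaco's code). The 20-minute ceiling comes from the text; the three free attempts, the 30-second first delay and the doubling schedule are assumptions chosen for illustration.

```python
from dataclasses import dataclass

MAX_DELAY_S = 20 * 60   # from the text: waiting time reaches "up to 20 minutes"
FREE_ATTEMPTS = 3       # assumption: failures 1-2 cost nothing, the 3rd starts the delay
BASE_DELAY_S = 30       # assumption: first enforced delay, doubled per further failure


def delay_after(failures: int) -> int:
    """Seconds to wait before the next entry, given consecutive failures."""
    if failures < FREE_ATTEMPTS:
        return 0
    return min(BASE_DELAY_S * 2 ** (failures - FREE_ATTEMPTS), MAX_DELAY_S)


@dataclass
class LoginThrottle:
    """Tracks consecutive failures and the earliest time of the next entry.

    In a real pre-boot environment this state has to survive a power cycle,
    otherwise the delay resets with every reboot.
    """
    failures: int = 0
    locked_until: float = 0.0

    def attempt(self, now: float, password_ok: bool) -> str:
        if now < self.locked_until:
            return "locked"                 # refused without checking the password
        if password_ok:
            self.failures, self.locked_until = 0, 0.0
            return "ok"
        self.failures += 1
        self.locked_until = now + delay_after(self.failures)
        return "denied"


def seconds_to_try(candidates: int) -> int:
    """Earliest time (s) at which the last of `candidates` wrong guesses is entered."""
    throttle, now = LoginThrottle(), 0.0
    for _ in range(candidates):
        now = max(now, throttle.locked_until)   # wait out the current delay
        throttle.attempt(now, password_ok=False)
    return int(now)


if __name__ == "__main__":
    for n in (3, 10, 10_000):
        print(n, "guesses ->", seconds_to_try(n), "s")
```

Under these assumed settings a 10,000-entry word list needs about 139 days of uninterrupted waiting, which is why the delay rather than password complexity alone bounds guessing at the pre-boot prompt.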

As an optional extension, SafeGuard Easy supports user authentication via a cryptographic hardware token (Aladdin eToken) in addition to the traditional UID/password authentication in the PBA. This adds the factor "possession" (the token) to the factor "knowledge" (the password) in the authentication process. Only persons who can present both are granted access. In addition, such a token serves well as a key store for PKI certificates, e.g. to create e-mail signatures.

Effect: Using Pre-Boot Authentication, the first potential wave of attacks on the data in the fortress is blocked!

Boot Protection

While booting, the operating system (caretaker and coordinator, as it were) is not yet active. Therefore, its security mechanisms are not effective either. In particular, the Master Boot Record (MBR), which regulates the ongoing boot procedure, is not protected by the operating system. The Master Boot Record is often attacked by one of the most frequent forms of computer virus: boot sector viruses. These spread by copying themselves into the boot sectors of all systems used (floppy disks and hard disks). Just through the use of disks, they can "infect" other systems unnoticed. These viruses are able to block, manipulate or delete files and drives.

Thus, the boot protection of SafeGuard Easy brings about two things:

  1. "Enforced Booting from the Hard-Disk": The boot protection prevents the computer from being booted by unauthorized individuals using boot media other than the hard disk. This is so important because use of other media (e.g. floppy disks or CD-ROMs) would mean that the booting of the operating system could be avoided and the attacker would be able to give himself administrator rights on the PC and would then have full access to all files. Using SafeGuard Easy guarantees that only authorized users are able to boot from a disk.
  2. MBR protection: The MBR is particularly well protected. If SafeGuard Easy discovers that the MBR has been touched, manipulated or modified in any way, for example by viruses, then it will force the use of the original MBR. At the time of the initial installation, SafeGuard Easy makes a backup of the original Master Boot Record, and SafeGuard Easy can therefore use this MBR backup at any time. Thus, SafeGuard Easy effectively protects against boot sector viruses.
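The backup-and-compare idea in item 2, as an added example that is not SafeGuard Easy's code: sector 0 is copied and hashed at install time, compared at each boot, and overwritten with the copy on mismatch. The disk image is constructed in memory, and where the backup record is stored is an assumption the text does not specify.

```python
import hashlib

SECTOR = 512
BOOT_SIG = b"\x55\xaa"          # bytes 510-511 of a valid MBR
LAYOUT = [("boot code", 0, 440), ("disk signature/reserved", 440, 446),
          ("partition table", 446, 510), ("boot signature", 510, 512)]


def make_sample_image() -> bytearray:
    """Constructed 2-sector disk image: stub boot code, one partition entry."""
    image = bytearray(2 * SECTOR)
    image[0:2] = b"\xeb\x3c"                      # stand-in for real boot code
    image[446] = 0x80                             # first entry marked bootable
    image[450] = 0x07                             # partition type byte
    image[510:512] = BOOT_SIG
    return image


def enroll(image: bytearray) -> dict:
    """Install time: keep a copy of sector 0 and its SHA-256 digest."""
    mbr = bytes(image[:SECTOR])
    if len(mbr) != SECTOR or mbr[510:] != BOOT_SIG:
        raise ValueError("sector 0 is not a valid MBR")
    return {"backup": mbr, "sha256": hashlib.sha256(mbr).hexdigest()}


def verify_and_restore(image: bytearray, record: dict) -> list:
    """Each boot: compare sector 0 with the enrolled copy, restore on mismatch.

    Returns the names of the MBR regions that had been changed (empty if none).
    """
    current = bytes(image[:SECTOR])
    if hashlib.sha256(current).hexdigest() == record["sha256"]:
        return []
    changed = [name for name, lo, hi in LAYOUT
               if current[lo:hi] != record["backup"][lo:hi]]
    image[:SECTOR] = record["backup"]             # force the original MBR back
    return changed


if __name__ == "__main__":
    disk = make_sample_image()
    record = enroll(disk)            # assumption: record is kept out of reach of the OS
    disk[0:4] = b"\x00\x00\x00\x00"  # constructed change to the boot code
    disk[446] = 0x00                 # constructed change to the partition table
    print(verify_and_restore(disk, record))   # regions that were changed
    print(verify_and_restore(disk, record))   # clean after the restore
```

Restoring the whole sector also reverts legitimate partition-table changes, so a check of this kind needs a re-enrollment step after authorized repartitioning.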

Effect: SafeGuard Easy takes away further potential attack opportunities. Attack tools like MagicDisk, which can tear holes in the walls by damaging the operating system, become ineffective!

Encryption

Besides access control, encryption is a fundamental component of SafeGuard Easy. Using encryption, the data on the hard disk is systematically "encoded". This is achieved by means of a pre-defined mechanism, the "encryption key", and a defined method, the so-called encryption algorithm. This procedure is so large-scale that, for outsiders, the data remains unreadable without the "encryption key".

For its products, Utimaco Safeware only uses publicly known, strong and internationally acknowledged standard algorithms. SafeGuard Easy includes the new, extended AES standard with 256 and 128 bit key length as well as IDEA 128 bit among several others. These algorithms have the advantage that their calculation methods are proven and well-known, but the results are unpredictable. Thus, from an encrypted hard-disk, neither the used key nor the original content can be found out.

SafeGuard Easy secures not only local hard drives, but also removable media such as floppy disks, ZIP disks or USB memory sticks. Thus these media also remain secure and protected against unauthorized access if they are lost.

Effect: By using strong and worldwide acknowledged algorithms, SafeGuard Easy is able to guarantee that the data is protected in the best way possible i.e. even if a notebook or storage media is lost or stolen, SafeGuard Easy customers do not have to worry as their data is kept secret!

Centralized Management

IT security must not rely on end users' actions. Simple and effective methods for software installation and enforcement of security policies are basic requirements which are perfectly met by SafeGuard Easy. It can be integrated into existing deployment systems, but also provides its own policy server as an alternative. Scripting interfaces help automate administrative tasks, and even if users forget their passwords, secure methods are in place to help them regain their productivity quickly.

Effect: Centralized Management ensures that all doors of your fortress remain closed and that security-relevant actions only happen at the request of the commanding officer, without requiring him to be present locally for his requests.

1 Dictionary Attacks: In these attacks, an attempt is made to guess common passwords by systematically (alphabetically) going through word lists (in different and also exotic languages). This is successful with a very high number of PC systems, as users like to use known words as passwords (or parts of passwords).

2 Brute-Force Attacks: A systematic procedure that goes through all (also non-plausible) character and number combinations. Much slower than dictionary attacks but nevertheless successful sooner or later (depending on password length).

Document Information

Version: 4.00.01 final, last changed: 5/13/2004
Author: Product Management – Device Security
Copyright© 2004 by Utimaco Safeware AG. All Rights Reserved. The information in this document must not be changed without express written agreement from Utimaco Safeware AG.

SafeGuard and Utimaco are trademarks of Utimaco Safeware AG. All other marks are the property of their respective owners.