9 Replies Latest reply on Apr 3, 2013 12:45 PM by SafeBoot

    EEPC 7, Windows 8 and TPM as PBA Alternative?

    web1b

      Does EEPC 7 support TPM and the functions of TPM as described in the link below?


      This article says TPM can be used as an alternative to using PBA and will save users the added complexity of PBA while allowing the system to be fully protected by encryption even in standby mode.

      http://technet.microsoft.com/en-us/security/jj884374.aspx

      However, the article only mentions Bitlocker.  Does McAfee EEPC 7 support the same functionality? 

      It would be great for the users if they didn't have to power off or put their laptops into hibernation when not in use.  They would be able to use connected standby for super quick startups and not deal with PBA and also be fully protected by encryption all at the same time.


      on 3/31/13 2:19:02 PM CDT
        • 1. Re: EEPC 7, Windows 8 and TPM as PBA Alternative?

          Reading between the lines I don't believe BitLocker uses the TPM for auth in the resume from standby state - it seems to just be rebooting the device after n attempts. The key still needs to be in memory to resume the device, and without user input, the key can't be stored anywhere secure.


          So, it doesn't seem to solve the cold boot problem at all.


          PBA seems only hard to deal with if you insist on separate usernames and passwords for the PBA and windows - most customers successfully implement PBA with synchronized passwords, without increasing their helpdesk call rate.

          • 2. Re: EEPC 7, Windows 8 and TPM as PBA Alternative?
            web1b

            When I read it, it seems to say they have addressed any viable way of accessing the key if you use a Connected Standby certified device and Windows 8.

            It doesn't just reboot the device, it reboots and puts it into Bitlocker recovery mode, so there can be no reattempt at brute forcing.

            They are flatly saying that, if you have the right hardware and Windows 8, PBA is not needed with Bitlocker.

            Sounds like there is no McAfee EEPC integration with this feature and you would need to use Bitlocker to take advantage of it.


            "In Windows 8 when an attack is detected the device will immediately reboot and enter into BitLocker recovery mode which makes the device inaccessible but has the added benefit of leaving it in a recoverable state if it is ever retrieved."

            "With all of this change going on, we took the opportunity to drive some new hardware improvements into the ecosystem. One of these improvements eliminates the need for pre-boot authentication in certain types of devices.

            Many Windows 8 tablets and convertibles will be designed to adhere to a new architectural standard called Connected Standby. These devices are effectively always on, run in a low power state when not in use, have great battery life, and are similar to smart phones from a power management perspective. As part of the Connected Standby certification requirements we've added language that prevents the inclusion of Direct Memory Access (DMA) ports and system memory can't easily be removed. These changes eliminate the requirement for implementing pre-boot authentication on Connected Standby certified devices."

            • 3. Re: EEPC 7, Windows 8 and TPM as PBA Alternative?

              I'm not sure there's any feature to take advantage of - all they describe is a function of bitlocker itself, it's nothing really to do with the platform.


              Not allowing FireWire ports etc. is a good hardware choice of course, though it doesn't stop the inevitable zero day network attacks which are discovered quite often.


              And of course, the lack of ports means EEPC, and any other preboot software, is just as secure as BitLocker still. The only thing which I can see they have done is, as you say, put the preboot in this recovery state if they detect a guessing attack - i.e. change it from TPM key storage to password required.


              Since EEPC is already asking for a password preboot, and logging into Windows for you, this use case seems already to be satisfied - we were already doing what BitLocker now does.


              To give a completely biased opinion, what they seem to be doing is addressing the completely awful and archaic user experience of their preboot by moving the user auth into Windows and trusting everyone to have TPM enabled, when it would perhaps have been better to solve the root problem of the preboot interface to start with.


              All the benefits of the robust platform, always on, connected standby etc. are available through any of the current top tier encryption providers, McAfee included, as well as many other things BitLocker can only dream of (native SSD performance for example, or AMT recovery).


              If it's good enough though, and you can afford the management cost, and you assume the risk that TPMs are not as secure as we perhaps would like


              http://hackaday.com/2010/02/09/tpm-crytography-cracked/


              And even Microsoft recommend you use TPM plus PIN, thus putting you back in their dire PBA, so it's all good.


              As I say though. I'm a biased crypto-CTO. :-)


              Message was edited by: SafeBoot on 4/1/13 11:17:00 AM EDT
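The distinction drawn above between a TPM-only protector and TPM plus PIN can be checked on a Windows 8 or later machine with the following PowerShell audit. This is an added example, not code from the thread or from McAfee; it assumes the BitLocker module's Get-BitLockerVolume cmdlet and its KeyProtectorType enum names (Tpm, TpmPin, TpmPinStartupKey, RecoveryPassword), and must be run from an elevated session.

```powershell
# Added example: list each BitLocker volume and flag those that rely on a
# TPM-only protector, i.e. the key is released at boot without any user secret.
# Assumes the BitLocker PowerShell module (Windows 8 / Server 2012 and later).
function Get-BitLockerProtectorAudit {
    [CmdletBinding()]
    param()

    foreach ($vol in Get-BitLockerVolume) {
        # Collect the protector type names attached to this volume.
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

        $tpmOnly     = $types -contains 'Tpm'
        $tpmWithPin  = ($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey')
        $hasRecovery = $types -contains 'RecoveryPassword'

        # Classify the volume from a defender's point of view.
        $finding = if ($vol.ProtectionStatus -ne 'On') {
            'Protection off'
        } elseif ($tpmWithPin) {
            'TPM + PIN: pre-boot secret required'
        } elseif ($tpmOnly) {
            'TPM only: key released at boot without a user secret'
        } else {
            'No TPM-based protector'
        }

        [PSCustomObject]@{
            MountPoint       = $vol.MountPoint
            VolumeStatus     = $vol.VolumeStatus
            ProtectionStatus = $vol.ProtectionStatus
            Protectors       = ($types -join ', ')
            HasRecoveryKey   = $hasRecovery
            Finding          = $finding
        }
    }
}

# Usage: print one row per volume; a 'TPM only' finding is the case the thread
# argues should be paired with a PIN (or a PBA product) rather than used alone.
Get-BitLockerProtectorAudit | Format-Table -AutoSize
```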
              • 4. Re: EEPC 7, Windows 8 and TPM as PBA Alternative?
                web1b

                SafeBoot wrote:


                All the benefits of the robust platform, always on, connected standby etc are available through any of the current top tier encryption providers, McAfee included, as well as many other things bitlocker can only dream of (native SSD performance for example, or AMT recovery).


                How does EEPC integrate with connected standby?

                We have been setting policies to prevent the tablets from using standby, so the only choice is hibernate or shutdown.  Is it safe for users to use connected standby with EEPC, so they need to deal with PBA, and its almost illegibly tiny screen on a Surface Pro, plus the need to attach an external keyboard to type credentials, only on cold boot?


                on 4/1/13 10:27:56 AM CDT
                • 5. Re: EEPC 7, Windows 8 and TPM as PBA Alternative?

                  I don't see how there's anything we need to do to integrate - connected standby is an OS feature, you can use it (or not) with any FDE product. When the device comes out of standby the user will get the normal Windows authentication screen.


                  Is it safe? Theoretically not really, since there are many tricks hackers have discovered, and continue to discover, to get past Windows authentication - on a fully patched machine, with no FireWire or DMA ports, and no removable memory, it's probably safe in practice - it depends on your risk profile of course. All it takes is for someone to make an unprotected share, or for someone to discover a zero day in one of the network attached services, for the machine to be wide open.


                  For example (one I found at random): http://technet.microsoft.com/en-us/security/bulletin/ms12-054


                  These kinds of attacks don't need the machine to be anything but on and connected to the network. They are not discovered every day, but are discovered regularly enough. I hazard that given a fully patched machine, within three months there will be a new zero day which does not require any user activity to execute.


                  Yes - sorry about the PBA on a Surface Pro - you'd have thought Microsoft at least would have got the UEFI firmware right. I hope we will see a patch soon from them to correct it, or maybe the McAfee team will find a way around the problem.

                  • 6. Re: EEPC 7, Windows 8 and TPM as PBA Alternative?
                    web1b

                    Reading through the article again, I see one feature mentioned that may be BitLocker specific.

                    It says after an attempted brute force attack on the Windows password, it would shut down to BitLocker recovery mode.  That sounds like it needs some kind of integration to do that.

                    Can McAfee EEPC do the same thing?

                    The PBA is a hassle for users if they use multiple PCs and the PBA passwords get out of sync on infrequently used secondary systems such as a laptop they may keep in a drawer for months until needed for travel or when on call.  SSO definitely does not always go smoothly.  Bad PBA interface on Windows tablets just makes it worse.

                    BitLocker with Windows 8, TPM and connected standby would be the best balance of convenience with security, since it doesn't look like McAfee has anything similar, such as the ability to have no PBA unless there is a brute force attack on the Windows password that triggers a Windows 8 shutdown response.

                    on 4/2/13 12:34:11 AM CDT
                    • 7. Re: EEPC 7, Windows 8 and TPM as PBA Alternative?

                      Have you seen this feature of v7.0 Patch 1?


                      EEPC v7.0 Patch 1 FAQ - Reactive AutoBoot


                      Now this isn't a great solution for tablets, to have them without any authentication, but it does give you that little feature. In versions after 7.0 we are looking at improving the tablet experience and have a great solution in the works for AOAC devices, which will include some TPM usage in there too. For the touch interfaces, we're dependent on the OEMs implementing the various protocols in UEFI to support the touch interface there. I'll be publishing an article/KB on Windows 8 Tablets and the like soon that goes into more detail about our support for Windows 8 Tablets.


                      Message was edited by: amerry on 03/04/13 18:03:44 CEST
                      • 8. Re: EEPC 7, Windows 8 and TPM as PBA Alternative?
                        web1b

                        It doesn't seem like that reactive autoboot provides nearly as much security as the BitLocker + TPM + Connected Standby certified device, and the AMT solution requires vPro, which I don't think any tablets have at this point.  I don't think vPro is offered on any tablet-suitable low power CPUs.

                        I guess it is a bit more secure than straight autoboot, since many people stealing a tablet would try guessing the Windows password a few times and then trigger the reactive autoboot, and most other methods of obtaining the encryption key will not work, especially with safe boot enabled.


                        on 4/3/13 12:17:31 PM CDT
                        • 9. Re: EEPC 7, Windows 8 and TPM as PBA Alternative?

                          It's probably better for the user though, as a sequence of failed logins in BitLocker puts you in a recovery mode requiring a helpdesk call, whereas a sequence of failed logins in EEPC puts you in an EEPC login screen (which, most likely, you can authenticate to using your Windows user name and password).