• RSS
  • Twitter
  • FaceBook

Security Forums

Log in

FAQ | Search | Usergroups | Profile | Register | RSS | Posting Guidelines | Recent Posts

Safeboot - a couple of questions

Users browsing this topic:0 Security Fans, 0 Stealth Security Fans
Registered Security Fans: None
Goto page Previous  1, 2
Post new topic   Reply to topic   Printer-friendly version    Networking/Security Forums Index -> Cryptographic Software and Hardware

View previous topic :: View next topic  
Author Message
Mr_SafeBoot
Just Arrived
Just Arrived


Joined: 03 Jul 2004
Posts: 0


Offline

PostPosted: Sat Jul 03, 2004 9:13 pm    Post subject: Solo Recovery Reply with quote

ChewiePM misses the point (again) - the code Control Break gives companies to recover the data just makes the tool run. the actual encryption key for the disk is stored in the customers encrypted management system - noone else has access, not Control Break, not other customers, noone.

If it was that bad a design it wouldnt have been voted "Best Encryption Product of 2004" by secure computing magazine...
Back to top
View user's profile Send private message
JustinT
Trusted SF Member
Trusted SF Member


Joined: 17 Apr 2003
Posts: 16777215
Location: Asheville, NC, US / Uberlāndia, MG, Brazil

Offline

PostPosted: Fri Jul 09, 2004 6:19 am    Post subject: SafeBoot. Reply with quote

I recently checked out the parent site for SafeBoot, and it doesn't appear to be littered with the hype and incompetence that plagues a majority of commercial cryptographic providers. However, it doesn't really stand out, in terms of providing adequate information in regards to the cryptography in use. I don't see detailed information pertaining to elements such as mode of operation, key derivation, key management, authentication, et cetera. It's nice to see that 256-bit keys are used with AES, but on the other hand, I am curious as to the design rationale behind the algorithms you are able to select from, and why this included RC5 and DES over much more conservatively secure designs. There should also be more flexibility or modularity (or both). Overall, there should have been a greater emphasis placed on the actual cryptography in use, and with what procedures it was implemented, parameters included; otherwise, it's hard to develop any sort of trust in it.

Aside from whatever convenience these products may address, there is not ground-breaking security here that's worth investing a significant amount of capital into. Cryptographically, it lacks much of what most other's lack - analytical detail. Just because the implementation works doesn't mean the implementation is secure. Just because the cryptography should be kept simple doesn't mean that the implementation will be a breeze. Nothing strikes me as insanely incorrect, here, but there are some concerns with their design rationale's security, and I would definitely request more analytical information before ever contemplating it as a solution.

I wonder if this is yet another company without a seasoned cryptographer or cryptanalyst on their design team? This is in dire need of addressing. If any entity that implements cryptography is without these specialists, their products aren't worth using. It's as simple as that.
Back to top
View user's profile Send private message Visit poster's website
Mr_SafeBoot
Just Arrived
Just Arrived


Joined: 03 Jul 2004
Posts: 0


Offline

PostPosted: Fri Jul 09, 2004 11:05 pm    Post subject: Seasoned Crypto.. Reply with quote

No, it's not "just another company"... you'll see from the website SafeBoot (the whole PRODUCT, not just a cryptographic kernel) is FIPS 140-1 certified, also the AES implementation is NIST certified, as is their DES, SHA-1, and DSA implementations, and thier PNRG. The product was voted "The Best Encryption Product of 2004" by the user community in general (hosted by Secure Computing), and has recieved 12 consecutive 5* ratings since 1996. I

It's not the best web site in the world, but would you rather have a great web site and vapourware, or a naff web site where at least everything said is fact.

So, a long term player in the field, with an established corporate user base, a company with REAL cash, (privtely owned), who take global use serious (12 languages), and global support (42 countries with their own local support teams).
Back to top
View user's profile Send private message
Mr_SafeBoot
Just Arrived
Just Arrived


Joined: 03 Jul 2004
Posts: 0


Offline

PostPosted: Fri Jul 09, 2004 11:06 pm    Post subject: Forgive my typos in the post above Reply with quote

Sorry - I should have used the spell checker..
Back to top
View user's profile Send private message
cpconstantine
Trusted SF Member
Trusted SF Member


Joined: 15 May 2004
Posts: 0
Location: Denver, CO

Offline

PostPosted: Sat Jul 10, 2004 12:12 am    Post subject: Reply with quote

So, erm, Mr_SafeBoot (!)

could there possibly be a chance that you actually work for the company in question..?

If you are, there's nothing wrong in publically defending your product, but don't talk in the third person in that capacity, makes you sound like you're trying to make yourself out to be an 'impartial third party' or the like.

Dont be an AstroTurfer

Not trying to get in your face about it, just that your post came off sounding like a lot of canned marketting material. So if you do work for safeboot, saying 'them' when you mean 'we' is just deceptive language.

If I'm completely off the mark, no worries and I'll drop it.
Back to top
View user's profile Send private message Visit poster's website AIM Address Yahoo Messenger MSN Messenger
JustinT
Trusted SF Member
Trusted SF Member


Joined: 17 Apr 2003
Posts: 16777215
Location: Asheville, NC, US / Uberlāndia, MG, Brazil

Offline

PostPosted: Sat Jul 10, 2004 3:43 am    Post subject: Two cents. Reply with quote

I think some points were missed.

Sure, great - "the general user community." If something works with convenience and smooth functionality, overall, the general user community will deem it "good." This doesn't make it cryptographically secure. Why? Because just how much of this "community" is composed of seasoned cryptographers and cryptanalysts? An award of that sort really means little. Not pointing fingers at SafeBoot, but only such an award would pull the wool over the eyes of a novice; it wouldn't, however, convince a cryptographer. We don't rely on them, because general end consumers aren't product specialists.

As for the website - nothing was ever mentioned about it, in general. It could be composed of nothing but text, for all a cryptographer cares. The primary issue is whether or not adequate information about the cryptography in use has been provided on the site. I would rather have a site that explains to me just how they utilize the alleged cryptography, and it's apparent that there isn't an explanation that detailed on the site for me to obtain. This is common among commercial cryptographic service providers. The problem I have is not that the site contains unnecessary or outlandish hype, but that it doesn't contain enough of the vital information that's going to convince me that I'm given the range of flexibility and security that I look for, as a cryptographer, when determining the limitations of an implementation.

Overall, the rationale could have been constructed a bit more conservatively. Better configurations of cryptographic algorithms could have been sanctioned. What's given will likely suffice, but there is still a lot of room for more flexibility and conservative security margins. It's not as good as it could be, yet the potential it has, fortunately, remains untainted by incompetent hype that bloats most others.
Back to top
View user's profile Send private message Visit poster's website
chewiepm
Just Arrived
Just Arrived


Joined: 05 Jul 2003
Posts: 3
Location: hellbound

Offline

PostPosted: Sat Jul 10, 2004 1:38 pm    Post subject: Reply with quote

The interesting thing about best crypto product of 2004 is the fact that 2004 isn't over yet. Anyway, this thread is so old that i can barely remember what it was about. And I do apologise for being a thick idiot who misses points left, right and centre. I'm just a dumb programmer with 10 years of experience who happens to like all things crypto. If you wanna impress explain the design rationale behind this extra password you get from the company. If you do indeed think your product is the greatest, explain the concepts of the additional decryption key function. I'm sure someone, probably not me, wll just about grasp the ideas.
________
Mercedes-benz m138 engine history


Last edited by chewiepm on Sat Feb 19, 2011 5:11 am; edited 1 time in total
Back to top
View user's profile Send private message
Mr_SafeBoot
Just Arrived
Just Arrived


Joined: 03 Jul 2004
Posts: 0


Offline

PostPosted: Sat Jul 10, 2004 2:00 pm    Post subject: canned marketing... Reply with quote

You're right - it does read like canned marketing material doesn't it. I apologize. Heat of the moment etc, won't happen again etc.

The award is voted on by the public prior to the Secure Computing show in April 2004, So I suppose it's based on the perception of the users and administrators who can be bothered to vote prior to that event. Next year I think the ceremony is later in the year in LA, but regardless, it will be voted on by the user community again.

Re the password you mention (*we* call it a 'tech code'), it simply unlocks the dangerous options of the disaster recovery tool - options like write sectors, write original MBR etc - things which if you didn't know what you were doing would lead to a big mess.

The thing you actually need to decrypt the data is created on the machine itself, and stored by the user or administrator of the product, it's not some silly fixed recovery key - it's unique for every machine, and every user, well as unique as 2^256 (AES) or 2^1024 (RC5) or 2^64 (DES) can be. So given the tech code from *us*, and your own unique recovery disk, you can reset your forgotten password, or remove the encryption, because the keys needed are on *your* rescue disk, or in *your* recovery database.

Finally JustinT, I know what you mean about web sites - unfortunately in general people who understand crypto rarely have budgets to buy products, and people who only understand gloss do, so web sites tend to be geared to the uneducated masses who pick products, then pass them over to the educated to work out if they are good or not. I do take your point though that there should be a section detailing better how the crypto works - I suppose *we* always thought that if anyone cared they'd go and download our FIPS documents from NIST and see what they said...

Unless there's anything else I'll shut up. Smile
Back to top
View user's profile Send private message
JustinT
Trusted SF Member
Trusted SF Member


Joined: 17 Apr 2003
Posts: 16777215
Location: Asheville, NC, US / Uberlāndia, MG, Brazil

Offline

PostPosted: Sat Jul 10, 2004 10:30 pm    Post subject: Hmm. Reply with quote

Mr_SafeBoot wrote:

I suppose *we* always thought that if anyone cared they'd go and download our FIPS documents from NIST and see what they said...


Reading FIPS and NIST documentation is what users should do, and be educated enough to understand, but then again, FIPS and NIST approve and sanction many things. It's one thing to establish that something adheres to a specification, but there are many aspects covered in a specification - such as the modes of operation. CBC, ECB, CFB, and OFB have always been the four general approved modes of operation, with CTR being a recently suggested mode. Does the product allow the flexibility for any of these modes? Or just something naļve, like ECB, or common, like CBC? There are many other questions that could be answered.

It would also be beneficial to include a breakdown of all cryptographic components, regardless of what sort of validation they hold; this makes it trivial to quickly determine the security margin of these concatenated components. I'm willing to bet that I could outline blueprints that would make this product more conservatively secure, regardless of whether or not it fits perfectly, hand-in-hand, with a government sanction.

Mr_SafeBoot wrote:

The award is voted on by the public prior to the Secure Computing show in April 2004, So I suppose it's based on the perception of the users and administrators who can be bothered to vote prior to that event. Next year I think the ceremony is later in the year in LA, but regardless, it will be voted on by the user community again.


As far as the award goes - it's not something you shouldn't be proud of. However, "users" and "administrators", in general, will be able to vouch for any and everything, pertaining to functionality, and how pleasing it is. These types of folks can vouch for the functional appeal of most anything. When it comes to vouchers for the security of a cryptographic implementation, these types won't suffice; you need a cryptographer.

Mr_SafeBoot wrote:

Finally JustinT, I know what you mean about web sites - unfortunately in general people who understand crypto rarely have budgets to buy products, and people who only understand gloss do, so web sites tend to be geared to the uneducated masses who pick products, then pass them over to the educated to work out if they are good or not.


I'm not sure I see how there is a correlation between budget and cryptographic know-how, or why an uneducated consumer must first obtain the product, and then pass it along to an educated cryptographer, to determine its worth (unless, of course, we're talking about different departments within a corporate setting, where one makes decisions and the other analyzes those decisions; even then, there should detailed white papers available from the get-go). That seems much too inconvenient and unnecessary. Those who understand cryptography know better than to invest in most any product found on the commercial shelf today. The revenue of such products is dependent upon those oblivious to its merit.

Out of curiosity, what are the complete encryption and authentication specifications? How are keys derived and managed? What design rationale is there? What would convince a cryptographer that this product was designed by someone that knows their ground?
Back to top
View user's profile Send private message Visit poster's website
cpconstantine
Trusted SF Member
Trusted SF Member


Joined: 15 May 2004
Posts: 0
Location: Denver, CO

Offline

PostPosted: Mon Jul 12, 2004 4:51 pm    Post subject: Re: canned marketing... Reply with quote

Mr_SafeBoot wrote:

(*we* call it a 'tech code')


I'm taking this as being that yes, you do work for the Safeboot company then?

if so, you should put that in your info, after all, now you're here, we know who to direct to for customer support Smile

Anyway, niftiness, and welcome. (It's always nice to see vendors get directly involved with discussion of their products outside the formal channels, instead of the 'send in the lawyers' response)
Back to top
View user's profile Send private message Visit poster's website AIM Address Yahoo Messenger MSN Messenger
simlock
Just Arrived
Just Arrived


Joined: 29 Mar 2005
Posts: 0
Location: uk

Offline

PostPosted: Tue Mar 29, 2005 7:48 pm    Post subject: Safeboot Where To Reply with quote

hi does anybody know where to download sfeboot 3.1????????? Very Happy
Back to top
View user's profile Send private message
Display posts from previous:   

Post new topic   Reply to topic   Printer-friendly version    Networking/Security Forums Index -> Cryptographic Software and Hardware All times are GMT + 2 Hours
Goto page Previous  1, 2
Page 2 of 2


 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum

Community Area

Log in | Register