New DoD encryption mandate
Ivan Krstić
krstic at solarsail.hcs.harvard.edu
Fri Aug 17 07:02:34 EDT 2007
On Aug 16, 2007, at 8:30 AM, Ali, Saqib wrote:
> The other problem is that it lacks any centralized management. If you
> are letting TPM manage your Bitlocker keys you still need a TPM
> management suite with key backup/restore/transfer/migrate capabilities
> in case your computer goes bad.
How so? If your computer goes bad, you need a *backup*. That's
entirely orthogonal to the drive encryption problem. Bitlocker uses
the TPM to provide assurance that your drive -- really, volume -- is
locked to your computer, and that the early boot environment hasn't
been messed with. When either check fails, you use the BitLocker
recovery password (either on a USB stick or entered manually) to
recover your data. This holds in the event that you take your drive
out and stick it in a different machine. In other words, the TPM is
not a single point of failure, so I don't understand why you think
you care about TPM backup/restore/transfer.
> The third problem is that it is software based encryption, which uses
> the main CPU to perform the encryption.
Security is never free, but in 2007, we can afford the cycles. What's
a better use for them? Drawing semi-transparent stained glass window
borders?
--
Ivan Krstić <krstic at solarsail.hcs.harvard.edu> | http://radian.org
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list