New DoD encryption mandate

Ivan Krstić krstic at solarsail.hcs.harvard.edu
Fri Aug 17 07:02:34 EDT 2007


On Aug 16, 2007, at 8:30 AM, Ali, Saqib wrote:
> The other problem is that it lacks any centralized management. If you
> are letting TPM manage your Bitlocker keys you still need a TPM
> management suite with key backup/restore/transfer/migrate capabilities
> in case your computer goes bad.

How so? If your computer goes bad, you need a *backup*. That's  
entirely orthogonal to the drive encryption problem. Bitlocker uses  
the TPM to provide assurance that your drive -- really, volume -- is  
locked to your computer, and that the early boot environment hasn't  
been messed with. When either check fails, you use the BitLocker  
recovery password (either on a USB stick or entered manually) to  
recover your data. This holds in the event that you take your drive  
out and stick it in a different machine. In other words, the TPM is  
not a single point of failure, so I don't understand why you think  
you care about TPM backup/restore/transfer.

> The third problem is that it is software based encryption, which uses
> the main CPU to perform the encryption.

Security is never free, but in 2007, we can afford the cycles. What's  
a better use for them? Drawing semi-transparent stained glass window  
borders?

--
Ivan Krstić <krstic at solarsail.hcs.harvard.edu> | http://radian.org
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com



More information about the cryptography mailing list