Security Implications of Ymode=40
Context:
Pre-Boot Authentication (PBA) operates in an environment where often no standards exist for how the different components exchange data, which poses a challenge.
- For example: how does the PBA code transfer the disk encryption key or other data to the disk encryption component (driver) running in the OS?
- Another example: in our V5 boot code we sometimes have to reboot the device after authentication, and yet the disk encryption key and other data still have to reach our component after the reboot.
The options:
One of the easiest ways to transfer data in those cases is to write it to disk. Data on disk survives a reboot, and the same method can be used to pass data into the OS. Since the transferred data is sensitive, it must naturally be deleted from the disk after use.
Concern:
The big security drawback of transferring data via the disk is that data, once written to disk, may be recoverable.
- On a magnetic disk it is well known that data can be recovered because of magnetic remanence. Even after overwriting 22 times with different patterns, magnetic remnants could reveal the data.
- On an SSD (Solid State Drive) the issue is far more severe. A write to the same (!) sector may actually go to a completely different physical sector, so the sector that held the disk encryption key can continue to store it indefinitely, and it can be read directly from the flash.
- Also, if for some reason the software fails to erase the data (software bug, system power failure), the sensitive data stays on the disk.
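To illustrate the SSD point in the second bullet, here is an added toy model of a flash translation layer (not SecureDoc code; the class and function names are invented for the illustration): every overwrite of the same logical sector lands in a fresh physical page, and the old page keeps the key until the drive's own garbage collection erases it.

```python
from dataclasses import dataclass, field


@dataclass
class ToySsd:
    """Toy flash translation layer: logical blocks map onto physical NAND pages."""
    pages: int = 8
    flash: list = field(default_factory=list)  # physical pages (None = erased)
    l2p: dict = field(default_factory=dict)    # logical block -> physical page
    stale: set = field(default_factory=set)    # pages whose data was superseded
    next_free: int = 0

    def __post_init__(self):
        self.flash = [None] * self.pages

    def write(self, lba: int, data: bytes) -> None:
        """Out-of-place write: a NAND page cannot be rewritten without an erase,
        so the FTL picks a fresh page and only unmaps the old one."""
        if self.next_free >= self.pages:
            raise RuntimeError("no free pages; garbage collection needed")
        old = self.l2p.get(lba)
        if old is not None:
            self.stale.add(old)          # old page keeps its bytes, just unmapped
        self.flash[self.next_free] = data
        self.l2p[lba] = self.next_free
        self.next_free += 1

    def read(self, lba: int):
        """What the OS sees through the block interface."""
        return self.flash[self.l2p[lba]] if lba in self.l2p else None

    def physical_dump(self) -> list:
        """What a raw flash read (chip-off) sees, stale pages included."""
        return [p for p in self.flash if p is not None]

    def garbage_collect(self) -> None:
        """Only the drive's own GC/erase actually removes stale pages."""
        for p in self.stale:
            self.flash[p] = None
        self.stale.clear()


def overwrite_leaves_remnant(key: bytes, passes: int = 3) -> bool:
    """True if the key is still in raw flash after 'secure' overwrite passes."""
    ssd = ToySsd()
    ssd.write(0, key)                          # the transfer file holding the key
    for _ in range(passes):
        ssd.write(0, b"\x00" * len(key))       # in-place wipe as seen by the OS
    assert ssd.read(0) != key                  # block interface: key is gone
    return key in ssd.physical_dump()          # raw flash: key is still there
```

The model is deliberately simplified (no wear-levelling policy, no TRIM), but the observable effect is the one the bullet describes: the software's overwrite cannot reach the physical copy.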
Risks of YMode = 40
- SecureDoc YMode=40 means the data transfer occurs via the disk.
Even though the data is obfuscated before being written to the disk and deleted after use, the risks described above still exist.
Because of these risks, we recommend that users do not use this method. Where it is necessary because there are no other options, make sure the customer understands and accepts these risks.
So, when dealing with customers:
- Ymode 0 is the best option (if at all possible).
- Ymode 4 requires a reboot (slower), but the system remains secure.
Only Ymode 40 is a security concern!