1
00:00:00,180 --> 00:00:05,460
Wilkinson module devoted to encryption and mechanisms implemented directly by windows that allow data

2
00:00:05,460 --> 00:00:10,700
encryption restart from the operating system protects the confidentiality of critical data.

3
00:00:10,770 --> 00:00:13,140
For example various types of credentials.

4
00:00:13,200 --> 00:00:18,660
Above all we have to clipboards boards for data data protection API is a Windows subsystem responsible

5
00:00:18,660 --> 00:00:19,680
for security.

6
00:00:19,680 --> 00:00:24,400
It protects both user data each user in a separate storage and the computer itself.

7
00:00:24,570 --> 00:00:30,570
Let's see how it looks for keys secure communication using SSL protocol or secure communications using

8
00:00:30,570 --> 00:00:36,780
a secure version of Internet Protocol or IPS require secure key storage keys are stored locally on the

9
00:00:36,780 --> 00:00:37,860
system drive.

10
00:00:37,980 --> 00:00:42,930
They're not however stored in plaintexts but encrypted to encrypt something you need to have the key

11
00:00:42,930 --> 00:00:45,000
that encrypts it and later decrypt it.

12
00:00:45,000 --> 00:00:51,160
In this case it's the Data Protection API DP API key on the same level as the DPA API.

13
00:00:51,210 --> 00:00:54,420
There's this security account manager database the SAM file.

14
00:00:54,420 --> 00:00:59,040
If we're talking about a local computer or the Active Directory database if we're talking about domain

15
00:00:59,040 --> 00:01:05,160
controllers as well as Zella say local security authorities subsystem security secrets Elisei secrets

16
00:01:05,160 --> 00:01:08,280
include account passwords use to start system services.

17
00:01:08,340 --> 00:01:13,020
If the computer is a domain controller when it promotes this role we need to give the password of the

18
00:01:13,020 --> 00:01:15,960
local administrative account and domain controllers.

19
00:01:15,960 --> 00:01:18,450
There are no de-facto local accounts.

20
00:01:18,450 --> 00:01:23,250
It's difficult to imagine running a domain controller while not running the domain at the same time

21
00:01:23,460 --> 00:01:27,410
if different errors or inconsistencies appear in the Active Directory database.

22
00:01:27,480 --> 00:01:30,060
The safe mode must be available in the safe mode.

23
00:01:30,060 --> 00:01:32,580
We log onto the account with the appropriate password.

24
00:01:32,670 --> 00:01:37,870
Secrets of that level are then encrypted with the start key whose location we can configure using Assissi

25
00:01:37,890 --> 00:01:39,390
program by default.

26
00:01:39,420 --> 00:01:43,370
It's stored in the registry on a hard disk drive where Windows is installed.

27
00:01:43,380 --> 00:01:45,780
We can also transfer it to a floppy disk.

28
00:01:45,840 --> 00:01:48,990
Then this disk would need to be connected to the system during startup.

29
00:01:48,990 --> 00:01:52,760
It can also be derived from the password that Windows asks for during logging.

30
00:01:52,830 --> 00:01:55,900
In regards to the user the situation is very similar.

31
00:01:55,950 --> 00:01:58,570
The user may have for example keys.

32
00:01:58,620 --> 00:02:00,330
We'll talk about them in this module.

33
00:02:00,330 --> 00:02:06,120
In other words encrypting file system keys a user may also have kids that allow a safe exchange of data

34
00:02:06,120 --> 00:02:06,990
by email.

35
00:02:06,990 --> 00:02:11,120
In other words as mime protocol keys these kids are stored locally.

36
00:02:11,220 --> 00:02:16,530
By default they're protected by DPA API keys on the user account not on the computer or account on the

37
00:02:16,530 --> 00:02:17,190
same level.

38
00:02:17,190 --> 00:02:18,910
There's a user's profile data.

39
00:02:18,930 --> 00:02:21,380
This level is also protected with a start key.

40
00:02:21,390 --> 00:02:26,470
The result is such that if we have the startup key we have access to data from the sound file level.

41
00:02:26,550 --> 00:02:33,180
If however we have the DPA API key we automatically have access to the SSL and IPS keys everything is

42
00:02:33,180 --> 00:02:37,200
encrypted but the user does not need to provide any decryption keys.

43
00:02:37,230 --> 00:02:41,970
The default configuration is fully automatic though the configuration is automatic.

44
00:02:41,970 --> 00:02:44,370
It does not mean that it is absolutely safe.

45
00:02:44,370 --> 00:02:47,990
The purpose of the encryption is to guarantee the confidentiality of data.

46
00:02:48,060 --> 00:02:52,290
Someone who is not familiar with encrypted messages may haphazardly change it.

47
00:02:52,290 --> 00:02:54,570
The ciphertext can always be changed.

48
00:02:54,720 --> 00:02:57,000
In the simplest case you can delete it.

49
00:02:57,000 --> 00:03:02,190
We've seen the programs work in this way to allow resetting the local administrator password if we wanted

50
00:03:02,190 --> 00:03:04,490
to encrypt all the data or we've talked about earlier.

51
00:03:04,500 --> 00:03:08,440
Plus everything on the computer disk we would need to encrypt the entire disk.

52
00:03:08,490 --> 00:03:13,650
At this point several problems appear one of the immutable principles of computer security states that

53
00:03:13,650 --> 00:03:17,310
the ciphertext is only as safe as the key used to decrypt it.

54
00:03:17,340 --> 00:03:21,130
Once we encrypt the entire disk where will we write the key to decrypt it.

55
00:03:21,150 --> 00:03:22,550
This is the first problem.

56
00:03:22,620 --> 00:03:26,370
The strength of the ciphertext depends on the way in which we encrypt the data.

57
00:03:26,490 --> 00:03:29,370
As end users we don't have much impact on this.

58
00:03:29,430 --> 00:03:34,710
However we can always consciously choose the algorithm the strength of the ciphertext depends on the

59
00:03:34,710 --> 00:03:35,970
length of the key.

60
00:03:35,970 --> 00:03:38,180
This is not a proportional relationship.

61
00:03:38,190 --> 00:03:42,000
Generally however a longer key improves the safety of the ciphertext.

62
00:03:42,030 --> 00:03:46,590
It's not that key which is two times longer will give us two times higher security but we will be a

63
00:03:46,590 --> 00:03:47,540
little safer.

64
00:03:47,580 --> 00:03:52,850
Disk encryption uses symmetric algorithms that do not allow data encryption of any links.

65
00:03:52,860 --> 00:03:56,300
They only allow encrypted data blocks with a strictly defined length.

66
00:03:56,310 --> 00:04:01,710
If we use the same algorithm to encrypt many successive blocks it turns out that the ciphertext is very

67
00:04:01,710 --> 00:04:05,730
easy to break even if the queue was long and the algorithm secure.

68
00:04:05,730 --> 00:04:11,070
Here we're talking about cryptographic systems and in particular block cipher modes when selecting the

69
00:04:11,070 --> 00:04:15,990
method of encrypting the disk when needed not only to deliberately choose the algorithm in length but

70
00:04:15,990 --> 00:04:17,520
also the block cipher mode.

71
00:04:17,520 --> 00:04:23,460
If we have such in the case of bit locker and true crypt this can be selected if we encrypt disks we

72
00:04:23,460 --> 00:04:29,930
need to use solutions that when saving automatically encrypt each sector meaning 512 bytes of disk space.

73
00:04:29,940 --> 00:04:33,370
The solution also needs to automatically decrypt sectors while reading.

74
00:04:33,450 --> 00:04:37,830
It would also be good that during the entire encryption and decryption computer performance would not

75
00:04:37,830 --> 00:04:43,170
visibly be reduced when designing bit Locker which was quite a few years ago it was assumed that when

76
00:04:43,170 --> 00:04:49,290
reading a single byte the processor can execute from 50 to 100 individual instructions or cycles.

77
00:04:49,290 --> 00:04:54,300
Therefore the assumption was adopted that the encryption of one byte data units cannot burden the processor

78
00:04:54,300 --> 00:04:56,030
with more than 35 cycles.

79
00:04:56,130 --> 00:05:02,790
But Lucker uses the ABS algorithm to encrypt a single chunk of which requires about 20 processor cycles

80
00:05:02,970 --> 00:05:04,440
This means that it's in the range.

81
00:05:04,460 --> 00:05:06,800
Even for computers produced five years ago.

82
00:05:06,960 --> 00:05:11,820
Since we're deciding on data encryption we should be certain not only as to its confidentiality but

83
00:05:11,820 --> 00:05:17,690
also its authenticity ensuring the authenticity of encrypted data on the entire disk is relatively difficult.

84
00:05:17,790 --> 00:05:22,620
Most often the method used is attaching a signature to the ciphertext at the same time.

85
00:05:22,620 --> 00:05:25,870
This indicates whether someone has changed the ciphertext or not.

86
00:05:25,950 --> 00:05:30,690
In the case of encrypting the entire disk This is not an option because where will the signature be

87
00:05:30,690 --> 00:05:31,370
saved.

88
00:05:31,470 --> 00:05:36,780
Some intermediate solution needs to be adopted a haphazard change to the ciphertext needs to be more

89
00:05:36,780 --> 00:05:37,490
difficult.

90
00:05:37,620 --> 00:05:38,880
How can this be done.

91
00:05:38,910 --> 00:05:41,920
Diffusion can be applied in other words a diffuser.

92
00:05:41,970 --> 00:05:46,890
It works so that a change of one byte in the sector will cause a pseudo random change of a large number

93
00:05:46,890 --> 00:05:48,600
of bytes in other sectors.

94
00:05:48,600 --> 00:05:53,090
The effect will be as such that if someone suspects that at a certain place in the ciphertext there

95
00:05:53,090 --> 00:05:58,380
is a SAM file and tries to reset the administrator password by deleting the corresponding ciphertext

96
00:05:58,380 --> 00:06:03,570
bytes than the contents of many files of the operating system will automatically be changed.

97
00:06:03,600 --> 00:06:06,330
The result will be that the system will not boot at all.

98
00:06:06,330 --> 00:06:12,090
That's why in addition to the ABS algorithm and bit locker and original algorithm by Microsoft Research

99
00:06:12,090 --> 00:06:14,340
is used which is called defuser.

100
00:06:14,370 --> 00:06:17,400
It requires about 10 cycles for use in one byte.

101
00:06:17,400 --> 00:06:22,560
The result is such that for today's computers the activation of the almost invisible protection of the

102
00:06:22,560 --> 00:06:27,550
entire hard disk drive is connected with the reduction of efficiency of about 5 percent.

103
00:06:27,570 --> 00:06:33,030
That's all concerning the basis of cryptography and data security encrypted disks must be managed in

104
00:06:33,030 --> 00:06:35,080
some way especially in companies.

105
00:06:35,160 --> 00:06:40,050
We need to have the possibility of remote administration and remote program configuration that will

106
00:06:40,050 --> 00:06:41,850
encrypt and decrypt data.

107
00:06:41,880 --> 00:06:44,850
After all we will not do it to each computer separately.

108
00:06:44,850 --> 00:06:48,090
In addition some embedded emergency mode is mandatory.

109
00:06:48,090 --> 00:06:53,160
What do you do in a situation when a user we encrypted data for or the user encrypted the entire disk

110
00:06:53,160 --> 00:06:55,180
himself forgets a password.

111
00:06:55,230 --> 00:07:00,390
For example the password that allows him to decrypt the disk there must be some way to decrypt data

112
00:07:00,390 --> 00:07:02,420
on the disk on behalf of the user.

113
00:07:02,430 --> 00:07:06,600
Of course this affects security because it's based on trust to the administrator.

114
00:07:06,600 --> 00:07:11,010
Additional benefits of programs that encrypt the disks could be something like hiding the fact of the

115
00:07:11,010 --> 00:07:12,870
presence of data on the disk.

116
00:07:12,870 --> 00:07:15,770
This is something that has not been implemented in bit locker.

117
00:07:15,780 --> 00:07:19,360
This is something that makes true Krips stand out as compared to a bit locker.

118
00:07:19,440 --> 00:07:24,480
Sure Krips has such functionality that when one disk is encrypted it will create a second disk encrypted

119
00:07:24,480 --> 00:07:25,710
with a different key.

120
00:07:25,710 --> 00:07:31,030
Since both these disks are encrypted the analysis of these disk content for example when the computer's

121
00:07:31,050 --> 00:07:35,130
off does not show any difference between one encrypted disk and the other.

122
00:07:35,130 --> 00:07:38,370
In general it should be maximum pseudo random data.

123
00:07:38,370 --> 00:07:44,190
Now if someone asks us to decrypt a disk in most cases those who authorize to do so such as the police

124
00:07:44,400 --> 00:07:49,370
if they ask us we have the obligation to reveal to them the password for this type of security.

125
00:07:49,440 --> 00:07:54,000
If we have the password to one disk it will be decrypted and its content made available.

126
00:07:54,000 --> 00:07:58,770
If however we don't give a second password everything that was encrypted and was on the internal hard

127
00:07:58,770 --> 00:08:04,410
disk will remain invisible at least in theory an additional advantage to disk encryption could also

128
00:08:04,410 --> 00:08:06,570
be checking the integrity of the computer.

129
00:08:06,690 --> 00:08:10,740
This function is only available in bit locker and is not available in true crypt.

130
00:08:10,740 --> 00:08:15,780
It's idea is that interference in the computer for example moving the hard disk or a change in the order

131
00:08:15,780 --> 00:08:20,100
of the starting devices causes automatic blocking of the encrypted disk.

132
00:08:20,100 --> 00:08:22,190
We've already mentioned authenticity.

133
00:08:22,220 --> 00:08:24,210
Said that a signature is used for it.

134
00:08:24,210 --> 00:08:29,570
However in the case of disks that's not possible since the sector has a fixed sector size.

135
00:08:29,610 --> 00:08:35,130
We can't force manufacturers of hard disks and low level software to reserve for us a few extra bytes

136
00:08:35,130 --> 00:08:36,170
in each sector.

137
00:08:36,180 --> 00:08:40,920
We also can't write checksums to another sector since there are programs that are based on the fact

138
00:08:40,920 --> 00:08:43,050
that sectors are independent of each other.

139
00:08:43,050 --> 00:08:48,470
Examples of such programs are database servers which in their own way manage writing and reading.

140
00:08:48,510 --> 00:08:53,430
It cannot be that a change in data in one sector causes their automatic change in another sector.

141
00:08:53,430 --> 00:08:58,050
This is what would happen if a check somewhere there we could solve the problem by artificially doubling

142
00:08:58,050 --> 00:08:59,300
the size of the sector.

143
00:08:59,370 --> 00:09:01,000
Then all the problems are solved.

144
00:09:01,020 --> 00:09:02,930
We have a lot of space for the checksum.

145
00:09:02,940 --> 00:09:07,920
In addition the operating system is only half of the sectors and there are no relationship between the

146
00:09:07,920 --> 00:09:08,670
sectors.

147
00:09:08,790 --> 00:09:14,610
Unfortunately we'd have to convince users that when buying for example a 500 gigabyte disk it really

148
00:09:14,610 --> 00:09:16,750
has to be 250 gigabytes.

149
00:09:16,920 --> 00:09:20,750
We could meet some resistance there for disk encryption software.

150
00:09:20,760 --> 00:09:26,880
Instead of using Macs signature's broadcast bits on as many sectors as possible in addition to encryption

151
00:09:26,940 --> 00:09:30,970
specific sectors use keys to avoid simple mathematic relationship.

152
00:09:31,090 --> 00:09:31,450
Well then.