Pre-boot authentication

Last updated

Pre-boot authentication (PBA) or power-on authentication (POA) [1] serves as an extension of the BIOS, UEFI or boot firmware and guarantees a secure, tamper-proof environment external to the operating system as a trusted authentication layer. The PBA prevents anything being read from the hard disk such as the operating system until the user has confirmed they have the correct password or other credentials including multi-factor authentication. [2]

Contents

Uses of pre-boot authentication

Pre-boot authentication process

A PBA environment serves as an extension of the BIOS, UEFI or boot firmware and guarantees a secure, tamper-proof environment external to the operating system as a trusted authentication layer. [2] The PBA prevents Windows or any other operating system from loading until the user has confirmed he/she has the correct password to unlock the computer. [2] That trusted layer eliminates the possibility that one of the millions of lines of OS code can compromise the privacy of personal or company data. [2]

Generic boot sequence

in BIOS mode:

  1. Basic Input/Output System (BIOS)
  2. Master boot record (MBR) partition table
  3. Pre-boot authentication (PBA)
  4. Operating system (OS) boots

in UEFI mode:

  1. UEFI (Unified Extensible Firmware Interface)
  2. GUID Partition Table (GPT)
  3. Pre-boot authentication (PBA)
  4. Operating system (OS) boots

Pre-boot authentication technologies

Combinations with full disk encryption

Pre-boot authentication can by performed by an add-on of the operating system like Linux Initial ramdisk or Microsoft's boot software of the system partition (or boot partition) or by a variety of full disk encryption (FDE) vendors that can be installed separately to the operating system. Legacy FDE systems tended to rely upon PBA as their primary control. These systems have been replaced by systems using hardware-based dual-factor systems like TPM chips or other proven cryptographic approaches. However, without any form of authentication (e.g. a fully transparent authentication loading hidden keys), encryption provides little protection from advanced attackers as this authentication-less encryption fully rely on the post-boot authentication comes from Active Directory authentication at the GINA step of Windows.

Security concerns

Microsoft released BitLocker Countermeasures [3] defining protection schemes for Windows. For mobile devices that can be stolen and attackers gain permanent physical access (paragraph Attacker with skill and lengthy physical access) Microsoft advise the use of pre-boot authentication and to disable standby power management. Pre-boot authentication can be performed with TPM with PIN protector or any 3rd party FDA vendor.

Best security is offered by offloading the cryptographic encryption keys from the protected client and supplying key material externally within the user authentication process. This method eliminates attacks on any built-in authentication method that are weaker than a brute-force attack to the symmetric AES keys used for full disk encryption.

Without cryptographic protection of a hardware (TPM) supported secure boot environment, PBA is easily defeated with Evil Maid style of attacks. However, with modern hardware (including TPM or cryptographic multi-factor authentication) most FDE solutions are able to ensure that removal of hardware for brute-force attacks is no longer possible.

Authentication methods

The standard complement of authentication methods exist for pre-boot authentication including:

  1. Something you know (e.g. username/password like Active Directory credentials or TPM pin)
  2. Something you have (e.g. smart card or other token)
  3. Something you are (e.g. biometric attributes like fingerprint, face recognition, iris scan)
  4. Automatic authentication in trusted zones (e.g. boot key provided to company devices by the enterprise network)

Related Research Articles

Next-Generation Secure Computing Base software architecture

The Next-Generation Secure Computing Base was a cancelled software architecture designed by Microsoft which aimed to provide users of the Windows operating system with better privacy, security, and system integrity. NGSCB was the result of years of research and development within Microsoft to create a secure computing solution that equaled the security of closed platforms such as set-top boxes while simultaneously preserving the backward compatibility, flexibility, and openness of the Windows operating system. The primary stated objective with NGSCB was to "protect software from software."

Secure cryptoprocessor Device used for encryption

A secure cryptoprocessor is a dedicated computer-on-a-chip or microprocessor for carrying out cryptographic operations, embedded in a packaging with multiple physical security measures, which give it a degree of tamper resistance. Unlike cryptographic processors that output decrypted data onto a bus in a secure environment, a secure cryptoprocessor does not output decrypted data or decrypted program instructions in an environment where security cannot always be maintained.

GNU GRUB Boot loader package

GNU GRUB is a boot loader package from the GNU Project. GRUB is the reference implementation of the Free Software Foundation's Multiboot Specification, which provides a user the choice to boot one of multiple operating systems installed on a computer or select a specific kernel configuration available on a particular operating system's partitions.

The Encrypting File System (EFS) on Microsoft Windows is a feature introduced in version 3.0 of NTFS that provides filesystem-level encryption. The technology enables files to be transparently encrypted to protect confidential data from attackers with physical access to the computer.

Unified Extensible Firmware Interface Specification that defines a software interface between an operating system and platform firmware

The Unified Extensible Firmware Interface (UEFI) is a specification that defines a software interface between an operating system and platform firmware. UEFI replaces the legacy Basic Input/Output System (BIOS) firmware interface originally present in all IBM PC-compatible personal computers, with most UEFI firmware implementations providing support for legacy BIOS services. UEFI can support remote diagnostics and repair of computers, even with no operating system installed.

Disk encryption software is computer security software that protects the confidentiality of data stored on computer media by using disk encryption.

GUID Partition Table standard for the layout of the partition table on a physical storage device used in a desktop or server PC

The GUID Partition Table (GPT) is a standard for the layout of partition tables of a physical computer storage device, such as a hard disk drive or solid-state drive, using universally unique identifiers, which are also known as globally unique identifiers (GUIDs). Forming a part of the Unified Extensible Firmware Interface (UEFI) standard, it is nevertheless also used for some BIOS systems, because of the limitations of master boot record (MBR) partition tables, which use 32 bits for logical block addressing (LBA) of traditional 512-byte disk sectors.

Trusted Platform Module international standard for a secure cryptoprocessor, a dedicated microcontroller designed to secure hardware through integrated cryptographic keys

Trusted Platform Module is an international standard for a secure cryptoprocessor, a dedicated microcontroller designed to secure hardware through integrated cryptographic keys.

The Apple–Intel architecture, or Mactel, is an unofficial name used for Apple Macintosh personal computers developed and manufactured by Apple Inc. that use Intel x86 processors, rather than the PowerPC and Motorola 68000 ("68k") series processors used in their predecessors. With the change in architecture, a change in firmware became necessary; Apple selected the Intel-designed Extensible Firmware Interface (EFI) as its comparable component to the Open Firmware used on its PowerPC architectures, and as the firmware-based replacement for the PC BIOS from Intel. With the change in processor architecture to x86, Macs gained the ability to boot into x86-native operating systems, while Intel VT-x brought near-native virtualization with Mac OS X as the host OS.

BitLocker disk encryption software for Microsoft Windows

BitLocker is a full volume encryption feature included with Microsoft Windows versions starting with Windows Vista. It is designed to protect data by providing encryption for entire volumes. By default, it uses the AES encryption algorithm in cipher block chaining (CBC) or XTS mode with a 128-bit or 256-bit key. CBC is not used over the whole disk; it is applied to each individual sector.

Boot Camp (software) Proprietary dual-boot wizard

Boot Camp Assistant is a multi boot utility included with Apple Inc.'s macOS that assists users in installing Microsoft Windows operating systems on Intel-based Macintosh computers. The utility guides users through non-destructive disk partitioning of their hard disk drive or solid state drive and installation of Windows device drivers for the Apple hardware. The utility also installs a Windows Control Panel applet for selecting the boot operating system.

The EFIsystem partition or ESP is a partition on a data storage device that is used by computers adhering to the Unified Extensible Firmware Interface (UEFI). When a computer is booted, UEFI firmware loads files stored on the ESP to start installed operating systems and various utilities.

Disk encryption is a technology which protects information by converting it into unreadable code that cannot be deciphered easily by unauthorized people. Disk encryption uses disk encryption software or hardware to encrypt every bit of data that goes on a disk or disk volume. It is used to prevent unauthorized access to data storage.

There are a number of security and safety features new to Windows Vista, most of which are not available in any prior Microsoft Windows operating system release.

This is a technical feature comparison of different disk encryption software.

In computer security, a cold boot attack is a type of side channel attack in which an attacker with physical access to a computer performs a memory dump of a computer's random access memory (RAM) by performing a hard reset of the target machine. Typically, cold boot attacks are used to retrieve encryption keys from a running operating system for malicious or criminal investigative reasons. The attack relies on the data remanence property of DRAM and SRAM to retrieve memory contents that remain readable in the seconds to minutes after power has been removed.

Hardware-based full disk encryption (FDE) is available from many hard disk drive (HDD/SSD) vendors, including: Hitachi, Integral Memory, iStorage Limited, Micron, Seagate Technology, Samsung, Toshiba, Viasat UK, Western Digital. The symmetric encryption key is maintained independently from the computer's CPU, thus allowing the complete data store to be encrypted and removing computer memory as a potential attack vector.

InstantGo is a Microsoft specification for Windows 8 hardware and software that aims to bring smartphone-type power management capabilities to the PC platform, as well as increasing physical security.

VeraCrypt free and open-source disk encryption utility

VeraCrypt is a source-available freeware utility used for on-the-fly encryption (OTFE). It can create a virtual encrypted disk within a file or encrypt a partition or the entire storage device with pre-boot authentication.

Evil maid attack Type of computer security breach

An evil maid attack is an attack on an unattended device, in which an attacker with physical access alters it in some undetectable way so that they can later access the device, or the data on it.

References

  1. "Sophos brings enterprise-level encryption to the Mac". Network World. August 2, 2010. Archived from the original on October 12, 2012. Retrieved 2010-08-03.
  2. 1 2 3 4 5 "Pre-Boot Authentication". SECUDE. February 21, 2008. Archived from the original on 2012-03-04. Retrieved 2008-02-22.
  3. Dansimp. "BitLocker Countermeasures (Windows 10) - Microsoft 365 Security". docs.microsoft.com. Retrieved 2020-01-30.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.