Pre-boot authentication

Last updated

Pre-boot authentication (PBA) or power-on authentication (POA) [1] serves as an extension of the BIOS, UEFI or boot firmware and guarantees a secure, tamper-proof environment external to the operating system as a trusted authentication layer. The PBA prevents anything being read from the hard disk such as the operating system until the user has confirmed they have the correct password or other credentials including multi-factor authentication. [2]

Contents

Uses of pre-boot authentication

Pre-boot authentication process

A PBA environment serves as an extension of the BIOS, UEFI or boot firmware and guarantees a secure, tamper-proof environment external to the operating system as a trusted authentication layer. [2] The PBA prevents any operating system from loading until the user has confirmed he/she has the correct password to unlock the computer. [2] That trusted layer eliminates the possibility that one of the millions of lines of OS code can compromise the privacy of personal or company data. [2]

Generic boot sequence

in BIOS mode:

  1. Basic Input/Output System (BIOS)
  2. Master boot record (MBR) partition table
  3. Pre-boot authentication (PBA)
  4. Operating system (OS) boots

in UEFI mode:

  1. UEFI (Unified Extensible Firmware Interface)
  2. GUID Partition Table (GPT)
  3. Pre-boot authentication (PBA)
  4. Operating system (OS) boots

Pre-boot authentication technologies

Combinations with full disk encryption

Pre-boot authentication can by performed by an add-on of the operating system like Linux Initial ramdisk or Microsoft's boot software of the system partition (or boot partition) or by a variety of full disk encryption (FDE) vendors that can be installed separately to the operating system. Legacy FDE systems tended to rely upon PBA as their primary control. These systems have been replaced by systems using hardware-based dual-factor systems like TPM chips or other proven cryptographic approaches. However, without any form of authentication (e.g. a fully transparent authentication loading hidden keys), encryption provides little protection from advanced attackers as this authentication-less encryption fully rely on the post-boot authentication comes from Active Directory authentication at the GINA step of Windows.

Security concerns

Microsoft released BitLocker Countermeasures [3] defining protection schemes for Windows. For mobile devices that can be stolen and attackers gain permanent physical access (paragraph Attacker with skill and lengthy physical access) Microsoft advise the use of pre-boot authentication and to disable standby power management. Pre-boot authentication can be performed with TPM with PIN protector or any 3rd party FDA vendor.

Best security is offered by offloading the cryptographic encryption keys from the protected client and supplying key material externally within the user authentication process. This method eliminates attacks on any built-in authentication method that are weaker than a brute-force attack to the symmetric AES keys used for full disk encryption.

Without cryptographic protection of a hardware (TPM) supported secure boot environment, PBA is easily defeated with Evil Maid style of attacks. However, with modern hardware (including TPM or cryptographic multi-factor authentication) most FDE solutions are able to ensure that removal of hardware for brute-force attacks is no longer possible.

Authentication methods

The standard complement of authentication methods exist for pre-boot authentication including:

  1. Something you know (e.g. username/password like Active Directory credentials or TPM pin)
  2. Something you have (e.g. smart card or other token)
  3. Something you are (e.g. biometric attributes like fingerprint, face recognition, iris scan)
  4. Automatic authentication in trusted zones (e.g. boot key provided to company devices by the enterprise network)

Related Research Articles

<span class="mw-page-title-main">Wake-on-LAN</span> Mechanism to wake up computers via a network

Wake-on-LAN is an Ethernet or Token Ring computer networking standard that allows a computer to be turned on or awakened from sleep mode by a network message. It is based upon AMD's Magic Packet Technology, which was co-developed by AMD and Hewlett-Packard, following its proposal as a standard in 1995. The standard saw quick adoption thereafter through IBM, Intel and others.

<span class="mw-page-title-main">Secure cryptoprocessor</span> Device used for encryption

A secure cryptoprocessor is a dedicated computer-on-a-chip or microprocessor for carrying out cryptographic operations, embedded in a packaging with multiple physical security measures, which give it a degree of tamper resistance. Unlike cryptographic processors that output decrypted data onto a bus in a secure environment, a secure cryptoprocessor does not output decrypted data or decrypted program instructions in an environment where security cannot always be maintained.

<span class="mw-page-title-main">Boot sector</span> Sector of a persistent data storage device

A boot sector is the sector of a persistent data storage device which contains machine code to be loaded into random-access memory (RAM) and then executed by a computer system's built-in firmware.

The Encrypting File System (EFS) on Microsoft Windows is a feature introduced in version 3.0 of NTFS that provides filesystem-level encryption. The technology enables files to be transparently encrypted to protect confidential data from attackers with physical access to the computer.

<span class="mw-page-title-main">UEFI</span> Operating system and firmware specification

Unified Extensible Firmware Interface is a specification that defines an architecture for the platform firmware used for booting a computer's hardware and its interface for interaction with the operating system. Examples of firmware that implement the specification are AMI Aptio, Phoenix SecureCore, TianoCore EDK II, InsydeH2O.

Disk encryption software is a computer security software that protects the confidentiality of data stored on computer media by using disk encryption.

<span class="mw-page-title-main">Trusted Platform Module</span> Standard for secure cryptoprocessors

Trusted Platform Module (TPM) is an international standard for a secure cryptoprocessor, a dedicated microcontroller designed to secure hardware through integrated cryptographic keys. The term can also refer to a chip conforming to the standard ISO/IEC 11889. Common uses are to verify platform integrity, and to store disk encryption keys.

Intel Trusted Execution Technology is a computer hardware technology of which the primary goals are:

<span class="mw-page-title-main">Apple–Intel architecture</span> Unofficial name used for Macintosh models that use Intel x86 processors

The Apple–Intel architecture, or Mactel, is an unofficial name used for Macintosh personal computers developed and manufactured by Apple Inc. that use Intel x86 processors, rather than the PowerPC and Motorola 68000 ("68k") series processors used in their predecessors or the ARM-based Apple silicon SoCs used in their successors. As Apple changed the architecture of its products, they changed the firmware from the Open Firmware used on PowerPC-based Macs to the Intel-designed Extensible Firmware Interface (EFI). With the change in processor architecture to x86, Macs gained the ability to boot into x86-native operating systems, while Intel VT-x brought near-native virtualization with macOS as the host OS.

<span class="mw-page-title-main">BitLocker</span> Disk encryption software for Microsoft Windows

BitLocker is a full volume encryption feature included with Microsoft Windows versions starting with Windows Vista. It is designed to protect data by providing encryption for entire volumes. By default, it uses the Advanced Encryption Standard (AES) algorithm in cipher block chaining (CBC) or "xor–encrypt–xor (XEX)-based Tweaked codebook mode with ciphertext Stealing" (XTS) mode with a 128-bit or 256-bit key. CBC is not used over the whole disk; it is applied to each individual sector.

<span class="mw-page-title-main">EFI system partition</span> Partition used by Unified Extensible Firmware Interface

The EFIsystem partition or ESP is a partition on a data storage device that is used by computers that have the Unified Extensible Firmware Interface (UEFI). When a computer is booted, UEFI firmware loads files stored on the ESP to start operating systems and various utilities.

<span class="mw-page-title-main">Windows Boot Manager</span> Boot process used in modern Windows NT-based products

The Windows Boot Manager (BOOTMGR) is the bootloader provided by Microsoft for Windows NT versions starting with Windows Vista and Windows Server 2008. It is the first program launched by the BIOS or UEFI of the computer and is responsible for loading the rest of Windows. It replaced the NTLDR present in older versions of Windows.

Disk encryption is a technology which protects information by converting it into code that cannot be deciphered easily by unauthorized people or processes. Disk encryption uses disk encryption software or hardware to encrypt every bit of data that goes on a disk or disk volume. It is used to prevent unauthorized access to data storage.

There are a number of security and safety features new to Windows Vista, most of which are not available in any prior Microsoft Windows operating system release.

This is a technical feature comparison of different disk encryption software.

In computer security, a cold boot attack is a type of side channel attack in which an attacker with physical access to a computer performs a memory dump of a computer's random-access memory (RAM) by performing a hard reset of the target machine. Typically, cold boot attacks are used for retrieving encryption keys from a running operating system for malicious or criminal investigative reasons. The attack relies on the data remanence property of DRAM and SRAM to retrieve memory contents that remain readable in the seconds to minutes following a power switch-off.

Hardware-based full disk encryption (FDE) is available from many hard disk drive (HDD/SSD) vendors, including: Hitachi, Integral Memory, iStorage Limited, Micron, Seagate Technology, Samsung, Toshiba, Viasat UK, Western Digital. The symmetric encryption key is maintained independently from the computer's CPU, thus allowing the complete data store to be encrypted and removing computer memory as a potential attack vector.

InstantGo, also known as InstantOn or Modern Standby, is a Microsoft specification for Windows 8 hardware and software that aims to bring smartphone-type power management capabilities to the PC platform, as well as increasing physical security.

<span class="mw-page-title-main">VeraCrypt</span> Free and open-source disk encryption utility

VeraCrypt is a free and open-source utility for on-the-fly encryption (OTFE). The software can create a virtual encrypted disk that works just like a regular disk but within a file. It can also encrypt a partition or the entire storage device with pre-boot authentication.

<span class="mw-page-title-main">Evil maid attack</span> Type of computer security breach

An evil maid attack is an attack on an unattended device, in which an attacker with physical access alters it in some undetectable way so that they can later access the device, or the data on it.

References

  1. "Sophos brings enterprise-level encryption to the Mac". Network World. August 2, 2010. Archived from the original on October 12, 2012. Retrieved 2010-08-03.
  2. 1 2 3 4 5 "Pre-Boot Authentication". SECUDE. February 21, 2008. Archived from the original on 2012-03-04. Retrieved 2008-02-22.
  3. Dansimp. "BitLocker Countermeasures (Windows 10) - Microsoft 365 Security". docs.microsoft.com. Retrieved 2020-01-30.