DOI: 10.1145/1854099.1854103
keynote

Evil maid goes after PGP whole disk encryption

Published: 07 September 2010

ABSTRACT

Full disk encryption (FDE) systems are widely used to protect information from unauthorized access. A common application of such systems is laptop hard drive and removable media encryption, because these can easily be lost or stolen. Indeed, if we assume that the encryption scheme used by the FDE software is cryptographically strong, correctly implemented and properly used, and that the attacker does not possess a key for the stolen media, then the data is safe. However, given physical access to the laptop (powered off, to ensure that no keys remain in memory), an attacker can do other things besides stealing it: for example, he can modify its disk contents (e.g. the FDE loader code) and leave the laptop for the unsuspecting owner. The next time the owner enters the password or provides a key, the code left by the attacker can silently record the decryption key and send it to the attacker. This type of physical attack is called an "Evil Maid" attack because it can easily be conducted by a hotel maid while the owner leaves the laptop unattended in the room for a short period of time. This is why it is essential for an FDE system to assure the user that the system that has just booted is actually the system he or she wanted to boot (i.e. the trusted one) and not a modified system (e.g. one compromised by an MBR virus). This is called trusted boot. Trusted boot can be implemented using either a Static Root of Trust or a Dynamic Root of Trust.

The Static Root of Trust approach (also known as Static Root of Trust for Measurement, or SRTM) is straightforward: the system starts booting from some immutable piece of firmware code that we assume is always trusted (hence the static root), and this code initiates the measurement process, in which each component measures (hashes) the next one before passing control to it, forming a chain. So, e.g., this immutable piece of firmware first calculates the hash of the BIOS and extends a TPM PCR (Platform Configuration Register) with that hash value. The BIOS then does the same with the PCI option ROMs (EEPROMs) and the MBR before handing execution to them. Then the bootloader measures the OS loader before executing it, and so on. Because a PCR can only be extended (PCR_new = H(PCR_old || measurement)), never written directly, a modification to any measured component changes the final PCR value, and a secret sealed to the expected value is not released to the modified system.
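As an added worked example (not code from the paper, from PGP WDE or from BitLocker), the following Python simulates the measure-and-extend chain described above and seals a disk key to the resulting PCR value, so that a loader modified by the evil maid reproduces a different PCR and the key is not released. The SHA-256 PCR bank, the in-software "TPM" seal/unseal, the `boot_chain`/`seal`/`unseal` helper names and the boot component images are all assumptions or constructed stand-ins, not anything from the original page.

```python
"""Toy SRTM measurement chain with a PCR-sealed disk key.

Added illustrative example, not code from the paper, PGP WDE or BitLocker.
Assumptions: one SHA-256 PCR bank (a TPM 1.2 would use SHA-1 and 20-byte
PCRs); the "TPM" and its seal/unseal are simulated in software; the boot
component images are constructed byte strings, not real firmware.
"""
from __future__ import annotations

import hashlib
import hmac

HASH = hashlib.sha256
PCR_INIT = bytes(32)                       # PCRs reset to all-zero at power-on

# Constructed stand-ins for the components each stage measures before
# handing execution to the next one (BIOS -> option ROMs -> MBR -> OS loader).
GOOD_CHAIN = [
    b"BIOS image (constructed)",
    b"PCI option ROMs (constructed)",
    b"FDE pre-boot loader in the MBR (constructed)",
    b"OS loader (constructed)",
]
DISK_KEY = bytes(range(32))                # constructed 256-bit volume key


def measure(component: bytes) -> bytes:
    """Hash of a component, computed by the previous stage before executing it."""
    return HASH(component).digest()


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM extend: PCR_new = H(PCR_old || digest). Order-dependent, not reversible."""
    return HASH(pcr + digest).digest()


def boot_chain(stages: list[bytes]) -> bytes:
    """Run the measure-then-execute chain and return the final PCR value."""
    pcr = PCR_INIT
    for component in stages:
        pcr = extend(pcr, measure(component))
    return pcr


def seal(secret: bytes, expected_pcr: bytes) -> bytes:
    """Bind a 32-byte secret to one PCR value (simulated TPM seal; a real TPM
    keeps the wrapping key inside the chip). Returns ciphertext || HMAC tag."""
    if len(secret) != 32:
        raise ValueError("toy seal handles exactly 32-byte secrets")
    kek = HASH(b"seal-kek|" + expected_pcr).digest()
    ciphertext = bytes(a ^ b for a, b in zip(secret, kek))
    tag = hmac.new(kek, ciphertext, "sha256").digest()
    return ciphertext + tag


def unseal(blob: bytes, actual_pcr: bytes) -> bytes | None:
    """Release the secret only if the PCR reproduced at boot matches the one
    it was sealed to; any other boot path yields a wrong kek and a bad tag."""
    ciphertext, tag = blob[:32], blob[32:]
    kek = HASH(b"seal-kek|" + actual_pcr).digest()
    if not hmac.compare_digest(tag, hmac.new(kek, ciphertext, "sha256").digest()):
        return None
    return bytes(a ^ b for a, b in zip(ciphertext, kek))


def evil_maid_chain() -> list[bytes]:
    """Same machine, but the MBR loader was replaced while the laptop was off."""
    chain = list(GOOD_CHAIN)
    chain[2] = b"keylogging loader left by the evil maid (constructed)"
    return chain


def demo() -> tuple[bool, bool]:
    """Returns (key released on the trusted boot, key released after tampering)."""
    blob = seal(DISK_KEY, boot_chain(GOOD_CHAIN))      # sealed at provisioning time
    trusted = unseal(blob, boot_chain(GOOD_CHAIN)) == DISK_KEY
    tampered = unseal(blob, boot_chain(evil_maid_chain())) == DISK_KEY
    return trusted, tampered


if __name__ == "__main__":
    trusted, tampered = demo()
    print("trusted boot releases key:", trusted)      # True
    print("tampered boot releases key:", tampered)    # False
```

The toy stops at the OS loader; a real deployment seals to several PCRs and must also cope with legitimate changes (firmware updates, new option ROMs) that alter the chain, which is why re-sealing procedures matter in practice. The protection rests entirely on the immutable first stage being trustworthy, which is the assumption SRTM makes and DRTM is designed to relax.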

An alternative way to implement trusted boot is to use a Dynamic Root of Trust (often called Dynamic Root of Trust for Measurement, or DRTM). Intel's TXT technology (formerly LaGrande) is an example of DRTM (more precisely, TXT is more than just DRTM, but DRTM is the central concept on which TXT is built).

We are aware of only one FDE system that makes use of SRTM to ensure a trusted boot (Microsoft BitLocker), and of none that uses DRTM. Although PGP WDE uses a TPM as an additional authentication device to deter attacks such as hard disk theft, it does not ensure a trusted boot. In our talk we discuss the general Evil Maid attack and then elaborate on some critical aspects of the PGP WDE implementation which allow a successful attack even when two-factor authentication is used. Finally, a cryptographic flaw in PGP WDE is revealed which makes it much easier for an attacker to stealthily compromise the security of the protected laptop.

Published in

SIN '10: Proceedings of the 3rd international conference on Security of information and networks
September 2010
286 pages
ISBN: 9781450302340
DOI: 10.1145/1854099

Copyright © 2010 Copyright is held by the author/owner(s)

          Publisher

          Association for Computing Machinery

          New York, NY, United States


Acceptance Rates

Overall acceptance rate: 102 of 289 submissions, 35%
