From Source to Secure : Bitlocker

Bitlocker Broken/Cracked… NOT!

RockyH — Sat, 12 Dec 2009 11:06:35 GMT

Ok, I’ve been trying to keep my cool on this whole thing but enough is enough. A few days ago ars technica ran a hype-story called “First commercial tool to crack BitLocker arrives” (no, I’m not going to link to it because they don’t deserve the traffic IMHO) The claim is that Passware has created a commercial tool that cracks BitLocker encryption. This is misleading garbage. Sorry, there is no other way to put it well there is, but I edited that one out. First, the encryption hasn’t been cracked, second it still requires access to a live machine (sleep is still live).

What Passware actually does, is take an image of the RAM / Swap file and hunt for the decryption key in it. This is nothing new, and nothing that can’t be done with any full volume encryption system, yes including PGP and TrueCrypt. It’s the same thing as the frozen RAM trick and every other Administrator enabled Direct Memory access trick. Passware requires administrative access to a machine that is in a ‘non-off’ state in order to get a snap-shot of the memory and then troll through it to find the key. If your machine is turned off, non of these so-called encryption cracking techniques work, NONE of them.

ALL full volume encyrption systems must have the decryption key available in memory. And no you cannot protect it completely like some people claim PGP does, PGP is just as susceptible, if not more so, to this kind of thing commercial tools like McAfee Endpoint Encryption (formerly Safeboot) and BitLocker.

Now pay attention, Neither BitLocker nor any other drive encryption system is designed to protect data on a drive when the machine is booted, and someone with administrator privileges has access to the machine. People keep conveniently glossing over this fact. BitLocker is designed to prevent off-line attacks such as the ‘stolen/lost laptop’ scenario. If you login to your computer, then hand it to someone, nothing in the world will protect your data.

All of this sensationalist drivel would like you to believe that if you can get at the data which is protected by a disc encryption system from a logged in machine as an administrator that there is some huge security vulnerability. There isn’t. If you have that kind of access to the machine why not just turn off the encryption and save yourself the trouble.

If you don’t have the key in memory when a decryption operation is required, the decryption does not happen. Simple as that. Finding this key in a snap-shot of the computer memory is not rocket science nor is it cracking anything. It is using that key to decrypt the drive. Cracking would be breaking the encryption without the key, which is still not possible in any reasonable amount of time on modern computers.

Now, if someone can do this on a BitLockered machine, that is turned off (not sleep, but cold off) and configured for TPM+PIN+USB key (the recommended secure configuration), then I’ll be impressed. Oh one other thing, you have to be able to get to the data in my lifetime, brute forcing the encryption after about 40 Billion years doesn’t count.

If I locked a door, then hid the key under the mat and told you where the key was, is the door or lock cracked because you were able to unlock it and open the door? No, of course not. This kind of crap about saying BitLocker is cracked because someone had access to the key is garbage. It’s like saying notepad is broken because it saves files in plain text. Then again now that I’ve said that, some of these sensationalists are probably going to start writing headlines like Notepad File Format Cracked!

Ok all of you wanna-be journalists out there (you know who you are), start doing a bit of homework before you drivel onto your keyboard. Try being responsible for just a tiny little bit instead of wondering how many hits you can get on your page by spouting some sensationalist garbage.

Funny, but after being called to task on their sensationalist crap, the ‘writer’ (doesn’t deserve to be called a journalist) updated the post to say “this isn't exactly a "crack" for BitLocker” and “If a forensics analyst or thief has physical access to a running system, it is possible to take advantage of the fact that the contents are in the computer's memory. Other drive encryption programs have similar issues.”

Gee, you probably should have thought that out before you published the drivel.

There are a lot of journalists I respect out there and no they are not all pro-Microsoft. But they do their homework and they write thoughtful, insightful, and factual articles. Be a journalist, not a sensationalist.

Bitlocker To go

RockyH — Sun, 01 Mar 2009 13:57:00 GMT

Well with Windows 7 coming up, there’s been a bit of talk around Bitlocker To Go.(BTG) BTG is essentially Bitlocker for external drives. It’s full volume encryption for all your USB drives.

Jeffa and I have been talking about it quite a bit recently and there seems to be a lack of understanding on how it works. So I thought I would post this information.

Technically, you could have bitlockered a USB drive in Vista, but it was NOT a supported scenario. In Windows 7, not only is it supported, but encouraged.

There are even supporting GPO entries that you can set that will require all external drives to be encrypted. More on these in another post.

So back to BTG.

BTG is very similar to Bitlocker on the host. It still uses a 3 key system to protect the drive. so what you end up with is this:

The volume is encrypted with AES 128 with a Diffuser as the default (although you can use 256 bit AES) based on a Full Volume Encryption Key (FVEK)
{NOTE for the real geeks: The full key size is always 512 bits. The AES-CBC Componenet and the Sector Key compoenent are both always provided with 256 bits of key material so the full key is 512 bits. You can use smaller key sizes and the system will pad them out. This allows the system to accomodate larger key sizes without chaing the key management system.}
The FVEK is then encrypted with 256bit AES based on the Volume Master Key (VMK)
The VMK is encrypted and protected with a Key Protector that is based on a user defined password.

For more detail see the Bitlocker Architecture article.

Using BTG on a USB drive is really easy. Once you’ve inserted the drive and it’s been recognized by the system, just go to the Bitlocker Drive Encryption in Control Panel.

Just select Turn On Bitlocker next to the external drive you want to encrypt.

When you first set it up, you are presented with a choice on how you want to unlock the drive.

If you are using a Smart Card as your login, you can chose to save the key on there. If you do this, you’ll need your Smart Card every time you want to access the external drive.

In this case I selected ‘Use a password to unlock the drive’

You are presented with the traditional Bitlocker selection on where to save your recovery key.

Don’t worry, it’s smart enough not to let you save the recovery key on the drive you are trying to encrypt.

Once you’ve found a suitable location, you can start the encryption process.

Once you’ve started the encryption process, you can remove the drive before it is complete. However the system does tell you to pause the encryption before removing the drive. If you don’t…well, let’s just say you’ve been warned.

Once encryption is complete, and you remove, then reinsert the drive you are presented with the password dialog to access the drive.

If you chose to ‘Automatically unlock on this computer from now on’ the system will store your password (the Key Protector password) in an encrypted section of the registry. So the next time the drive is inserted, if you are the person logged on and have access to that registry key, the Key Protector password will be automatically entered for you and the drive will be accessible.

I would strongly suggest actually using the Context menu on the drive and selecting Eject when you want to remove the drive from the machine. Technically you should be doing this with all your USB drives, but with a Bitlockered one, you really need to get into the habit “just in case”.

But what if you chose not to unlock the drive?

When you try to access it you will get an access denied error. If you try to do a ‘dir’ from an Admin command prompt you’ll see that the volume isn’t even bound to the system. (go ahead, try it).

Now if you were to set the System Files Visibility on your machine and look at a USB drive protected by BTG, you’ll notice some files on there.

These files are indeed the keys to the drive. It’s the FVEK, and the VMK. You may also notice that they are stored in the unprotected section of the drive. I’m sure some sensationalist’s our there are freaking out just waiting to break a story on how you can use these keys to decrypt the drive so BTG is broken. Well, get a grip, that’s not the case.

As I said earlier, the FVEK is encrypted with the VMK, and the VMK is encrypted with the Key Protector which is hopefully locked safely away in the noggin of the user.

There’s not much point in trying to brute force the keys to get to the data on the drive. They are encrypted with the same strength stuff that’s used on the drive data anyway. If you are that determined to brute force something you may as well just target the drive data.

Good luck with that. With today’s computing power, and presuming that you have to go through an average of 52% of the keyspace before you find the right key, it’s going to take you about 20,000,000,000,000,000,000 years to do it. I plan on being dead by then do if you get to my data in 20 Quadrillion years, you just have the time of you life.

BTG is a great way to protect all of those external drives you have. You can protect a USB drive for each client, or account, or just keep your kids pictures safe from prying eyes if you happen to drop your USB key in the parking lot.

No, you probably can’t open it up on the local Wal-mart photo Kiosk. But you should be able to open it up on any bitlocker capable machine providing you remember the password. Such as Windows Vista or Windows Server 2008

In fact, BTG includes a Bitlocker Reader application on the USB drive. When you open the drive on a Vista machine it looks something like this:

You’ll notice that the drive has the Bitlocker icon on it. If you open it, you see the following:

You can see the BitlockerToGo exe there ready to serve you:

Once you run it you are asked for the password for the drive. If you enter it correctly the BTG Reader starts and presents you with the following dialog.

Now you are ready to access your files. But, you have to drag them to the local computer to use them. This will allow the on access decryption to decrypt the file as it copies it to your system all ready to use.

So give it a try. I personally use it on my external drives. Especially those that contain my laptop backups, and any client data that I’m working on. I don't tend to lose drives, but if I ever did, I know that the data on them would be very safe.