Attending DEFCON presentations that target a product you use or helped build can be exciting in a bad way.  And believe me – knowing the fix has already been shipped reduces that excitement… in a very good way.  This is what made Jonathan Brossard’s DEFCON 16 presentation Bypassing pre-boot authentication passwords  less exciting for me: I knew the fix had been delivered to customers seven months earlier as part of Windows Vista Service Pack 1.  That isn’t the complete story though.

The BitLocker Team collaborates with customers, partners, and world-class security-research organizations to complement its internal security analysis and penetration testing.  Sometimes Microsoft initiates the external analysis and other times this work is begun independently.  Reports of vulnerabilities flow from various sources through different channels. Each case is usually unique in some way.  For instance, sometimes the finder doesn’t want publicity. In other cases, public events change the situation in a way that prompts us to respond publicly.

The password artifact in the firmware, or BIOS, keyboard buffer is a real problem. The BitLocker Team fixed this in Windows Vista SP1 by flushing the PIN from the keyboard buffer. While Mr. Brossard and his employer iViZ Techno Solutions are due credit and thanks for independently identifying this problem and publicizing their multi-vendor findings, they weren’t the first to report it privately to Microsoft. That credit belongs to the German government’s Federal Office for Information Security (BSI) and the Fraunhofer Institute who reported this issue to us in 2007. Thanks to their close collaboration with us, we were able to get the fix into Windows Vista SP1 and Windows Server 2008.  We are also thankful that iViZ chose to responsibly disclose this to us and other vendors prior to publicizing their research.

There is an element of Mr. Brossard’s findings that is often ignored or misunderstood: The full, end-to-end, boot-component-modifying attack requires administrative privileges, or root, on all of the operating systems covered in his presentation – including Windows.   Mr. Brossard made this clear during his DEFCON 16 presentation and in the associated white paper.  On Windows, administrative privileges are required to write to the MBR and other boot components.  Even if offline attacks are considered, BitLocker, in its TPM modes, will detect any unauthorized modification of the boot components during its secure boot phase.

The prerequisite of administrative privileges makes the BitLocker PIN attack much less interesting.  If the attacker has administrative privileges, she could read disk encryption keys or, more simply, turn BitLocker off. I’m not trying to dismiss Mr. Brossard’s findings; the password artifact is a real problem that has to be addressed by a wide variety of vendors. But from a BitLocker TPM + PIN point-of-view, the vector provides limited capabilities to an attacker who doesn’t already have administrative privileges.

-- Douglas MacIver
-- BitLocker Test Team
-- Microsoft Corporation

As people start analyzing BitLocker, a question that keeps getting raised is "Can I break into BitLocker by installing another copy of Vista?" This blog entry intends to show how BitLocker allows and supports multi-boot without compromising security.

There is a saying that "if it walks like a duck and talks like a duck it is a duck." If I put two operating systems on a computer, at what point are they the same operating system? And at what point are they different? If it walks like a duck (boots) and talks like a duck (accesses unique encrypted data) then for all intents and purposes from an attacker’s perspective, it is a duck.

It’s important therefore for BitLocker to be able to differentiate a real duck from a fake duck using some form of DNA.  To ensure no genetic experiments on the duck, the DNA is kept secret. In the case of BitLocker, the DNA is a key called the "Volume Master Key" or VMK. Without the VMK, the "Full Volume Encryption Key" (FVEK) is not known. Without the FVEK, the content of the encrypted volume is not known. Not only is it not known, but it cannot be meaningfully modified as (with the aid of the Elephant algorithm) Decrypt(FVEK, OriginalSectorData + DeltaModification) results in an unpredictable change to the entire sector. Niels wrote a paper on the benefit of the Elephant algorithm, described in the preceding blog entry.

For this reason, the fully encrypted volume can be considered a black box and the VMK is it’s key. The next question that arises is can the VMK be passed to a red box. For this we need to understand what happens during boot.
I will describe the boot process as 3 stages:

• Early Boot
• Mid Boot
• OS Boot

In "Early Boot", all boot components write values (measurements) to the TPM as the boot process proceeds. An example of this is that the BIOS will measure the boot code in the MBR, and write this to PCR[4] of the TPM. If the MBR is correct, the correct value will be in PCR[4]. If the MBR has been modified, the wrong value will be in PCR[4]. In either case, the MBR (legitimate or malicious) will be measured and will be executed. The TPM accumulates these measurements in a manner that cannot be undone unless the hardware is reset. It is important to ensure that all measurements are correct (therefore no modification to code) to successfully have the necessary PCR pre-conditions to allow the TPM to unseal the VMK.

In "Mid Boot", the time comes where the VMK is required to transition from "Mid Boot" to "OS Boot". BOOTMGR communicates with the TPM sending it a block of data previously encrypted by the TPM, and requests that the TPM decrypts the block of data. The TPM checks the values of PCR’s along with the values and policy conditions encoded into the block of data. The TPM also verifies the MAC (Message Authenticity Check) to ensure that the block of data was not tampered with. A legitimate BOOTMGR can obtain VMK, or know that it cannot obtain a VMK. A modified BOOTMGR will only know that it cannot obtain a VMK. If the VMK cannot be obtained, then there is nothing the modified BOOTMGR can do to open the black box. It is obvious therefore that the legitimate BOOTMGR must be used to retrieve the VMK at this point.

In "OS Boot", the legitimate BOOTMGR transitions to an active role to protect the VMK. The legitimacy of the BOOTMGR has been proven (above) implicitly by the fact that it has the VMK for a given volume. BOOTMGR must transition to the OS Loader, and it must do so without giving the VMK to the wrong OS Loader. This is where things get interesting. The metadata associated with the OS Volume contains a set of requirements indicating what boot executables are considered valid - more than one is required to support memory testing and to support resume from hibernate. BCD policy is also stored to ensure most BCD settings cannot be modified. To ensure the metadata is not tampered with, a MAC exists. Calculating the MAC requires knowledge of the VMK.

Before BOOTMGR transitions to the OS Loader, it verifies that the OS Loader and BCD settings are trusted. At this point the OS Loader can be trusted with multiple keys, but only if the metadata for the associated volumes indicate explicit trust. Modifying an OS Loader will immediately invalidate this trust. BOOTMGR also ensures that no more BitLocker keys can be accessed by writing a value to PCR[11] that is akin to locking a safe until the next boot.

Prior to transitioning to the OS, the OS Loader ensures that it will hand off at most one key (VMK) to the OS. Prior to handing the key off to the OS, the following conditions must apply:

• All components up to and including BOOTMGR must be correct. If they were not correct, the VMK would not be available.
• VMK must be correct to validate the MAC of the metadata. BOOTMGR verified this MAC.
• OS Loader must be the loader approved by metadata associated with VMK. Verified by BOOTMGR.
• BCD settings must be the settings approved by metadata associated with VMK. Verified by BOOTMGR.
• VMK must correctly decrypt FVEK stored in the validated metadata. Verified by BOOTMGR.
• FVEK must successfully decrypt data stored on the volume. Incorrect FVEK will result in invalid executable code or invalid data. In some cases this is caught by code integrity.
• MFT must be encrypted by correct FVEK to access all files.
• Phase 0 drivers including fvevol.sys must be encrypted by correct FVEK.
• Registry must be encrypted by correct FVEK.
• Kernel and Hal must be encrypted by correct FVEK.
• Phase 1 components must be encrypted by FVEK, as fvevol.sys (encrypted by FVEK) will only decrypt using the same FVEK.
• Phase 2 components must also be encrypted by FVEK etc.

The last point is particularly important, and is only true if the data on the volume is entirely encrypted - i.e. a volume where encryption was paused half way through is not secure. The black box OS described earlier will therefore meet these requirements; whereas the red box OS will not.

Conclusion

As only the OS that was encrypted by a given VMK/FVEK combination can access the VMK, multi-boot is not only secure, but very much a central part of the BitLocker design and threat analysis.

Jamie Hunter 

Recently the BitLocker Penetration team was asked some questions about the security of the recovery password. Even if you use BitLocker every day, you may never have seen the recovery password entry screen – it is displayed by the Boot Manager in the situation where the key it needs to unlock your BitLocker protected volume is not available for some reason. A simple way to see this screen in TPM & PIN mode is to forget your PIN - you will be asked to enter a 48-digit recovery password. This password allows you to boot into Vista and set a new PIN.

Figure 1 - Please enter 48 digits!

To help ensure that the password is entered correctly, we have you type it in in eight blocks of 6 digits. If you make a typing error while entering any block, we let you know that an error is present, and allow correction before continuing. Why do we do this? Well, manually entering 128 bits of a cryptographic key via the keyboard is not particularly easy. Users making a small error entering the key would simply be told 'incorrect key' and would have to re-enter the whole key. One of the enterprise scenarios we picture is a helpdesk technician reading a recovery key over the phone to a remote user - re-reading long keys increases support costs as well as user frustration!

The question we are being asked is 'doesn't this verification stage weaken the security?'. The answer is, as you'd hopefully expect, no - and here's why:

When we create the recovery password, we start with a random 128-bit key, which we split it into eight groups of 16 bits. Each group contains 16 bits of entropy, and can be written as a value between 0 and (2^16 - 1). We take this value and multiply it by 11. The range of values this now describes is from 0 to 11 x (2^16 - 1) (0 thru 720885). Notice that only 1 in 11 of the output are now 'valid' values. We pad with zeros, and write this as a six-digit value. This value still contains the original 16 bits of entropy, but now distributed over a larger range. We repeat the process for the other seven blocks, producing a 48 digit password.

When a user is entering the key, we accept it 6 digits at a time, and then check to see if the number they just entered is exactly divisible by 11. If it is then we know it might form part of the key - if it doesn't then we know for sure it isn't a valid block. This guards against swapped digits, mis-entered numbers, etc, and we can safely report the entry error to the user.

But does this check reduce the amount of work an attacker would have to do to brute force the underlying key? Consider that when we check a group of digits we aren't saying that they are the 'correct' group for that location in the key - merely that they could be a correct group, as they are divisible by 11. To verify this, try swapping two groups when entering your key - the individual groups will validate correctly, but the overall key will still be rejected. The work that an attacker has to do to brute-force the key is equivalent to the situation without the group-check.

Here's a small toy example, where we start with an 8-bit key (01101101). We will split it into two blocks of 4 bits:

0110 1101 =  06  13 (decimal)

we now multiply by 11:

          =  66 143

Which gives us a recovery key of 6 digits [066-143]

Mistyping these blocks as 067, 606, 134, 413 etc. will result in an error - but we can't verify the whole key until we have both blocks. How much work would an attacker have to do to brute-force this key? Each block has potentially 1000 values - but the attacker knows that only those divisible by 11 can be valid keys - thus the exhaust work space is reduced to 90 values. More so, the attacker knows that all values above 165 are not valid keys (because there is no way that 4-bit value x 11 would be greater than 165), so there are only actually 16 valid values per block (0, 11, thru 165); with two blocks, this gives a key space of 16 x 16 = 256 keys to try, which is, unsurprisingly, 2^8 - or the same as the key space we began with. If the example is expanded to the full key of 48 digits the same facts about the key space hold, and the amount of work required for the attacker is not diminished.

 - Jon (Penetration Test Engineer)

BitLocker Drive Encryption offers users a number of different modes to protect the key used in encrypting/decrypting data. One of these modes requires a PIN be entered at boot time, which is used as authorization data to the TPM, and allows the key to be unsealed. As a penetration tester on BitLocker, I’ve been examining the strength of this PIN.

BitLocker processes the PIN before localized keyboard support is available, and as a result, only the Function keys (F0-F9) may be used. Naturally, this limits the entropy of the key, so brute force attacks become a concern. Fortunately, the TPM authorization data mechanism is designed to be resistant to dictionary attacks. The details vary from vendor to vendor, but if we make some basic assumptions, we can begin to calculate how strong our PIN needs to be, given this TPM protection. For argument’s sake, let’s suppose that the dictionary attack mitigation mechanism makes guessing 5000 PINs take one year (an average of ~1.8 hours per guess), and call this an acceptable level of security.

Since we have ten keys available to us, the number of possible PINs of length n is equal to 10ⁿ, and the average time to guess a length n PIN is 10ⁿ / 2. So we can get our desired security level with a 4-digit PIN: 10⁴ / 2 = 5000. For the sake of comparison, suppose we instead used a password composed of alpha-numeric characters plus standard keyboard symbols (of which there are about 32, by my count), but did not have anti-hammering protection. Assuming even a modest average time-per-guess of one millisecond, in order to get the same level of security, we would need close to 6 characters. Plus, the TPM protects us against offline pre-computed dictionary attacks, because there is no way to access the hash of the correct PIN.

An interesting challenge arises out of the fact that only the Function keys are used in the PIN: due to the infrequent use of these keys for other purposes, an adversary might be able to perform a wear analysis to determine which keys are used in the PIN. If finger oil or corrosion on the F3, F4, F7, and F9 keys is noticeably greater than on the others, a clever adversary would just try the 4! = 24 possible orderings of these keys. So, how can you help protect yourself against this attack?

The question is: if an adversary knows which keys you used in your PIN, how many guesses will it take them to find the PIN itself? The following table helps answer this question. Here, the columns show a length-n PIN, and the rows correspond to a PIN using exactly k distinct keys:

So, in order to raise the expected number of required guesses to the previously described level, even against an attacker who can successfully analyze key wear, the PIN must contain at least 7 digits with at least 4 different keys. An important note is that the maximum in each column is not the bottom entry: it actually strengthens the PIN (against this particular attack) to have a repeated character or two. Thus, when choosing your PIN, you may want to consider intentionally having multiple occurrences of the same key(s).

Bear in mind that the wear analysis attack is still hypothetical. The BitLocker penetration testing team hasn’t tried to do this, so any guess of what’s possible is merely speculation. Nevertheless, for those looking to go the extra step to protect their data, it never hurts to consider all the attacks, even the unproven ones. If you’re concerned about wear analysis attacks, you may want to look into other mitigations (beyond smart PIN choice), such as wear-resistant keyboards, regular cleaning, or increasing use of the Function keys during normal operation.

With some smart use and a good TPM anti-hammering mechanism, your PIN can provide a major additional layer of security, without need for carrying an external key.

- Kevin Litwack (Penetration Test Engineer)

Two weeks ago BBC News published an article speculating about a possible “back door” in BitLocker (http://news.bbc.co.uk/1/hi/uk_politics/4713018.stm). The suggestion is that we are working with governments to create a back door so that they can always access BitLocker-encrypted data.

Over my dead body.

Well, maybe not literally---I’m not ready to be a martyr quite yet---but certainly not in any product I work on. And I’m not alone in that sentiment. The official line from high up is that we do not create back doors. And in the unlikely situation that we are forced to by law we’ll either announce it publicly or withdraw the entire feature. Back doors are simply not acceptable. Besides, they wouldn’t find anybody on this team willing to implement and test the back door.

We are of course talking to various governments; we want them to buy Vista and use BitLocker for their own security. We get the typical questions you always get: ease of use, performance, security, etc. We also get questions from law enforcement organizations. They foresee that they will want to read BitLocker-encrypted data, and they want to be prepared. Like any security technology BitLocker has its avenues of attack and law enforcement should know about them. For example, if they search a house and find a computer, they should also take all USB thumb drives, as these might contain a BitLocker key. This information is not secret; our users need to have the same information when they make the security vs. convenience tradeoff of choosing a key-protection option (TPM only, USB key, TPM + USB key, etc.) We plan on having a KB article with the details when Vista ships.

 - Niels Ferguson (developer & cryptographer)