[Infowarrior] - Schneier on Microsoft's BitLocker

Richard Forno rforno at infowarrior.org
Tue May 2 10:07:43 EDT 2006


Schneier on Security

http://www.schneier.com/blog/archives/2006/05/bitlocker.html

May 02, 2006
Microsoft's BitLocker

BitLocker Drive Encryption is a new security feature in Windows Vista,
designed to work with the Trusted Platform Module (TPM). Basically, it
encrypts the C drive with a computer-generated key. In its basic mode, an
attacker can still access the data on the drive by guessing the user's
password, but would not be able to get at the drive by booting the disk up
using another operating system, or removing the drive and attaching it to
another computer.

There are several modes for BitLocker. In the simplest mode, the TPM stores
the key and the whole thing happens completely invisibly. The user does
nothing differently, and notices nothing different.

The BitLocker key can also be stored on a USB drive. Here, the user has to
insert the USB drive into the computer during boot. Then there's a mode that
uses a key stored in the TPM and a key stored on a USB drive. And finally,
there's a mode that uses a key stored in the TPM and a four-digit PIN that
the user types into the computer. This happens early in the boot process,
when there's still ASCII text on the screen.

Note that if you configure BitLocker with a USB key or a PIN, password
guessing doesn't work. BitLocker doesn't even let you get to a password
screen to try.

For most people, basic mode is the best. People will keep their USB key in
their computer bag with their laptop, so it won't add much security. But if
you can force users to attach it to their keychains -- remember that you
only need the key to boot the computer, not to operate the computer -- and
convince them to go through the trouble of sticking it in their computer
every time they boot, then you'll get a higher level of security.

There is a recovery key: optional but strongly encouraged. It is
automatically generated by BitLocker, and it can be sent to some
administrator or printed out and stored in some secure location. There are
ways for an administrator to set group policy settings mandating this key.

There aren't any back doors for the police, though.

You can get BitLocker to work in systems without a TPM, but it's kludgy. You
can only configure it for a USB key. And it only will work on some hardware:
because BitLocker starts running before any device drivers are loaded, the
BIOS must recognize USB drives in order for BitLocker to work.

Encryption particulars: The default data encryption algorithm is AES-128-CBC
with an additional diffuser. The diffuser is designed to protect against
ciphertext-manipulation attacks, and is independently keyed from AES-CBC so
that it cannot damage the security you get from AES-CBC. Administrators can
select the disk encryption algorithm through group policy. Choices are
128-bit AES-CBC plus the diffuser, 256-bit AES-CBC plus the diffuser,
128-bit AES-CBC, and 256-bit AES-CBC. (My advice: stick with the default.)
The key management system uses 256-bit keys wherever possible. The only
place where a 128-bit key limit is hard-coded is the recovery key, which is
48 digits (including checksums). It's shorter because it has to be typed in
manually; typing in 96 digits will piss off a lot of people -- even if it is
only for data recovery.

So, does this destroy dual-boot systems? Not really. If you have Vista
running, then set up a dual boot system, BitLocker will consider this sort
of change to be an attack and refuse to run. But then you can use the
recovery key to boot into Windows, then tell BitLocker to take the current
configuration -- with the dual boot code -- as correct. After that, your
dual boot system will work just fine, or so I've been told. You still won't
be able to share any files on your C drive between operating systems, but
you will be able to share files on any other drive.

The problem is that it's impossible to distinguish between a legitimate dual
boot system and an attacker trying to use another OS -- whether Linux or
another instance of Vista -- to get at the volume.

BitLocker is not a panacea. But it does mitigate a specific but significant
risk: the risk of attackers getting at data on drives directly. It allows
people to throw away or sell old drives without worry. It allows people to
stop worrying about their drives getting lost or stolen. It stops a
particular attack against data.

Right now BitLocker is only in the Ultimate and Enterprise editions of
Vista. It's a feature that is turned off by default. It is also Microsoft's
first TPM application. Presumably it will be enhanced in the future:
allowing the encryption of other drives would be a good next step, for
example.
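
The "48 digits (including checksums)" recovery key and its 128-bit limit, worked through as an added example that is not part of the forwarded post or of Microsoft's code. It assumes the publicly documented recovery-password layout, which the post does not spell out: eight groups of six digits, each group a 16-bit value multiplied by 11. The function names are hypothetical and the sample values are constructed.

```python
import re

GROUPS, DIGITS, CHECK = 8, 6, 11   # 8 groups x 6 digits = 48 digits

def encode_recovery_password(words):
    """Render eight 16-bit values as a 48-digit recovery password."""
    if len(words) != GROUPS or any(not 0 <= w <= 0xFFFF for w in words):
        raise ValueError("need eight values in the range 0..65535")
    return "-".join(f"{w * CHECK:0{DIGITS}d}" for w in words)

def parse_recovery_password(text):
    """Validate a typed recovery password; return its eight 16-bit values.

    Raises ValueError naming the first bad group, so a typo is caught
    when the key is written down or escrowed, not at recovery time.
    """
    groups = re.split(r"[-\s]+", text.strip())
    if len(groups) != GROUPS:
        raise ValueError(f"expected {GROUPS} groups, got {len(groups)}")
    words = []
    for i, g in enumerate(groups, 1):
        if not re.fullmatch(r"[0-9]{6}", g):
            raise ValueError(f"group {i}: not six digits")
        n = int(g)
        if n % CHECK:                      # assumed per-group checksum
            raise ValueError(f"group {i}: checksum failed")
        if n // CHECK > 0xFFFF:            # must fit in 16 bits
            raise ValueError(f"group {i}: value out of range")
        words.append(n // CHECK)
    return words

def key_bits(words):
    """Key material carried by the password: 16 bits per group."""
    return 16 * len(words)

if __name__ == "__main__":
    sample = [1, 65535, 4660, 0, 43981, 100, 2, 3]   # constructed values
    pw = encode_recovery_password(sample)
    print(pw, key_bits(parse_recovery_password(pw)))
```

Because every power of ten is congruent to +1 or -1 modulo 11, any single mistyped digit in a group fails the check, which is what makes 48 digits practical to type by hand.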




