BitLocker Drive Encryption Olivia Terrell. BitLocker Drive Encryption What it is What it does How...

BitLocker Drive Encryption

Olivia Terrell

BitLocker Drive Encryption

• What it is
• What it does
• How it works
• Just how Secure is BitLocker?
• Advantages/Disadvantages
• Questions and Treats

What BitLocker Drive Encryption is

Every year, about 1—2% of laptops are stolen, along with the valuable information contained within them. BitLocker Drive Encryption is one suggested solution to this growing problem...

What BitLocker Drive Encryption is

• Full Disk Encryption (FDE)
• Can be used with/without a Trusted Platform Chip (TPC)
• Included on Windows Vista, both Ultimate and Enterprise versions, and on Windows Server 2008
• Has AES encryption with a 128-bit key in Cipher Block Chaining (CBC) mode
• Uses an Elephant Diffuser for additional security

Full Disk Encryption

Full Disk Encryption (FDE): either hardware or software that encrypts all data on disk or volume—excluding the 512-byte Master Boot Record (MBR, i.e. “Sector 0”) which contains the primary partition table or instructions to execute the Basic Input/Output of the System (BIOS)

3 Modes of BitLocker

Transparent operation mode: Requires a Trusted Platform Module (TPM) 1.2 hardware chip with built-in encryption key. The key used for the disk encryption is sealed (encrypted) by the TPM chip and will only be released to the OS loader code if the early boot files appear to be unmodified. The pre-OS components of BitLocker achieve this through a Static Root of Trust Measurement (specified by the Trusted Computing Group)

User authentication mode: User provides pre-boot PIN to boot the OS.

USB Key: (No TPM needed) Must use jump drive that contains a startup key to be able to boot the OS. (provided that the BIOS can read a jump drive before running the OS)

• TPM
• TPM + PIN
• TPM + PIN + USB Key
• TPM + USB Key
• USB Key

Trusted Platform Chip

The TPM 1.2 chip utilized by BitLocker

Chip is tamper resistant—but communication channel from/to it isn’t. [1]

Trusted Platform Chip

The TPC is a hardware chip on the Motherboard.

Has several Platform Configuration Registers (PCR) whose current value at any given time can only be attained through the same sequence of operations after power-up.

Trusted Platform Chip: PCRs

PCRs keep track of the code that runs.

The PCRs are initially 0 and are set using a function called extend. Extend sets a PCR to a hash of its old value and a supplied data string.

There is no other way to set a PCR.

Trusted Platform Chip: Sealing/Unsealing

The seal/unseal functions of the Trusted Platform Module (TPM) then allow access to the cryptographic keys based on the PCR values.

Seal is used to encrypt keys into strings that can only be decrypted by that particular TPM

Can only decrypt if PCR has same value as it did at time of the seal.

TPM’s Cryptographic Keys…

The cryptographic encryption key on the TPM is called an Endorsement Key (EK) and is an RSA key created at the time of manufacture of the chip from the Direct Anonymous Attestation protocol (DAA), consisting of a public and private key.

The public key interacts in the creation of the sector key for each 512 byte sector encryption

The private key resides on the chip and is not revealed

What BitLocker is

A Windows Vista security FDE that employs Trusted Computing technologies to either allow operation of the OS, or contact a pre-determined (possibly) third party for further instructions if an error/modification is encountered.

What BitLocker Does

1) Laptop turned on

2) Processor starts BIOS from ROM

3) 1st part of BIOS (which can’t be modified) extends BIOS PCR with entire BIOS code

4) Rest of BIOS continues

5) BIOS reads MBR of the hard disk

6) Extends boot sector PCR with sector’s data

7) Executes code in the boot sector (the boot sequence takes several iterations)

8) PCRs measure what code is running

9) TPM unseals the BitLocker volume encryption key

10) Boot sector switches to BitLocker encryptions at first convenience

11) All data now read from encrypted volume [2]
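The PCR extend rule, the seal/unseal behaviour and the boot sequence from the slides above, tied together in an added Python sketch that is not part of the original presentation. `ToyTPM`, its HMAC-based sealing construction, the single PCR and the stage strings are assumptions made for illustration; a real TPM 1.2 seals with its own storage keys and command set, and only the SHA-1 extend rule is modelled faithfully.

```python
import hashlib
import hmac

PCR_SIZE = 20  # a TPM 1.2 PCR holds one SHA-1 digest

def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()

class ToyTPM:
    """Toy model of one PCR plus seal/unseal; not the real TPM command set."""

    def __init__(self, chip_secret: bytes):
        self._secret = chip_secret   # stands in for keys that never leave the chip
        self.pcr = bytes(PCR_SIZE)   # PCRs start at zero after power-up

    def power_cycle(self) -> None:
        self.pcr = bytes(PCR_SIZE)

    def extend(self, measured: bytes) -> bytes:
        # The only way to change a PCR: hash(old value || digest of the new code).
        self.pcr = sha1(self.pcr + sha1(measured))
        return self.pcr

    def _pad(self, pcr: bytes, n: int) -> bytes:
        # Keystream bound to this chip and to one PCR value (keys up to 32 bytes).
        return hmac.new(self._secret, b"seal" + pcr, hashlib.sha256).digest()[:n]

    def seal(self, key: bytes) -> bytes:
        # Bind the key to this chip and to the PCR value at sealing time.
        ct = bytes(a ^ b for a, b in zip(key, self._pad(self.pcr, len(key))))
        tag = hmac.new(self._secret, self.pcr + ct, hashlib.sha256).digest()
        return self.pcr + ct + tag

    def unseal(self, blob: bytes):
        pcr, ct, tag = blob[:PCR_SIZE], blob[PCR_SIZE:-32], blob[-32:]
        good = hmac.new(self._secret, pcr + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, good):
            return None              # blob came from another chip or was altered
        if not hmac.compare_digest(pcr, self.pcr):
            return None              # boot chain differs from the sealed one
        return bytes(a ^ b for a, b in zip(ct, self._pad(pcr, len(ct))))

def boot_and_unseal(tpm: ToyTPM, stages, blob: bytes):
    """Steps 1-9 of the slide: measure each stage before it runs, then unseal."""
    tpm.power_cycle()
    for code in stages:
        tpm.extend(code)
    return tpm.unseal(blob)

# Constructed sample data (not real firmware or keys).
BIOS, MBR, LOADER = b"bios image v1", b"boot sector v1", b"os loader v1"
VOLUME_KEY = bytes(range(16))        # placeholder 128-bit volume encryption key

tpm = ToyTPM(chip_secret=b"constructed per-chip secret")
for stage in (BIOS, MBR, LOADER):    # provisioning boot with known-good code
    tpm.extend(stage)
SEALED = tpm.seal(VOLUME_KEY)
```

Booting the same three stages in the same order releases the key; a modified boot sector, a reordered chain, or a different chip all leave `unseal` returning `None`.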

What BitLocker Does

BitLocker encrypts the data on the Operating System (OS) which is practically the entire hard disk in most computers.

How BitLocker Works

BitLocker Encryption is done a sector at a time

Each sector is usually 512 bytes, but could be as much as 8192 bytes in the near future

Each sector is encrypted independently of the other sectors

How BitLocker Works

$IV_s := E(K_{AES}; e(s))$

Finding the Sector Key

The sector key derivation is the encryption of both the public endorsement key from the TPM chip along with the encoding function e() found in the AES-CBC layer.

The result is XORed into the plaintext (to make the key the same size as the block)

Why we need an IV?

Encryption of the same plain text with the same key results in the same ciphertext. This is very insecure.

By using an initialization vector (IV) XORed with the plaintext or included in front of the plaintext prior to encryption, we bypass the need for re-keying.

The Initialization Vector for AES-CBC component

$IV_s := E(K_{AES}; e(s))$

The initialization vector of a sector is the encryption of both the AES key and the encoding function that maps each sector into a unique 16-byte number.

$IV_s$ depends on the key and the sector number s—but not on the data

How BitLocker Works

The sector key and AES-CBC components each receive ½ of the 512 byte Endorsement Key, making them 256 bytes. Only 128 bytes are normally used, and the rest is discarded. It's easier to throw away bits you don't need than it is to accommodate for variations in key length.

A sector can be any power of two (from 512—8192 bytes). This is done in the hopes of creating a tweakable block cipher. That is—any alteration to the ciphertext creates randomness in that sector's plaintext. Ideally, if a tweakable block cipher can be attained, then the algorithm changes slightly from one sector encryption to the next, making it almost impossible to use one sector's ciphertext to decrypt another sector.

In short:

If an attacker can detect a non-random change in the plaintext by the alteration of the ciphertext—they can determine the key of that sector and gain access to it.

The Elephant Diffuser: A&B

The A and B diffusers are similar, but work in opposite directions. Each has good diffusion properties in one direction and poor diffusion properties in the other direction.

Thus, two are needed: one diffuser for each direction (i.e., decoding and encoding)

The Elephant Diffuser

The diffusers treat the sector as an array of 32-bit words.

Each word is encoded using the least-significant-byte-first convention.

Let n be the number of words in the sector, and $(d_0, d_1, \ldots, d_{n-1})$ be the words of the sector array.

Decryption function of A diffuser is:

$d_i = d_i + \left(d_{i-2} \oplus \left(d_{i-5} \lll R^{(a)}_{i \bmod 4}\right)\right)$

A Diffuser: Decryption

Decryption function of A diffuser is:

$d_i = d_i + \left(d_{i-2} \oplus \left(d_{i-5} \lll R^{(a)}_{i \bmod 4}\right)\right)$

1. $\lll$ is the rotate-left operator

2. $R^{(a)} = [9, 0, 13, 0]$ specifies the rotation amount

A Diffuser: Encryption

Encryption function of A diffuser is similar, except that we run the for loop from n to 0, instead of 0 to n. As before:

$d_i = d_i + \left(d_{i-2} \oplus \left(d_{i-5} \lll R^{(a)}_{i \bmod 4}\right)\right)$

1. $\lll$ is the rotate-left operator

2. $R^{(a)} = [9, 0, 13, 0]$ specifies the rotation amount

B Diffuser: Decryption

Decryption function of B diffuser is very similar to A, except that $d_{i-2}$ changes into $d_{i+2}$, and $d_{i-5}$ becomes $d_{i+5}$ (because diffusion is in the opposite direction)

$d_i = d_i + \left(d_{i+2} \oplus \left(d_{i+5} \lll R^{(a)}_{i \bmod 4}\right)\right)$

1. $\lll$ is the rotate-left operator

2. $R^{(a)} = [9, 0, 13, 0]$ specifies the rotation amount

For Encryption, all that is needed is the reversal of the for loop
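The A diffuser from the slides above as an added Python example (not code from the presentation or from Microsoft), showing the round trip and the one-directional diffusion the slides describe. The pass count `A_CYCLES = 5` is taken from Ferguson's paper [2] rather than from the slides, the sample sector is constructed, and the reversed loop subtracts the term so that it exactly undoes the forward addition.

```python
import hashlib
import struct

MASK = 0xFFFFFFFF
R_A = [9, 0, 13, 0]   # rotation amounts R(a) from the slide
A_CYCLES = 5          # assumption: number of passes, from Ferguson's paper [2]

def rotl(x: int, r: int) -> int:
    """Rotate a 32-bit word left by r bits."""
    return ((x << r) | (x >> (32 - r))) & MASK

def to_words(sector: bytes):
    # Least-significant-byte-first 32-bit words, as the slide specifies.
    return list(struct.unpack("<%dI" % (len(sector) // 4), sector))

def from_words(words) -> bytes:
    return struct.pack("<%dI" % len(words), *words)

def diffuser_a_decrypt(sector: bytes) -> bytes:
    d = to_words(sector)
    n = len(d)
    for i in range(n * A_CYCLES):                  # loop runs upward
        j = i % n                                  # indices wrap modulo n
        d[j] = (d[j] + (d[(j - 2) % n] ^ rotl(d[(j - 5) % n], R_A[i % 4]))) & MASK
    return from_words(d)

def diffuser_a_encrypt(sector: bytes) -> bytes:
    d = to_words(sector)
    n = len(d)
    for i in reversed(range(n * A_CYCLES)):        # same steps, reversed order
        j = i % n
        d[j] = (d[j] - (d[(j - 2) % n] ^ rotl(d[(j - 5) % n], R_A[i % 4]))) & MASK
    return from_words(d)

def changed_words(x: bytes, y: bytes) -> int:
    return sum(a != b for a, b in zip(to_words(x), to_words(y)))

# Constructed 512-byte sample sector and a copy with one bit flipped in word 0.
SECTOR = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(16))
FLIPPED = bytes([SECTOR[0] ^ 0x01]) + SECTOR[1:]

def diffusion_counts():
    """Words (out of 128) that differ after each direction for a 1-bit change."""
    fwd = changed_words(diffuser_a_decrypt(SECTOR), diffuser_a_decrypt(FLIPPED))
    back = changed_words(diffuser_a_encrypt(SECTOR), diffuser_a_encrypt(FLIPPED))
    return fwd, back

if __name__ == "__main__":
    print("changed words (decrypt direction, encrypt direction):", diffusion_counts())
```

In the decryption direction the flipped bit spreads across nearly the whole sector, while in the encryption direction it can reach at most five further word positions per pass, which is why a second diffuser working the other way is paired with it.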

Why do we need the Elephant Diffuser?

AES-CBC does not protect integrity, hence the need for the diffuser.

The Elephant was released relatively untested. It was suggested that at the very least, the BitLocker could be no more insecure than the AES encoding.

Security of BitLocker

Because the key is stored in physical memory, it is vulnerable to cold boot attacks. The DRAM is literally frozen and the key is then read from it.

Assumptions for cold boot attack:

1) Physical access to the machine

2) Laptop would likely have to be in sleep mode (rather than hibernate mode or powered off)

3) No implementation of the multi-factor pre-boot authentication

“I would posit that the opportunistic laptop thief is somewhat unlikely to carry a separate laptop on which they will have installed tools that allow them to reconstruct cryptographic keys - or for that matter have a can of compressed air handy,” argued Microsoft senior product manager for Windows Vista security Russell Humphries.

Security of BitLocker

Or—if we are running BitLocker in Transparent operation mode (i.e., utilizing the TPM) then we could monitor the communications between the CPU and the TPM via the Low Pin Count bus and either try to guess the encryption key or fool the chip into giving up a part of its internal key.

Advantages/Disadvantages of BitLocker

Advantages:

• Better than Encrypted File System (EFS)
• Encrypts ENTIRE hard drive
• You only know Full Disk Encryption (FDE) is active when it asks for a password at boot up.
• Only 5% performance cost when reading/writing to an encrypted file (excluding virtual memory)

Advantages/Disadvantages of BitLocker

Disadvantages:

• Actual access time may increase by 56% to 86% depending on how much the system utilizes virtual memory (because virtual memory also gets encrypted) and because the operating system is CONSTANTLY writing/reading data to hard disk, regardless of actions of the user.
• User fallibilities (i.e. user writes password on Post-it note and appends it to computer)

Questions?

Glossary of Terms

Full Disk Encryption (FDE): either hardware or software that encrypts all data on disk or volume—excluding the Master Boot Record (i.e. “Sector 0”) which contains the primary partition entries in its partition table.

Encrypted File System (EFS): A feature of the Windows 2000 and XP that allows encryption of particular files.

Glossary of Terms

White Elephant pictorial reference: any valuable object whose value is less than its cost in maintenance.

Hash function: takes a string or message of any length as input and produces a fixed length string as output, sometimes termed a message digest or a digital fingerprint.

Initialization vector (IV): a block of bits that is required to allow a stream or a block cipher to produce a unique stream independent from other streams produced by the same encryption key.

References

[1] Klaus Kursawe, Dries Schellekens, and Bart Preneel, Analyzing trusted platform communication, Katholieke Universiteit Leuven Department Electrical Engineering-ESAT/SCD-COSIC, Kasteelpark Arenberg 10, 3001 Heverlee, Belgium

Available at: http://www.esat.kuleuven.be/cosic/, Accessed: Tuesday, March 18, 2008, 6:13:07 PM

[2] Niels Ferguson, AES+CBC+Elephant diffuser: A Disk Encryption Algorithm for Windows Vista, August 2006

[3] Infineon liefert erste auf Windows Vista abgestimmte Sicherheitslösung bestehend aus Management-Software und TPM für PCs in Unternehmen (picture of TPM chip) http://www.infineon.com/cms/de/corporate/press/news/releases/2007/216326.html

[4] Jan Camenisch, Better Privacy for Trusted Computing Platforms (extended abstract), IBM Research, Zurich Research Laboratory, CH-8803 Ruschlikon, Switzerland (pg 1-3)

References

[5] Preston Gralla. Big Book of Windows Hacks, pgs 400—407

[6] S. Frankel, R. Glenn, S. Kelly, The AES-CBC Cipher Algorithm and Its Use with IPsec, September 2003, available at: http://www.faqs.org/rfcs/rfc3602.html

[7] Marius Oiaga, Technology News Editor, Microsoft Downplays Windows Vista Encryption Cracks, available at: http://news.softpedia.com/news/Microsoft-Downplays-Windows-Vista-Encryption-Cracks-79541.shtml

Additional Resources

• BitLocker user-end Microsoft products page: http://www.microsoft.com/windows/products/windowsvista/features/details/bitlocker.mspx
• Some BitLocker history: http://www.windows-vista-hardware.info/bitlocker-vista-enterprise-ultimate.htm
• Member list of Trusted Computing Group (TCG): https://www.trustedcomputinggroup.org/about/members/
• Basic overview of trusted computing and use of the BitLocker: http://en.wikipedia.org/wiki/Trusted_computing
• Basic description of the BitLocker: http://en.wikipedia.org/wiki/BitLocker_Drive_Encryption
• Steps to breaking a FDE system: http://content.techrepublic.com.com/2346-1009_11-189078.html
• For anyone interested in CBC Stream Cipher in C#: http://madebits.com/articles/aes/index.php