Microsoft BitLocker

Introduction

Microsoft's built-in BitLocker Drive Encryption is a feature of Windows Vista (Enterprise and Ultimate editions) and Windows Server 2008. BitLocker's user interface applet in the Windows control panel lets users encrypt their operating system volume if the drive is properly configured. Initially, the operating system volume was the only volume that could easily be encrypted through the control panel applet; Service Pack 1 adds support for encrypting additional volumes through the user interface (before Service Pack 1, other volumes could be encrypted from the command line interface).


Modes of Operation

BitLocker is primarily intended to be used with a hardware enhancement called a Trusted Platform Module (TPM). The TPM provides key storage and boot integrity in a tamper-resistant microchip on the motherboard. With a TPM, users can use BitLocker in one of three modes (a fourth is available with Vista SP1):

1. Transparent operation. No key or PIN is required if no component of the boot sequence has been tampered with. The TPM measures selected (and configurable) elements of the boot sequence (including the CRTM, BIOS, MBR, and other components) into platform configuration registers (PCRs) to determine whether something has been tampered with. If not, the boot sequence proceeds normally.

Pros: easy to use from the user's perspective; easy to manage from the IT perspective (no PIN or USB stick for users to keep track of = fewer headaches for IT staff). Cons: not as secure (for example, a hacker could use an online attack against the operating system post-boot).

2. TPM + PIN. Same as above, but requires a PIN; the TPM does not release the key unless the correct PIN is entered. Pre-boot components are validated as described above.

3. TPM + USB key. Same as above, but the user authenticates to BitLocker with a USB flash memory stick. The TPM supplies part of the key and the USB key provides the other portion.

4. TPM + PIN and USB key (requires Vista SP1). Same as above, but the user must also enter a PIN.

Without a TPM, BitLocker can still be used for encryption via a USB key that must be present on startup. Note that only with a TPM will the user have the added benefit of integrity checking at boot-time.


Encryption

By default, BitLocker's sector-based encryption uses AES-128 with the Microsoft-created Elephant diffuser. The purpose of the diffuser is to make certain offline attacks more difficult by completely randomizing the decrypted text in an entire block if a single byte of the ciphertext is altered (by an attacker, for example).

An administrator can change the encryption that BitLocker applies to volumes if those volumes have not already been encrypted. The options are:

1. AES-128 + diffuser (the default)
2. AES-128
3. AES-256 + diffuser
4. AES-256
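
To see what the diffuser buys, the following Go program is an added example written for this page; it is not Microsoft's code and does not implement the real Elephant diffuser. It encrypts one 512-byte sector with AES-128-CBC, with and without a toy diffuser of the same general shape as Elephant's (each 32-bit word is XORed with two earlier words, one of them rotated, over a few passes), alters a single ciphertext byte, decrypts, and counts how much of the recovered plaintext changed. The rotation constants, cycle count, per-sector IV derivation (the encrypted sector number), key and sector contents are all made-up assumptions for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
	"math/bits"
)

// Toy diffuser parameters, made up for this example (not Microsoft's Elephant constants).
var rot = [4]int{3, 8, 13, 19}
const diffuserCycles = 3

// cbc runs AES-CBC over one whole sector, no padding. The IV is the encrypted sector
// number: a simplification assumed here, not BitLocker's own per-sector derivation.
func cbc(key []byte, sector uint64, in []byte, decrypt bool) []byte {
	blk, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	iv := make([]byte, aes.BlockSize)
	binary.LittleEndian.PutUint64(iv, sector)
	blk.Encrypt(iv, iv)
	mode := cipher.NewCBCEncrypter(blk, iv)
	if decrypt {
		mode = cipher.NewCBCDecrypter(blk, iv)
	}
	out := make([]byte, len(in))
	mode.CryptBlocks(out, in)
	return out
}

// diffuse mixes the sector in place, viewed as little-endian 32-bit words. Word i
// absorbs words i-2 and i-5, which this pass has already updated, so a change in
// one word spreads to every later word and wraps around to the earlier ones.
// reverse=true runs the same XOR steps in the opposite order: the exact inverse.
func diffuse(b []byte, reverse bool) {
	n := len(b) / 4
	word := func(i int) uint32 { return binary.LittleEndian.Uint32(b[4*((i+n)%n):]) }
	start, step := 0, 1
	if reverse {
		start, step = n-1, -1
	}
	for c := 0; c < diffuserCycles; c++ {
		for k := 0; k < n; k++ {
			i := start + k*step
			binary.LittleEndian.PutUint32(b[4*i:], word(i)^word(i-2)^bits.RotateLeft32(word(i-5), rot[i%4]))
		}
	}
}

// EncryptSector: plaintext -> inverse diffuser (optional) -> AES-CBC.
func EncryptSector(key []byte, sector uint64, pt []byte, withDiffuser bool) []byte {
	buf := append([]byte(nil), pt...)
	if withDiffuser {
		diffuse(buf, true)
	}
	return cbc(key, sector, buf, false)
}

// DecryptSector: AES-CBC -> diffuser (optional) -> plaintext.
func DecryptSector(key []byte, sector uint64, ct []byte, withDiffuser bool) []byte {
	pt := cbc(key, sector, ct, true)
	if withDiffuser {
		diffuse(pt, false)
	}
	return pt
}

// TamperEffect encrypts a constructed 512-byte demo sector (byte ramp, fixed key),
// alters one ciphertext byte, decrypts, and reports how many 16-byte blocks and
// how many bytes of the recovered plaintext differ from the original.
func TamperEffect(withDiffuser bool, byteIndex int) (blocksChanged, bytesChanged int) {
	key := bytes.Repeat([]byte{0x42}, 16)
	pt := make([]byte, 512)
	for i := range pt {
		pt[i] = byte(i)
	}
	ct := EncryptSector(key, 7, pt, withDiffuser)
	ct[byteIndex] ^= 0x01
	got := DecryptSector(key, 7, ct, withDiffuser)
	for i := range got {
		if got[i] != pt[i] {
			bytesChanged++
		}
		if i%aes.BlockSize == aes.BlockSize-1 && !bytes.Equal(got[i-15:i+1], pt[i-15:i+1]) {
			blocksChanged++ // compared once per block, at its last byte
		}
	}
	return blocksChanged, bytesChanged
}

func main() {
	for _, d := range []bool{false, true} {
		b, n := TamperEffect(d, 100)
		fmt.Printf("diffuser=%-5v one altered ciphertext byte -> %2d/32 blocks, %3d/512 bytes changed\n", d, b, n)
	}
}
```

With plain CBC the altered byte affects only two of the 32 blocks of the sector: the block it sits in decrypts to random bytes and one byte of the following block changes. With the diffuser every block of the sector comes out randomized, which is the property described above. Note that the diffuser is not authentication: it turns a targeted change into random damage rather than detecting it, which is why it makes offline attacks harder rather than preventing them.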
