3. Why do we need encryption?
• Data-wise: over 800,000 devices are lost or stolen at the biggest airports in
the US and Europe every year
• Security-wise: without encryption, the logon protection of every Windows
version can be bypassed with a single command by anyone with physical access to
the disk
• Secure decommissioning
• The format utility (since Windows Vista) deletes the volume metadata and
overwrites those sectors, securely erasing every copy of the BitLocker keys; that
alone makes the volume instantly unreadable (a crypto-erase: the data itself
never has to be wiped)
6. “Master keys”
• Every sector is encrypted with the full-volume encryption key (FVEK)
• The FVEK is never exposed to the user and is never replaced in normal
operation: changing it would mean re-encrypting every sector, which we want to
avoid
• The FVEK is in turn encrypted with the volume master key (VMK)
• The VMK is the key the system works with, because it is easy to replace if it
is compromised: only the FVEK has to be re-wrapped, not the data
• The VMK is protected by one or more protectors
7. Protectors for master keys
• Password protector (no TPM)
• The VMK is protected by a password the user types before boot
• Available for the OS drive since Windows 8 and used especially with Windows
To Go
• USB key (startup key) protector (no TPM)
• The key that unwraps the VMK is stored on a USB stick
8. Protectors for master keys
• TPM protector
• The key that unwraps the VMK is sealed by a TPM, either a discrete chip or a
firmware TPM
• “On computers equipped with a compatible TPM, each time the computer
starts, each of the early startup components—such as the BIOS, the master
boot record (MBR), the boot sector, and the boot manager code—examines
the code about to be run, calculates a hash value, and stores the value in
specific registers in the TPM, called platform configuration registers (PCRs).
Once a value is stored in a PCR, the value cannot be replaced or erased unless
the system is restarted. BitLocker uses the TPM and the values stored in PCRs
to protect the VMK.”
• In brief: if anything in the measured boot environment changes, the TPM will
not release the key and the disk cannot be read without the recovery key
9. Protectors for master keys
• TPM + PIN
• The TPM releases the key only after the user enters a PIN before boot
• Harder to break into, but harder to administer (forgotten PINs, PIN resets)
• Two-factor authentication
• Something you know: mental proof of ownership
• TPM + USB (startup key)
• Part of the key is stored on the USB key and part is sealed by the TPM
• The TPM part is still bound to the boot environment, so any change there
blocks the unlock
• Two-factor authentication
• Something you have: physical proof of ownership
12. Protectors for master keys
• TPM + PIN + USB
• Combines the two previously mentioned
• Network Unlock
• A key needed to unlock the VMK is held by a Network Unlock server on the
corporate wired network
• When connected to that network the machine boots like a TPM-only machine
• When outside that network it falls back to asking for the PIN
• Requires Windows 8 and UEFI firmware on the client, plus a Windows Deployment
Services server with the Network Unlock feature
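The slides above describe the FVEK/VMK hierarchy and the protectors that wrap the VMK. The following PowerShell is an added example, not code from the presentation: it shows the hierarchy as Windows exposes it and swaps a TPM-only protector for TPM + PIN, so that the data stays encrypted under the same FVEK and only the wrapper around the VMK changes. It assumes an elevated PowerShell on Windows 8.1 or later with the BitLocker module, a ready TPM, C: as the OS volume, and Group Policy that permits a startup PIN; the PIN prompt and volume letter are placeholders.

```powershell
# Added example, not code from the original slides. Assumes an elevated
# PowerShell on Windows 8.1+ with the BitLocker module, a ready TPM, C: as
# the OS volume, and a policy that permits a startup PIN. Test before production.
Import-Module BitLocker

function Show-Protectors([string]$MountPoint) {
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    "$($vol.MountPoint): $($vol.VolumeStatus), protection $($vol.ProtectionStatus), method $($vol.EncryptionMethod), $($vol.EncryptionPercentage)% encrypted"
    # Each entry is one protector wrapping the VMK. The FVEK is never listed:
    # it exists only encrypted under the VMK inside the volume metadata.
    $vol.KeyProtector | Format-Table KeyProtectorId, KeyProtectorType -AutoSize
}

$os = 'C:'
if ((Get-BitLockerVolume -MountPoint $os).VolumeStatus -eq 'FullyDecrypted') {
    # First-time encryption: the FVEK is generated here and wrapped by the VMK,
    # which the TPM seals against the measured boot environment (PCRs).
    Enable-BitLocker -MountPoint $os -EncryptionMethod Aes256 -TpmProtector -UsedSpaceOnly -SkipHardwareTest
}
Show-Protectors $os

# Keep a recovery protector around before touching the TPM protector, so a
# mistake here does not lock you out of the machine.
$vol = Get-BitLockerVolume -MountPoint $os
if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
    Add-BitLockerKeyProtector -MountPoint $os -RecoveryPasswordProtector | Out-Null
}

# Re-wrap the VMK with TPM + PIN. No sector is re-encrypted; only the VMK
# protector changes, which is exactly why the FVEK/VMK split exists.
$before = (Get-BitLockerVolume -MountPoint $os).EncryptionPercentage
$pin = Read-Host -AsSecureString -Prompt 'New startup PIN'
Add-BitLockerKeyProtector -MountPoint $os -TpmAndPinProtector -Pin $pin | Out-Null

# A volume carries a single TPM-based protector. If the plain TPM protector is
# still listed after the add, remove it so the PIN is really required at boot.
Get-BitLockerVolume -MountPoint $os |
    Select-Object -ExpandProperty KeyProtector |
    Where-Object KeyProtectorType -eq 'Tpm' |
    ForEach-Object { Remove-BitLockerKeyProtector -MountPoint $os -KeyProtectorId $_.KeyProtectorId | Out-Null }

Show-Protectors $os
$after = (Get-BitLockerVolume -MountPoint $os).EncryptionPercentage
"Encryption percentage before/after the protector swap: $before / $after (unchanged: nothing was re-encrypted)"
```

The same pattern (add the new protector, then remove the old one by KeyProtectorId) is how you move between any of the protector types listed on slides 7 to 12 without touching the encrypted data; a reboot is what proves the new protector actually unlocks the volume.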
13. Recovery keys
• A recovery protector is created as well and secured by its own authenticator
• Either a certificate (data recovery agent) or a 48-digit numerical recovery
password
• Usually escrowed to either Active Directory or MBAM
• Either the whole key package or only the ”secret” needed to open the VMK is
stored
14. Gamechanger!
• Windows 7 vs Windows 8.1
• With Windows 7 the recommendation was to add a second factor, such as a PIN
code, to get a secure BitLocker implementation
• With Windows 8.1 on certified devices (UEFI with Secure Boot, TPM, no exposed
DMA ports) we can build a secure BitLocker deployment without a second factor for
the first time! → One less password for your users and easier centralized
management for you!
• TPM-only is the recommendation for most companies!
20. DMA-attack countermeasures
• Block it with a policy: http://support.microsoft.com/kb/2516445
• Windows 8.1 blocks new DMA devices from being installed before the computer is
unlocked!
• By logo requirements
• InstantGo devices shouldn't have DMA ports
• Microsoft is pushing for Thunderbolt devices to be enabled only after the user
has logged on
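To make the first bullet concrete, here is an added PowerShell example (not part of the slides) that applies the device-installation restrictions from the KB linked above through the local policy registry keys and then lists the DMA-capable controllers the machine already has. The SBP-2 setup-class GUID and the Thunderbolt class code are the identifiers Microsoft's guidance names for this policy; the script assumes an elevated shell and that you check both against the current KB article before deploying it.

```powershell
# Added example, not code from the original slides. Applies the device
# installation restrictions from KB2516445 via the local policy registry keys
# and lists DMA-capable controllers already present. Assumes an elevated
# PowerShell. The GUID and class code are the identifiers Microsoft's guidance
# lists for this policy: verify them against the current KB before deploying.
$base        = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
$sbp2Class   = '{d48179be-ec20-11d1-b6b8-00c04fa372a7}'  # SBP-2 (1394 storage) device setup class
$thunderbolt = 'PCI\CC_0C0A'                              # Thunderbolt controller hardware ID

function Set-DenyList([string]$ListName, [string[]]$Entries) {
    # Group Policy stores each deny list as <ListName>=1 under the Restrictions
    # key plus numbered string values "1", "2", ... in a subkey of the same name.
    # The *Retroactive value also applies the rule to devices already installed.
    New-Item -Path "$base\$ListName" -Force | Out-Null
    Set-ItemProperty -Path $base -Name $ListName -Value 1 -Type DWord
    Set-ItemProperty -Path $base -Name "${ListName}Retroactive" -Value 1 -Type DWord
    for ($i = 0; $i -lt $Entries.Count; $i++) {
        Set-ItemProperty -Path "$base\$ListName" -Name ([string]($i + 1)) -Value $Entries[$i] -Type String
    }
}

Set-DenyList -ListName 'DenyDeviceClasses' -Entries @($sbp2Class)    # blocks the SBP-2 driver
Set-DenyList -ListName 'DenyDeviceIDs'     -Entries @($thunderbolt)  # blocks Thunderbolt controllers

# Verify what was written
Get-ItemProperty -Path $base |
    Select-Object DenyDeviceClasses, DenyDeviceClassesRetroactive, DenyDeviceIDs, DenyDeviceIDsRetroactive

# Inventory: every 1394/Thunderbolt controller is a DMA path into RAM, where the
# VMK and FVEK live while the machine is running or sleeping.
Get-CimInstance Win32_PnPEntity |
    Where-Object { $_.Name -match '1394|Thunderbolt|FireWire' } |
    Select-Object Name, DeviceID, Status
```

In a domain you would set the same two policies ("Prevent installation of devices using drivers that match these device setup classes" and "Prevent installation of devices that match any of these device IDs") in a GPO rather than writing the registry directly; the registry form is useful for a quick check on a single machine.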
22. Cold boot attacks
• Probably the best-known case is the Princeton cold boot attack (Halderman et
al., 2008)
• DRAM keeps its contents for a short while after losing power, then quickly
decays
• The decay can be slowed down by cooling or freezing the chips
24. Removing the frozen memory
• You could, technically, pull the frozen memory modules, move them to another
computer with a memory reader, and read the key out of them
25. Memory removal countermeasures
• Hard to remove if the memory is soldered on board
• The denser the memory gets, the harder it gets to read it
• Again… there are some who require the pre-boot authenticator, which prevents
this, but in reality…
31. Different environments - Different needs
• High-security environments can use BitLocker with a pre-boot/two-factor
authenticator to get a more secure or compliant solution
• Or a combination of protectors
33. Make it even more secure?
• Force a screensaver that prompts for the password on resume
• No username on the logon or lock screen
• Force hibernate instead of sleep, so the keys leave RAM when the machine
powers down
• Lock the device (forcing BitLocker recovery) after too many failed Windows
logons
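The four items above are all local security policy or power settings. The PowerShell below is an added example, not from the slides, that sets them as local policy registry values on one machine; in a domain you would push the same settings through Group Policy. It assumes an elevated PowerShell on Windows 8.1 or later; the timeout and lockout threshold are illustrative values, and the power-setting GUID for "Allow standby states (S1-S3) when sleeping" is taken from the policy documentation and should be verified.

```powershell
# Added example, not code from the original slides. Assumes an elevated
# PowerShell on Windows 8.1+. Timeout and lockout values are illustrative.
$sys  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$desk = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'  # per-user; use a machine GPO in production

# No username on the logon or lock screen
Set-ItemProperty -Path $sys -Name DontDisplayLastUserName -Value 1 -Type DWord
Set-ItemProperty -Path $sys -Name DontDisplayLockedUserId -Value 3 -Type DWord   # 3 = do not display user information

# Screensaver after 10 minutes, password required to resume
New-Item -Path $desk -Force | Out-Null
Set-ItemProperty -Path $desk -Name ScreenSaveActive    -Value '1'   -Type String
Set-ItemProperty -Path $desk -Name ScreenSaverIsSecure -Value '1'   -Type String
Set-ItemProperty -Path $desk -Name ScreenSaveTimeOut   -Value '600' -Type String

# "Interactive logon: Machine account lockout threshold": after this many failed
# logons the device locks and needs the BitLocker recovery key to get back in.
Set-ItemProperty -Path $sys -Name MaxDevicePasswordFailedAttempts -Value 10 -Type DWord

# Hibernate instead of sleep: a hibernated machine holds no keys in RAM, so a
# cold boot or DMA attack on a closed laptop finds nothing to read.
powercfg.exe /hibernate on
# Disable S1-S3 standby so the machine hibernates rather than sleeps. GUID is the
# "Allow standby states (S1-S3) when sleeping" power setting (assumed; verify).
$pwr = 'HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab'
New-Item -Path $pwr -Force | Out-Null
Set-ItemProperty -Path $pwr -Name ACSettingIndex -Value 0 -Type DWord
Set-ItemProperty -Path $pwr -Name DCSettingIndex -Value 0 -Type DWord

# Read back the machine-wide settings to confirm them
Get-ItemProperty -Path $sys | Select-Object DontDisplayLastUserName, DontDisplayLockedUserId, MaxDevicePasswordFailedAttempts
```

The lockout threshold only makes sense together with BitLocker: its whole effect is to force a recovery-key prompt, so test the recovery path before rolling it out.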
35. Recap
• For me, a BitLocker implementation starts when choosing the hardware
• No Thunderbolt, FireWire or PCI Express expansion → USB 3 rules!
• UEFI with Secure Boot
• TPM
• Even better with dense, soldered-on memory
• Force strong passwords or passphrases
• No administrative rights for end users
• 95% are fine with TPM only → Aim for it!
37. Basics of BitLocker recovery
• Save your recovery keys to AD
• http://technet.microsoft.com/en-us/library/jj592683.aspx
• If you are using BitLocker To Go for USB sticks, go for a Data Recovery
Agent (DRA)
• http://technet.microsoft.com/en-us/library/dd875560(v=ws.10).aspx
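Escrowing the numerical recovery password to AD, as the first bullet recommends, can be scripted so that no encrypted volume is left without a backed-up recovery protector. The PowerShell below is an added example and not part of the slides; it assumes a domain-joined machine, an elevated PowerShell with the BitLocker module, and the Group Policy that permits storing BitLocker recovery information in AD DS.

```powershell
# Added example, not code from the original slides. Assumes a domain-joined
# Windows 8.1+ machine, an elevated PowerShell with the BitLocker module, and
# the GPO that allows AD DS backup of BitLocker recovery information.
Import-Module BitLocker

foreach ($vol in Get-BitLockerVolume) {
    if ($vol.VolumeStatus -eq 'FullyDecrypted') { continue }   # nothing to recover

    # Make sure the volume has a 48-digit numerical recovery password at all
    $rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $rp) {
        Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -RecoveryPasswordProtector | Out-Null
        $rp = (Get-BitLockerVolume -MountPoint $vol.MountPoint).KeyProtector |
              Where-Object KeyProtectorType -eq 'RecoveryPassword'
    }

    foreach ($p in $rp) {
        # Backup-BitLockerKeyProtector stores the protector under the computer
        # object in AD DS. It fails if the policy forbids it or AD is unreachable,
        # so report per protector rather than assuming success.
        try {
            Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $p.KeyProtectorId -ErrorAction Stop | Out-Null
            "{0} protector {1}: escrowed to AD" -f $vol.MountPoint, $p.KeyProtectorId
        } catch {
            "{0} protector {1}: escrow FAILED: {2}" -f $vol.MountPoint, $p.KeyProtectorId, $_.Exception.Message
        }
    }
}
```

Run it from a startup script or a scheduled task so that volumes encrypted before the AD backup policy existed, or protectors re-created later, still end up in the directory; the output lines are what you would feed into a compliance report.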
39. How would you break into my devices?
• Let's play: I forgot these at the airport and you found them. This is what we
know:
• Computer models: Surface 2 RT and a Zenbook Prime UX31A
• OS: Windows 8.1
• The computers are on and locked, no user ID visible on the logon/lock screen
• User passwords are more than 16 characters and complex
• BitLocker with TPM-only authentication
• UAC enabled, no admin rights for the logged-on user
• AppLocker enabled
• Firewall on, with IPsec authentication required for inbound connections
• How would you crack it? Bulletproof???