Bitlocker Drive Encryption in Windows Vista
A very common threat to the security of Windows based systems has been the offline attack. Attacks carried out in order to steal the data from a system while the system is offline, or in the shutdown state, are termed offline attacks.
The most likely victims of offline attacks are stolen laptops and physically insecure systems. If a laptop running the Windows XP operating system, protected with a good password, is stolen, an offline attack can be performed on it in any of the following ways –
1. By detaching the hard disk from the system and attaching it as a slave disk to another system on whose primary disk the attacker already has administrative access
2. By installing a fresh copy of another operating system in the free space on the existing hard disk, gaining administrative control of the new operating system (on drive d:), and thereby gaining administrative access to drive c:, on which the original operating system and its data reside.
3. By booting the system with a Linux or other bootable disks (floppies or CDs) and running tools in order to change the administrative password on c: partition.
Notice that in every one of the above scenarios, the attacker needs to change the boot configuration of the hard disk on which the operating system with the data resides.
To combat all of the above common threats to information security, Microsoft has introduced a new security feature in the upcoming Windows Vista operating system. This feature is basically a hardware-provided feature that is enabled through the operating system.
The Trusted Computing Group (TCG) (https://www.trustedcomputinggroup.org) now ships various certified laptops with a hardware chip installed on the motherboard, known as the TPM (Trusted Platform Module). Systems with a TPM version 1.2 provide the ability to store keys, passwords and even cryptographic keys in the form of certificates on the installed TPM chip.
In a Windows Vista system, the administrator has the ability to turn on ‘Bitlocker Drive Encryption’ from the Security section in the Control Panel.
Bitlocker Drive Encryption consists of two parts –
1. Secure Startup –
a. Is used to protect the boot configuration of the system volume from any changes.
b. When turned on, the process generates two types of keys –
i. Startup Key – This key is created after encrypting the existing boot configuration of the system volume. It is created and stored on the TPM chip on the motherboard, and is used to match the key generated by checking the boot configuration every time the system starts up. If the boot configuration remains unchanged, the key generated at every start matches the key stored inside the TPM, the system starts without any prompts, and the process is transparent to the user.
ii. Recovery Key – This key is generated for the administrator to store at another location, which may be a USB flash disk, a network drive or the Active Directory profile of the user. This key is used when the boot configuration of the system volume is accidentally changed after enabling Secure Startup. When the system starts up and generates the key for the new boot configuration, it will not match the key stored in the TPM chip, as the boot configuration was changed. In this case, the system enters ‘Recovery Mode’, where it prompts the user for a recovery key. If the user is an authorized one (and has not stolen this laptop), he will have the recovery key that was provided to him at the time of enabling Secure Startup. This is a long numerical key that can be entered on the system using the F1–F10 keys (representing 1–0 respectively) at this time, or can be supplied from the USB disk on which the recovery key was stored.
2. Full Volume Encryption – This feature ensures that if the attacker tries to mount this system volume from a Linux operating system, tries to access the system drive by making it a slave volume of another system, or boots another operating system volume in a dual-boot system, he is not able to extract the data from this volume. Once Full Volume Encryption is enabled on the Windows Vista volume, it renders the volume incapable of being mounted through any other OS volume. Even in the case of a dual-boot system with Windows XP installed on drive c: and Windows Vista (with FVE enabled) on drive d:, where the attacker gains admin access to the Windows XP installation on drive c:, he will not be able to gain any access to the data on drive d:. This happens because as soon as the attacker double-clicks drive d: to browse it, he only gets a message box saying that the “drive is inaccessible. Do you want to format it now?” So the only option left to him is to format and reuse the drive, which preserves the confidentiality of the data inside the Windows Vista system.
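The Secure Startup flow above (startup key checked against the boot configuration at every boot, recovery key used only when the configuration has changed) can be modelled in a few dozen lines. The following is an added example written for this article, not code from Microsoft or from BitLocker: it uses a TPM 1.2 style SHA-1 PCR extend chain as the "boot configuration check", a toy HMAC-based sealing in place of real TPM sealing, and constructed boot-component and key values.

```python
import hashlib
import hmac

def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM 1.2 PCR extend: new = SHA-1(old || SHA-1(component))."""
    return hashlib.sha1(pcr + hashlib.sha1(component).digest()).digest()

def measure_boot(components) -> bytes:
    """Chain each boot component (MBR, boot sector, boot manager, BCD ...) into one PCR."""
    pcr = b"\x00" * 20  # a TPM 1.2 PCR is a 20-byte SHA-1 register, reset to zero at power-on
    for component in components:
        pcr = extend(pcr, component)
    return pcr

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def seal(vmk: bytes, pcr: bytes, secret: bytes) -> dict:
    """Toy sealing: the key unwraps only under the same PCR value and secret; a tag detects mismatch."""
    wrap = hmac.new(secret, b"seal" + pcr, hashlib.sha256).digest()
    tag = hmac.new(secret, b"tag" + pcr + vmk, hashlib.sha256).digest()
    return {"ct": _xor(vmk, wrap), "tag": tag}

def unseal(sealed: dict, pcr: bytes, secret: bytes):
    wrap = hmac.new(secret, b"seal" + pcr, hashlib.sha256).digest()
    vmk = _xor(sealed["ct"], wrap)
    tag = hmac.new(secret, b"tag" + pcr + vmk, hashlib.sha256).digest()
    return vmk if hmac.compare_digest(tag, sealed["tag"]) else None  # None: PCR value or secret differs

def recovery_wrap(recovery_key: str) -> bytes:
    return hashlib.sha256(("recovery:" + recovery_key).encode()).digest()  # secret derived from the numeric key

def startup(components, sealed, tpm_secret, recovery_blob, entered_key=None):
    """Boot decision: transparent unseal, else recovery mode that needs the recovery key, else locked."""
    vmk = unseal(sealed, measure_boot(components), tpm_secret)
    if vmk is not None:
        return "transparent", vmk
    if entered_key is not None:
        vmk = unseal(recovery_blob, b"recovery", recovery_wrap(entered_key))
        if vmk is not None:
            return "recovery", vmk
    return "locked", None

# Constructed sample values (not real firmware images, keys or TPM secrets).
TPM_SECRET = b"tpm-internal-secret-that-never-leaves-the-chip"
VMK = hashlib.sha256(b"constructed volume master key").digest()
RECOVERY_KEY = "123456-789012-345678-901234-567890-123456-789012-345678"
BOOT = [b"MBR v1", b"boot sector v1", b"bootmgr v1", b"BCD store v1"]
SEALED = seal(VMK, measure_boot(BOOT), TPM_SECRET)           # stored by Secure Startup
RECOVERY_BLOB = seal(VMK, b"recovery", recovery_wrap(RECOVERY_KEY))  # stored beside it
```

With the original BOOT list `startup` returns `("transparent", VMK)`; after any component changes (for example `[b"MBR v2"] + BOOT[1:]`, as an attacker altering the boot configuration would cause) it returns `("locked", None)`, and `("recovery", VMK)` only when the correct recovery key is entered.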