Serdar Yegulalp
Senior Writer


reviews
Aug 7, 2007

Microsoft's boot-drive encryption works best with specialized hardware and requires some effort to set up and run. After all that, does it work?


When Microsoft announced that Windows Vista was going to be available in multiple editions, curiosity turned toward the higher-end versions of Vista targeted at corporate environments (Vista Enterprise) and enthusiasts (Vista Ultimate). Among the features in these high-end editions is BitLocker Drive Encryption, which Microsoft included to address “the theft or unwanted disclosure of data made available through physical loss of computer devices.”

Say what?

In plain language, BitLocker is full-volume encryption for the computer's boot drive: the entire Windows volume is encrypted (in Vista, with 128-bit AES plus Microsoft's Elephant diffuser by default), making the system and data on it unreadable to unauthorized users, such as someone who has just made off with your laptop at the airport. Without the key that unlocks the volume at start-up (supplied by a secure module on the PC itself, a USB flash drive, a manually entered PIN, or some combination of these) everything on a BitLocker-encrypted drive is indistinguishable from random data.

In the face of any number of news stories about government agencies and businesses losing notebooks and the data on them, Microsoft has stumped hard to convince users that BitLocker is the best means of preventing data loss through theft or espionage. A lost BitLocker-protected computer, Microsoft argues, can be safely written off without concern that the data on it could be compromised; and, as we are all well aware, the cost of a lost notebook is minor compared with the cost of losing the data on it.

But how realistic are Microsoft’s declarations about BitLocker? What the company promises that BitLocker can do doesn’t always match up with how BitLocker faces the challenges of the real world. Or, to put it another way, like many other encryption products, BitLocker is only as capable as the hands it’s in.

Getting the Goods

Organizations considering BitLocker for their notebook PCs can find themselves confronting some cost issues from the word go.

BitLocker is included only in the Enterprise and Ultimate SKUs of Vista — the two most expensive editions of Vista on the market. Also, Vista requires 512MB of RAM minimum (and most experts recommend 1GB or higher), which means companies might find themselves having to add RAM to existing machines or spend their money on a new fleet of notebooks.

Finally, to get the most out of BitLocker, Microsoft recommends using it on a computer equipped with a Trusted Platform Module (TPM), a microchip embedded in a PC’s motherboard that stores passwords, keys and digital certificates. (See the following section for more information about TPM.)

BitLocker in Action

BitLocker needs a separate, unencrypted system partition of about 1.5GB ahead of the Windows volume; it holds the boot manager and the code that unlocks the encrypted volume at start-up. When Vista was first released, users had to create this partition by hand before installing Vista, but after a number of complaints Microsoft revised the BitLocker setup process so that the partition can be created on an existing system.

One of the Vista Ultimate Extras (also available for the Enterprise Edition) is labeled “BitLocker and EFS enhancements,” which contains the BitLocker Drive Preparation tool. This program automates the setup process and encrypts an existing drive for BitLocker while the system is running. (It’s still always best to have BitLocker set up on a system before it has been personalized for a given user so there is no chance of unencrypted data being stored on it at any time.)

There are three possible ways to implement BitLocker on a given system, each with its own benefits and drawbacks:

On a computer with TPM hardware, version 1.2: The TPM seals BitLocker's volume key to measurements of the boot components taken at every start-up. If the unencrypted boot loader or any other measured component is altered, the measurements no longer match, the TPM refuses to release the key, and the system drops into BitLocker recovery instead of booting; the drive stays unreadable unless the recovery password or recovery key is supplied.

TPM, however, is not something that can be added to a PC after the fact — it’s something that has to be included in its design from the ground up. It’s difficult to determine exactly how much TPM adds to the cost of a notebook, because TPM hardware is typically offered as part of a bundle of features in “business-class” machines. But at this point, the cost premium doesn’t appear to be a lot.

Dell, for example, typically includes TPM as a feature in its business-class notebooks, which cost about $250 more than their consumer-class counterparts but appear to make up the cost with a different mix of hardware. Consequently, an exact comparison can be somewhat difficult to figure. For instance, I priced out a business-class Dell Latitude D630 (which features TPM) at $849. A consumer-class Dell Inspiron 1420 (with no TPM, but with the same CPU, hard drive and so forth) came to $899 — with 1GB of RAM and a 160GB SATA drive added “free.” In short, whatever affects most of the cost differences between systems, it’s not likely to be TPM. (A Dell spokeswoman maintains that the cost of including TPM hardware on a given system is effectively zero because it doesn’t add anything in a way that has to be offset by raising the retail price.)

On a system without TPM hardware that boots from an external USB drive: In this scenario, the system’s boot key is stored on an external drive. The system boots from that drive first, which then supplies the decryption key that allows the rest of the system to boot.

However, this plan will not work on a system that does not support booting from a USB device, and by no means do all business-class machines support that capability. The USB boot device itself also can be stolen — and leaving the USB drive plugged in while the system is running (as many people are wont to do) is on the order of unlocking the front door of your house and leaving the key in the lock.

For this reason, using the USB drive method is probably not suitable for corporate deployments, although it’s a useful way to allow an individual to use BitLocker.

On a system without TPM, no additional hardware required: You can have users type BitLocker's 48-digit recovery password (BitLocker calls it a numerical password) at boot time, though they will find the process cumbersome and slow. The 48-digit value is generated by BitLocker, cannot be chosen by the user and is practically impossible to memorize, so most people will write it down, which is another security breach waiting to happen. In light of all this, it's clear that adding BitLocker to an existing system, with the risk of a lost USB drive or the inconvenience of a 48-digit code at every boot, is inferior to using a TPM-equipped system from the outset. Running BitLocker transparently over TPM is the best option but also the most costly to implement, since in many instances it entails buying a new computer.

Whatever method you choose, when setting up BitLocker policies for your organization, be sure to enable backup of BitLocker recovery information to Active Directory through Group Policy. When a computer is BitLocker-enabled, its 48-digit recovery password (and optionally the key package) is then stored on the computer's object in AD, where an administrator can retrieve it. This way, if the key material is lost but the data itself is not (for instance, if the USB startup key goes missing) the volume can be recovered rather than written off as scorched earth.
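The three deployment modes above differ only in which key protectors are attached to the volume, and the AD recovery advice depends on a numerical (recovery password) protector being present. The following audit script, an added example and not code from the original article or from Microsoft, reads that state from BitLocker's WMI provider (the Win32_EncryptableVolume and Win32_Tpm classes and their methods are Microsoft's; the output labels and the namespace variables are this example's own). It assumes an elevated PowerShell 2.0 or later prompt on a BitLocker-capable Windows machine; whether Group Policy actually pushes the recovery password to AD is not something the provider exposes, so that still has to be checked in policy.

```powershell
# Added example: inventory TPM state and the key protectors on every
# BitLocker-capable volume, and flag whether a numerical (recovery password)
# protector exists, since that is what AD recovery backup stores.
$bdeNs = 'root\cimv2\Security\MicrosoftVolumeEncryption'
$tpmNs = 'root\cimv2\Security\MicrosoftTpm'

# Protector type codes as returned by Win32_EncryptableVolume.GetKeyProtectorType
$protectorNames = @{
    0 = 'Unknown'
    1 = 'TPM'
    2 = 'External key (USB startup key)'
    3 = 'Numerical password (48-digit recovery password)'
    4 = 'TPM + PIN'
    5 = 'TPM + startup key'
    6 = 'TPM + PIN + startup key'
    7 = 'Public key'
    8 = 'Passphrase'
}

function Get-TpmState {
    # Win32_Tpm is absent when there is no TPM or it is disabled in firmware.
    $tpm = Get-WmiObject -Namespace $tpmNs -Class Win32_Tpm -ErrorAction SilentlyContinue
    if ($null -eq $tpm) { return 'No TPM (or TPM disabled in firmware)' }
    $enabled   = $tpm.IsEnabled().IsEnabled
    $activated = $tpm.IsActivated().IsActivated
    $owned     = $tpm.IsOwned().IsOwned
    return "TPM present; enabled=$enabled activated=$activated owned=$owned"
}

function Get-BitLockerReport {
    $vols = Get-WmiObject -Namespace $bdeNs -Class Win32_EncryptableVolume
    foreach ($v in $vols) {
        # GetProtectionStatus: 0 = unprotected, 1 = protected, 2 = unknown
        $status = $v.GetProtectionStatus().ProtectionStatus
        # GetKeyProtectors(0) returns IDs of protectors of every type
        $ids   = $v.GetKeyProtectors(0).VolumeKeyProtectorID
        $types = @()
        foreach ($id in $ids) {
            $t = $v.GetKeyProtectorType($id).KeyProtectorType
            $types += $protectorNames[[int]$t]   # hashtable keys are Int32
        }
        New-Object PSObject -Property @{
            Drive               = $v.DriveLetter
            Protection          = @('Off', 'On', 'Unknown')[$status]
            Protectors          = ($types -join '; ')
            HasRecoveryPassword = ($types -contains $protectorNames[3])
        }
    }
}

Get-TpmState
Get-BitLockerReport | Format-Table Drive, Protection, HasRecoveryPassword, Protectors -AutoSize
```

A volume whose only protector is "External key" is the USB-only deployment described above; one with "TPM" alone is the transparent mode; and any volume showing HasRecoveryPassword as False has nothing for the AD backup to store, so losing its startup key really does mean losing the data.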

Scope of Protection

So, how well does BitLocker succeed in its stated goal of functioning as a “seamless, secure and easily manageable data protection solution for the enterprise”? It all hinges on the scope of the protection it provides.

On the plus side, BitLocker thoroughly encrypts something that has traditionally not been encryptable in Windows without the aid of third-party software: the operating system itself. An encrypted drive will remain unreadable even if mounted in another computer. This is crucially important with notebook computers, since it’s trivially easy for an attacker to gain physical access to a system and remove the hard drive.

However, BitLocker doesn’t by default encrypt anything other than the boot drive. It is possible to encrypt drives other than the boot drive with BitLocker, but this is not something that can be done automatically through BitLocker’s configuration GUI (at least not yet). Microsoft does not yet support encrypting data volumes with BitLocker either.

That said, Microsoft is reported to be providing support for this feature on a case-by-case basis with specific customers, according to Gartner analysts Jeffrey Wheatman and Neil MacDonald. However, the pair don’t expect official support from Microsoft for this kind of feature until late in 2007 or the first quarter of 2008. (A Microsoft spokesman said the company has “no information to share at this time.”)

For the time being, Microsoft recommends that companies encrypt data volumes using its Encrypting File System. EFS, which has been in existence since Windows 2000 was rolled out, is a way to perform file-by-file encryption on NTFS volumes in Windows.

EFS encrypts data only at the file level, not the volume level, so file names, sizes, timestamps and directory structure stay in the clear, and it's possible to make educated guesses about what might be in an EFS-encrypted file from its name or from other items on the same disk. (One way around this is to place sensitive information in .zip files or other archives that are then EFS-encrypted, making sure, of course, that the name of the archive itself isn't some kind of giveaway.)

Likewise, BitLocker doesn’t encrypt removable drives by default. But again, it’s possible to do this manually, using a process that’s much the same as encrypting a non-boot drive.

That said, in order to unlock an encrypted removable or data drive for use, you need to supply a key: either the 48-digit recovery password or an external key file, much as you would when recovering any other BitLocker volume. It's easy enough to write a script that handles this job and store it on the main BitLocker volume, but there's no guarantee that the main BitLocker drive can't be compromised in ways that have nothing to do with BitLocker's own security (e.g., if a user walks away from the machine while it's still logged in), and at that point the script hands over the data drive as well.
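The unlock step itself looks like this. This is an added example and not code from the original article or from Microsoft; the WMI class and the UnlockWithNumericalPassword and GetLockStatus methods are the BitLocker provider's, while the drive letter, the function names and the format pre-check are this example's own. It goes a little beyond the text in checking the recovery password's structure (eight groups of six digits, each divisible by 11 and below 720896) so a typo is rejected before the unlock call. It assumes an elevated PowerShell prompt and deliberately prompts for the password rather than embedding it, which is the caveat above: a script on the OS volume that carries the password in clear protects the data drive only as long as the OS volume is not itself exposed.

```powershell
# Added example: unlock a BitLocker-protected data or removable volume with
# its 48-digit recovery password, validating the format first.
$bdeNs = 'root\cimv2\Security\MicrosoftVolumeEncryption'

function Test-RecoveryPasswordFormat {
    param([string]$Password)
    # Recovery passwords are eight groups of six digits; each group is a
    # multiple of 11 below 720896 (that is, a 16-bit value times 11).
    $groups = $Password -split '-'
    if ($groups.Count -ne 8) { return $false }
    foreach ($g in $groups) {
        if ($g -notmatch '^\d{6}$') { return $false }
        $n = [int]$g
        if (($n % 11) -ne 0 -or $n -ge 720896) { return $false }
    }
    return $true
}

function Unlock-DataVolume {
    param([string]$DriveLetter, [string]$RecoveryPassword)
    if (-not (Test-RecoveryPasswordFormat $RecoveryPassword)) {
        throw 'Recovery password is malformed; not attempting unlock.'
    }
    $vol = Get-WmiObject -Namespace $bdeNs -Class Win32_EncryptableVolume `
             -Filter "DriveLetter='$DriveLetter'"
    if ($null -eq $vol) { throw "No BitLocker-capable volume at $DriveLetter" }
    # GetLockStatus: 0 = unlocked, 1 = locked
    if ($vol.GetLockStatus().LockStatus -eq 0) {
        return "$DriveLetter is already unlocked"
    }
    $rc = $vol.UnlockWithNumericalPassword($RecoveryPassword).ReturnValue
    if ($rc -ne 0) {
        throw ('Unlock of {0} failed, HRESULT 0x{1:X8}' -f $DriveLetter, $rc)
    }
    return "$DriveLetter unlocked"
}

# Placeholder drive letter; the password is read interactively so it never
# sits on the (possibly unattended) OS volume in clear text.
$pw = Read-Host 'Recovery password for E:'
Unlock-DataVolume -DriveLetter 'E:' -RecoveryPassword $pw
```

If the prompt is replaced by a password stored in a file on the boot volume, the protection of the data drive collapses to the protection of that file, which is exactly the scenario the paragraph above warns about.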

As before, it is possible to use EFS to encrypt files on removable drives or other partitions, but again, this comes with the risk of someone being able to read file names and make educated guesses about their contents.

If you want to encrypt multiple volumes in a BitLocker-protected system, you need to do one of three things: manually encrypt all the volumes (which is possible but officially unsupported); consolidate all the data to be protected on the boot volume (typically an inconvenience); or use a third-party encryption tool, either alone or in conjunction with BitLocker, that does encrypt data drives. One such product, TrueCrypt, is free and open-source and also works across operating system platforms.

Back Doors and other Vulnerabilities

So you’ve properly BitLocker-secured your machine. Could it still have exploitable vulnerabilities that remain undisclosed? Let’s ask a few more questions:

1. Has Microsoft provided any back doors into BitLocker-encrypted volumes? When the feature was announced, there was no small amount of speculation that Microsoft had made a back door of some kind available in BitLocker that would allow the encryption on a drive to be reversed.

Microsoft is unambiguous in denying this rumor. Niels Ferguson, one of the key Microsoft engineers who developed BitLocker, made the company’s position clear in his blog: “Over my dead body. … The official line from high up is that we do not create back doors.” Ferguson went on to insist that if any such thing existed, Microsoft would be required by law — not just U.S. law, but the laws of every country in which it does business — to mention it or to withdraw BitLocker entirely.

Gartner’s MacDonald likewise dismisses the specter of a BitLocker back door. “Microsoft’s entire source-code base is available for limited public review, primarily to governments and universities,” he points out, “and there are many governments in the world, including U.S. allies, that want to ensure that BitLocker has no such back door.”

If such a thing did exist, it stands to reason that news of it would surface very quickly.

2. Can criminals exploit known weaknesses in the way Windows — or BitLocker itself — works? At the Black Hat conference in Amsterdam in March, security experts from India demonstrated that it was possible to subvert Vista’s boot process to introduce a rootkit that could run whether or not BitLocker was present. Once a system is subverted in this fashion, it becomes much easier for attackers to do anything they choose, from stealing data to trashing the system.

This particular crack was not so much a subversion of BitLocker, but a way to insert unsigned code into the Vista x64 kernel regardless of whether BitLocker was securing the boot volume in question, as security researcher Joanna Rutkowska explains it.

So it is possible to engineer an end run around BitLocker without touching its encryption at all, although there is no evidence that anyone has built a proof-of-concept that targets a BitLocker-protected system (yet). Two things make such an attack harder to pull off: it requires direct access to the machine (it can't really be deployed remotely), and on a TPM-protected system a tampered boot path changes the measurements the TPM checks before releasing the key, so BitLocker would drop into recovery rather than unlock the volume for the subverted boot code.

We can also include in this category any other as-yet-undisclosed attacks against Vista itself that could in theory be used to subvert BitLocker, either directly or indirectly, since BitLocker is not designed to secure the Vista kernel per se.

3. Are there any server-level vulnerabilities that could leave BitLocker-protected systems vulnerable? As Gartner’s MacDonald points out, even if you follow proper procedure and back up BitLocker keys into Active Directory, you need to also make sure the AD repository itself (e.g., Windows Server 2003) is properly secured, lest an attacker break into that and steal the keys.

Conclusions

Encryption is difficult to implement properly, no matter what the product, and Microsoft deserves kudos for making it possible to do this in such a tightly integrated way in Windows Vista.

There’s no question that when properly implemented and deployed, BitLocker can add a considerable layer of security to a computer. Just be aware that this security comes at a cost — including the price of an edition of Windows Vista that supports BitLocker, the proper hardware to fully implement it, and, most important, the effort on the part of both IT and the end user to ensure that it has all been implemented correctly.

Serdar Yegulalp writes about Windows and related technologies for a number of publications, including his own Windows Insight blog.

The End User Is the Weakest Link

The single biggest weakness in BitLocker is the biggest weakness of any encryption system: the end user.

A user password is no good if the computer in question is never locked, and BitLocker affords no protection if someone simply sits down at a system where the user is already logged in and everything is decrypted.

Consequently, whenever BitLocker is implemented on a given system, it has to be accompanied with a proper system setup and good user habits. The former is a technical solution; the latter may be a lot harder to implement without creating a training or education program of some kind.

Here’s a short list of steps to make BitLocker as effective as possible:
  • Any BitLocker-enabled system should be set to automatically lock after only a very short period of inactivity. This reduces the possibility that a user might walk away or turn his back on his system, allowing someone to intercept data while the user is still logged in and active.
  • A BitLocker-enabled notebook should reliably suspend, hibernate or at least lock whenever the lid is closed or the power button is pressed. This way, the only way to get back into the system is either to supply the user’s password or to reboot (which in turn will require the hardware key, the PIN or both).
  • Administrators should enforce strong and regularly rotated user passwords throughout the enterprise. This is not simply for the sake of protecting the end user, but also for protecting the AD repository.
  • Give users hands-on education in how to handle BitLocker-protected hardware, and take the time to explain why the system needs to lock automatically. The more users understand, the more likely they are to comply — or at least that’s the hope.
