Endpoint Encryption - Is BitLocker Enough?
In Europe the amount of data loss is astounding, and many organizations worldwide are facing the question of endpoint encryption and which product to use to secure their data. With the limited adoption of Vista, BitLocker has become an option for some. Questions arise such as: what are the pitfalls, and can we rely on what already exists? Is BitLocker enough? This article will focus on the strengths and weaknesses of BitLocker and on how seriously organizations need to take encryption.
It is simple enough to take a hard disk out of a computer and slave it into another computer to get access to the files, to put the hard drive in a USB/FireWire cradle and browse the contents, or to boot up with repair tools or alternate operating systems from bootable media in order to recover data. These and many more techniques are known to attackers and data thieves. Mitigation techniques like full disk encryption are necessary to provide the confidentiality that has now become a necessity.
In our lab we tested 32 encryption products and helped formulate reports for well-known analyst companies, together with reports that would form the basis of tender questionnaires focusing specifically on full disk and file and folder encryption. Hundreds of hours of testing and careful evaluation have resulted in a clear winner, or rather a group of top players. The criteria for this evaluation were based on security best practices.
With the release of Windows 7, and with it BitLocker and BitLocker To Go, many questions need to be answered.
Facts about BitLocker
The default encryption cipher is AES 128-bit in CBC mode; AES is stronger in 256-bit mode and this should be the default.
BitLocker can now encrypt entire volumes.
There are three implementations of BitLocker; two require a TPM chip [Trusted Platform Module (version 1.2 or later) and a compatible BIOS].
It is available on the Ultimate and Enterprise editions of Windows 7.
Transparent operation mode: This uses the TPM 1.2 chip to provide a transparent user experience; the user logs onto the Windows operating system as normal without any change to the user experience. The key to unlock the disk encryption is stored encrypted in the TPM chip and is released to the OS loader code if the primary boot files appear to be untouched.
More about transparent operation mode: BitLocker implements this with a Static Root of Trust. Because the key is sent to the OS, it is placed in memory and is thus vulnerable to a cold boot attack: the RAM is frozen with compressed air, unplugged from the BitLocker machine and put into another computer, and a RAM debugging program is run to dump the RAM contents. The contents are then searched for the key, which is dumped to a file and can then be used to decrypt the hard drive. Source code is available on the internet. Although this mode is convenient to the user, it is exposed to a known vulnerability.
User authentication mode: The user must provide credentials to the basic pre-boot environment in order to boot the Windows OS. The user needs to supply a PIN or a credential stored on a USB key.
Without the TPM chip requirement (USB thumb drive mode): A USB device containing the startup key is inserted into the computer to enable it to boot. The BIOS must support reading from the USB drive at pre-boot.
The fact that BitLocker uses the Windows platform as part of its authentication mechanism makes it insecure, as many known vulnerabilities are discovered periodically that require patching and changes to infrastructure. Recently a vulnerability was discovered in Windows Vista and Windows 7 that allows an attacker to connect a computer to a network and infect the target machine with a worm that escalates privilege and allows remote access to the machine. In transparent operation mode this renders BitLocker useless against an attacker with this knowledge. This does assume that the machine has not been patched against this threat, but it is a good argument for vendors that want to sell more robust technologies.
Based on the above, the first-pass conclusion: it seems like BitLocker is the perfect encryption companion for the Windows operating system. It is "free" with some versions of Windows, seamless and integrated, but because of the weaknesses in Windows and the overall exposure potential, it is not the best option when taking drive encryption seriously. In time we are sure that Microsoft will improve this technology.
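The three modes and the cipher default described above can be audited on a fleet. The following script is an added example, not part of the original article; it assumes the BitLocker PowerShell module (Get-BitLockerVolume), which ships with Windows 8 / Server 2012 and later (on Windows 7 the same information comes from manage-bde -status), and that it is run as administrator. It flags the AES-128 default, TPM-only (transparent) operation on the OS volume, and missing recovery passwords.

```powershell
# Added audit example (not from the article). Assumes Get-BitLockerVolume from the
# BitLocker module (Windows 8 / Server 2012 or later) and an elevated session.
function Test-BitLockerPosture {
    foreach ($vol in Get-BitLockerVolume) {
        $findings = @()
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

        if ($vol.ProtectionStatus -ne 'On') {
            $findings += 'Protection is OFF (volume readable when slaved to another machine)'
        }

        # The article's point: AES-128 is the default; AES-256 methods are preferable.
        if ($vol.EncryptionMethod.ToString() -notmatch '256') {
            $findings += "Cipher is $($vol.EncryptionMethod); prefer an AES-256 method"
        }

        if ($vol.VolumeType -eq 'OperatingSystem') {
            # Transparent operation mode = TPM protector with no PIN or startup key,
            # i.e. the key is released to memory at boot with no pre-boot factor.
            $preBoot = 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey', 'ExternalKey'
            $hasPreBootFactor = @($types | Where-Object { $_ -in $preBoot }).Count -gt 0
            if (('Tpm' -in $types) -and -not $hasPreBootFactor) {
                $findings += 'TPM-only (transparent mode): add a PIN or startup key (user authentication mode)'
            }
        }

        # Motherboard, BIOS or TPM changes can lock the volume; a recovery password is the safety net.
        if ('RecoveryPassword' -notin $types) {
            $findings += 'No recovery password protector: back one up before hardware or BIOS changes'
        }

        [pscustomobject]@{
            Volume     = $vol.MountPoint
            Type       = $vol.VolumeType
            Method     = $vol.EncryptionMethod
            Protectors = ($types -join ',')
            Findings   = if ($findings.Count) { $findings -join '; ' } else { 'OK' }
        }
    }
}

Test-BitLockerPosture | Format-Table -AutoSize -Wrap
```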
Things to consider when BitLocker is installed
- Changing the motherboard: remember that if you are using BitLocker in mode 1, the key is stored in the TPM. Make sure you have made a backup, and test it before disposing of the old motherboard.
- Updating the BIOS: this may affect how the TPM functions.
- Partitions: dual booting and boot sequence changes.
- Locking out the TPM chip through too many incorrect key attempts in mode 2.
- A damaged USB thumb drive that contains the key. I do not recommend making too many copies of the key, but ensure you have a copy and keep it safe (for serious security environments this is a weak security practice).
- In-place upgrades are challenging, so make a backup before doing the upgrade.
- Updating the Master Boot Record can be problematic, so make a backup before modifying the MBR.
- On-the-fly partition changes are a challenge, so make a backup of the data.
- Disk imaging is a challenge.
- A hidden BitLocker partition, 1.5 GB in size, is created for the work factor and for booting when BitLocker full disk encryption is enabled.
According to Microsoft's website, only the Ultimate and Enterprise editions of Windows Vista and Windows 7 have BitLocker.
Because BitLocker leverages Windows and the Windows authentication system, in the modes without pre-boot authentication my team did not feel comfortable that BitLocker is a secure solution for environments that need to protect confidential documents. There are websites with attack source code that have been tested in our lab and that prove the vulnerability; this is outside the scope of this article. Additionally, the fact that the keys are so loosely managed, and that they are static and can be printed and effectively copied around on all sorts of insecure media, does not inspire confidence in the security thought process. Two-factor, token-based access control is highly recommended, and I am sure APIs will soon be available for vendors to develop into this space. The fact that administrators have such control over the BitLocker solution also makes me wonder about segregation of duties. Moreover, BitLocker does not support heterogeneous environments like Linux and Macintosh, and these are becoming more prolific. We have customers with 40 000 Macs, and this solution would simply not work for them.
On a positive note, innovations like BitLocker To Go make it a compelling solution for encryption of removable media. This solution does not require full disk encryption or the use of a TPM chip.
BitLocker is a limited product that is in its evolutionary phase. For some organizations it is enough to deter the opportunist. For organizations that take security more seriously, this technology still needs to mature substantially before it can be used with confidence. Microsoft is working hard to make this a reality, and we expect major upgrades and changes to this product in the next 24 months. BitLocker is not free: you pay for it in the Enterprise/Ultimate license, and this was decided during the marketing phase of the product. As with everything integrated into an operating system, most of the functionality is basic; if you want more advanced functionality with additional feature sets and extended support, use a third-party solution.