On February 21st, the security world got a cold splash of water on the face. That was the day that Edward Felten published a research paper, and a video was posted, titled Cold Boot Attacks on Disk Encryption. The basic premise is this:
- When a laptop that uses disk encryption is running, even in sleep mode and sometimes even in hibernate mode, the decryption keys are loaded in memory.
- Memory is not truly volatile, in that it can take up to 30 seconds for the memory to lose significant data, and much longer if the memory is chilled.
- It would be possible to boot up a laptop with a small program that can dump the contents of the not-yet-empty memory onto an external drive.
- An attacker can look through the memory dump for the decryption keys, and if those keys are found, they can decrypt the drive of the laptop.
The paper, and the video, take a few swings at BitLocker, even calling it BitUnLocker. Many have responded to this, including Roger Kay, who derided the entire paper in his article Popsicle Hack Tries to Chill Zeal for Hardware Security. Microsoft released an official response, which can be found at TechNet, in which they simply say that BitLocker should be configured using their “best practice guidance in the Data Encryption Toolkit,” which is here. I will be looking at TPM, what the paper was saying, and responding to these responses in this post.
How TPM Works with BitLocker, and what it should do
The Trusted Platform Module (TPM) is a cryptographic module that stores a master key, or Storage Root Key (SRK), for a given computer, usually a laptop. When the laptop is powered up, the TPM checks various components, which can include the MBR and BootLoader of the hard drive, to verify that nothing has changed and then provides the SRK to the system. This can then be used to decrypt the Volume Master Key (VMK) which is stored on an unencrypted partition. Once this VMK is decrypted, it is then used to decrypt the File Volume Encryption Key (FVEK), which is then used to decrypt the data on the encrypted drive.
Do you follow this? It is a bit confusing, so here is a quick run through.
- TPM verifies that the machine has not been changed and then provides the SRK
- SRK is used to decrypt the VMK
- VMK is used to decrypt the FVEK
- FVEK is used to decrypt the data on the drive
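The chain above as a simplified model, added here as an illustration (it is not BitLocker's or the TPM's real interface). `ToyTPM`, `xor_wrap` and the sample boot components are hypothetical, and the XOR pad stands in for the real key-wrapping cipher.

```python
import hashlib, hmac, os

def extend(pcr, component):
    """TPM 1.2-style extend: new PCR = SHA1(old PCR || SHA1(component))."""
    return hashlib.sha1(pcr + hashlib.sha1(component).digest()).digest()

def measure(components):
    pcr = bytes(20)                       # PCRs start at all zeros
    for c in components:
        pcr = extend(pcr, c)
    return pcr

def xor_wrap(key, blob):
    """Stand-in for real key wrapping: XOR with a hash-derived pad (self-inverse)."""
    pad = hashlib.sha256(b"wrap" + key).digest()
    return bytes(a ^ b for a, b in zip(blob, pad))

class ToyTPM:
    """Hypothetical model: holds the SRK and the expected boot measurement."""
    def __init__(self, good_boot):
        self._srk = os.urandom(32)
        self._expected = measure(good_boot)

    def release_srk(self, boot_components):
        if not hmac.compare_digest(measure(boot_components), self._expected):
            raise PermissionError("boot measurements changed, SRK withheld")
        return self._srk

def provision(tpm, good_boot):
    """Create VMK and FVEK; return the wrapped blobs kept on disk, plus the FVEK."""
    vmk, fvek = os.urandom(32), os.urandom(32)
    srk = tpm.release_srk(good_boot)
    return {"vmk": xor_wrap(srk, vmk), "fvek": xor_wrap(vmk, fvek)}, fvek

def boot(tpm, boot_components, disk):
    srk = tpm.release_srk(boot_components)    # 1. TPM checks the machine
    vmk = xor_wrap(srk, disk["vmk"])          # 2. SRK decrypts the VMK
    return xor_wrap(vmk, disk["fvek"])        # 3. VMK decrypts the FVEK, now in RAM

def boot_ok(tpm, boot_components, disk):
    try:
        boot(tpm, boot_components, disk)
        return True
    except PermissionError:
        return False

# Constructed sample boot components (not real MBR or boot loader bytes).
GOOD_BOOT = [b"sample MBR", b"sample boot loader"]
```

An unmodified boot recovers the FVEK with no input at all, while a changed boot loader leaves the SRK locked inside the model TPM.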
The problem here is that this scenario requires no interaction from the user. That means everything from power up to decryption of the data on the drive proceeds automatically, and this loads the decryption keys into memory. Now, there are ways to put barriers into this system. These include either a PIN or a USB key, which is used by the TPM to verify that you are the user before proceeding with the first step. However, this is limited in that it is either a numeric-only PIN or a USB flash drive.
This is a failure because by not using a password or passphrase, the system forces users to remember a series of numbers, which are not as easy to remember as a word or phrase. Numeric PINs often end up being MMDDYY birthdays or anniversaries. This leaves a far smaller set of likely PINs, since MM will be between 00 and 12, DD between 01 and 31, and YY most likely between 40 and 99 or 00 and 08. A USB-based dongle, which is only a USB flash device, is most likely to be left in the USB port, or in the vicinity of the laptop all of the time.
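To put a number on the MMDDYY point, the following added example (not from the original post) counts the 6-digit PINs that read as a real date in the year ranges given above and shows a policy check that refuses them at enrollment. `check_pin` and the sample PINs are hypothetical.

```python
import math
from datetime import date

# Year ranges from the paragraph above: YY 40-99 (1940-1999) and 00-08 (2000-2008).
LIKELY_YEARS = list(range(1940, 2009))

def date_pins(years=LIKELY_YEARS):
    """Every 6-digit string that is a real calendar date written as MMDDYY."""
    pins = set()
    for year in years:
        first, last = date(year, 1, 1).toordinal(), date(year, 12, 31).toordinal()
        for day in range(first, last + 1):
            pins.add(date.fromordinal(day).strftime("%m%d%y"))
    return pins

DATE_PINS = date_pins()

def check_pin(pin):
    """Enrollment-time policy check (hypothetical): refuse PINs that read as a date."""
    if len(pin) != 6 or not (pin.isascii() and pin.isdigit()):
        return "reject: need 6 digits"
    if pin in DATE_PINS:
        return "reject: reads as an MMDDYY date"
    return "ok"

def keyspace_report():
    """Compare the date-shaped PIN space with the full 6-digit space."""
    n_date, n_all = len(DATE_PINS), 10 ** 6
    return {"date_pins": n_date, "share_of_all": n_date / n_all,
            "date_bits": round(math.log2(n_date), 1),
            "all_bits": round(math.log2(n_all), 1)}

if __name__ == "__main__":
    print(keyspace_report())
    for pin in ("072385", "918273", "022901"):  # constructed sample PINs
        print(pin, "->", check_pin(pin))
```

Date-shaped PINs cover about 2.5% of the one million possible 6-digit values, so a user population that picks birthdays gives up roughly five bits of an already small keyspace.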
Roger Kay has problems seeing the forest for all of the damn popsicle sticks on the floor.
Roger Kay’s response was typical of someone who doesn’t understand the problem. First, he tries to move the issue from BitLocker to the Trusted Platform Module (TPM) and then proceeds to say the paper was wrong, even where it was right.
Kay’s first flaw is that the paper did not attack the TPM itself; it showed that drive encryption technologies have serious problems, first with vulnerabilities introduced by user action (leaving the laptop on) and second with how BitLocker uses TPM itself. Kay goes as far as to say that TPM is “unfairly smeared,” while the paper only mentions TPM a few times, and at no point indicates that TPM is causing the problem. Therefore, there is no smearing of TPM in and of itself.
Kay then responds to the statement that BitLocker can “sometimes makes it less secure, allowing an attacker to gain access to the data even if the machine is stolen while it is completely powered off,” by proclaiming that the “sometimes” really means never. He then proclaims that the attack mentioned only works for sleep mode, and not when a laptop is in hibernate mode or is powered off. Following up on this, Kay proclaims that the scenario is someone attaching a USB or Firewire device which would then try to sniff out the encryption keys in memory.
Mostly, Kay tries to belittle the paper with comments such as “popsicle hack,” referring to the memory removal as “taking out memory sticks and popping them in the freezer,” and by proclaiming the paper did a “real disservice to the industry and PC customers.”
The actual attack, for those not willing to even watch the 5 minute video
The attacks work on the fact that a drive’s decryption keys are stored in main memory when the laptop is running. When power is lost to that memory, it will retain the data in it up to 5 seconds with little loss, and nearly 30 seconds with only some loss. When cooled, by using something like canned air, the memory can retain data for much longer, with some keeping data over 10 minutes with little loss.
It is not necessary to remove the memory and put it into another machine for data retrieval, since many laptops are configured to boot from either USB or optical discs. This would allow an attacker to cool the memory, force the machine to power off (holding down the power key or pulling the battery) and then boot from a removable drive, which would then copy memory to an external drive. The boot program would then search the memory dump for the decryption key, and then access the drive using the key. At that time, the contents of the hard drive can simply be copied over to the removable drive, the laptop shut down, and the attacker can leave without the laptop owner being any the wiser.
BitLocker, Best Practices, and Not Secure by Default
The paper’s problem with BitLocker, and not the other 3 encryption systems, was that BitLocker, by default, automatically loads the decryption key into memory without any user intervention. So if a laptop with a BitLocker encrypted drive is stolen, then simply turning on the laptop loads the key into memory, which can then be attacked using the above method. The difference here is, if the first attack fails, the attack can be repeated over and over until it is successful.
Microsoft’s response mentions their published best practice guidelines. I looked at the article it pointed to, and found only a single reference to best practices in:
If some parts of your organization have data on mobile computers that is considered extremely sensitive, consider the best practice of deploying BitLocker with multifactor authentication on those computers. Requiring users to enter a PIN or insert a USB startup key significantly reduces the ease of attack on sensitive data.
This sounds less like a guideline, and more like an “if you really really want to, then do this.” What this says is that you should use either a PIN or a USB-based key to prove to TPM that you are the user of the machine, and that it should go ahead and load the decryption keys into memory. The problem in this is twofold: First, a PIN is extremely weak when compared to a password or passphrase, while a USB key can be left with the laptop. Second, setting BitLocker to use either method is difficult, and is definitely not the default.
I was able to find the information on Microsoft’s site to set up BitLocker to use either PIN or USB key; those instructions are in their step by step guide. Although the guide mentions several scenarios, this seems to be a misnomer, since many of these are steps that have to be done in sequence. To set up PIN or USB key, go to Scenario 3, and about halfway down it switches from BitLocker on a machine without TPM, to BitLocker on a machine with TPM plus a PIN or startup key on USB flash drive.
These steps require administrator access, since you have to modify the Group Policy for the machine to enable Advanced Startup Options. Then you have to force the Group Policy to reload. Finally, you can open BitLocker Drive Encryption and have the option to use a PIN or USB key drive. There are certain caveats you must remember: the PIN and USB key option is one or the other, not either one at boot time. Also, the USB key cannot be duplicated; making a new key disables the old one. So if a USB key becomes lost or corrupted, then the recovery password will need to be used to access the drive, and a new USB key can then be created.
Therefore, to get the “best practices” options for BitLocker, you have to edit the Group Policy for the machine, which may sound simple, but is definitely outside the realm of the regular user, and gets into the sysadmin area. The default setting is the most likely to be used, since most users will not be able to find out about, or actually enable, the advanced settings. Therefore, while best practices are advised, they are not available to the vast majority of users, leaving BitLocker in a Not Secure by Default setting.