7 June 2015

MICROSOFT GIVES DETAILS ABOUT ITS CONTROVERSIAL DISK ENCRYPTION


https://firstlook.org/theintercept/2015/06/04/microsoft-disk-encryption/ 

Recently, I wrote a guide explaining how to encrypt your laptop’s hard drive and why you should do so. For the benefit of Windows users, I gave instructions for turning on BitLocker, Microsoft’s disk encryption technology.

This advice generated an immediate backlash in the comments section underneath the post, where readers correctly pointed out that BitLocker has been criticized by security experts for a number of real and potential shortcomings. For example, BitLocker’s source code is not available for inspection, which makes it particularly vulnerable to “backdoors,” security holes intentionally placed to provide access to the government or others. In addition, BitLocker’s host operating system, Microsoft Windows, provides an algorithm for generating random numbers, including encryption keys, that is known to have been backdoored by government spies, and which the company’s own engineers flagged as potentially compromised nearly eight years ago. BitLocker also lost a key component for hardening its encryption, known as the “Elephant diffuser,” in the latest major version of Windows. And Microsoft has reportedly worked hand-in-glove with the government to provide early access to bugs in Windows and to customer data in its Skype and Outlook.com products.

Even having known about these issues, I still believed BitLocker was the best of several bad options for Windows users; I’ll explain my reasoning on this later.

But in the meantime, something interesting has happened: Microsoft, after considerable prodding, provided me with answers to some longstanding questions about BitLocker’s security. The company told me which random number generator BitLocker uses to generate encryption keys, alleviating concerns about a government backdoor in that subsystem; it explained why it removed the Elephant diffuser, citing worries over performance and compatibility that will appease some, but certainly not all, concerned parties; and it said that the government-compromised algorithm it bundles with Windows to generate encryption keys is, by default, not used at all.

Significant questions remain about BitLocker, to be sure, and because the source code for it is not available, those questions will likely remain unanswered. As prominent cryptographer Bruce Schneier has written, “In the cryptography world, we consider open source necessary for good security; we have for decades.” Despite all of this, BitLocker still might be the best option for Windows users who want to encrypt their disks.

Today I’m going to dive deep into the concerns about BitLocker and into Microsoft’s new responses. I’m also going to explain why more open alternatives like TrueCrypt don’t resolve these concerns, and take a brief look at proprietary products like BestCrypt, which Schneier recommends.

This is going to be a fairly technical post. But it’s important to explore the current state of BitLocker because Windows remains the most popular operating system for personal computers and because interest in BitLocker has only grown in the wake of documents from NSA whistleblower Edward Snowden showing widespread U.S. government surveillance. At the same time, fears about BitLocker have also been stoked by the Snowden cache, which exposed a carefully orchestrated and apparently successful attempt by the National Security Agency to compromise international encryption-related standards, including one that’s part of Windows to this day.

Why people worry about BitLocker

If you can trust Microsoft, BitLocker has always been awesome. For example, Microsoft is well ahead of competitors like Apple in making BitLocker verify that an attacker hasn’t modified the software used to boot the computer. Without such protection, hackers can rewrite the boot-up code, impersonate the operating system, and trick people into unlocking the disk so malware can be installed, a technique known as an “evil maid” attack. Mac OS X and Linux’s disk encryption systems are entirely vulnerable to this attack, but Windows, when running BitLocker, is not.

Of course, a great many people, particularly in information security circles, do not trust Microsoft; these people worry that BitLocker’s advanced technology is meant to distract people from the company’s cozy relationship with the government, and that any data “secured” using BitLocker could be handed over to spy agencies or law enforcement.

Here are three more specific concerns those people have about BitLocker — concerns I have shared. With each, I’ve included Microsoft’s response. It should be noted that the company was not initially forthcoming with this information; a spokesperson responded to a set of questions based on these worries by saying the company had no comment. To Microsoft’s credit, the company later reversed this position.

They fear BitLocker’s encryption keys are compromised by default. They’re not.

Encryption relies on random numbers. For example, when you enable BitLocker for the first time, you need to create an encryption key, which is just a random number within a specific range. You can think of a 128-bit key, the kind used by BitLocker by default, as a random number between 0 and 2^128 (it would take 39 digits to write out that full number). The security of a 128-bit encryption key comes from the fact that there are just too many possible numbers in that range for an attacker to ever try them all.

When BitLocker generates a key, it asks your computer for a random number within that range. But where does this number come from? This is an enormous problem in the fields of cryptography and computer science because computers are, by their very nature, deterministic, not random: programs act the exact same way every time you run them because they’re executing the exact same set of instructions. But getting real random numbers is critically important. If an attacker can predict which random number your computer chooses, then that attacker can break the encryption that relied on that number. So when you ask your computer for a random number, it uses a cryptographically secure pseudorandom number generator (CSPRNG, or just PRNG) to generate one for you.

One such PRNG is not actually cryptographically secure and is almost certainly compromised by the NSA: Dual_EC_DRBG, or Dual Elliptic Curve Deterministic Random Bit Generator, an algorithm blessed by the National Institute of Standards and Technology in 2006 — and it’s built into Windows. If an encryption key for a system like BitLocker is generated by a compromised PRNG, the owner of the backdoor could figure out the key through sheer repetitive guessing, a so-called “brute force” attack, in a much shorter amount of time: minutes, hours or days rather than the billions of years required to figure out a key generated by a secure PRNG.

In 2007, Niels Ferguson, a Microsoft cryptographer who worked on BitLocker, along with Dan Shumow, another Microsoft engineer, gave a presentation pointing out that Dual_EC_DRBG might have a backdoor. In 2013, the New York Times, Pro Publica, and The Guardian, drawing on documents provided by Snowden, reported that the algorithm did indeed contain an NSA backdoor. In the documents, the NSA wrote about the “challenge and finesse” involved in pushing a system it had engineered onto standards groups and bragged that it became “the sole editor” of the standard that eventually emerged.

Microsoft told me that while the backdoored algorithm is included with Windows, it is not used by BitLocker, nor is it used by other parts of the Windows operating system by default. According to Microsoft, the default PRNG for Windows is an algorithm known as CTR_DRBG, not Dual_EC_DRBG, and when BitLocker generates a new key it uses the Windows default.

“It has never been the default, and it requires an administrator action to turn it on,” a Microsoft spokesperson told me.

So BitLocker keys appear to be generated in an entirely secure way.
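To make concrete what a deterministic random bit generator like CTR_DRBG actually does, and where the unpredictability of a key comes from, here is an added Go example. It is my own illustrative code, not Microsoft’s or Windows’ implementation: a minimal AES-128 CTR_DRBG that follows the structure of NIST SP 800-90A (no derivation function, no reseeding logic), seeded with 32 bytes from the operating system via crypto/rand, and used to draw a 128-bit key in the range the post describes. The type and function names are mine, and the all-zero seed in main is a constructed value used only to show that the generator itself is deterministic.

```go
package main

import (
	"crypto/aes"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
)

// CTRDRBG is an illustrative AES-128 CTR_DRBG (NIST SP 800-90A, no derivation
// function). Added example; not the Windows implementation.
type CTRDRBG struct {
	key           [16]byte // AES-128 key
	v             [16]byte // 128-bit counter block
	reseedCounter uint64   // kept for completeness; reseeding is omitted here
}

const seedLen = 32 // keylen (16) + blocklen (16) for AES-128

// incV increments V as a 128-bit big-endian integer, modulo 2^128.
func (d *CTRDRBG) incV() {
	for i := len(d.v) - 1; i >= 0; i-- {
		d.v[i]++
		if d.v[i] != 0 {
			break
		}
	}
}

// update is CTR_DRBG_Update: derive a fresh (Key, V) from the current state
// XORed with providedData, which must be exactly seedLen bytes.
func (d *CTRDRBG) update(providedData []byte) {
	block, _ := aes.NewCipher(d.key[:]) // a 16-byte key is always valid
	temp := make([]byte, 0, seedLen)
	for len(temp) < seedLen {
		d.incV()
		out := make([]byte, 16)
		block.Encrypt(out, d.v[:])
		temp = append(temp, out...)
	}
	for i := range temp {
		temp[i] ^= providedData[i]
	}
	copy(d.key[:], temp[:16])
	copy(d.v[:], temp[16:32])
}

// NewCTRDRBG instantiates the generator from seedLen bytes of entropy input.
func NewCTRDRBG(entropy []byte) (*CTRDRBG, error) {
	if len(entropy) != seedLen {
		return nil, errors.New("entropy input must be exactly 32 bytes")
	}
	d := &CTRDRBG{} // Key = 0^128, V = 0^128, as the spec prescribes
	d.update(entropy)
	d.reseedCounter = 1
	return d, nil
}

// Generate returns n pseudorandom bytes, then updates the state so earlier
// output cannot be recovered from later state (backtracking resistance).
func (d *CTRDRBG) Generate(n int) []byte {
	block, _ := aes.NewCipher(d.key[:])
	out := make([]byte, 0, n+16)
	for len(out) < n {
		d.incV()
		buf := make([]byte, 16)
		block.Encrypt(buf, d.v[:])
		out = append(out, buf...)
	}
	d.update(make([]byte, seedLen)) // no additional input: all-zero block
	d.reseedCounter++
	return out[:n]
}

// NewKey128 draws 32 bytes of entropy from the OS, instantiates the DRBG and
// returns a 128-bit key as an integer in [0, 2^128).
func NewKey128() (*big.Int, error) {
	entropy := make([]byte, seedLen)
	if _, err := rand.Read(entropy); err != nil {
		return nil, err
	}
	d, err := NewCTRDRBG(entropy)
	if err != nil {
		return nil, err
	}
	return new(big.Int).SetBytes(d.Generate(16)), nil
}

func main() {
	k, err := NewKey128()
	if err != nil {
		panic(err)
	}
	fmt.Printf("128-bit key: %032x (%d decimal digits)\n", k, len(k.String()))
	// Same seed, same output: the algorithm is deterministic; only the
	// secrecy of the entropy input makes the key unpredictable.
	seed := make([]byte, seedLen) // constructed all-zero seed, demo only
	a, _ := NewCTRDRBG(seed)
	b, _ := NewCTRDRBG(seed)
	fmt.Println("same seed gives same output:",
		hex.EncodeToString(a.Generate(16)) == hex.EncodeToString(b.Generate(16)))
}
```

The design point this makes: the generator is a fixed function of its seed, so the key is exactly as unpredictable as the 32 bytes fed in at instantiation and the block cipher that stretches them. A generator whose internal relationship between state and output is known to a third party, which is what the Dual_EC_DRBG concern amounts to, leaks the key no matter how good the entropy was.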

They fear the Elephant diffuser was removed to make BitLocker weak. Microsoft says it’s because Elephant is slow. BitLocker remains weakened.

While Microsoft has now reassured users that the random numbers used to secure BitLocker are secure, it is still worrisome that the company removed an important security component from BitLocker’s architecture.

When BitLocker was first rolled out in late 2006 and early 2007 as a feature of Windows Vista, it used a well-known cipher, or encoding engine, called AES-CBC, along with something called the Elephant diffuser. Ferguson published a paper explaining that without the diffuser, AES-CBC is “not suitable” because “it should be relatively easy to mount an attack.”

The Elephant diffuser plays an important role in protecting an encrypted disk against modification by an attacker. Allow me to explain: An encrypted disk is full of scrambled bits (zeroes and ones), but once the disk is unlocked, those bits get unscrambled to make up meaningful files, including the programs that constitute Windows. Without the Elephant diffuser, an attacker with physical access to the encrypted disk and with knowledge of exactly where on the disk target files are located could modify specific scrambled bits, which will in turn modify the targeted files in an exact way when the disk is later unlocked. For example, they could modify one of the programs that runs while Windows is booting up to be malicious, so that the next time the user unlocks the disk and boots Windows, malware automatically gets installed. The Elephant diffuser prevents this attack from working. With the diffuser, an attacker can still modify scrambled bits, but doing so will prevent them from having fine-grained control over exactly what changes they make when the disk is unlocked. Rather than being able to make specific programs malicious, they are more likely to scramble large chunks of programs and simply cause the computer to crash instead of getting hacked.
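The property described above, that a change to the scrambled bits of a CBC-encrypted sector lands in the unscrambled data with fine-grained precision, and that a diffuser turns the same change into wholesale scrambling, can be shown in a few dozen lines. The following is an added Go example of mine, not BitLocker’s code: it encrypts a 512-byte sector with AES-CBC from Go’s standard library, inverts one ciphertext bit, and decrypts. Without a diffuser, the block after the edited one comes back with exactly that one bit changed and everything else intact. With a diffusion layer applied before encryption and undone after decryption, the same edit corrupts the whole sector. The diffuser here is a simple two-pass XOR/rotate mixer I wrote for the demonstration; it is not the Elephant diffuser and has none of its analysed properties. The key, IV and sector contents are constructed values, and fixed keys like these are for the demo only.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
	"math/bits"
)

const sectorSize = 512 // bytes: 32 AES blocks, 128 32-bit words

// Constructed demo key and IV (16 bytes each); never hard-code real ones.
var demoKey = []byte("0123456789abcdef")
var demoIV = []byte("fedcba9876543210")

// cbcEncrypt and cbcDecrypt apply plain AES-CBC over one sector.
func cbcEncrypt(key, iv, sector []byte) []byte {
	block, _ := aes.NewCipher(key)
	out := make([]byte, len(sector))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, sector)
	return out
}
func cbcDecrypt(key, iv, sector []byte) []byte {
	block, _ := aes.NewCipher(key)
	out := make([]byte, len(sector))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, sector)
	return out
}

func bytesToWords(b []byte) []uint32 {
	w := make([]uint32, len(b)/4)
	for i := range w {
		w[i] = binary.LittleEndian.Uint32(b[4*i:])
	}
	return w
}
func wordsToBytes(w []uint32) []byte {
	b := make([]byte, 4*len(w))
	for i, v := range w {
		binary.LittleEndian.PutUint32(b[4*i:], v)
	}
	return b
}

// toyUndiffuse is a stand-in inverse diffuser (NOT Elephant): an upward and a
// downward cumulative XOR/rotate pass, so a change in any word reaches every
// word of the sector. It is run on the output of CBC decryption.
func toyUndiffuse(sector []byte) []byte {
	w := bytesToWords(sector)
	n := len(w)
	for i := 1; i < n; i++ { // upward pass
		w[i] ^= bits.RotateLeft32(w[i-1], 7)
	}
	for i := n - 2; i >= 0; i-- { // downward pass
		w[i] ^= bits.RotateLeft32(w[i+1], 13)
	}
	return wordsToBytes(w)
}

// toyDiffuse is the exact inverse of toyUndiffuse, applied before encryption.
func toyDiffuse(sector []byte) []byte {
	w := bytesToWords(sector)
	n := len(w)
	for i := 0; i < n-1; i++ { // undo the downward pass
		w[i] ^= bits.RotateLeft32(w[i+1], 13)
	}
	for i := n - 1; i >= 1; i-- { // undo the upward pass
		w[i] ^= bits.RotateLeft32(w[i-1], 7)
	}
	return wordsToBytes(w)
}

// flipBit returns a copy of c with bit `bit` of 16-byte block `blk` inverted.
func flipBit(c []byte, blk, bit int) []byte {
	t := append([]byte(nil), c...)
	t[blk*16+bit/8] ^= 1 << (bit % 8)
	return t
}

// countDifferingBlocks reports how many 16-byte blocks of a and b differ.
func countDifferingBlocks(a, b []byte) int {
	n := 0
	for i := 0; i < len(a); i += 16 {
		if !bytes.Equal(a[i:i+16], b[i:i+16]) {
			n++
		}
	}
	return n
}

// demoSector is a constructed plaintext sector with a recognisable pattern.
func demoSector() []byte {
	s := make([]byte, sectorSize)
	for i := range s {
		s[i] = byte(i)
	}
	return s
}

// TamperPlainCBC encrypts the sector with AES-CBC only, inverts one ciphertext
// bit in block blk, and decrypts. Block blk+1 carries exactly that bit change.
func TamperPlainCBC(blk, bit int) (original, tampered []byte) {
	original = demoSector()
	c := cbcEncrypt(demoKey, demoIV, original)
	tampered = cbcDecrypt(demoKey, demoIV, flipBit(c, blk, bit))
	return
}

// TamperWithDiffuser does the same, but the sector is diffused before CBC
// encryption and undiffused after decryption.
func TamperWithDiffuser(blk, bit int) (original, tampered []byte) {
	original = demoSector()
	c := cbcEncrypt(demoKey, demoIV, toyDiffuse(original))
	tampered = toyUndiffuse(cbcDecrypt(demoKey, demoIV, flipBit(c, blk, bit)))
	return
}

func main() {
	o, t := TamperPlainCBC(5, 3)
	fmt.Println("plain CBC: blocks changed =", countDifferingBlocks(o, t),
		"; block 6 is original with bit 3 flipped:", bytes.Equal(flipBit(o, 6, 3)[96:112], t[96:112]))
	o, t = TamperWithDiffuser(5, 3)
	fmt.Println("with diffuser: blocks changed =", countDifferingBlocks(o, t))
}
```

In CBC decryption each plaintext block is the decryption of its ciphertext block XORed with the previous ciphertext block, so a bit changed in ciphertext block 5 garbles block 5 and flips the same bit position in block 6, leaving the other 30 blocks untouched; that is the fine-grained control the post describes. The mixing layer is what removes that control: after it, the two damaged blocks bleed into every word of the sector, and the result is a crashed program rather than a precisely edited one.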

But in October 2014, cryptographer Justin Troutman noticed that the version of BitLocker in Windows 8 silently removed the Elephant diffuser even though it still uses AES-CBC. Microsoft’s technical overview of BitLocker lists the Elephant diffuser as “removed or deprecated,” with no further explanation.
