Windows Vista's bit locker BitLocker™ beneath the surface - PowerPoint PPT Presentation

Slides: 34
Provided by: paula79
Transcript and Presenter's Notes

1
(No Transcript)
2
Windows Vista's bit locker BitLocker™ beneath the surface
  • Kimmo Bergius
  • Chief Security Advisor
  • Microsoft Oy
  • kimmo.bergius_at_microsoft.com

3
Agenda
  • BitLocker Drive Encryption (BDE) - what is it?
  • BitLocker - requirements and deployment
  • BitLocker - management and recovery
  • More information and Q&A

4
  • A large multi-national company, who wishes to
    remain anonymous, loses an average of one
    corporate laptop per business day in the taxicabs
    of just one US city

5
Information Leakage Is Top-Of-Mind With Business Decision Makers
[Bar chart, axis 0-70. Categories: Virus infection; Unintended forwarding of emails; Loss of mobile devices; Password compromise; Email piracy; Loss of digital assets, restored]
After virus infections, businesses report unintended forwarding of e-mails and loss of mobile devices more frequently than they do any other security breach. Jupiter Research Report, 2004
6
Information Protection Threats
Internal threats are just as prevalent as
external threats
Intentional
Accidental
Targeted
  • Careless forwarding of documents and Emails
  • Machine disposal or repurposing without data wipe
  • Data lost in transit
  • Confidential data copied via USB and other mobile
    devices
  • Untrusted network administrator accesses
    unauthorized data
  • Offline attack on lost/stolen laptop
  • Forwarding of internal-only Email and documents
    to external parties
  • Branch office server containing directory or
    database
  • CxO or government official laptop or mobile
    device
  • Thief plugs external storage device into machine
    to copy data

7
Information Protection Scenarios
8
BitLocker Design Goals
  • BitLocker Drive Encryption gives you improved
    data protection on your Windows Vista and Windows
    Server codenamed "Longhorn" systems
  • Notebooks: Often stolen, easily lost in transit
  • Desktops: Often stolen, difficult to safely
    decommission
  • Servers: High value targets, often kept in
    insecure locations
  • All three can contain very sensitive IP and
    customer data
  • Designed to provide a transparent user experience
    that requires little to no interaction on a
    protected system
  • Prevents thieves from using another OS or
    software hacking tool to break OS file and system
    protections
  • Prevents offline viewing of user data and OS
    files
  • Provides enhanced data protection and boot
    validation through use of a Trusted Platform
    Module (TPM) v1.2

9
BitLocker Design Solution
  • Need a solution which
  • Sits underneath Windows
  • Has keys available at boot
  • Cannot require user login in order to run
  • Secures System Data
  • Secures User Data
  • Secures Registry
  • Works seamlessly with platform (e.g., Code
    Integrity)
  • Secures root secrets
  • Protects against offline attacks
  • Is super-easy to use
  • Solution
  • Encrypt (nearly) the entire disk
  • Protect the encryption key by sealing with a
    Trusted Platform Module (TPM) to the authorized
    loader
  • Plus other options
  • Authorized loaders boot the OS properly

10
BitLocker Features Overview
  • BitLocker Drive Encryption (BDE)
  • Prevents bypass of Windows boot process
  • TPM Base Services (TBS)
  • Windows and third party SW access to TPM
  • Pre-OS multi-factor authentication
  • Dongle, BIOS, and TPM-backed SW Identity
  • Force Recovery
  • Sys-admin ONLY tool to securely speed-up PC
    re-deployment
  • Single Microsoft TPM driver
  • Improved stability and security
  • Scenarios
  • Lost or stolen laptop
  • Branch-office Server

11
What Does BitLocker Protect You From?
  • Levels of protection
  • Security isn't absolute
  • BDE scales
  • From default: everyone should just do it
  • Non-targeted laptop
  • to super paranoid: good enough for the NSA
  • Targeted laptop
  • BDE protects against offline SW attacks
  • BDE protects against HW attacks
  • How protected depends on how you set it up
  • Higher security HW will be available
  • E.g., FIPS rated TPMs
  • Configuration options
  • Level of protection depends on setup choices
  • Dongle only (TPM-less): incremental protection,
    but risk of Pre-OS attacks and dongle loss
  • TPM only: improved protection, maximum ease of
    use
  • Add a PIN: addresses significant HW attacks;
    user has to remember and enter PIN at boot
  • Add a Dongle: addresses all HW attacks; user has
    to keep track of dongle and insert at boot
  • Configuration can be mixed within an enterprise

12
BitLocker and TPM Features
  • BitLocker Drive Encryption
  • Encrypts entire volume
  • Uses Trusted Platform Module (TPM) v1.2 to
    validate pre-OS components
  • Customizable protection and authentication
    methods
  • Pre-OS Protection
  • USB startup key, PIN, and TPM-backed
    authentication
  • Single Microsoft TPM Driver
  • Improved stability and security
  • TPM Base Services (TBS)
  • Enables third party applications
  • Active Directory Backup
  • Automated key backup to AD server
  • Group Policy support
  • Scriptable Interfaces
  • TPM management
  • BitLocker management
  • Command-line tool
  • Secure Decommissioning
  • Wipe keys and repurpose

13
What Is A Trusted Platform Module (TPM)?
  • Smartcard-like module on the motherboard that:
  • Performs cryptographic functions
  • RSA, SHA-1, RNG
  • Meets encryption export requirements
  • Can create, store and manage keys
  • Provides a unique Endorsement Key (EK)
  • Provides a unique Storage Root Key (SRK)
  • Performs digital signature operations
  • Holds Platform Measurements (hashes)
  • Anchors chain of trust for keys and credentials
  • Protects itself against attacks

TPM 1.2 spec: www.trustedcomputinggroup.org
14
Why Use A TPM?
  • Trusted Platforms use Roots-of-Trust
  • A TPM is an implementation of a Root-of-Trust
  • A hardware Root-of-Trust has distinct advantages
  • Software can be hacked by Software
  • Difficult to root trust in software that has to
    validate itself
  • Hardware can be made to be robust against attacks
  • Certified to be tamper resistant
  • Hardware and software combined can protect root
    secrets better than software alone
  • A TPM can ensure that keys and secrets are only
    available for use when the environment is
    appropriate
  • Security can be tied to specific hardware and
    software configurations

15
Spectrum Of Protection
BDE offers a spectrum of protection allowing
customers to balance ease-of-use against the
threats they are most concerned with.
16
BitLocker Hardware Requirements
  • Hardware requirements to support BDE
  • Trusted Platform Module (TPM) v1.2
  • Provides platform integrity measurement and
    reporting
  • Requires platform support for TPM Interface (TIS)
  • Firmware (Conventional or EFI BIOS) TCG
    compliant
  • Establishes chain of trust for pre-OS boot
  • Must support TCG specified Static Root Trust
    Measurement (SRTM)
  • Additional functionality enabled by USB dongle
  • Disk must have at least 2 partitions. Partitions
    should be NTFS

17
Disk Layout & Key Storage
  • Windows Partition Contains
  • Encrypted OS
  • Encrypted Page File
  • Encrypted Temp Files
  • Encrypted Data
  • Encrypted Hibernation File
  • Where's the Encryption Key?
  • SRK (Storage Root Key) contained in TPM
  • SRK encrypts VEK (Volume Encryption Key)
    protected by TPM/PIN/Dongle
  • VEK stored (encrypted by SRK) on hard drive in
    Boot Partition

[Diagram: disk layout with numbered callouts 1-3 for SRK, Windows partition and Boot partition]
Boot Partition Contains: MBR, Loader, Boot Utilities (Unencrypted, small)
18
BitLocker Architecture: Static Root of Trust Measurement of early boot components
19
Key Architecture
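
A minimal sketch of the sealing idea behind the Disk Layout and BitLocker Architecture slides, added here as an illustration and not taken from the presentation or from Microsoft's code: early boot components are hashed into a PCR with the TPM 1.2 extend rule, and the VEK is released only when the current PCR matches the value recorded at seal time. `ToyTPM`, the sample boot chains and the HMAC/XOR wrapping are constructed stand-ins (a real TPM seals with its RSA-based SRK, and BitLocker uses several PCRs, not one).

```python
import hashlib
import hmac
import os

def extend(pcr: bytes, component: bytes) -> bytes:
    # TPM 1.2 extend rule: PCR_new = SHA-1(PCR_old || SHA-1(component))
    return hashlib.sha1(pcr + hashlib.sha1(component).digest()).digest()

def measure_boot(components) -> bytes:
    pcr = bytes(20)  # a static PCR is all zeros after platform reset
    for component in components:
        pcr = extend(pcr, component)
    return pcr

class ToyTPM:
    """Constructed stand-in for a TPM: the SRK never leaves this object."""
    def __init__(self):
        self._srk = os.urandom(32)

    def _pad(self, nonce: bytes) -> bytes:
        return hmac.new(self._srk, b"enc" + nonce, hashlib.sha256).digest()

    def _tag(self, nonce: bytes, pcr: bytes, ct: bytes) -> bytes:
        return hmac.new(self._srk, b"mac" + nonce + pcr + ct, hashlib.sha256).digest()

    def seal(self, vek: bytes, pcr: bytes) -> dict:
        if len(vek) > 32:
            raise ValueError("toy pad covers at most 32 bytes")
        nonce = os.urandom(16)
        ct = bytes(a ^ b for a, b in zip(vek, self._pad(nonce)))
        return {"nonce": nonce, "pcr": pcr, "ct": ct, "tag": self._tag(nonce, pcr, ct)}

    def unseal(self, blob: dict, current_pcr: bytes):
        tag = self._tag(blob["nonce"], blob["pcr"], blob["ct"])
        same_tpm = hmac.compare_digest(tag, blob["tag"])
        same_boot = hmac.compare_digest(blob["pcr"], current_pcr)
        if not (same_tpm and same_boot):
            return None  # wrong machine or changed boot path: VEK stays sealed
        return bytes(a ^ b for a, b in zip(blob["ct"], self._pad(blob["nonce"])))

def boot(tpm: ToyTPM, blob: dict, components):
    vek = tpm.unseal(blob, measure_boot(components))
    return ("unlocked", vek) if vek is not None else ("recovery", None)

# Constructed sample boot chains (labels only, not real firmware images)
GOOD_CHAIN = [b"BIOS", b"MBR", b"boot sector", b"boot manager"]
TAMPERED_CHAIN = [b"BIOS", b"MBR", b"boot sector", b"boot manager (modified)"]
```

The two `"recovery"` outcomes correspond to the recovery scenarios later in the deck: a modified boot loader changes the PCR, and a drive moved to another machine meets a different SRK.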
20
BitLocker TPM Administration Storyboard: New Machine
Note: Steps 1-3 can be pre-configured (OEM, SP)
  • Basic TPM Administration/Deployment
  • Machine arrives at enterprise in un-initialized
    state.
  • Turn TPM On
  • Check for physical presence by rebooting the
    machine and prompting user at BIOS screen for key
    press.
  • Log back into Windows Vista
  • Take Ownership of TPM
  • Check for existence of Endorsement Key (Provided
    by OEM)
  • Create TPM Administration Password.
  • Commit changes to TPM and initialize.
  • Publish TPM Administration Password to AD/File
  • TPM Initialization Complete

21
BitLocker Single Machine Deployment with TPM
Windows Vista Install
  • Windows Vista Install
  • BDE requires a partition separate from the
    Windows Vista OS partition with a min free space
    of 350Mb
  • During installation the system is checked for
    correct version of TPM (v 1.2) and BIOS via Plug
    and Play
  • TPM BDE drivers are installed

  • BDE Installation
  • Start installation through the BDE control panel
    applet
  • Installation checks for required disk partition
    layout. This partition needs to be formatted NTFS
    and contain a Windows Vista installation
  • Installation enables BDE for Windows Volume
  • Installation verifies that the TPM has
    initialized
  • User selects Recovery Key Backup method, and
    installation continues with volume encryption
  • Installation displays background encryption
    progress bar and tray icon, then notifies user
    when BDE is complete

22
(No Transcript)
23
BitLocker Enterprise Machine Deployment with TPM
Windows Vista Install
Active Directory is prepared for BDE Keys
  • BDE installation
  • Active Directory prepared for BDE keys
  • Windows Vista Install
  • BDE requires a partition separate from the
    Windows Vista OS partition with 1,5GB free space
  • During installation the system is checked for
    correct version of TPM (v 1.2) and BIOS via Plug
    and Play
  • TPM BDE drivers are installed
  • BDE Initialization
  • Scripted initialization of TPM
  • TPM Ownership password saved to Active Directory
  • Remote executed Script BDE
  • Policy saves recovery key to AD
  • System encrypted
  • Inspect audit logs for successful end to
    encryption

[Diagram labels: TPM Script Initialization; Store TPM Ownership Password; BDE script setup; Store BDE recovery key]
24
Upgrading BitLocker Hardware
  • Upgrading computers with BDE
  • Disable BitLocker
  • Upgrade system
  • Updated BIOS
  • -- or --
  • Install Service Pack
  • Turn On BitLocker: no encryption required

25
Recovery Scenarios
  • Broken Hardware Recovery Scenario
  • Hard drive moves to new system
  • Upgrade to Core Files
  • Planned migration to core files
  • Attack Detected Recovery Scenario
  • Modified or Missing Boot Loader Files
  • Also known as an Unplanned Migration

26
BitLocker Recovery Options
  • BDE setup will automatically escrow keys and
    passwords into AD
  • Centralized storage/management keys (EA SKU)
  • Setup may also try (based on policy) to backup
    keys and passwords onto a USB dongle or to a file
    location
  • Default for non-domain-joined users
  • Working with third parties for web service-based
    key escrow
  • Recovery password known by the user/administrator
  • Recovery can occur in the field
  • Windows operation can continue as normal

27
BitLocker Recovery Storyboard: Broken Hardware
  • Example Recovery Scenario
  • Feature turned on.
  • AD access via network.
  • Recovery key escrowed to AD and/or USB dongle.
  • User drops laptop and breaks motherboard.
  • HD from old broken machine put into new laptop
    with BDE enabled.
  • BDE can't access HD because the TPM key in new
    laptop is different.
  • User launches BDE recovery
  • User uses USB dongle to recover the drive.
  • -or-
  • User calls admin and Administrator authenticates
    user.
  • Admin gets correct recovery key from AD.
  • Admin reads key to user over the phone.
  • User types in recovery key.
  • Recovery key is used to recover the drive

28
Decommissioning
Normal
Force Recovery
versus
Nothing
Delete keys
Reformat drive
Admin wipes drive
29
More information
  • http://www.microsoft.com/whdc/system/platform/hwsecurity/default.mspx
  • http://blogs.msdn.com/si_team/default.aspx

30
Q&A
31
Thank you!
32
(No Transcript)
33
BitLocker Drive Appears In Vista
34
BitLocker Drive Appears In XP
35
BitLocker Drive Appears In Linux
  • Linux Bitlocker volume errors
  • Fdisk reads partition table... thinks fve
    partition is ntfs
  • wrong fs type, bad option, bad superblock on
    /dev/sda2, missing codepage or other error
  • Primary boot sector is invalid, Not an NTFS
    volume