Vista's BitLocker Encryption: All It's Cracked Up to Be?
Microsoft's boot-drive encryption works best with specialized hardware and requires some effort to set up and run. After all that, does it work?
Microsoft is unambiguous in denying this rumor. Niels Ferguson, one of the key Microsoft engineers who developed BitLocker, made the company's position clear in his blog: "Over my dead body. ... The official line from high up is that we do not create back doors." Ferguson went on to insist that if any such thing existed, Microsoft would be required by law -- not just U.S. law, but the laws of every country in which it does business -- to mention it or to withdraw BitLocker entirely.
Gartner's MacDonald likewise dismisses the specter of a BitLocker back door. "Microsoft's entire source-code base is available for limited public review, primarily to governments and universities," he points out, "and there are many governments in the world, including U.S. allies, that want to ensure that BitLocker has no such back door."
If such a thing did exist, it stands to reason that news of it would surface very quickly.
2. Can criminals exploit known weaknesses in the way Windows -- or BitLocker itself -- works? At the Black Hat conference in Amsterdam in March, security experts from India demonstrated that it was possible to subvert Vista's boot process to introduce a rootkit that could run whether or not BitLocker was present. Once a system is subverted in this fashion, it becomes much easier for attackers to do anything they choose, from stealing data to trashing the system.
As security researcher Joanna Rutkowska explains it, this particular crack was not so much a subversion of BitLocker as a way to insert unsigned code into the Vista x64 kernel, regardless of whether BitLocker was securing the boot volume in question.
So it is theoretically possible to engineer an end run around BitLocker without having to deal directly with BitLocker's encryption, although there is no evidence that anyone has actually gone so far as to create a proof-of-concept version of just such a crack (yet). Also, since this crack requires the cracker to access the machine directly -- it can't really be deployed remotely -- it's that much harder to pull off.
We can also include in this category any other as-yet-undisclosed attacks against Vista itself that could in theory be used to subvert BitLocker, either directly or indirectly, since BitLocker is not designed to secure the Vista kernel per se.
3. Are there any server-level vulnerabilities that could leave BitLocker-protected systems vulnerable? As Gartner's MacDonald points out, even if you follow proper procedure and back up BitLocker keys into Active Directory, you need to also make sure the AD repository itself (e.g., Windows Server 2003) is properly secured, lest an attacker break into that and steal the keys.
Conclusions
Encryption is difficult to implement properly, no matter what the product, and Microsoft deserves kudos for making it possible to do this in such a tightly integrated way in Windows Vista.
There's no question that when properly implemented and deployed, BitLocker can add a considerable layer of security to a computer. Just be aware that this security comes at a cost -- including the price of an edition of Windows Vista that supports BitLocker, the proper hardware to fully implement it, and, most important, the effort on the part of both IT and the end user to ensure that it has all been implemented correctly.
Serdar Yegulalp writes about Windows and related technologies for a number of publications, including his own Windows Insight blog.
The single biggest weakness in BitLocker is the biggest weakness of any encryption system: the end user. A user password is no good if the computer in question is never locked, and BitLocker affords no protection if someone simply sits down at a system where the user is already logged in and everything is decrypted. Consequently, whenever BitLocker is implemented on a given system, it has to be accompanied by a proper system setup and good user habits. The former is a technical solution; the latter may be a lot harder to implement without creating a training or education program of some kind. Here's a short list of steps to make BitLocker as effective as possible:
Copyright © 2007 IDG Communications, Inc.