Complexity of bitlocker and trust

Complexity of bitlocker and trust

Justin Troutman

Windows Vista. I have never mentioned these two words in my previous articles, so I am a little confused when I write this column. This product has many functions worth talking about, many things worth exploring, and there are also many feasible ways to discuss.

Some time ago, when I visited the blog of security expert Bruce Schneier, I happened to read an article about bitlocker. At that time, I was not familiar with bitlocker. I quickly searched and learned that bitlocker was originally created on Windows Vista.^{I was surprised immediately when I provided the encryption function. "Oh, no, Windows Vista provides the encryption function? This certainly has no benefit. Even if its encryption function is really good, there will be a backdoor ."}

Why are people hard to trust windows?^{The reason for the built-in security function of is always controversial, regardless of whether the viewpoint is true or not. However, this is not why I wrote this column. In fact, I want to build a case to illustrate in detail why I think there are good reasons to support bitlocker. I would also like to take a moment to discuss the basic principles for ensuring the vitality of the encryption software and hardware.}

But do not make a mistake: I do not advocate bitlocker as a panacea for security issues-bitlocker is only one of the many security measures. It aims to provide restoration functions for some threat models.

In particular, bitlocker looks at lost (or stolen) portable computers. Mobile staff often move around with a variety of confidential information-trains and planes, restaurants and hotels, corporate offices and subsidiaries. They store the information in portable computers and other mobile devices, which usually lack real security, resulting in poor security of data stored on these devices. What if a user leaves a portable computer somewhere?

It is inevitable that people will be careless. Fortunately, you can control what may happen next. For companies, compared to the cost of dealing with confidential data leaks, the cost of replacing a portable computer is negligible, and this is where bitlocker is committed to providing security.

Trust journey

In this article, I will discuss bitlocker from an interesting perspective. In fact, I have never tried bitlocker. I know that you may think: I have never used it before. What else do you think of bitlocker? Let alone some useful comments! Please be careful. I really want to discuss more advanced encryption technologies and design concepts that are critical to a successful solution.

Let's start with what I saw in Bruce Schneier's blog. Suppose you want to watch a new movie. You may have some ideas about the movie based on the trailer and main cast. Indeed, a strong cast of actors cannot be guaranteed to be good movies. However, you can reveal a lot of film-related information from the cast, and you may look forward to the film accordingly. Is it starring Chris Rock and Ben Stiller? Or is it starring Kate Winslet and Johnny Depp?

Similarly, when I saw a world-renowned security expert introduce bitlocker on a blog, I also made some assumptions. First of all, I think this new technology is not very good to everyone, it is very bad, and I have to come up with it to let everyone know. To my surprise, Bruce Schneier's final conclusion is yes.

In his comments, one sentence was particularly conspicuous: "no backdoors were left for the control personnel ." This sentence is quite powerful. Bruce Schneier was very confident when he said this sentence, and included^{Links to the system integrity team blog. Open this link and I see a blog article about Niels Ferguson (a security-oriented developer in Microsoft, he refuted rumors that Microsoft intentionally left a backdoor in bitlocker for legal purposes. Ferguson publicly declares that it cannot accept backdoors, and he has never participated in any project that supports backdoors. (He also explained that even if Microsoft had to leave a backdoor under law, the company would publicly announce the backdoor or completely revoke the function .)}

The author of the blog post is Niels Ferguson, which is enough to make Schneier trust me and create trust for me. Ferguson is very clear about what he is talking about. He has established a tracking record to convince people of what he said. Bruce Schneier and Niels Ferguson collaborated on the compilation of cryptography practices (a book with significant impact on how to easily, correctly, and securely apply secure encryption technologies ), they also collaborated on the design of a block password twofish-a 128-bit feistel network, which is the final choice object in the Advanced Encryption Standard (AES) selection process and becomes the mainstay of the cryptographic analysis field.

Of course, even if experienced encryption personnel participate in the project, the final product cannot be guaranteed to be safe. Even experts of this technology cannot always be foolproof. However, no matter what the bitlocker results will do over time, you can at least determine that a reasonable design policy will play a role in its creation.

When talking about mistakes, this may be due to some serious tests by sincere developers, but these developers lack a basic understanding of encryption; it may also be because some dishonest developers only care about the possibility of launching products. Both cases (regardless of the intention) will lead to a failure in developing a security solution. However, bitlocker does not seem to belong to either of the two scenarios. It is a good omen to have at least one competent encryption person involved in development and backed up by abundant resources.

About trust

Not long ago, Phil Zimmerman (creator of PGP encryption) shared some empirical rules with me. If there is a "Developer's security creed", his suggestions will undoubtedly be placed in chapter 1. Although his views are not specific to bitlocker, the design concepts advocated in these views apply to the vast majority of encryption solutions. You may think these ideas are too simple or too long-winded. However, considering the current security situation, it is necessary to clearly point these points of view.

When designing an encryption infrastructure, developers must strive for simplicity, correctness, and security. Although errors are inevitable, they should not be taken as a matter of course and should not be avoided as much as possible. Developers must be steadfast in advocating perfectionist. As Zimmerman said, "errors should be taken into account during design, which will lead to the cost of life ." Do you think this is an exaggeration? "What I need is the functionality and assurance of security devices," said Brian snow, an NSA encrypts at the 2005 computing security application conference. We will not use customers for testing. If my product fails, someone may pay for it ." Therefore, remember that errors do not only result in the cost of money.

Users should be assured. Obtaining and maintaining user trust is the key. Zimmerman elaborated clearly: "We must gain the trust of users. ." In this way, the company can maintain the trust of users and keep the company's reputation in security. Once lost, these things cannot be recovered.

I want Microsoft to consider these points when designing bitlocker (or any other product in the company-in this regard. That is to say, I want to explain why I believe that Microsoft has actually done this and should take this encryption technology seriously.

Poor and his elephant

In essence, bitlocker is the method used to encrypt all system volume data in Windows Vista (Enterprise and ultimate. It sounds like a very direct application, but let's consider its limitations. Bitlocker encrypts data at the level of each slice, And the ciphertext length cannot exceed the plaintext length, so there is no extra space for other items, for example, Nonce (a number or string used only once during encryption), initialization vector (IV), or message authentication code (MAC ). I think it makes sense for them to impose these strict restrictions and conditions. I also know that I can solve Message Authentication in some way.

Bitlocker relies on what is generally called Identity Authentication for the poor. This compromise verification method is not as conservative as you usually think, because it assumes that operations on ciphertext will not produce meaningful plaintext. In another way, for example, if the ciphertext is operated, it will not allow the enemy to execute certain functions, but will cause the system to crash.

The Microsoft support team of bitlocker knows that it takes more time to analyze the brand new block passwords than people can accept. However, the existing design does not provide sufficient analysis functions, that is, the efficiency is not high enough. Therefore, in terms of encryption, Microsoft chose AES in CBC (Cipher Block Chaining) mode, which I call aes-CBC. This is difficult to differentiate in the chosen plaintext attack mode (IND-CPA), but it cannot maintain integrity. Because there is no space for Mac, and CBC is in confidential mode, there is no integrity persistence at all. This is the signal of elephant's debut.

The new elephant component uses two diffusers, which are built to provide poor identity verification that is better than traditional AES-CBC. (However, I must note that for those who must strictly follow the rules, you can choose to run aes-CBC without using elephant .) Although identity authentication is not always ideal for the poor, it is the most appropriate solution under specific constraints, and elephant aims to make full use of this solution. Then how does it run?

Figure 1 shows the process. When encryption is performed, the plain text is combined by XOR and the sector key. Then, the text flows to two unencrypted diffuser. Here, encrypt text with a AES-CBC. Both the sector key and the AES-CBC require the key material, so the two are encrypted separately. This method simplifies the form of proof to reduce the security of the elephant part of the AES-CBC and AES-CBC. Elephant is a new base, and the new base may encounter some obstacles before strict analysis. Because bitlocker can indicate that using the AES-CBC and elephant together is less vulnerable to attacks than using the AES-CBC alone, this method can be balanced.

Figure 1 identity authentication for the poor and elephant

Both the sector key and the AES-CBC component can receive 256-bit key material to increase the length of the key to 512-bit. However, by default, these components only use 128-bit key material, which means that some key material is not used. The reason is simple. When the key length changes, dropping unnecessary bits is easier than changing the key management infrastructure.

The length of a block is any power of 2, but only between 512 and 8192 bytes. To ensure that any change in the ciphertext will randomly modify the plaintext of all sectors, the block encryption method is designed to implement operations with a variable block size. In addition, if the behavior of the block encryption method and the adjustable block encryption method is similar (as described by liskov, Rivest, and Wagner), the algorithms between the slice are also slightly changed, then, the enemy cannot successfully move the ciphertext of a certain sector to another.

Only time will tell us everything

The consideration of bitlocker's encryption security is missing a very important part. For bitlocker, its responsibility is not only to ensure security. Because bitlocker itself is not a solution-it is only one of the many additional products of Windows Vista. Microsoft said bitlocker is closely integrated with Windows Vista. But if it is closely integrated with the operating system, will the failure of another component lead to bitlocke failure or be affected?

Personally, I believe in modularity and fault isolation. Close integration without modularity will make the situation more complex. Of course, this may not be the case for Windows Vista and bitlocker, but only time (and enough analysis) can tell us if this is the case.

So what do I think of bitlocker? I would like to pay tribute to the Microsoft system integrity team, which relies on real and reliable encryption staff who have fulfilled their responsibilities. Obviously, this function is designed for encryption rather than marketing activities. Therefore, my answer to this question is to take bitlocker seriously. Please note that at this time, we will first put aside whether it has reliable security. Reapply again. Only time and real evaluations will tell us everything. Many encryption elements and protocols have been cracked. However, at least the Microsoft system integrity team gave us the opportunity to learn something and provide us with a platform to build better solutions.

Justin TroutmanHe is an experienced encryption engineer and is currently pursuing a major in mathematics. His main research area is symmetric encryption, and he is also the founder of extorque, a company dedicated to Encryption Research and Consulting.
From October 2007 journal technet magazine.
You are welcome to give your comments. You are welcome to send us feedback.