Where does Bitlocker-to-go store keys for automatic unlock?

Discussion in 'Windows 7' started by swmspam, Jan 23, 2012.

  1. swmspam

    swmspam MDL Novice

    Jan 11, 2012
    17
    2
    0
    I don't know how many cryptographers are lurking about ...

    I have a USB key that is encrypted with bitlocker. When it is plugged into a computer, the unlocking dialog (where the password is entered) offers an option for the drive to be automatically unlocked in the future. This implies the password (or encryption key) is stored locally to be used automatically each time the drive is used. If the key is stored locally, then it is vulnerable to discovery if the computer is attacked.

    Anyone know how the bitlocker key is stored locally for the automatic unlock function?
     
  2. 100

    100 MDL Expert

    May 17, 2011
    1,349
    1,576
    60
    #2 100, Jan 23, 2012
    Last edited by a moderator: Apr 20, 2017
  3. swmspam

    swmspam MDL Novice

    Jan 11, 2012
    17
    2
    0
    #3 swmspam, Jan 24, 2012
    Last edited: Jan 24, 2012
    (OP)
    Thanks for the article. I am also looking at "Windows Internals" by Russinovich for help, but your recommended article appears to clarify things a bit more easily.

    Almost all security can be broken by a determined attacker - or in the case of the Passware "cold boot" (readily available in a commercial package) - it's made easy. Passware made encrypting the OS drive ineffective using the method, so critical data vulnerable to espionage should be placed on an encrypted non-boot drive (i.e. SD card) so that the key won't be discoverable with a cold boot.

    From what I understand, BitLocker encrypting the OS drive with TPM will allow Windows to boot unattended to the login screen. This process requires no user intervention and places the OS drive encryption key in RAM. Therefore, a cold laptop (one that has been powered off for a long time) can simply be booted to the logon screen, forcibly powered off, and its RAM contents immediately dumped using Passware, which will find the OS drive encryption key.

    So here's the progression of cracking a system with a secondary encrypted drive:

    1. Passware "cold boot" the OS drive and unencrypt.
    2. Crack the Windows logon using a password cracking tool.
    3. Boot the OS and log on to Windows.
    4. Allow the non-OS drive to be automatically mounted.
    5. Recover data from secondary drive.
    6. Blackmail or espionage achieved.

    Therefore, I don't see how an automated unlock can be made safe unless a BIOS-level boot password is used to prevent the "cold boot" attack.

    (On soapbox) Many professionals do not realize that their emails reveal information about corporations, and in some cases, could be used to manipulate the company, employees, trade secrets, mergers, acquisitions, market position, sales, and/or stock price. Especially with foreign competitors, information stored on laptops (especially Outlook PST files) should be critically protected (off soapbox).
     
  4. swmspam

    swmspam MDL Novice

    Jan 11, 2012
    17
    2
    0
    I've found Bitlocker to be very stable and predictable.

    My present configuration has the following steps:

    • BIOS protected with complex password
    • Hard drive enabled as the only boot option (circumvents "cold boot" from USB key)
    • IEEE 1394 disabled (circumvents DMA attack)
    • Bitlocker on OS drive

    At this point, I'm fairly satisfied, although I can envision a possible attack method.

    I often travel internationally for business (including China and Russia). My business hosts regularly encourage me to "stop by the hotel to drop your things off" before dinner. This makes sense from simple hospitality. It is nice to refresh before heading out to a long dinner. However, I am often hesitant to leave my laptop (even at very nice hotels with guards). I hope I am not paranoid, but because most businesses in China are partially owned by the government, and business secrets are valuable (especially manufacturing methods or patents), it is not difficult to imagine a coordinated intrusion into my hotel room to access sensitive data when I'm at dinner. I try to remove as much sensitive information as possible prior to travel, but emails and passwords remain. I'm sure the professional crackers hired for this purpose also have (pirated) versions of Passware "cold boot", along with other nifty tools.

    And when you're attending a conference, watch your wifi! I went to a meeting in Japan where it was announced, "Please enable VPN or encryption over our provided wifi, because you may be listened to. You have been warned." I found the access point and followed the wire into another room, where a couple of hired hackers were wiresharking the LAN with their Panasonic laptops.

    I keep my iTunes on a portable hard drive. It disappeared during one of my trips. I don't know if it was stolen or accidentally left somewhere. It was bitlocked, but it demonstrated to me how easy it is to expose your personal information to the world. Never again will I have a storage medium unencrypted or plaintext, even at home!
     
  5. hbhb

    hbhb MDL Expert

    Dec 15, 2010
    1,017
    263
    60
    Fellas, I haven't used BitLocker yet; I have TrueCrypt installed just to protect some of my info in a small partition. How stable is BitLocker? Chances of getting locked out or malfunction? Anyway dude, thanks for the info.
     
  6. swmspam

    swmspam MDL Novice

    Jan 11, 2012
    17
    2
    0
    Bitlocker (on both OS drive and portable drives) has been stable. There are built-in rescue tools. The user provides a password that generates a raw decryption hash. The plaintext hash is provided as a text file at the time of encryption, so you can keep it for later (emergency) use. If the drive catastrophically crashes, residual data can still be extracted and decrypted using the hash. I print out the plaintext hash and keep it somewhere separate from the hardware.
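The following audit script is added to this thread as an illustration; it is not swmspam's configuration nor Microsoft's code. It checks a machine for the three weaknesses the posts circle around: an OS drive unlocked by TPM alone, so the volume key is already in RAM at the logon screen (post #3); a data drive with automatic unlock enabled, so it is readable by anyone who can log on (post #1); and a volume with no recovery password protector, the printed-out key post #6 keeps off the machine. It assumes the BitLocker PowerShell module, which ships with Windows 8 / Server 2012 and later, and an elevated prompt; the function and finding-object names are this example's own. On Windows 7, the topic of this thread, the same fields are shown by `manage-bde -status` and `manage-bde -protectors -get C:`, and auto-unlock is turned off with `manage-bde -autounlock -disable D:`.

```powershell
# Added example, not code from the thread. Audits BitLocker volumes for the
# risks discussed in the posts. Assumes the BitLocker module (Windows 8 /
# Server 2012 or later) and an elevated session. Get-BitLockerRiskReport,
# New-Finding and the finding objects are names invented for this example.

function New-Finding {
    param([string]$Drive, [string]$Severity, [string]$Issue, [string]$Fix)
    [pscustomobject]@{ Drive = $Drive; Severity = $Severity; Issue = $Issue; Fix = $Fix }
}

function Get-BitLockerRiskReport {
    [CmdletBinding()]
    param()

    $findings = @()

    foreach ($vol in Get-BitLockerVolume) {
        $drive = $vol.MountPoint
        # Protector types as strings, e.g. Tpm, TpmPin, ExternalKey, RecoveryPassword, Password
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

        if ($vol.VolumeStatus -eq 'FullyDecrypted') {
            $findings += New-Finding $drive 'High' 'Volume is not encrypted' `
                "Enable-BitLocker -MountPoint $drive (choose a protector)"
            continue
        }

        if ($vol.ProtectionStatus -ne 'On') {
            # Suspended protection stores the volume master key in the clear on disk.
            $findings += New-Finding $drive 'High' 'Protection is off or suspended' `
                "Resume-BitLocker -MountPoint $drive"
        }

        if ($vol.VolumeType -eq 'OperatingSystem') {
            # TPM-only unseals the OS drive unattended, so the key sits in RAM by the
            # time the logon screen appears; a pre-boot PIN keeps it sealed until
            # someone types the PIN.
            $hasPin = ($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey')
            if (($types -contains 'Tpm') -and -not $hasPin) {
                $findings += New-Finding $drive 'High' 'OS drive uses TPM without a PIN' `
                    "Add-BitLockerKeyProtector -MountPoint $drive -TpmAndPinProtector -Pin (Read-Host -AsSecureString)"
            }
        }
        else {
            # Auto-unlock keeps an external key for this data drive on the OS volume,
            # so the drive is readable by anyone who can log on to this machine.
            if ($vol.AutoUnlockEnabled -or $vol.AutoUnlockKeyStored) {
                $findings += New-Finding $drive 'Medium' 'Automatic unlock is enabled' `
                    "Disable-BitLockerAutoUnlock -MountPoint $drive"
            }
        }

        # The 48-digit recovery password is what a user prints and keeps off the machine.
        if (-not ($types -contains 'RecoveryPassword')) {
            $findings += New-Finding $drive 'Medium' 'No recovery password protector' `
                "Add-BitLockerKeyProtector -MountPoint $drive -RecoveryPasswordProtector"
        }
    }

    return $findings
}

# Usage: run elevated and review the table; an empty result means no findings.
Get-BitLockerRiskReport | Format-Table -AutoSize
```

Two notes on the suggested fixes: after adding a TPM+PIN protector, the old TPM-only protector is still valid until it is removed with `Remove-BitLockerKeyProtector -MountPoint C: -KeyProtectorId <id>`, and `Clear-BitLockerAutoUnlock` discards every stored auto-unlock key at once instead of one drive at a time. The BIOS password, boot-order lock and disabled IEEE 1394 port from post #4 live in firmware and are not visible to these cmdlets, so they have to be checked by hand.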