Regarding Windows Vista Disk Encryption Algorithm.
Hello,

I ran across this paper titled "AES-CBC + Elephant diffuser: A Disk Encryption Algorithm for Windows Vista". Paper downloadable at: http://download.microsoft.com/download/0/2/3/0238acaf-d3bf-4a6d-b3d6-0a0be4b... Cipher200608.pdf or http://blogs.msdn.com/si_team/archive/2006/09/15/756622.aspx

There are a few questions I would like to know about.

pg 3: [BitLocker makes use of a tamper-resistant security chip mounted on the motherboard. BitLocker makes use of the TPM security chip that will be incorporated in most PCs.]

How do we know if future PCs will make use of this chip on their motherboards, and how can we trust this chip?

pg 3: [The seal/unseal functions of the TPM allow selective access to cryptographic keys based on PCR values. The seal function is used to encrypt a key into a string which can only be decrypted by that same TPM. Furthermore, the TPM will decrypt the string if and only if the selected PCRs have the value that was specified during the seal operation. In other words: we can store a key in an encrypted string so that it can only be accessed when selected PCRs have a particular value. During the boot process the PCRs are used to keep track of the code that runs. The key used to encrypt the disk is sealed against a particular set of PCR values. During a normal boot the PCRs reach the same values, and the key can be unsealed by the TPM. If an attacker boots into any other operating system, the machine will be fully functional but the PCR values will be different and the TPM will not unseal the key. Thus, other operating systems cannot read the data on the disk, or find out how to modify the disk to reset the Administrator password.]

It prevents the protected operating system from being operational, as the key cannot be unlocked. The encrypted disk can still be removed from the machine with the security chip and re-inserted elsewhere, and its contents dumped for further analysis.

Doesn't a data recovery expert usually work under the assumption that the encryption keys are unavailable? Isn't this the case if we are looking at stolen laptop(s)? If the disk can be removed and dumped, what advantage does the TPM security chip provide over software encryption?

pg 6: [BitLocker also allows users to use a PIN that the TPM checks, or a USB key that contains a cryptographic key. Without the right PIN or USB key the laptop doesn't have the right information to even find the disk decryption key, so the information is safe unless the PIN is written on a post-it stuck to the machine, or the USB key is left in the laptop bag. In practice, we expect that many laptops will be used in the TPM-only mode and that scenario is the main driver for the disk cipher design.]

But if we work with the assumption that the attacker/recovery expert will not be able to find the key on the disk, is there any need to implement the TPM security chip? Is the assumption reasonable?

pg 7: [A software implementation of AES runs in around 20-25 cycles per byte on a P4 class CPU. (Synthetic benchmarks can achieve somewhat higher speeds, but they exclude various overheads encountered in real system implementations.) Other overhead adds around 5 cycles per byte for a total of 25-30 cycles per byte. Based on this data, our performance analysis concluded that a single pass of AES, for example using AES in CBC mode, would have acceptable performance. An algorithm twice as slow as AES (45-55 cycles/byte) would be on the edge of being unacceptable, and a high-risk choice given the many uncertainties in the analysis. Anything slower than that would be unacceptable.]

2.6 BitLocker encryption algorithm requirements, pg 7 & 8: [We get the following major requirements for our BitLocker encryption algorithm: ... It is fast enough that the slow-down of the laptop is acceptable to most users. Our best estimate is that a speed of 40 cycles/byte or faster will be acceptable.]

It looked like the AES-CBC implementation was part of the hardware security chip to speed it up. From the above, judging by the clock speed, it appears, however, that AES-CBC is implemented in software by BitLocker?

pg 9, 3.2 AES-CBC: [Any time you want to encrypt data, AES-CBC is a leading candidate. In this case it is not suitable, due to the lack of diffusion in the CBC decryption operation. If the attacker introduces a change 'delta' in ciphertext block i, then plaintext block i is randomized, but plaintext block i + 1 is changed by 'delta'. In other words, the attacker can flip arbitrary bits in one block at the cost of randomizing the previous block. This can be used to attack executables. You can change the instructions at the start of a function at the cost of damaging whatever data is stored just before the function. With thousands of functions in the code, it should be relatively easy to mount an attack.]

This appears to be why the diffusers are being used. The overview of AES-CBC + diffusers is given in Figure 1, pg 13.

pg 16: [Our AES implementation uses about 20 cycles/byte for AES-CBC on a Pentium 4. The diffuser takes about 10 cycles/byte. The overall cipher speed is just over 30 cycles per byte, including various overhead.]

Appendix A on pg 18 gives a sketch of a proof of why AES-CBC + diffusers is at least as secure as AES-CBC. The diffusers consume about 1/3 of the cycles per byte. Given this overhead, is it useful to implement the diffusers unless the implementation can be shown to be more secure than AES-CBC?

Thank you,
Sarad.
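As an added illustration of the CBC property quoted from section 3.2 above (example code written for this thread, not from the paper or from BitLocker): a toy 4-round Feistel permutation stands in for AES so the script runs with only the Python standard library, since the structural effect of XORing a difference into ciphertext block i does not depend on which block cipher sits underneath. It returns the per-block plaintext difference, showing block i scrambled, block i+1 changed by exactly delta and every other block untouched, which is the diffusion gap the diffuser is there to close.

```python
import hashlib

BLOCK = 16   # 128-bit blocks, as with AES

def _f(key, half, rnd):
    # Feistel round function: SHA-256 of key || round || half, truncated to a half block.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def block_encrypt(key, block):
    # 4-round Feistel network: a keyed permutation standing in for AES (NOT AES itself).
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, xor(l, _f(key, r, rnd))
    return l + r

def block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = xor(r, _f(key, l, rnd)), l
    return l + r

def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    # C[i-1] is XORed straight into P[i]: that is the missing diffusion the paper describes.
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        out.append(xor(block_decrypt(key, ct[i:i + BLOCK]), prev))
        prev = ct[i:i + BLOCK]
    return b"".join(out)

def tamper_effect(key, iv, pt, i, delta):
    """XOR `delta` into ciphertext block i, decrypt, and return the per-block XOR
    difference between the original plaintext and what comes out."""
    ct = cbc_encrypt(key, iv, pt)
    lo, hi = i * BLOCK, (i + 1) * BLOCK
    bad = cbc_decrypt(key, iv, ct[:lo] + xor(ct[lo:hi], delta) + ct[hi:])
    return [xor(pt[j:j + BLOCK], bad[j:j + BLOCK]) for j in range(0, len(pt), BLOCK)]
```

With a four-block constructed plaintext and i = 1, the returned list is [zeros, scrambled, delta, zeros]; a sector-wide diffuser or an integrity check is what turns that predictable third entry into noise or a detected error.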
----- Original Message ----- From: "Sarad AV" <jtrjtrjtr2001@yahoo.com> Sent: Thursday, October 19, 2006 5:55 AM Subject: Regarding Windows Vista Disk Encryption Algorithm.
How do we know if future PC's make use of this chip on their motherboards in future
The short answer: they do.
and how can we trust this chip?
If you can't trust the hardware vendor, there are worse things they can do to you. But in essence you either trust them or you don't.
Doesn't a data recovery expert usually work under the assumption that the encryption keys are unavailable?
This changes the rules some, but generally speaking with modern encryption, if the key is not available you're screwed.
Isn't this the case, if we are looking at stolen laptop(S)? If the disk can be removed and dumped, what advantage does the TPM security chip provide over software encryption?
You missed the part where it can only be done with the administrator password.
But if we work with the assumption that the attacker/recovery expert will not be able to find the key on the disk, is there any need to implement the TPM security chip? Is the assumption reasonable?
There is no reason to hide the boot block, but too many uneducated users would go "But they can find the boot block" and complain about how the security MUST be weak, based on a gross misunderstanding of the situation.
From the above, judging by the clock speed, it however appears that AES-CBC is software implemented by BitLocker?
I don't know.
Appendix A on pg 18 gives a sketch of a proof of why AES-CBC + diffusers is at least as secure as AES-CBC. The diffusers consume about 1/3 of the cycles per byte. Given this overhead, is it useful to implement the diffusers unless the implementation can be shown to be more secure than AES-CBC?
Without the introduction of another key it is impossible to improve on the security proof of CBC, so what they've done is introduce a method of obfuscation that they hope will not be broken, but breaking it will not affect the security of CBC mode in any way, simply because if it did break AES-CBC, an attacker could apply it themselves quite cheaply. The proof basically boils down to: it's CBC, attacker loses.

Joe
If you want to know more about Vista's use of the TPM, Sarad, I suggest that you subscribe to the "cypherpunks" mailing list. An anonymous message was sent to the list on September 7 which outlined Vista's TPM use and discussed some security implications. Although the list has not been too active, it has the advantage of accepting anonymous postings, which the moderated cryptography mailing list does not. If you would pay attention to the contents of that list, you would have found many of your questions answered even before you asked them.

Here is an excerpt from that posting which describes typical attack scenarios and how Vista BitLocker stops them:

"Vista's new disk encryption software, called BitLocker, optionally uses this feature of the TPM to strengthen its encryption. For example, consider various attack models for disk encryption. A laptop is stolen and the attacker now seeks to decrypt the disk and recover the data."

"The first step often applied in this situation is to take an image of the disk and run the attacks on that image, from a computer controlled by the attacker. This prevents the laptop OS from performing self-destruct operations or otherwise keeping the attacker from being able to reset the disk to a pristine state. But with BitLocker, the disk decryption key is sealed to a TPM key (a 2048 bit RSA key). No amount of brute force password guessing will work to recover a key from a disk image; the TPM chip itself has to be involved."

"An alternative for an attacker, then, might be to use the laptop itself but to boot into another OS, such as via a Linux "Live CD" or external device. It can then mount the partitions with the encrypted data and apply similar attacks. This will give access to the TPM hardware while still preventing the BitLocker software from having control."

"Again, the BitLocker design will thwart this attack, because the sealed storage locks the encrypted disk key to the boot configuration. Changing that configuration by booting into another OS will change PCR values and prevent the TPM from unlocking the key, even if the correct password is used."

In exchange for providing you with this useful information, Sarad, your assignment is to find a public archive of cypherpunks mailing list postings, so that links to these messages can be provided instead of having to type long segments in verbatim.

CP
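To make the seal/unseal behaviour in the excerpt above concrete, here is a stand-alone simulation written for this thread (not Microsoft's, nor any TPM vendor's, code): a single PCR stands in for the set BitLocker selects, and an HMAC/XOR construction under a chip-resident secret stands in for the TPM's RSA key, since the point is the policy check rather than the cipher. The three scenarios are the ones the excerpt describes: a normal boot, booting another OS on the same laptop, and taking the disk image to another machine.

```python
import hashlib
import hmac
import os

def extend(pcr, measurement):
    # TPM 1.2 PCR extend: PCR <- SHA-1(PCR || SHA-1(measurement)); PCRs start at zero.
    return hashlib.sha1(pcr + hashlib.sha1(measurement).digest()).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class SimulatedTPM:
    # Toy seal/unseal model: one PCR stands in for the selected set, and an HMAC/XOR
    # construction under a per-chip secret stands in for the TPM's RSA key (assumption).
    def __init__(self):
        self._secret = os.urandom(32)    # never leaves the chip
        self.pcr = bytes(20)
    def boot(self, chain):
        self.pcr = bytes(20)             # power-on reset, then measure each stage in order
        for stage in chain:
            self.pcr = extend(self.pcr, stage)
    def seal(self, key, expected_pcr):
        # Encrypt `key` under the chip secret AND the PCR value it must match at unseal time.
        body = expected_pcr + xor(key, hashlib.sha256(self._secret + expected_pcr).digest())
        return body + hmac.new(self._secret, body, "sha256").digest()
    def unseal(self, blob):
        body, tag = blob[:-32], blob[-32:]
        if not hmac.compare_digest(tag, hmac.new(self._secret, body, "sha256").digest()):
            return None                  # sealed by a different TPM: blob is useless here
        expected, enc = body[:20], body[20:]
        if expected != self.pcr:
            return None                  # boot chain differs, so the policy is not met
        return xor(enc, hashlib.sha256(self._secret + expected).digest())

def bitlocker_scenarios():
    """Returns (normal_boot_ok, other_os_denied, other_machine_denied)."""
    normal = [b"firmware", b"MBR", b"bootmgr"]       # constructed boot chain
    tpm = SimulatedTPM()
    tpm.boot(normal)
    vmk = os.urandom(32)                              # stands in for the volume key
    blob = tpm.seal(vmk, tpm.pcr)                     # done once, at BitLocker setup
    tpm.boot(normal)                                  # normal reboot: same measurements
    normal_ok = tpm.unseal(blob) == vmk
    tpm.boot([b"firmware", b"live-cd loader"])        # same laptop, another OS booted
    other_os_denied = tpm.unseal(blob) is None
    other = SimulatedTPM()                            # disk image moved to another machine
    other.boot(normal)                                # even with the same boot chain
    other_machine_denied = other.unseal(blob) is None
    return normal_ok, other_os_denied, other_machine_denied
```

Note that the disk image carries the sealed blob, not the key, so the defender's check for "does this design survive the disk being dumped" reduces to whether the per-chip secret and the PCR policy are both required, which the third scenario exercises.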
Hello,

--- Joseph Ashwood <ashwood@msn.com> wrote:

Without the introduction of another key it is impossible to improve on the security proof of CBC, so what they've done is introduce a method of obfuscation that they hope will not be broken, but breaking it will not affect the security of CBC mode in any way, simply because if it did break AES-CBC, an attacker could apply it themselves quite cheaply. The proof basically boils down to: it's CBC, attacker loses. Joe

Did a search and found this. Bruce Schneier's article suggests that BitLocker be used without the diffusers. As you have mentioned, chaining with CBC looks good enough.

http://www.schneier.com/blog/archives/2006/05/bitlocker.html

Encryption particulars: The default data encryption algorithm is AES-128-CBC with an additional diffuser. The diffuser is designed to protect against ciphertext-manipulation attacks, and is independently keyed from AES-CBC so that it cannot damage the security you get from AES-CBC. Administrators can select the disk encryption algorithm through group policy. Choices are 128-bit AES-CBC plus the diffuser, 256-bit AES-CBC plus the diffuser, 128-bit AES-CBC, and 256-bit AES-CBC. (My advice: stick with the default.)

--- cyphrpunk <cyphrpunk@gmail.com> wrote:

An anonymous message was sent to the list on September 7 which outlined Vista's TPM use and discussed some security implications.

http://www.ukhackers.com/story/?id=7616

This must be it :-)

Thank you,
Sarad.