Presentation is loading. Please wait.

Presentation is loading. Please wait.

BitLocker™ Drive Encryption Hardware Enhanced Data Protection

Similar presentations

Presentation on theme: "BitLocker™ Drive Encryption Hardware Enhanced Data Protection"— Presentation transcript:

1 BitLocker™ Drive Encryption Hardware Enhanced Data Protection
Shon Eizenhoefer, Program Manager Microsoft Corporation 1


3 Agenda Security Background BitLocker™ Drive Encryption TPM Overview
Building a BitLocker™ Capable System Additional Resources

4 BitLocker™ Drive Encryption
BitLocker™ Drive Encryption gives you improved data protection on your Windows Vista and Windows Server codenamed “Longhorn” systems Notebooks – Often stolen, easily lost in transit Desktops – Often stolen, difficult to safely decommission Servers – High value targets, often kept in insecure locations All three can contain very sensitive IP and customer data Designed to provide a transparent user experience that requires little to no interaction on a protected system Prevents thieves from using another OS or software hacking tool to break OS file and system protections Prevents offline viewing of user data and OS files Provides enhanced data protection and boot validation through use of a Trusted Platform Module (TPM) v1.2

5 BitLocker™ And TPM Features
BitLocker™ Drive Encryption Encrypts entire volume Uses Trusted Platform Module (TPM) v1.2 to validate pre-OS components Customizable protection and authentication methods Pre-OS Protection USB startup key, PIN, and TPM-backed authentication Single Microsoft TPM Driver Improved stability and security TPM Base Services (TBS) Enables third party applications Active Directory Backup Automated key backup to AD server Group Policy support Scriptable Interfaces TPM management BitLocker™ management Command-line tool

6 TPM Services Architecture (Simplified)
Feature Map BitLocker™ TPM Admin Tools Third Party Applications Windows Vista Enterprise Ultimate TPM WMI Provider TSS* Windows Vista All SKUs TPM Base Services TPM Driver Trusted Platform Module (TPM) *TCG Software Stack

7 What Is A Trusted Platform Module (TPM)?
Smartcard-like module on the motherboard Protects secrets Performs cryptographic functions RSA, SHA-1, RNG Meets encryption export requirements Can create, store and manage keys Provides a unique Endorsement Key (EK) Provides a unique Storage Root Key (SRK) Performs digital signature operations Holds Platform Measurements (hashes) Anchors chain of trust for keys and credentials Protects itself against attacks TPM 1.2 spec:

8 Why Use A TPM? Trusted Platforms use Roots-of-Trust
A TPM is an implementation of a Root-of-Trust A hardware Root-of-Trust has distinct advantages Software can be hacked by Software Difficult to root trust in software that has to validate itself Hardware can be made to be robust against attacks Certified to be tamper resistant Hardware and software combined can protect root secrets better than software alone A TPM can ensure that keys and secrets are only available for use when the environment is appropriate Many specific hardware and software configurations

9 BitLocker™ Drive Encryption Architecture Static Root of Trust Measurement of boot components

10 Disk Layout And Key Storage
OS Volume Contains Encrypted OS Encrypted Page File Encrypted Temp Files Encrypted Data Encrypted Hibernation File Where’s the Encryption Key? SRK (Storage Root Key) contained in TPM SRK encrypts FVEK (Full Volume Encryption Key) protected by TPM/PIN/USB Storage Device FVEK stored (encrypted by SRK) on hard drive in the OS Volume 3 OS Volume FVEK SRK 2 1 System System Volume Contains: MBR, Boot manager, Boot Utilities (Unencrypted, small)

11 Information Protection Threats
Internal threats are just as prevalent as external threats Accidental Intentional Targeted Loss due to carelessness Data intentionally compromised Thief steals asset based on value of data System disposal or repurposing without data wipe System physically lost in transit Insider access to unauthorized data Offline attack on lost/stolen laptop Theft of branch office server (high value and volume of data) Theft of executive or government laptop Direct attacks with specialized hardware

12 Spectrum of Protection
Ease of Deployment / Maintenance BitLocker™ offers a spectrum of protection, allowing an organization to customize according to its own needs TPM Only “What it is” Protects Against: Most SW attacks Vulnerable To: Hardware attacks User Must: N/A No user impact TPM + PIN “What it is + what you know” Protects Against: Many HW attacks Vulnerable To: Hardware attacks User Must: Enter PIN to boot TPM + USB “What it is + what you have” Protects Against: HW attacks Vulnerable To: Stolen USB key User Must: Protect USB key USB Only “What you have” Protects Against: HW attacks Vulnerable To: Stolen USB key No boot validation User Must: Protect USB key

13 BitLocker™ Interface Microsoft System Integrity Team

14 BitLocker™ Recovery Scenarios
Lost/Forgotten Authentication Methods Lost USB key, user forgets PIN Upgrade to Core Files Unanticipated change to pre-OS files (BIOS upgrade, etc…) Broken Hardware Hard drive moved to a new system Deliberate Attack Modified or missing pre-OS files (Hacked BIOS, MBR, etc…)

15 BitLocker™ Recovery Methods
Recommended method for domain-joined machines Automate key backups through BitLocker™ Setup Configure group policy to store keys in Active Directory Provides centralized storage and management of keys Recommended methods for non domain-joined machines Back up to a USB flash device Back up to a web-based key storage service “Windows Ultimate Extras” – Provides a free key storage service for home users or unmanaged environments Potential OEM or 3rd-party service for key storage Back up to a file Print or record to physical media

16 Platform Threats And Mitigations
BIOS Modification THREAT – Lost Core Root of Trust for Measurement MITIGATION – Secure CRTM Update MITIGATION – Provide extra protection with PIN or USB Physical Memory THREAT – Key exposure in physical memory MITIGATION – Memory Overwrite on Reset Dictionary Attack Against PIN THREAT – Key exposure MITIGATION – Anti-hammering countermeasures End Users THREAT – Unsafe practices (PIN nearby, USB in laptop case) MITIGATION – User education, corporate security policy

17 Building BitLocker™ Systems
Windows Vista Logo Program Performance, quality, and feature metrics that help consumers understand and seek out the best computing experience that Windows Vista has to offer Trusted Platform Module – SYSFUND-0030 TPM Main Specification, Version 1.2 (or later) Memory Mapped I/O, Locality 0 TPM PC Client Interface Specification, Version 1.2 (or later) BIOS – SYSFUND-0031 TCG BIOS Specification Physical Presence Interface Specification Memory Overwrite on Reset Specification Immutable CRTM or Secure Update

18 Building BitLocker™ Systems
Hard Disk – SYSFUND-0032 BitLocker™ requires at least two partitions System partition (“Active”, NTFS, minimum 1.5GB) OS must be installed on separate partition OS and other partition(s) can be of any size for more information USB – SYSFUND System boot from USB 1.x and 2.x USB USB read/write in pre-OS environment FAT16, FAT32, or NTFS file system for BitLocker™ and TPM Admin BIOS and Platform Requirements

19 Enterprise Customer Needs
Remote Deployment Considerations Think through large-scale deployment of BitLocker™ Provide solutions for remote initialization of TPMs Provide a secure BIOS update mechanism Support Encrypted Volumes in Recovery Environment Include WinRE scripting components Ship Systems with an Endorsement Key (EK) EK generation in the field is time consuming Industry security best practice TCG Guidelines

20 Call To Action Build BitLocker™-ready Systems
TPM v1.2 – Consider the deployment experience, make it easy BIOS – Don’t ship systems without secure CRTM/BIOS update! Hard Disk – Ship your platforms with two or more partitions USB – Verify read/write/boot from USB in pre-OS environment Consider Enterprise Customer Needs Provide ability to initialize TPM remotely Ship with Endorsement Key (EK) Test Your Platforms! Test with latest Windows Vista releases WDK test suite Work with us to get your reference platforms tested! for more information

21 Additional Resources Web Resources Related Sessions
Specs and Whitepapers Windows Logo Program Testing TCG Related Sessions Enterprise and Server Use of Microsoft BitLocker™ Drive Encryption (CPA027) Windows Vista and Windows Server Longhorn Security Platform Enhancements (CPA127) BitLocker™ Questions or Ideas BitLocker™ Blog

22 Questions?

23 © 2006 Microsoft Corporation. All rights reserved
© 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.


Download ppt "BitLocker™ Drive Encryption Hardware Enhanced Data Protection"

Similar presentations

Ads by Google