SEC316: BitLocker™ Drive Encryption 17/04/2017 SEC316: BitLocker™ Drive Encryption Russell Humphries Senior Product Manager – Window Vista Security SEC316 1

17/04/2017 Disclaimer This presentation contains preliminary information that may be changed substantially prior to final commercial release of the software described herein. The information contained in this presentation represents the current view of Microsoft Corporation on the issues discussed as of the date of the presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of the presentation. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this presentation. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this information does not give you any license to these patents, trademarks, copyrights, or other intellectual property. © 2006 Microsoft Corporation. All rights reserved. SEC316

17/04/2017 “BitLocker Drive Encryption provides stronger protection for data stored on your Windows Vista ™ systems – even when the system is in unauthorized hands or is running a different or attacking OS. BitLocker does this by utilizing full volume encryption; this prevents a thief who boots another OS or runs a software disk inspection tool from breaking Vista file and system protections or even the offline viewing of data files.” SEC316 3

BitLocker Drive Encryption 17/04/2017 BitLocker Drive Encryption BitLocker Drive Encryption fully encrypts the entire Windows Vista volume. Designed specifically to prevent the unauthorized disclosure of data when it is at rest. Provides data protection on your Windows client systems, even when the system is in unauthorized hands. Designed to utilize a v1.2 Trusted Platform Module (TPM) for secure key storage and boot environment authentication BitLocker SEC316 4

What is a Trusted Platform Module? 17/04/2017 What is a Trusted Platform Module? It’s a Smartcard-like module on the motherboard Protects secrets Performs cryptographic functions RSA, SHA-1, RNG Meets encryption export requirements Can create, store and manage keys Provides a unique Endorsement Key (EK) Provides a unique Storage Root Key (SRK) Performs digital signature operations Holds Platform Measurements (hashes) Anchors chain of trust for keys and credentials Protects itself against attacks TPM 1.2 spec: www.trustedcomputinggroup.org SEC316 5

17/04/2017 Why use a TPM 1.2 chip? The TPM solves the ‘where do we put the encryption key?’ problem Hardware can be made to be robust against attacks Certified to be tamper resistant Provides anti-hammering capabilities A TPM is an implementation of a Root-of-Trust Enables implementation of the Static Root of Trust Measurement Hardware based solution more secure than software one Difficult to root trust in software that has to validate itself SEC316 6

Static Root of Trust Measurement 17/04/2017 Static Root of Trust Measurement SEC316 7

17/04/2017 BitLocker disk layout SEC316 8

Spectrum of Protection 17/04/2017 Spectrum of Protection BitLocker offers a spectrum of protection allowing customers to balance ease-of-use against the threats they are most concerned with. SEC316 9

An integrated solution 17/04/2017 An integrated solution BitLocker is integrated in WMI and Group Policy Enables customizable, automated deployment BitLocker automatically escrow keys and passwords into AD Centralized storage/management keys Recovery console built into the new Vista boot architecture Recovery can occur “in the field” Windows operation can continue as normal after a recovery SEC316 10

Further information? Web Resources: 17/04/2017 Further information? Web Resources: Specs & Whitepapers: www.microsoft.com/technet/windowsvista/security/bitlockr.mspx TCG: www.trustedcomputinggroup.org BitLocker™ Questions or Ideas: BDEInfo@microsoft.com SEC316

17/04/2017 SEC316 12

17/04/2017 SEC316 13

Ask The Experts Get Your Questions Answered 17/04/2017 Ask The Experts Get Your Questions Answered You can find me at the Microsoft Ask the Experts area, located in the Exhibition Hall: Wednesday 15 November Lunch Thursday 16 November 14.45 – 15.45 SEC316

17/04/2017 SEC316

17/04/2017 SEC316

17/04/2017 © 2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY. SEC316 17