Image: Bitlocker illustration (caption: Protect your data with Bitlocker)

Disk encryption with Microsoft's Vista

Microsoft’s Vista operating system promises perfect protection but there are always some risks

Heiko Mergard, Personal Computer World 13 Oct 2006

Until now, it has been all too easy to hack into Windows-based systems.

Anyone who starts the PC using boot media such as a Linux live CD can just prise protective mechanisms such as the NTFS-based EFS (Encrypting File System) out of the way, as EFS doesn’t encrypt all the data saved on the hard disk. Numerous pre-boot and system files, as well as temporary data, remain accessible this way.

In many cases, valuable data on lost or stolen notebooks has not even been protected using EFS. A Windows password isn’t enough to prevent data theft using, for example, a live Linux or XP CD.

Total encryption
This is where Vista’s Bitlocker, also known as Full Volume Encryption (FVE), comes in.

This new feature encrypts the operating system volume completely, sector by sector rather than file by file, so it protects all data on it, including the paging file, the hibernation file and all system files. If applications from third-party manufacturers are installed on the encrypted volume, then Bitlocker protects their data, too.

However, if you activate the Bitlocker Drive Encryption then you must bear in mind that it does not protect the entire hard disk. Bitlocker only encrypts the partition on which Windows Vista is installed. If data-only partitions exist, they will remain unprotected.

Microsoft makes the assumption that if you have such partitions you will secure them using EFS, which is protected by Bitlocker indirectly, as the encryption keys are located on the OS partition.
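The difference between file-level and sector-level encryption is easier to see in a small model. The following Python is an added example, not code from the article or from Microsoft: it represents a volume as raw sectors, encrypts it either EFS-style (only the sectors of files the user marked) or whole-volume (every sector, with a per-sector tweak), and then scans the raw sectors the way a live CD would. The keystream construction (HMAC-SHA256 in counter mode, tweaked by the sector number) is a stand-in chosen for this illustration and is not Bitlocker's cipher; the volume layout and file contents are constructed.

```python
import hashlib
import hmac
import os

SECTOR = 512

class Volume:
    """Constructed disk volume of fixed-size sectors, kept as one bytearray so a
    'live CD' can read it raw and bypass any operating-system access checks."""
    def __init__(self, sectors):
        self.raw = bytearray(SECTOR * sectors)

    def write(self, sector_no, data):
        if len(data) > SECTOR:
            raise ValueError("data exceeds one sector")
        start = sector_no * SECTOR
        self.raw[start:start + len(data)] = data

def sector_keystream(key, sector_no):
    """Per-sector keystream: HMAC-SHA256 in counter mode, keyed with the volume key
    and tweaked by the sector number, so identical plaintext in two sectors does not
    give identical ciphertext. A toy stand-in for the real cipher, not Bitlocker's."""
    out = b""
    counter = 0
    while len(out) < SECTOR:
        msg = sector_no.to_bytes(8, "big") + counter.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    return out[:SECTOR]

def _xor_sector(vol_out, vol_in, n, key):
    """Transform sector n of vol_in into vol_out with that sector's keystream."""
    start, end = n * SECTOR, (n + 1) * SECTOR
    ks = sector_keystream(key, n)
    vol_out.raw[start:end] = bytes(a ^ b for a, b in zip(vol_in.raw[start:end], ks))

def encrypt_volume(vol, key):
    """Whole-volume, sector-by-sector encryption: every sector is covered whether it
    belongs to a user file, the paging file, the hibernation file or no file at all."""
    enc = Volume(len(vol.raw) // SECTOR)
    for n in range(len(vol.raw) // SECTOR):
        _xor_sector(enc, vol, n, key)
    return enc

decrypt_volume = encrypt_volume  # XOR with the same keystream reverses it

def efs_style(vol, key, protected_sectors):
    """File-level model: only the sectors of files the user marked for encryption
    are transformed; system, paging and hibernation data stay in the clear."""
    enc = Volume(len(vol.raw) // SECTOR)
    enc.raw[:] = vol.raw
    for n in protected_sectors:
        _xor_sector(enc, vol, n, key)
    return enc

def live_cd_scan(vol, needle):
    """What someone booting from other media sees: raw sectors, no ACLs."""
    return bytes(vol.raw).find(needle) != -1

def demo():
    """Constructed layout: a marked user file in sector 0, the same content paged out
    to sector 3, hibernation data in sector 5. Returns the four observations."""
    key = os.urandom(32)
    disk = Volume(8)
    disk.write(0, b"SECRET-DOCUMENT: quarterly figures")   # user file, marked for EFS
    disk.write(3, b"SECRET-DOCUMENT: quarterly figures")   # same data in pagefile.sys
    disk.write(5, b"hiberfil.sys: memory image with open documents")
    efs = efs_style(disk, key, protected_sectors={0})
    fve = encrypt_volume(disk, key)
    return {
        "efs_leaks_pagefile": live_cd_scan(efs, b"quarterly figures"),
        "fve_leaks": live_cd_scan(fve, b"quarterly figures") or live_cd_scan(fve, b"hiberfil"),
        "identical_sectors_differ": fve.raw[0:SECTOR] != fve.raw[3 * SECTOR:4 * SECTOR],
        "roundtrip": decrypt_volume(fve, key).raw == disk.raw,
    }
```

Running demo() shows the point of the article's first section: the EFS-style volume still yields the document text from the paged-out copy, while the whole-volume ciphertext yields nothing, and the two sectors holding identical plaintext encrypt to different bytes because the keystream is tied to the sector number. Note that only the sectors inside the volume object are transformed; a second, data-only partition would be a separate Volume and would not be touched, which is the caveat the article raises next.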

Windows Vista Enterprise and Ultimate editions install Bitlocker automatically, but they require the hard disk to be partitioned accordingly, and the feature still has to be activated manually. Other editions of Vista do not support Bitlocker at all.

If you want to use the drive encryption under Longhorn Server, you have to first add the Bitlocker files from the DVD, check the Bios and TPM for compatibility, and add the Trusted Platform Module (TPM) drivers.

In order to use all of Bitlocker’s security functions, your PC must have the following components available: a TPM 1.2 chip; a Trusted Computing Group (TCG) 1.2-compliant Bios; a Bios which supports USB in the pre-boot phase; a Windows boot partition; an unencrypted system partition larger than 50MB holding the hardware-specific boot data which the Bios needs after power-on in order to load Windows; and a USB stick to store the Recovery Key on.

Depending on your PC’s configuration and your security requirements, Bitlocker provides five start options:

1 PC without a TPM chip: Even if you don’t have a TPM chip in your PC, you can still use Bitlocker. To do this, the Startup Key required to decrypt the data is stored on a USB stick. The stick must be attached to the PC in order for Bitlocker to allow it to boot.

2 PC with a TPM chip: Data decryption is bound to a checksum for recognised system components, which is stored in the TPM chip. As in the first option, the PC can only be accessed once the data has been decrypted.

3 TPM and Pin: As an additional authentication measure, every time you start the system, you have to enter a Pin between four and 20 digits in length.

4 TPM and Startup Key: Instead of entering a Pin you connect a USB stick from which the required Startup Key is read. Without it, Bitlocker won’t boot the system.

5 Recovery Key: In order to access the data after a checksum error has occurred – for example, after an attack by a hacker or if the hard disk has been installed in another PC – Bitlocker will also decrypt using the Recovery Key. You can type it in as a Recovery Pin using the function keys, or it can be read from a network drive or USB stick.

After selecting the security options that you want when activating Bitlocker, a reboot is required before the Vista partition is encrypted. During this process Bitlocker also records the fingerprint of the boot components that run before it. These checksum hash values are meant to ensure that the system has not been tampered with.

Bitlocker will only commence the decryption routine and allow the boot process to start if the fingerprint stored in the TPM at activation time is unaltered. This is meant to protect PCs better from boot sector viruses and rootkit attacks.

So, if an attacker alters the boot sector, or if you mount the encrypted hard disk in another PC or swap the motherboard, the hash value will change and Bitlocker will block access to data.

Bitlocker will only instruct the TPM to decrypt the remaining data if the integrity of the monitored boot components has been verified. After that, the responsibility for system protection is handed to the OS.

The following items are included in the integrity check: the Bios, Master Boot Record, Boot Manager, NTFS Boot Sector, NTFS Boot Block and the Core Root of Trust of Measurement (CRTM).
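To tie the five start options and the integrity check together, here is an added Python model that is neither Microsoft's code nor the article's: a simulated TPM extends a fingerprint over the boot components listed above, seals the volume master key to that fingerprint, and releases the key only when both the fingerprint and the chip match; the five protectors from the list of start options each wrap that key in their own way. The XOR-with-hash wrapping, the PBKDF2 Pin stretching, the HMAC tag on sealed blobs and the 48-digit recovery value are choices made for this model, and the boot images are constructed strings.

```python
import hashlib
import hmac
import secrets

# Components the article lists as covered by the integrity check, in power-on order.
BOOT_COMPONENTS = ("CRTM", "Bios", "Master Boot Record", "Boot Manager",
                   "NTFS Boot Sector", "NTFS Boot Block")

def measure_boot(images):
    """Simulated Platform Configuration Register: each component's hash is extended
    into the running value, so any change to any component changes the fingerprint."""
    pcr = bytes(32)
    for name in BOOT_COMPONENTS:
        pcr = hashlib.sha256(pcr + hashlib.sha256(images[name]).digest()).digest()
    return pcr

def _wrap(key, secret):
    """Toy key wrap: XOR a 32-byte key with SHA-256(secret). Stands in for the real
    symmetric wrapping; XOR is its own inverse, so _wrap also unwraps."""
    return bytes(a ^ b for a, b in zip(key, hashlib.sha256(secret).digest()))

class TPM:
    """Minimal sealed-storage model: the root secret never leaves the chip, and a
    sealed key is released only while the measured fingerprint matches the sealed one."""
    def __init__(self):
        self._root = secrets.token_bytes(32)

    def seal(self, key, fingerprint):
        wrapped = _wrap(key, self._root + fingerprint)
        tag = hmac.new(self._root, fingerprint + wrapped, hashlib.sha256).digest()
        return fingerprint, wrapped, tag

    def unseal(self, blob, current_fingerprint):
        sealed_fp, wrapped, tag = blob
        expected = hmac.new(self._root, sealed_fp + wrapped, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise PermissionError("sealed by a different TPM (disk moved to another PC)")
        if not hmac.compare_digest(sealed_fp, current_fingerprint):
            raise PermissionError("boot components changed; TPM refuses to unseal")
        return _wrap(wrapped, self._root + sealed_fp)

def pin_to_secret(pin):
    """Stretch the 4-to-20-digit Pin so the sealed blob alone cannot be cheaply brute-forced."""
    if not (pin.isdigit() and 4 <= len(pin) <= 20):
        raise ValueError("Pin must be 4 to 20 digits")
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), b"bitlocker-pin-model", 100_000)

def enable_bitlocker(tpm, images, mode, pin=None):
    """Create the volume master key (VMK) and wrap it once per protector: the chosen
    start option plus a Recovery Key. Returns (vmk, protectors, startup_key, recovery_pin)."""
    vmk = secrets.token_bytes(32)
    fp = measure_boot(images)
    protectors, startup_key = {}, None
    if mode == "usb":            # option 1: no TPM, Startup Key on a USB stick
        startup_key = secrets.token_bytes(32)
        protectors["usb"] = _wrap(vmk, startup_key)
    elif mode == "tpm":          # option 2: TPM alone
        protectors["tpm"] = tpm.seal(vmk, fp)
    elif mode == "tpm+pin":      # option 3: TPM and Pin
        protectors["tpm+pin"] = tpm.seal(_wrap(vmk, pin_to_secret(pin)), fp)
    elif mode == "tpm+usb":      # option 4: TPM and Startup Key
        startup_key = secrets.token_bytes(32)
        protectors["tpm+usb"] = tpm.seal(_wrap(vmk, startup_key), fp)
    else:
        raise ValueError(f"unknown mode {mode!r}")
    # option 5: Recovery Key, independent of the TPM, so a checksum error is not data loss
    recovery_pin = "".join(secrets.choice("0123456789") for _ in range(48))
    protectors["recovery"] = _wrap(vmk, recovery_pin.encode())
    return vmk, protectors, startup_key, recovery_pin

def unlock(tpm, images, protectors, pin=None, startup_key=None, recovery_pin=None):
    """Pre-boot unlock: returns the VMK or raises PermissionError. The TPM paths fail
    closed whenever the measured fingerprint differs from the one sealed at activation."""
    fp = measure_boot(images)
    if recovery_pin is not None:
        return _wrap(protectors["recovery"], recovery_pin.encode())
    if "usb" in protectors:
        return _wrap(protectors["usb"], startup_key)
    if "tpm" in protectors:
        return tpm.unseal(protectors["tpm"], fp)
    if "tpm+pin" in protectors:
        return _wrap(tpm.unseal(protectors["tpm+pin"], fp), pin_to_secret(pin))
    return _wrap(tpm.unseal(protectors["tpm+usb"], fp), startup_key)

def demo():
    """Constructed boot images: normal boot unlocks, an altered MBR is blocked, the
    Recovery Key still works. Returns (normal_ok, tampered_blocked, recovery_ok)."""
    images = {name: f"constructed image of {name}".encode() for name in BOOT_COMPONENTS}
    tpm = TPM()
    vmk, prot, _, recovery_pin = enable_bitlocker(tpm, images, "tpm+pin", pin="123456")
    normal = unlock(tpm, images, prot, pin="123456") == vmk
    tampered = {**images, "Master Boot Record": b"altered boot sector"}
    try:
        unlock(tpm, tampered, prot, pin="123456")
        blocked = False
    except PermissionError:
        blocked = True
    recovered = unlock(tpm, tampered, prot, recovery_pin=recovery_pin) == vmk
    return normal, blocked, recovered
```

Two properties of the model are worth noticing. The "usb" mode never touches the TPM argument, which is exactly option 1's trade-off: the Startup Key opens the volume, but nothing checks whether the boot components have changed. And a wrong Pin or Startup Key returns the wrong bytes rather than raising; a real implementation verifies the recovered key before trusting it, so in this model that check would belong in the caller.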

See the PDF download "User and kernel mode" for a diagram of the Bitlocker architecture.

