Ok, I’ve been trying to keep my cool on this whole thing but enough is enough. A few days ago Ars Technica ran a hype-story called “First commercial tool to crack BitLocker arrives” (no, I’m not going to link to it because they don’t deserve the traffic IMHO). The claim is that Passware has created a commercial tool that cracks BitLocker encryption. This is misleading garbage. Sorry, there is no other way to put it (well, there is, but I edited that one out). First, the encryption hasn’t been cracked; second, it still requires access to a live machine (and a machine that is asleep is still live).
What Passware actually does is take an image of the RAM (or the swap file) and hunt for the decryption key in it. This is nothing new, and it is nothing that can’t be done against any full volume encryption system, PGP and TrueCrypt included. It’s the same idea as the frozen-RAM (cold boot) trick and every Direct Memory Access (FireWire) trick: get a copy of physical memory from a machine that is in a ‘non-off’ state, then trawl through it for the key. Whether that copy comes from a memory-dump tool run with administrative access, from a DMA port, or from a chilled DIMM pulled out of a running box, the precondition is the same: the machine has to be on or asleep with the volume mounted. (Hibernate, unlike sleep, writes RAM to the encrypted volume and powers the box off, so for this purpose hibernate counts as off.) If your machine is turned off, none of these so-called encryption cracking techniques work, NONE of them.
ALL full volume encryption systems must have the decryption key available in memory while the volume is mounted; that is what “mounted” means. And no, you cannot protect it completely like some people claim PGP does. PGP is just as susceptible, if not more so, to this kind of thing as commercial tools like McAfee Endpoint Encryption (formerly SafeBoot) and BitLocker.
Now pay attention: neither BitLocker nor any other drive encryption system is designed to protect data on a drive when the machine is booted and someone with administrator privileges, or with physical access to the running hardware, has the machine. People keep conveniently glossing over this fact. That includes the ‘locked but sleeping’ laptop: the lock screen keeps fingers off the keyboard, it does not keep the key out of RAM. BitLocker is designed to prevent off-line attacks such as the ‘stolen/lost laptop’ scenario, where the drive is pulled and read on another machine or the box is booted from other media. If you log in to your computer and then hand it to someone, nothing in the world will protect your data.
All of this sensationalist drivel would like you to believe that if you can get at data protected by a disk encryption system from a logged-in machine, as an administrator, then there is some huge security vulnerability. There isn’t. If you have that kind of access to the machine, why not just turn off the encryption and save yourself the trouble?
If the key is not in memory when a decryption operation is required, the decryption does not happen. Simple as that. Finding that key in a snapshot of the computer’s memory is not rocket science, nor is it cracking anything; it is using the key to decrypt the drive. Cracking would be breaking the encryption without the key, which is still not possible in any reasonable amount of time on modern computers.
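To show what “hunting for the key in memory” actually looks like, here is an added example. It is my code, not Passware’s tool and not anything from the Ars article. It scans a memory image for an AES-128 key schedule, the expanded form of the key that any AES implementation keeps in RAM while a volume is mounted; this is the same trick the cold boot researchers’ aeskeyfind used. Each round key is derived from the previous one by a fixed rule, so nothing is guessed: at every offset you check whether the next 160 bytes are exactly what expanding the 16 bytes in front of them would produce. The “memory image” is constructed (random filler with a schedule dropped in at an arbitrary offset), the key is the FIPS-197 test vector, and the image size and offset are assumptions.

```python
"""Scan a memory image for AES-128 keys by recognising the expanded key schedule.

Added example, not code from the post or from Passware. The 'RAM image' is
constructed: random filler with a known AES-128 key schedule embedded in it.
"""
import random

# --- AES primitives (FIPS-197) ------------------------------------------------

def _build_sbox():
    """Generate the AES S-box (GF(2^8) inverse + affine map) instead of pasting a table."""
    sbox = [0] * 256
    p = q = 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF   # p *= 3 in GF(2^8)
        q ^= q << 1                                               # q /= 3 in GF(2^8)
        q ^= q << 2
        q ^= q << 4
        q &= 0xFF
        if q & 0x80:
            q ^= 0x09
        x = q                                                     # affine transform
        for n in (1, 2, 3, 4):
            x ^= ((q << n) | (q >> (8 - n))) & 0xFF
        sbox[p] = x ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox

SBOX = _build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]
SCHEDULE_LEN = 176          # 11 round keys x 16 bytes for AES-128

def next_round_key(rk: bytes, rcon: int) -> bytes:
    """Derive AES-128 round key r+1 from round key r (FIPS-197 key expansion)."""
    w = [rk[i:i + 4] for i in range(0, 16, 4)]
    t = w[3][1:] + w[3][:1]                        # RotWord
    t = bytes(SBOX[b] for b in t)                  # SubWord
    t = bytes([t[0] ^ rcon]) + t[1:]               # add round constant
    out, prev = [], t
    for word in w:                                 # w[i] = w[i-4] ^ w[i-1]
        prev = bytes(a ^ b for a, b in zip(word, prev))
        out.append(prev)
    return b"".join(out)

def expand_key(key: bytes) -> bytes:
    """Full 176-byte AES-128 key schedule: round keys 0..10 back to back."""
    assert len(key) == 16
    sched = [key]
    for rcon in RCON:
        sched.append(next_round_key(sched[-1], rcon))
    return b"".join(sched)

# --- The scan -----------------------------------------------------------------

def find_aes128_keys(image: bytes):
    """Return [(offset, key)] for every AES-128 key schedule present in image.

    At each offset treat 16 bytes as round key 0 and verify that the following
    160 bytes are what expansion would produce. Random data fails on the first
    round, so the scan costs one round of key expansion per offset; a real
    schedule passes all ten rounds. No ciphertext is touched and nothing is
    brute forced: the structure is recognised, not broken.
    """
    hits = []
    for off in range(0, len(image) - SCHEDULE_LEN + 1):
        rk, pos = image[off:off + 16], off + 16
        for rcon in RCON:
            nxt = next_round_key(rk, rcon)
            if image[pos:pos + 16] != nxt:
                break
            rk, pos = nxt, pos + 16
        else:
            hits.append((off, image[off:off + 16]))
    return hits

# --- Constructed sample input ---------------------------------------------------

TEST_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # FIPS-197 Appendix A key

def build_sample_image(seed: int = 7, size: int = 32 * 1024, key_offset: int = 0x4F10) -> bytes:
    """Stand-in for a RAM dump: random filler with a key schedule at key_offset (assumed values)."""
    rng = random.Random(seed)
    buf = bytearray(rng.getrandbits(8) for _ in range(size))
    buf[key_offset:key_offset + SCHEDULE_LEN] = expand_key(TEST_KEY)
    return bytes(buf)

if __name__ == "__main__":
    for off, key in find_aes128_keys(build_sample_image()):
        print(f"AES-128 key schedule at offset 0x{off:x}: key {key.hex()}")
```

Run it and it reports the one offset and the key. Notice what it does not do: it never touches the cipher or the drive, it only spots a structure that has to be in memory for decryption to work at all, which is the whole point of this post. Real dumps are gigabytes and real tools also handle AES-256 (15 round keys, slightly different expansion) and the operating system’s own key structures, but the per-offset cost is still one round of key expansion, not a search of the key space.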
Now, if someone can do this on a BitLockered machine that is turned off (not asleep, but cold off) and configured for TPM+PIN+USB key (the recommended secure configuration), then I’ll be impressed. Oh, one other thing: you have to be able to get to the data in my lifetime; brute forcing the encryption after about 40 billion years doesn’t count.
If I locked a door, then hid the key under the mat and told you where the key was, is the door or the lock cracked because you were able to unlock it and open the door? No, of course not. Saying BitLocker is cracked because someone had access to the key is garbage. It’s like saying Notepad is broken because it saves files in plain text. Then again, now that I’ve said that, some of these sensationalists are probably going to start writing headlines like “Notepad File Format Cracked!”
Ok, all of you wanna-be journalists out there (you know who you are), start doing a bit of homework before you drivel onto your keyboard. Try being responsible, just a tiny little bit, instead of wondering how many hits you can get on your page by spouting sensationalist garbage.
Funny, but after being taken to task on their sensationalist crap, the ‘writer’ (doesn’t deserve to be called a journalist) updated the post to say “this isn’t exactly a ‘crack’ for BitLocker” and “If a forensics analyst or thief has physical access to a running system, it is possible to take advantage of the fact that the contents are in the computer’s memory. Other drive encryption programs have similar issues.”
Gee, you probably should have thought that out before you published the drivel.
There are a lot of journalists out there I respect, and no, they are not all pro-Microsoft. But they do their homework and they write thoughtful, insightful, and factual articles. Be a journalist, not a sensationalist.