Disk encryption: Balancing security, usability and risk assessment

Hi: Russ Humphries here.  There’s been a lot of attention this week paid to memory attacks against disk encryption technologies and I wanted to provide some commentary and thoughts. The focus of these conversations is centering on investigating the contents of a computer’s memory – if it’s running or shortly after it has been recently powered down; where ‘recently’ could be seconds to perhaps minutes. The concept that memory retains a ‘ghost image’ of what was last stored on it has been well documented and is an industry-wide issue.

However, the current debate has an interesting angle to it – specifically a method has been detailed in which an application might be able to reconstruct an encryption key, which might have been used for almost any security purpose, from these ghost images.

Since disk encryption is a topic that gains headlines perhaps it was inevitable that the practical demonstration of this key-reconstruction would be to investigate a computer’s memory to ‘break disk encryption products’ and potentially access data stored on the hard drive.

The thing to keep in mind here is the old adage of balancing security, usability and risk.  For example BitLocker provides several options that allow for a user (or more likely Administrator) to increase their security protections but at the cost of somewhat lowering ease-of-use.  BitLocker supports options that will not allow a machine to boot – or resume from hibernate – until the user can:

·         Enter a PIN

·         Insert a USB stick that contains a secret Key

·         … and as of Windows Vista SP1 both enter a PIN and insert the USB stick!

We provide best practice guidance in the Data Encryption Toolkit (http://www.microsoft.com/technet/security/guidance/clientsecurity/dataencryption/analysis/4e6ce820-fcac-495a-9f23-73d65d846638.mspx ) that describes the various manners in which the above choices can be made and also provides advice to help improve security, such as disabling ‘sleep mode’ – forcing a user to hibernate and thus allowing memory to lose the ghost images discussed. These power management settings can all be configured centrally using Group Policy Objects.

Now with the above context in mind, I’d like to take a step back and, from a BitLocker perspective, detail some of the assumptions that have to be made for this attack to be successful:

·         Physical access to the machine

·         The user’s laptop would likely have to be in sleep mode, rather than hibernate mode or powered off

·         The user would have chosen not to implement multi-factor pre-boot authentication

·         The person who finds/steals the laptop must be knowledgeable and interested enough to execute this attack on the laptop they just stole

I would posit that the opportunistic laptop thief is somewhat unlikely to carry a separate laptop on which they will have installed tools that allow them to reconstruct cryptographic keys – or for that matter have a can of compressed air handy. 

Targeted theft is, of course, an entirely different threat model!

Let me also point out that BitLocker allows an administrator to, quite easily, change the protection method for a laptop, even remotely [but assuming some form of connectivity], by having a script execute.  Thanks to BitLocker’s design, which implements key abstraction, a script can be executed that adds pre-boot protection mechanisms without requiring the re-encryption of the hard disk. This script can therefore execute very quickly.

Let me close by clearly stating that quality security research helps our customers and the industry in general raise the security bar, and I applaud it; but let’s also keep in mind that technologies like BitLocker provide a very valuable service to users and helps them protect data on their PCs. BitLocker’s range of deployment options, ranging from single-factor authentication with sleep mode to TPM+PIN+USB with hibernation only, allow customers to find the right balance of security and convenience for their data; the documentation of one attack method, that can be mitigated through these policy choices, does not equate to a class of data protection products being rendered ‘useless’ as has been reported in some circles.


Comments (17)

  1. Thanks Russ, just one question that would help put into context the assertions in this article: what set of configuration choices do you use on your corporate laptop(s)?

  2. @Mike: We are using multi-factor authentication. My laptop is configured to use TPM+PIN and is restricted to boot from the harddisk only.


  3. Doug says:

    We just had two laptops stolen.  Both were powered on and would be prime candidates for ‘memory’ based attacks.  So this is not as improbable as you make it sound.

    Bottom line is this, my impression thus far has been that hardware based disk encryption was basically fool-proof, except for a brute force attack.  Now, it appears that we need some type of motherboard device that will overwrite memory on power down, sleep, or hibernate.   Or, we need to store keys somewhere beside memory.

  4. Michael Swift says:

    I certainly understand the advisability of multi-factor identification and a preboot password.

    However, in a coorporate environment where the fleet of machines must be patched as soon as effectively possible, and that the patches may require mutliple reboots, the additional security of preboot password has a significant impact on productivity.

    It would be of more use if the memory could be cleared as part of the hibernate process – we’re looking at a wake-on-lan implementation that should reduce this risk.

    Laptops that are targetted thefts while travelling would seem to be the biggest risk

  5. Hi. My name is Douglas MacIver and I specialize in security assurance at Microsoft as a member of the

  6. Tim R says:

    While Bitlocker appears to be a fine solution and I use it with the USB required from hibernate, Russ’s comments are from a sales prospective and do not address or mitigate the risk.  I agree that this memory freeze finding is of little consequence for most but the risk and probablity of attack is not the same for all.  E.g. computer systems used by military members on the battlefield or where systems are running, can be attained and where talent and money is present, this finding must be addressed.

  7. Garrett G. says:

    I very much agree that the hardware+software attack on BitLocker’s keys via RAM is not "Microsoft’s fault" or due to an intrinsic BitLocker weakness. Hence, Microsoft could justifiably do nothing about the threat. However, are there plans by Microsoft to pressure hardware manufacturers to incorporate security into their RAM chips? Or is some other solution in the works that anyone knows of?

  8. Jasvir C. says:

    We would need a hardware solution, like a VRAM chip on the motherboard (where the keys can be stored) that gets overwritten securely during power loss. Also, if the VRAM chip is tampered with , it should break the system and make it inoperable.

  9. Mark Sowul says:

    Well, now I have to ask about the Firewire thing.  Is this the kind of thing ASLR could help mitigate?  Why not disable unused Firewire ports when locking the PC?  Etc.  

    I know the adage that once you have physical access you’re owned, but really, this doesn’t even require rebooting the machine, much less having to rip the PC apart to clear the CMOS or remove the hard drive.  I pity IT guys that must manage Firewire-capable machines.

    What are your thoughts on this issue?

  10. Google virus caused my Compaq Presario SR1504X to crash repeatedly ;& as I was rebooting a Chinese script of idiograms apprear right to left. It has been 10 days of wrestleling with the google viruis as it continualy rapeates and eats up the progrming ??????!!!!!!?????? Help?                 yours truely DGM 03/25/2008    09:57pM or 2157hrs Dgm1492@yahoo.com / Dgm1496@hotmail.com

  11. Hans says:

    CAn you told me somethink abot the difference bitlocker and a hardisk encryption based on silocn on the harddisk like from seagate.

    What abouut enterprise management and perfromance

  12. James says:

    I think what most people are missing about the Cold Boot attack is that with it an attacker is capable of removing the RAM to another computer to access it. The Cold Boot attack is reliant on only two of the four conditions stated by Mr. Humphries: knowledge and physical access. In the case of a stolen laptop, which is the largest reason for Full Disk Encryption, physical access is a given. The knowledge is now easily attainable with a quick search on Google.

    Given the stolen laptop is still on, the attacker may remove both RAM and HDD and connect them to another laptop. Since the USB and PIN are measures taken on the OS level and are not actually part of the FDE, the attacker doesn’t need them. They have the decryption key and the drive, which is now slaved to their own computer. Microsoft’s BitLocker offers no protection to this.

    The Cold Boot method is all about targeted theft!

    This is the model that Microsoft, nor any other currently available product, can currently protect you from.

  13. Pierce says:

    Awesome post! I am definitely going to try this one, it sounds complicated, and I am sure it will take me a couple days… but it will most likely eventually be worth it!

  14. Kim Pollard says:

    Russell, is that THE Russell Humphries from HT days in Crawley?  Email me on kj@pinewoods.freeserve.co.uk!

    Kim (Trevett then!)

  15. joel says:

    inrersante pero no comprendo nada

  16. Russ says:

    " Since the USB and PIN are measures taken on the OS level and are not actually part of the FDE, the attacker doesn’t need them."

    Actually this is incorrect – the PIN and becomes part of the access key that is required to unlock the volume. Since the TPM must actually return the unlocked access key the TPM’s anti-hammering technologies help augment the security value of short PINs – I normally recommend 6 digit PIN as a compromise between security and ability for a user to remember the key (TCO in other words).

    With respect to the USB key – entropy us again stored o nthe USB key and extracted and integrated into the access key.

    All of the above key combinations occur pre-boot.

  17. Ivan says:


    I have implemented Bitlocker with a TPM+PIN for my organisation following the publication of the Cold Boot Attack.  However the PIN is proving to be very, very unpopular with the user community, as well as making remote management more difficult, so my management has asked me to do everything possible within reason to remove it.

    I’ve come across a document that implies that the TPM specification might have been updated to set a "dirty" bit that causes memory to be overwritten at startup if the OS is not shutdown cleanly (https://www.trustedcomputinggroup.org/specs/PCClient/TCG_PlatformResetAttackMitigationSpecification_1.00_0340308-1.pdf)

    However I cannot find any mention of this feature in the TPM specification, no information that Windows Vista supports it, and lastly, my laptop hardware vendor (Lenovo) has not been able to confirm the existence of this feature at hardware or firmware level either.

    Does this mitigation exist, and if so, how would I know if I have all the requirements in place?