bit-locker drive encryption
TRANSCRIPT
-
7/29/2019 Bit-Locker Drive Encryption
1/11
Bit-Locker Drive Encryption
On Windows 7 & Server 2008
By M. Harry Joseph
(BitLocker icon, image source: http://en.wikipedia.org/wiki/File:BitLocker_icon.png)
-
Bit-Locker Drive Encryption
Developer(s): Microsoft
Operating system: Windows Vista, Windows Server 2008, Windows 7
Type: Disk encryption software
License: Included with Windows Server 2008 and selected editions of Windows Vista and Windows 7
What is BitLocker Drive Encryption?
BitLocker Drive Encryption is a full disk encryption feature included with the Ultimate and Enterprise editions of Microsoft's Windows Vista and Windows 7 desktop operating systems, as well as the Windows Server 2008 and Windows Server 2008 R2 server platforms. It is designed to protect data by providing encryption for entire volumes.
By default it uses the AES encryption algorithm in CBC mode with a 128-bit key, combined with the Elephant diffuser. The diffuser adds disk-encryption-specific protection that AES-CBC alone does not provide: a targeted bit flip in a ciphertext sector scrambles the whole sector instead of producing a controlled change in the plaintext. AES-256, and the variants without the diffuser, can be selected through Group Policy.
-
BitLocker
is available only in the Enterprise and Ultimate editions of Windows Vista and Windows 7.
Users of other editions of Windows that don't include BitLocker could use a third-party encryption program to satisfy the need for full drive encryption.
In the RTM release of Windows Vista, only the operating system volume could be encrypted using the GUI; encrypting other volumes required the WMI-based script (manage-bde.wsf) included with Windows Vista in the %Windir%\System32 folder.
With Windows Vista Service Pack 1 and Windows Server 2008, volumes other than the operating system volume can be BitLocker-protected using the graphical Control Panel applet as well.
The latest version of BitLocker, included in Windows 7 and Windows Server 2008 R2, adds the ability to encrypt removable drives (BitLocker To Go) and replaces the script with the manage-bde.exe command-line tool.
-
(Photo of a TPM chip on a motherboard, image source: http://upload.wikimedia.org/wikipedia/commons/6/64/TPM_Asus.jpg)
-
Internal components of a Trusted Platform Module
(Diagram, image source: http://upload.wikimedia.org/wikipedia/commons/0/0b/TPM_english.svg)
-
Three authentication mechanisms:
Transparent operation mode: This mode uses the capabilities of Trusted Platform Module (TPM) 1.2 hardware to provide a transparent user experience: the user powers up and logs on to Windows as normal.
The key used for the disk encryption is sealed (encrypted) by the TPM chip and will only be released to the OS loader code if the early boot files appear to be unmodified.
The pre-OS components of BitLocker achieve this by implementing a Static Root of Trust for Measurement (SRTM) methodology specified by the Trusted Computing Group: each boot component (BIOS, MBR, boot sector, boot manager) is measured into the TPM's Platform Configuration Registers, and the TPM unseals the key only if those register values match the ones recorded when BitLocker was enabled.
This mode is vulnerable to a cold boot attack: because no user secret is required, an attacker who powers on a stolen machine gets the key unsealed into RAM automatically and can then recover it from memory, for example by rebooting into a memory-dumping tool before the RAM contents fade.
-
User authentication mode: This mode requires that the user provide some authentication to the pre-boot environment in the form of a pre-boot PIN; the TPM will not unseal the key without it. This mode is vulnerable to a bootkit attack: boot code that impersonates the PIN prompt can capture the PIN, even though the TPM refuses to unseal the key while the modified boot code is in place.
USB Key Mode: The user must insert a USB device that contains a startup key into the computer to be able to boot the protected OS. Note that this mode requires that the BIOS on the protected machine supports reading USB devices in the pre-OS environment. This mode is also vulnerable to a bootkit attack.
Recovery password: A 48-digit numerical key protector for recovery purposes.
Recovery key: An external key (a .BEK file, typically kept on a USB drive) for recovery purposes.
Certificate: Adds a certificate-based public key protector for recovery purposes.
Password: Adds a password (passphrase) key protector for a data volume (Windows 7 and later).
The following permutations of the above authentication mechanisms are supported, all with an optional escrow (also known as a fair cryptosystem) recovery key:
TPM only
TPM + PIN
TPM + PIN + USB Key
TPM + USB Key
USB Key
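As an added example (not from the original slides), here is how the permutations above map onto manage-bde.exe, the BitLocker command-line tool that ships with Windows 7 and Windows Server 2008 R2, run from an elevated PowerShell prompt. The drive letters, the removable-drive path and the escrow share are assumptions made for this example.

```powershell
# Added example, not part of the original slides. Requires an elevated prompt on
# Windows 7 / Server 2008 R2. $OsVolume, $DataVolume, $UsbKeyPath and $EscrowDir
# are assumptions for this example; adjust them to the machine.
$OsVolume   = "C:"
$DataVolume = "D:"
$UsbKeyPath = "F:\"                                              # removable drive that will hold the startup key
$EscrowDir  = "\\fileserver\bitlocker-escrow\$env:COMPUTERNAME"  # hypothetical escrow share

# 0. Every TPM permutation needs a TPM that is enabled, activated and owned.
#    Win32_Tpm reports this; "manage-bde -tpm -TurnOn" and "-TakeOwnership" fix
#    the two usual problems. Without a TPM only the USB-key-only permutation remains.
$tpm = Get-WmiObject -Namespace "root\CIMV2\Security\MicrosoftTpm" -Class Win32_Tpm
if (-not $tpm) { throw "No TPM found: only the USB key permutation is possible." }
"TPM enabled={0} activated={1} owned={2}" -f $tpm.IsEnabled().IsEnabled,
    $tpm.IsActivated().IsActivated, $tpm.IsOwned().IsOwned

# 1. Escrow before you lock: add the recovery protectors first so the volume always
#    has a recovery path. -RecoveryPassword generates the 48-digit numerical password
#    (printed to the console; record it); -RecoveryKey writes a .BEK external key file.
New-Item -ItemType Directory -Path $EscrowDir -Force | Out-Null
manage-bde -protectors -add $OsVolume -RecoveryPassword
manage-bde -protectors -add $OsVolume -RecoveryKey $EscrowDir

# 2. Pick exactly one pre-boot permutation for the OS volume (alternatives shown
#    commented out). -TPMAndPIN prompts for the PIN interactively. On Windows 7 the
#    PIN variants are refused unless the policy "Require additional authentication at
#    startup" (Computer Configuration > Administrative Templates > Windows Components >
#    BitLocker Drive Encryption > Operating System Drives) allows a PIN.
manage-bde -protectors -add $OsVolume -TPMAndPIN
# manage-bde -protectors -add $OsVolume -TPM                                # TPM only: transparent, cold-boot exposure
# manage-bde -protectors -add $OsVolume -TPMAndStartupKey $UsbKeyPath       # TPM + USB key
# manage-bde -protectors -add $OsVolume -TPMAndPINAndStartupKey $UsbKeyPath # TPM + PIN + USB key
# manage-bde -protectors -add $OsVolume -StartupKey $UsbKeyPath             # USB key only (no TPM; BIOS must read USB pre-boot)

# 3. Optional: back the recovery password up to Active Directory (domain-joined
#    machine with the "Store BitLocker recovery information in AD DS" policy enabled).
#    Look the protector GUID up through WMI instead of scraping manage-bde's text.
$vol = Get-WmiObject -Namespace "root\CIMV2\Security\MicrosoftVolumeEncryption" `
          -Class Win32_EncryptableVolume -Filter "DriveLetter='$OsVolume'"
foreach ($id in $vol.GetKeyProtectors(3).VolumeKeyProtectorID) {   # 3 = numerical (recovery) password
    manage-bde -protectors -adbackup $OsVolume -id $id
}

# 4. Turn encryption on. The TPM seals the key at the next boot; encryption of the
#    existing data then runs in the background and survives reboots.
manage-bde -on $OsVolume
manage-bde -status $OsVolume

# 5. Data volumes (Windows 7 and later) take a password protector and can be
#    auto-unlocked by the protected OS volume, so the user types one PIN, not two.
manage-bde -protectors -add $DataVolume -RecoveryPassword
manage-bde -protectors -add $DataVolume -Password
manage-bde -on $DataVolume
manage-bde -autounlock -enable $DataVolume
```

The ordering matters more than the individual flags: recovery protectors go in before the volume is turned on, and the AD backup is done while you still hold the protector ID, because once the TPM refuses to unseal after a firmware update or motherboard swap, the recovery password or .BEK file is the only way back into the volume.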
-
Operation
BitLocker Drive Encryption is a logical volume encryption system.
A volume may or may not be an entire drive, and can span one or more physical drives. Internally each volume's data is encrypted with a full volume encryption key (FVEK); the FVEK is itself encrypted with a volume master key (VMK), and each key protector described above (TPM, TPM + PIN, startup key, recovery password, recovery key, certificate, password) is a separate encrypted copy of the VMK. This is why protectors can be added or removed without re-encrypting the volume.
Also, when enabled, TPM/BitLocker can ensure the integrity of the trusted boot path (e.g. BIOS, boot sector, etc.), in order to prevent most offline physical attacks, boot sector malware, etc.
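As an added example (not from the original slides), the following audit script reads every BitLocker volume through the Win32_EncryptableVolume WMI class that has shipped since Windows Vista, lists the key protectors that wrap each volume's VMK, reports the cipher in use (the AES-128 plus diffuser default mentioned earlier), and warns about the two operational weaknesses the slides describe: TPM-only (transparent) mode, which is exposed to cold boot attacks, and a protected volume with no recovery protector. It runs in Windows PowerShell 2.0 from an elevated prompt; the numeric codes are the documented values for this WMI class.

```powershell
# Added example, not part of the original slides: audit of BitLocker volumes via
# the Win32_EncryptableVolume WMI class (namespace root\CIMV2\Security\
# MicrosoftVolumeEncryption, present since Vista). Elevated Windows PowerShell 2.0.

# KeyProtectorType values as documented for Win32_EncryptableVolume.
$ProtectorNames = @{
    0 = "Unknown"
    1 = "TPM"
    2 = "ExternalKey (startup key or recovery key)"
    3 = "NumericalPassword (recovery password)"
    4 = "TPM+PIN"
    5 = "TPM+StartupKey"
    6 = "TPM+PIN+StartupKey"
    7 = "PublicKey (certificate)"
    8 = "Passphrase (data-volume password)"
}
# EncryptionMethod values; 1 is the Vista/7 default (AES-128 CBC with the Elephant diffuser).
$CipherNames     = @{ 0 = "None"; 1 = "AES-128+diffuser"; 2 = "AES-256+diffuser"; 3 = "AES-128"; 4 = "AES-256" }
$ProtectionNames = @{ 0 = "Off"; 1 = "On"; 2 = "Unknown" }
$PreBootTypes    = @(1, 4, 5, 6)   # protectors that unlock the volume in the pre-OS environment
$RecoveryTypes   = @(2, 3, 7)      # protectors usable to recover a locked volume

$volumes = Get-WmiObject -Namespace "root\CIMV2\Security\MicrosoftVolumeEncryption" `
                         -Class Win32_EncryptableVolume

foreach ($vol in $volumes) {
    # WMI returns UInt32; cast to [int] so the hashtable lookups below match their keys.
    $protection = [int]$vol.GetProtectionStatus().ProtectionStatus
    $cipher     = [int]$vol.GetEncryptionMethod().EncryptionMethod
    $conversion = $vol.GetConversionStatus()

    # GetKeyProtectors(0) lists every protector ID; resolve each ID to its type.
    $types = @()
    foreach ($id in $vol.GetKeyProtectors(0).VolumeKeyProtectorID) {
        $types += [int]$vol.GetKeyProtectorType($id).KeyProtectorType
    }

    "{0}  protection={1}  cipher={2}  encrypted={3}%" -f $vol.DriveLetter,
        $ProtectionNames[$protection], $CipherNames[$cipher], $conversion.EncryptionPercentage
    foreach ($t in $types) { "    protector: {0}" -f $ProtectorNames[$t] }

    if ($protection -ne 1) { continue }   # nothing is sealed yet, so nothing to judge

    # Transparent mode: a pre-boot protector exists and every one of them is TPM-only,
    # so the VMK reaches RAM at power-on without any user secret (cold-boot exposure).
    $preBoot = @($types | Where-Object { $PreBootTypes -contains $_ })
    if ($preBoot.Count -gt 0 -and -not ($preBoot | Where-Object { $_ -ne 1 })) {
        "    WARNING: TPM-only (transparent) mode; add a PIN or startup key protector."
    }
    # No recovery path: a BIOS update or TPM clear would make this volume unrecoverable.
    if (-not ($types | Where-Object { $RecoveryTypes -contains $_ })) {
        "    WARNING: no recovery password or recovery key protector on this volume."
    }
}
```

Reading the protector list through WMI rather than parsing manage-bde -status output keeps the check stable across language packs, and the same GetKeyProtectors/GetKeyProtectorType calls are what the Control Panel applet itself relies on.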