Microsoft Windows Vista Community Forums - Vistaheads
Bitlocker passphrase only

microsoft.public.windows.vista.security






#1
12-11-2006
lvjobhunt
Bitlocker passphrase only
I am confused about bitlocker. Can I install bitlocker on a computer that
has NO TPM chip and just use a passphrase only with no usb key?

If I have to use a USB key can anyone who has that USB key break my bitlocker?

Can I buy a TPM PCI card?

#2
12-12-2006
niknik
Re: Bitlocker passphrase only

> Can I install bitlocker on a computer that has NO TPM chip and just use
> a passphrase only with no usb key?

That would be using only the recovery password. It is possible from the
infrastructure, but I'm not sure how you'd set this.

> If I have to use a USB key can anyone who has that USB key break my
> bitlocker?

They would not "BREAK" it. They would access it normally, since
possession of the USB-stored key would enable access.

Nik


--
niknik
------------------------------------------------------------------------
niknik's Profile: http://vista64.net/forums/member.php?userid=637
View this thread: http://vista64.net/forums/showthread.php?t=29092


#3
12-12-2006
Jamie Hunter [MS]
Re: Bitlocker passphrase only
This is specifically not allowed, because it is a very weak solution subject
to dictionary and brute-force attacks.
The recovery password is 128 bits of random entropy, with salt and
stretching (giving an effective cryptographic strength of 160 bits if I
recall).
The TPM+PIN solution uses hardware to insert a non-resettable delay to the
extent that a 4-digit PIN would take an entire year to crack. To understand
the power of the hardware, without hardware, a 4-digit purely random PIN
would be cracked in a fraction of a day even with good key stretching
algorithms.

The 128-bit recovery key (which is generated using the cryptographic random
number generator) would take 10^31 years (or thereabouts) to crack on
current processor architectures (due to the salt and stretching algorithm).

See http://en.wikipedia.org/wiki/Password_strength for an analysis on strong
passwords.

-
Jamie Hunter [MS]

#4
12-12-2006
lvjobhunt
Re: Bitlocker passphrase only
So basically if I am like 90% of people and am lazy and leave the USB key in
the computer anyone can just turn it on and access everything?

#5
12-12-2006
niknik
Re: Bitlocker passphrase only

> I am lazy and leave the USB key ... anyone can just turn it on

Yes. This applies to TPM w/o PIN as well.

If you leave the keys in your car anybody who is there can drive it.

That's why you either take the USB key with you or use TPM+PIN.

TPM+PIN is VERY secure. And other avenues of attack are very very
hard.
(brute-forcing 128/256-bit AES...)

It is a smart thing to do to not allow people to put in passwords!


#6
12-12-2006
Jamie Hunter [MS]
Re: Bitlocker passphrase only
If you use USB by itself (no TPM), then yes that is correct. This is why
USB+TPM is much preferred over USB only. However if you don't have a TPM
chip, your options are limited. Changing habits (such as attaching the USB
to your keys) can help improve things.

USB+PIN would be useless, as a PIN would be cracked within hours. This is
why it's not an option.
-
Jamie Hunter [MS]

#7
12-16-2006
niknik
Re: Bitlocker passphrase only

Jamie Hunter [MS] wrote:
> The recovery password is 128 bits of random entropy, with salt and
> stretching (giving an effective cryptographic strength of 160 bits if I
> recall).

Ah yes - the chained SHA-256 hashing. One million iterations. Really
impedes brute-forcing. Neat.
Would make passwords a bit safer to use, like the master keys. But then
starting with 128 bits of random data would likely hold even if SHA-256
would be broken.



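The key-stretching and brute-force arithmetic that posts #3 and #7 above rely on, worked through as an added example. This is not code from the thread or from BitLocker itself: the chained SHA-256 stretch is a simplified stand-in for BitLocker's actual construction, and the attacker hash rate, the one-million-iteration count and the TPM attempt rate are assumed, illustrative figures.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"math"
)

// Stretch models the "chained SHA-256" stretching the thread describes:
// salt and secret are hashed once, then the digest is re-hashed
// `iterations` times. An attacker testing one guess must pay for the
// whole chain, so the iteration count divides their effective guess rate.
// Simplified stand-in for illustration, not BitLocker's exact algorithm.
func Stretch(secret, salt []byte, iterations int) []byte {
	h := sha256.New()
	h.Write(salt)
	h.Write(secret)
	digest := h.Sum(nil)
	for i := 0; i < iterations; i++ {
		next := sha256.Sum256(digest)
		digest = next[:]
	}
	return digest
}

// EntropyBits is log2 of the number of equally likely secrets: a
// uniformly random string of `length` symbols drawn from an alphabet of
// alphabetSize symbols (10 symbols, 4 long, for a numeric PIN).
func EntropyBits(alphabetSize, length int) float64 {
	return float64(length) * math.Log2(float64(alphabetSize))
}

// ExpectedGuesses is the average number of guesses needed to hit a
// random secret of the given entropy: half of the search space.
func ExpectedGuesses(entropyBits float64) float64 {
	return math.Pow(2, entropyBits-1)
}

// SecondsToCrack turns a guess budget into wall-clock time at a given
// guess rate. Software stretching lowers the rate by the iteration
// count; a TPM's anti-hammering delay caps the rate in hardware,
// independent of how fast the attacker's CPU is.
func SecondsToCrack(expectedGuesses, guessesPerSecond float64) float64 {
	return expectedGuesses / guessesPerSecond
}

const secondsPerYear = 365.25 * 24 * 3600

func main() {
	// Assumed, illustrative figures: 1e7 SHA-256 computations per second
	// on the attacker's machine, the one-million-iteration stretch quoted
	// in the thread, and a TPM lockout that averages out to one PIN
	// attempt every two hours once its delay escalates.
	const hashesPerSecond = 1e7
	const stretchIterations = 1e6
	softwareRate := hashesPerSecond / stretchIterations
	tpmRate := 1.0 / 7200

	pinBits := EntropyBits(10, 4) // about 13.3 bits
	keyBits := 128.0

	fmt.Printf("4-digit PIN, stretching only:   %.0f seconds\n",
		SecondsToCrack(ExpectedGuesses(pinBits), softwareRate))
	fmt.Printf("4-digit PIN behind TPM delay:   %.2f years\n",
		SecondsToCrack(ExpectedGuesses(pinBits), tpmRate)/secondsPerYear)
	fmt.Printf("128-bit recovery key, software: %.2e years\n",
		SecondsToCrack(ExpectedGuesses(keyBits), softwareRate)/secondsPerYear)

	// The stretch itself: identical inputs give the same key, a different
	// salt gives an unrelated one, so a table cannot be precomputed once
	// and reused against every volume.
	salt := []byte("constructed-salt")
	same := Stretch([]byte("1234"), salt, 1000)
	other := Stretch([]byte("1234"), []byte("other-salt"), 1000)
	fmt.Printf("%x\n%x\n", same[:8], other[:8])
}
```

The point the numbers make is the one the thread makes: stretching only scales the attacker's cost by a constant, which is enough for 128 bits of real entropy but hopeless for the roughly 13 bits in a 4-digit PIN; only a rate limit the attacker cannot remove (the TPM's hardware delay) turns a PIN into a year-scale problem.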
#8
12-21-2006
Tech_vs_Life
Re: Bitlocker passphrase only
But if the hard drive is moved from the computer with the TPM, to one
without the TPM, what does the security come down to? A system generated
recovery key? With the TPM out of the way, can the user theoretically then
interpose fraudulent or hacked boot code to allow automated entry of a
password generator, or even bypass the recovery key prompt?
Or does moving the drive in this scenario mean that the system will not
decrypt (at least, will not accept any password or recovery key)?

Finally, there appears to be an option to prevent the creation of a recovery
key. Would that be more secure in this scenario?

Thanks for clearing this up.


#9
12-26-2006
niknik
Re: Bitlocker passphrase only

Tech_vs_Life wrote:
> But if the hard drive is moved from the computer with the TPM, to one
> without the TPM, what does the security come down to? A system generated
> recovery key? With the TPM out of the way, can the user theoretically then
> interpose fraudulent or hacked boot code to allow automated entry of a
> password generator, or even bypass the recovery key prompt?

Yes they can - but then they would not have the FVEK (the decryption
key needed for the sectors). You could not boot into Vista.

Tech_vs_Life wrote:
> Finally, there appears to be an option to prevent the creation of a
> recovery key. Would that be more secure in this scenario?

You can't prevent the recovery key from being created. You could wipe
it later off the USB flash drive. But if the hardware changes
(motherboard failure) then BitLocker goes into "recovery mode" where
you will need the recovery key or password to boot / gain access to the
data.


Nik


#10
12-27-2006
Tech_vs_Life
Re: Bitlocker passphrase only
> You can't prevent the recovery key from being created.

Okay, I see you can disable the 48-digit recovery password, but not the
256-bit recovery key (unless you turn on Active Directory backup, which I
assume also creates a recovery password and/or key). It would be good to
allow the user to select his own recovery key file rather than rely on a
system-generated key, but there is no such option.

> Yes they can - but then they would not have the FVEK ( the decryption
> key needed for the sectors). You could not boot into Vista.


Well, as I understand it, the FVEK is available on the drive, but it's been
encrypted by the VMK. Is the VMK a combination of a key stored in the TPM
and an optional PIN or USB key? In any case, does the recovery key function
as another, second VMK? In that case, if the hard drive is moved to another
computer without the TPM or PIN, then all you need is the 256-bit recovery
key to decrypt the FVEK (and theoretically could use hacked boot code to
repeatedly generate recovery keys). Otherwise, what is the use of the recovery
key? Or is it the case that, if the key was originally stored in the TPM,
then the data cannot be decrypted without the TPM, even if you have the
recovery key? (but that makes the recovery key seem useless.) There's
probably a simple answer that I didn't come across.

Thanks.







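The key hierarchy the last two posts are asking about (the FVEK that encrypts sectors is itself encrypted under the VMK, and the VMK is wrapped separately under each protector), worked through as an added illustration that is not code from the thread or from BitLocker itself. It assumes AES-256-GCM as a stand-in for the real wrapping format and uses constructed random keys in place of a TPM-sealed key and a 256-bit recovery key; the names Volume, Protector, NewVolume, Unlock and RemoveProtector are the example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Protector is one independent copy of the VMK, wrapped under a key that
// lives elsewhere: sealed in the TPM, on a USB startup key, or derived
// from the recovery password/key. AES-256-GCM stands in for the real
// wrapping format (an assumption of this illustration).
type Protector struct {
	Name       string
	Nonce      []byte
	WrappedVMK []byte
}

// Volume is what sits on disk: the FVEK (the sector key) wrapped under
// the VMK, plus the protectors. Neither key is stored in the clear.
type Volume struct {
	FVEKNonce   []byte
	WrappedFVEK []byte
	Protectors  []Protector
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	must(rand.Read(b))
	return b
}

func gcm(key []byte) cipher.AEAD {
	return must(cipher.NewGCM(must(aes.NewCipher(key))))
}

// wrap encrypts plain under key with a fresh nonce; GCM's tag makes a
// wrong key fail outright instead of yielding garbage.
func wrap(key, plain []byte) (nonce, sealed []byte) {
	aead := gcm(key)
	nonce = randomBytes(aead.NonceSize())
	return nonce, aead.Seal(nil, nonce, plain, nil)
}

// NewVolume generates a fresh FVEK and VMK and wraps the VMK once per
// protector key. The plaintext FVEK is returned only for checking.
func NewVolume(protectorKeys map[string][]byte) (*Volume, []byte) {
	fvek, vmk := randomBytes(32), randomBytes(32)
	v := &Volume{}
	v.FVEKNonce, v.WrappedFVEK = wrap(vmk, fvek)
	for name, key := range protectorKeys {
		nonce, sealed := wrap(key, vmk)
		v.Protectors = append(v.Protectors,
			Protector{Name: name, Nonce: nonce, WrappedVMK: sealed})
	}
	return v, fvek
}

// Unlock tries one protector with the key the caller could produce (a TPM
// unseal, a USB file, a typed recovery key). Any single valid protector
// yields the VMK and so the FVEK; the others, TPM included, are not needed.
func (v *Volume) Unlock(name string, key []byte) ([]byte, error) {
	for _, p := range v.Protectors {
		if p.Name != name {
			continue
		}
		vmk, err := gcm(key).Open(nil, p.Nonce, p.WrappedVMK, nil)
		if err != nil {
			return nil, fmt.Errorf("protector %q: key rejected", name)
		}
		return gcm(vmk).Open(nil, v.FVEKNonce, v.WrappedFVEK, nil)
	}
	return nil, errors.New("no such protector: " + name)
}

// RemoveProtector deletes one protector (post #9's wiping the recovery key
// off the USB stick). The remaining copies are independent and keep working.
func (v *Volume) RemoveProtector(name string) {
	kept := v.Protectors[:0]
	for _, p := range v.Protectors {
		if p.Name != name {
			kept = append(kept, p)
		}
	}
	v.Protectors = kept
}

func main() {
	rk := randomBytes(32) // constructed stand-in for a 256-bit recovery key
	vol, fvek := NewVolume(map[string][]byte{"tpm": randomBytes(32), "recovery": rk})
	vol.RemoveProtector("tpm") // drive moved to a machine without its TPM
	got, err := vol.Unlock("recovery", rk)
	fmt.Println(err == nil && string(got) == string(fvek)) // true
}
```

In this model any one surviving protector recovers the VMK, so a drive taken away from its TPM still opens with the recovery key, which is what makes the recovery key useful rather than redundant; a wrong key is rejected at the authentication tag and reveals nothing about the VMK or FVEK; and once the last protector is gone (the recovery key wiped after a board failure has already taken the TPM protector out of play) nothing on the disk can unwrap the VMK.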