
Bypassing Local Windows Authentication to Defeat Full Disk Encryption

Ian Haken ([email protected])

November 12, 2015

Full disk encryption is a defensive measure in which all data stored on a physical disk or volume is encrypted, therefore protecting any data stored on a device such as saved passwords, emails, session tokens, and intellectual property. Full disk encryption protects data at rest, assuring confidentiality even when an attacker has physical access such as when a device is lost or stolen. BitLocker is Microsoft's full disk encryption solution included with certain versions of Windows, first introduced in 2007. This paper describes an attack which is able to bypass Windows authentication, even in the presence of BitLocker full disk encryption, and thus allows an attacker to access a user's data or install software. On systems affected this attack therefore bypasses all of the protections offered by BitLocker.

1 Introduction

In 2007, starting with Windows Vista, Microsoft began including a full disk encryption feature named BitLocker with professional and enterprise versions of Windows. Full disk encryption helps protect users from threats with physical access to the device or disk. This can, for example, prevent the exposure of proprietary information and saved account credentials if a laptop is lost, stolen, or even left temporarily accessible to an attacker (such as when left unattended).

Under the hood, BitLocker's preferred method of operation utilizes a system's Trusted Platform Module (TPM) to store the secret key used for full disk encryption, and is able to use the features of the TPM to safely provide transparent, passwordless decryption of the disk on boot. Because BitLocker can work in a way that's completely transparent (without any extra passwords or prompts on boot), many corporate settings have opted to enable this form of full disk encryption as a part of their data loss prevention strategy.

However, this paper presents an attack which takes advantage of physical access to bypass local Windows authentication. When BitLocker is enabled without any form of pre-boot authentication by using the TPM (which is Microsoft's recommended deployment strategy for BitLocker [1]), this would allow an attacker to access a user's data even though the disk is fully encrypted. Unlike other attacks that have been considered against full disk encryption generally or BitLocker specifically, this attack is completely reliable on systems affected, is a software-only attack, is fast (there is no brute-forcing of keys and only takes seconds to execute), and does not require a sophisticated attacker (only requiring standard open source tools and a few commands).

This paper describes details of BitLocker's operation and Windows authentication in order to illuminate both the countermeasures in place and how the attack described is able to operate despite them. Notwithstanding the level of detail discussed in the first few sections, the attack in section 5 is fairly straightforward and non-technical, so eager readers are encouraged to skip straight to that section, referring back to the earlier sections if greater insight is desired.

In section 2 the motivation and goals of full disk encryption schemes are described. The next section then discusses the relevant functionality of the Trusted Platform Module, specifically how it is utilized by Microsoft BitLocker to provide transparent full disk encryption. Section 4 describes aspects of Windows domain authentication and relevant parts of the Kerberos protocol. The final two sections then describe the attack itself and the impact and mitigation of this attack.

2 Full Disk Encryption

Full Disk Encryption (FDE) is a technique of securing data at rest by encrypting all data before it is written to a disk (or, depending on the implementation, a particular volume/partition). FDE avoids the problem of needing to selectively specify what data should be considered sensitive by protecting all data on the system. This avoids accidental leakage of data, such as leaving an unencrypted working copy in a temporary directory, a swap partition, or a page file.

FDE is intended to mitigate the impact of a malicious actor who has physical access to the device containing the data. FDE will generally offer no defense against a remote attack since a system that is fully operational and allowing remote access should already be transparently decrypting any data from the disk. Therefore, FDE should be viewed as a mitigation against attacks which include physical access, such as when a device is lost, stolen, or left unattended. It is therefore in the context of physical access that we entertain the attack in section 5.

Depending on the implementation FDE can, besides offering confidentiality of data at rest, also offer an assurance of system integrity when the operating system and applications are encrypted. Although an attacker may write arbitrary ciphertext to an encrypted disk, they would generally be unable to determine where on the disk target files are located, much less be able to write ciphertext that has meaningful plaintext once decrypted by the victim. This means an attacker would face significant difficulty attempting to plant malicious software on the device, despite having physical access. BitLocker also specifically protects the pre-boot process from modification using the Trusted Platform Module, as detailed in the next section.

Disk encryption is not a new technology. FileVault, Apple's FDE implementation for OS X, has been available since 2003. The Linux module dm-crypt, which is usually used for disk encryption in Linux distributions, has been available since 2005. FreeBSD has two disk encryption modules, GBDE and GELI, originally released in 2002 and 2005 respectively. BitLocker, Microsoft's FDE implementation, was first included with Windows Vista in 2007. Disk encryption is also included in many smartphone operating systems; for example, Android introduced full encryption of the data partition starting with its 3.0 release in 2011.

As with any form of encryption, FDE uses a secret key to encrypt the data. Since the encrypted volume usually includes the operating system, most FDE implementations prompt the user for a password early in the boot process (before the full operating system can be read from the disk) in order to derive this secret key. We will refer to this step as pre-boot authentication. BitLocker, however, has been developed to take advantage of the Trusted Platform Module (TPM) available on many platforms. A TPM is a hardware chip capable of performing a number of cryptographic operations and storing secrets. The next section details how BitLocker uses the TPM in order to safely store its secret key for FDE, thereby enabling BitLocker to transparently decrypt the operating system volume on boot without requiring pre-boot authentication.

Even when a TPM is available, BitLocker has the option to enable pre-boot authentication, requiring the user to supply a PIN or insert a USB key containing a saved secret. However, this comes with disadvantages as described by Microsoft [4]:

"Pre-boot authentication provides excellent startup security, but it inconveniences users and increases IT management costs. Every time the PC is unattended, the device must be set to hibernate (in other words, shut down and powered off); when the computer restarts, users must authenticate before the encrypted volumes are unlocked. This requirement increases restart times and prevents users from accessing remote PCs until they can physically access the computer to authenticate, making pre-boot authentication unacceptable in the modern IT world, where users expect their devices to turn on instantly and IT requires PCs to be constantly connected to the network.

If users lose their USB key or forget their PIN, they can't access their PC without a recovery key. With a properly configured infrastructure, the organization's support will be able to provide the recovery key, but doing so increases support costs, and users might lose hours of productive work time."

Microsoft therefore explicitly recommends not using pre-boot authentication when possible [1]. The attack described will take advantage of this configuration.

3 Trusted Platform Modules

The Trusted Platform Module (TPM) is a standard for a hardware device capable of various cryptographic operations, such as secure key generation and random number generation. It also has capabilities for performing remote attestation (that is, providing assurance to a remote third-party that particular software is being run on a device) and securely storing secrets. It is this last feature that is used by BitLocker to store a disk's decryption key, which this section will detail.

[...] execute on the device (e.g. the BIOS or EFI) is assumed to be trusted. It hashes its own code and configuration and puts the result into the PCRs. It then hashes the next stage of the boot process (usually the master boot record and bootloader) as well as its configuration (such as the boot drive's partition table), puts that result in the PCRs, and then hands off control to the next boot stage. That next boot stage is then responsible for hashing the next stage of the boot process (such as the Windows boot manager), putting that value in the PCRs, and then handing off control. In this fashion, each part of the boot sequence is responsible for fingerprinting the next and putting that result into a PCR before passing on control. This way any change to the boot sequence (such as using an attacker-controlled boot drive) will result in a different set of values in the PCRs.

When the TPM seals a secret value, it uses any
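The measured-boot chain described in section 3, as an added sketch that is not from the paper: one SHA-1 PCR (as in TPM 1.2) is extended with each boot stage, and a toy seal/unseal releases a secret only when the PCR matches the value recorded at sealing time. The `ToyTPM` class, the stage names and the key bytes are constructed for illustration; a real TPM has several PCRs and a different interface.

```python
import hashlib
import hmac

PCR_SIZE = 20  # a TPM 1.2 PCR holds one SHA-1 digest

def extend(pcr, component):
    """TPM extend: new PCR = SHA1(old PCR || SHA1(component))."""
    return hashlib.sha1(pcr + hashlib.sha1(component).digest()).digest()

def measure_boot(stages):
    """Replay a boot chain; every stage is measured before it gets control."""
    pcr = bytes(PCR_SIZE)  # PCRs start at all zeroes after a reset
    for stage in stages:
        pcr = extend(pcr, stage)
    return pcr

class ToyTPM:
    """Hypothetical model of seal/unseal against one PCR, not a TPM API."""

    def __init__(self):
        self._sealed = {}

    def seal(self, name, secret, pcr):
        self._sealed[name] = (pcr, secret)

    def unseal(self, name, current_pcr):
        expected, secret = self._sealed[name]
        if not hmac.compare_digest(expected, current_pcr):
            raise PermissionError("PCR mismatch: boot sequence changed")
        return secret

# Constructed stand-ins for the firmware, boot record and boot manager images.
TRUSTED_CHAIN = [b"firmware", b"mbr+bootloader", b"windows-boot-manager"]
CHANGED_CHAIN = [b"firmware", b"different-boot-drive", b"windows-boot-manager"]

def demo():
    """Return (secret from the trusted boot, whether the changed boot was refused)."""
    tpm = ToyTPM()
    tpm.seal("volume-key", b"\x13" * 32, measure_boot(TRUSTED_CHAIN))
    released = tpm.unseal("volume-key", measure_boot(TRUSTED_CHAIN))
    try:
        tpm.unseal("volume-key", measure_boot(CHANGED_CHAIN))
        refused = False
    except PermissionError:
        refused = True
    return released, refused

if __name__ == "__main__":
    print(demo())
```

Because each extend hashes the previous PCR value together with the new measurement, the final value depends on both the content and the order of every stage, so a later stage cannot undo what an earlier one recorded.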