Stories
Slash Boxes
Comments

SoylentNews is people

Microsoft Tries to Defend BitLocker Disk Encryption

posted by janrinok on Saturday June 06 2015, @06:34AM   Printer-friendly
from the in-ms-we-trust dept.

takyon writes:

The Intercept's Micah Lee wrote a guide explaining how to encrypt a hard drive but was criticized for recommending Microsoft's BitLocker disk encryption utility for Windows users. Microsoft has responded to some of the criticisms by providing more details about how BitLocker works:

The company told me which random number generator BitLocker uses to generate encryption keys, alleviating concerns about a government backdoor in that subsystem; it explained why it removed the Elephant diffuser, citing worries over performance and compatibility that will appease some, but certainly not all, concerned parties; and it said that the government-compromised algorithm it bundles with Windows to generate encryption keys is, by default, not used at all.

Significant questions remain about BitLocker, to be sure, and because the source code for it is not available, those questions will likely remain unanswered. As prominent cryptographer Bruce Schneier has written, "In the cryptography world, we consider open source necessary for good security; we have for decades." Despite all of this, BitLocker still might be the best option for Windows users who want to encrypt their disks.

Microsoft cryptographer Niels Ferguson gave a presentation in 2007 suggesting that Dual_EC_DRBG might have a backdoor. These suspicions were confirmed by the Snowden documents. Microsoft says that the default pseudorandom number generator for Windows is CTR_DRBG, and that BitLocker uses it when it generates a new key.

BitLocker uses an encoding engine, AES-CBC, and originally used the "Elephant diffuser" to protect encrypted files from being modified to become malicious by an attacker with physical access. Microsoft removed the Elephant diffuser because it hurt performance and is not compliant with Federal Information Processing Standards. Linux systems using LUKS disk encryption are vulnerable to the same kind of attack.

Microsoft says that it does not build backdoors into its products, but that it doesn't consider building methods to bypass their security in order to comply with legitimate legal requests "backdoors." It also shares its source code with governments so that they can check for backdoors... or for vulnerabilities which they could use as backdoors. A Microsoft spokesperson would not answer whether Microsoft could comply with a lawful request to unlock a BitLocker-encrypted disk.

TrueCrypt and its VeraCrypt and CipherShed forks do not play well with post-Windows 8 UEFI and GPT partition tables. Bruce Schneier recommends the proprietary BestCrypt full-disk encryption for Windows users. How does he reconcile this recommendation with what he wrote in 1999? "I do recommend BestCrypt because I have met people at the company and I have a good feeling about them. Of course I don't know for sure; this business is all about trust. But right now, given what I know, I trust them."

Original Submission

 
This discussion has been archived. No new comments can be posted.
Microsoft Tries to Defend BitLocker Disk Encryption | Log In/Create an Account | Top | 16 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 3, Informative) by gidds on Monday June 08 2015, @01:21PM

    by gidds (589) on Monday June 08 2015, @01:21PM (#193628)

    I wonder if, given their track record, Microsoft could ever release a product people would actually trust, no matter how rigorous the code actually is?

    I think the bigger problem is not whether we can trust a Microsoft product; it's that people aren't asking that question — either because they don't know enough to ask it, or because they don't think the answer could ever affect them personally.

    It's true that Microsoft has a bad reputation, but for most people, that's solely based on their annoyances with the Windows interface, with the cost of MS Office, or (slightly more relevantly) hassle and damage caused by Windows viruses.  The possibility of 'authorities' gaining access to their data simply isn't on their radar.  And for many people, there's an implicit assumption that, even if that happens, they'll be OK as they're not a terrorist or hacker.

    That assumption is the next major barrier.

    First, it was "The technology doesn't exist to access my private data/communications."  That's been known to be false for a good while now.

    Then, it was "The Powers That Be don't have that sort of technology."  Recent revelations have shown that to be false.

    Then, it was "If TPTB have that technology, they only spy on eeevil terrrrists/hackers/furriners."  We now know that to be false too.

    We're now at "TPTB may have all this data from spying, but they only use it against eeevil terrrrists/hackers/furrniers."

    We'll need to demonstrate that to be false, too — giving people a personal stake in the matter — for them to care.

    --
    [sig redacted]
    Starting Score:    1  point
    Moderation   +1  
       Informative=1, Total=1
    Extra 'Informative' Modifier   0  
    Karma-Bonus Modifier   +1  
    Total Score:   3