Analyst: BitLocker Not a Silver Bullet

News Analysis: Windows Vista's full-disk encryption solution is attracting much customer attention, but deployment isn't foolproof, advises a Gartner analyst.

WASHINGTON—When the phone rings in the office of Gartner analyst Neil MacDonald, chances are good that if its a client calling with a question about Windows Vista security, it will be about BitLocker.

BitLocker is an implementation of full-disk encryption designed to protect system files and data, and its easy to see why businesses are clamoring for encryption, given the stream of organizations that have had the dubious pleasure of appearing in headlines such as "Lost Laptop" and "Confidential Data Missing" over the past few years. Notable examples include the theft of a Veterans Affairs laptop in May 2006 and the Transportation Security Administrations loss of a hard drive carrying 100,000 employee records in May 2007.

On the plus side, BitLocker delivers on a handful of points when it comes to encryption, MacDonald said in a presentation called "Planning and Deploying the Security Features of Windows Vista" at the Gartner IT Security Summit here June 4.

First, for users who subscribe to Microsofts Software Assurance program, its free. It also features tight integration with Microsofts GPOs (Group Policy Objects), a collection of settings that define what a system will look like and how it will behave for a defined group of users, and with its Active Directory, MacDonald said.

Another positive is that BitLocker has a TPM-based (Trusted Platform Module-based) feature called a "Static Root of Trust" to prevent tampering. The TPM, itself an implementation of a Root of Trust, is a hardware/software chip or function built into a laptop or desktop. All commercial-grade machines shipping now include this chip, often built into the chip set on the motherboard.

The advantage of the TPM is that it gives a hardware alternative to rooting trust in software that can be hacked by other software. It is, after all, difficult to root trust in software that has to validate itself, whereas hardware can be made robust against attacks. A TPM, which is certified to be tamper-resistant, can "ensure that keys and secrets are only available for use when the environment is appropriate," according to Microsoft, based in Redmond, Wash.

BitLockers encryption also has an optional diffuser algorithm that can make the encrypted data more resilient to attacks. (Wikipedia defines the cryptographic term diffusion as being associated with "dependency of bits of the output on bits of the input. In a cipher with good diffusion, flipping an input bit should change each output bit with a probability of one half.")

The BitLocker encryption technology also entails little overhead and little user involvement, MacDonald said.

/zimages/5/28571.gifFor advice on how to secure your network and applications, as well as the latest security news, visit Ziff Davis Internets Security IT Hub.

However, there are also things to watch out for about BitLocker. License restrictions forbid the use of BitLocker where operating system virtualization is installed; it supports only single volumes; and it requires a healthy bite of partition at 1.5GB, MacDonald said. BitLocker also lacks support for both USB drives and CryptoAPI (a set of dynamically linked libraries that isolates programmers from data encryption code).

One of the more important negatives to note is the fact that BitLocker can only be acquired by subscribing to Software Assurance or by buying the Ultimate version of Vista, MacDonald said, given Gartners estimate that two-thirds of Windows users dont subscribe to SA. "To date it hasnt really paid off," MacDonald said. Indeed, back when many of the service plans were coming up for renewal in 2004, Microsoft faced objections from many SA customers about the programs perceived lack of value.

Vistas lack of support for multiple drives is another big negative, MacDonald said. "If youre like Gartner or many companies, you carve your system into multiple drives," MacDonald said, and not being able to do that is "a big limitation."

Microsoft is aware of the limitation and offers code to address it: The manage-bde.wsf tool, a command-line tool in Vista Enterprise and Ultimate, can be used to configure BitLocker. Microsoft notes, however, that using manage-bde to configure a data volume is not supported. Instead, Microsoft recommends using EFS (Encrypting File System) to encrypt data volumes. For more on BitLockers encryption of more than the operating system volume, check out Microsofts FAQ.

BitLockers lack of support for USB drives is an issue for organizations concerned about code being transported off the premises on thumb drives. "If you want to expand your encryption policy [to encrypt USB devices], BitLocker wont do it," MacDonald said.

Regarding how to best deploy BitLocker, Gartners advice is to start out with TPM-based protection of the decryption key, given that its protection is "very strong," MacDonald said.

Alternatively, you can have users store insert a USB stick to unlock their hard drives, with a code stored on the USB. But if organizations rely solely on users having their passwords stored on memory sticks, MacDonald asked, where will people keep those sticks? The likely answer is that users will keep the USB drives, if not in the computers themselves, then in their bags or purses nearby, making theft a possible scenario.

Given that possibility, "the TPM key is the best way to implement" BitLocker, he said.

MacDonald also advised that when deploying BitLocker, enterprises should clarify how OEMs implement anti-hammering on TPM access attempts. Anti-hammering technology typically involves geometrically increasing the time between PIN guesses so that the amount of time required for a brute-force attack becomes unreasonable.

Other tips from MacDonald on deploying BitLocker:

  • Use 128-bit encryption in conjunction with the diffuser algorithm; where required by regulation or policy, use 256-bit encryption with the diffuser algorithm.
  • For extremely security-sensitive notebooks, require hibernation rather than sleep.
  • Integrate key recovery capabilities into AD and set appropriate access controls.
  • Use GPOs to ensure that BitLocker is deployed according to policy.
  • Supplement BitLocker with EFS (a file system with encryption, available in Windows 2000 and later operating systems). This technology allows for transparent file storage on NTFS (NT File System, the standard file system of Windows NT and later operating systems) systems to protect confidential data from attackers with physical access to the computer, when data is located on separate partitions or when multiple users share the same machine.
  • Preconfigure images with 1.5GB partitions now, rather than repartition later.
  • BitLocker should be applied as soon as the OS is installed and activated via script or GPO.
  • If not subscribing to SA, consider third-party [encryption] alternatives.

    Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.