Presentation: Windows Vistan bittilukitsin – BitLockertm pintaa syvemmältä (Windows Vista's bit lock: BitLocker below the surface)
Views: 386 | Category: Education | License: All Rights Reserved | Added: June 16, 2007 | Public

Comments
By: Harman (58 months ago): Wow, this looks like someone from MS posted it... Nice-looking presentation!

Presentation Transcript

Slide 1: Windows Vista's bit lock: BitLocker(tm) below the surface
Kimmo Bergius, Chief Security Advisor, Microsoft Oy, kimmo.bergius@microsoft.com

Slide 3: Agenda
- BitLocker(tm) Drive Encryption (BDE): what is it?
- BitLocker(tm): requirements and deployment
- BitLocker(tm): management and recovery
- More information and Q&A

Slide 4
A large multi-national company, who wishes to remain anonymous, loses an average of one corporate laptop per business day in the taxicabs of just one US city...

Slide 5: Information Leakage Is Top-Of-Mind With Business Decision Makers
"After virus infections, businesses report unintended forwarding of e-mails and loss of mobile devices more frequently than they do any other security breach" (Jupiter Research Report, 2004)
[Chart: share of businesses reporting each breach type, 0% to 70% scale. Categories: loss of digital assets (restored), email piracy, password compromise, loss of mobile devices, unintended forwarding of emails, virus infection.]

Slide 6: Information Protection Threats
Internal threats are just as prevalent as external threats. The slide places examples on two axes, intentional versus accidental and targeted versus untargeted:
- Careless forwarding of documents and emails
- Machine disposal or repurposing without data wipe
- Data lost in transit
- Confidential data copied via USB and other mobile devices
- Untrusted network administrator accesses unauthorized data
- Offline attack on lost/stolen laptop
- Forwarding of internal-only email and documents to external parties
- Branch office server containing directory or database
- CxO or government official laptop or mobile device
- Thief plugs external storage device into machine to copy data

Slide 7: Information Protection Scenarios (diagram only)

Slide 8: BitLocker(tm) Design Goals
BitLocker(tm) Drive Encryption gives you improved data protection on your Windows Vista and Windows Server codenamed "Longhorn" systems:
- Notebooks: often stolen, easily lost in transit
- Desktops: often stolen, difficult to safely decommission
- Servers: high-value targets, often kept in insecure locations
All three can contain very sensitive IP and customer data.
- Designed to provide a transparent user experience that requires little to no interaction on a protected system
- Prevents thieves from using another OS or a software hacking tool to break OS file and system protections
- Prevents offline viewing of user data and OS files
- Provides enhanced data protection and boot validation through use of a Trusted Platform Module (TPM) v1.2

Slide 9: BitLocker(tm) Design Solution
Need a solution which:
- Sits underneath Windows
- Has keys available at boot
- Cannot require user login in order to run
- Secures system data, user data and the registry
- Works seamlessly with the platform (e.g., Code Integrity)
- Secures root secrets
- Protects against offline attacks
- Is super-easy to use
Solution:
- Encrypt (nearly) the entire disk
- Protect the encryption key by "sealing" it with a Trusted Platform Module (TPM) to the authorized loader, plus other options
- Authorized loaders boot the OS properly

Slide 10: BitLocker(tm) Features Overview
- BitLocker Drive Encryption (BDE): prevents bypass of the Windows boot process
- TPM Base Services (TBS): Windows and third-party software access to the TPM
- Pre-OS multi-factor authentication: dongle, BIOS, and TPM-backed software identity
- "Force Recovery": sysadmin-only tool to securely speed up PC redeployment
- Single Microsoft TPM driver: improved stability and security
- Scenarios: lost or stolen laptop; branch-office server

Slide 11: What Does BitLocker(tm) Protect You From?
Levels of protection: security isn't absolute. BDE scales from the default ("everyone should just do it", the non-targeted laptop) to super paranoid ("good enough for the NSA...", the targeted laptop).
- BDE protects against offline software attacks
- BDE protects against hardware attacks; how well depends on how you set it up
- Higher-security hardware will be available, e.g. FIPS-rated TPMs
Configuration options (the level of protection depends on setup choices):
- Dongle only (TPM-less): incremental protection, but risk of pre-OS attacks and dongle loss
- TPM only: improved protection, maximum ease of use
- Add a PIN: addresses significant hardware attacks; the user has to remember and enter the PIN at boot
- Add a dongle: addresses all hardware attacks; the user has to keep track of the dongle and insert it at boot
Configurations can be mixed within an enterprise.

Slide 12: BitLocker(tm) and TPM Features
- BitLocker(tm) Drive Encryption: encrypts the entire volume; uses the Trusted Platform Module (TPM) v1.2 to validate pre-OS components; customizable protection and authentication methods
- Pre-OS protection: USB startup key, PIN, and TPM-backed authentication
- Single Microsoft TPM driver: improved stability and security
- TPM Base Services (TBS): enables third-party applications
- Active Directory backup: automated key backup to an AD server; Group Policy support
- Scriptable interfaces: TPM management, BitLocker(tm) management, command-line tool
- Secure decommissioning: wipe keys and repurpose

Slide 13: What Is a Trusted Platform Module (TPM)?
A smartcard-like module on the motherboard that:
- Performs cryptographic functions: RSA, SHA-1, RNG
- Meets encryption export requirements
- Can create, store and manage keys
- Provides a unique Endorsement Key (EK)
- Provides a unique Storage Root Key (SRK)
- Performs digital signature operations
- Holds platform measurements (hashes)
- Anchors the chain of trust for keys and credentials
- Protects itself against attacks
TPM 1.2 spec: www.trustedcomputinggroup.org

Slide 14: Why Use a TPM?
- Trusted platforms use roots of trust; a TPM is an implementation of a root of trust
- A hardware root of trust has distinct advantages: software can be hacked by software, and it is difficult to root trust in software that has to validate itself; hardware can be made robust against attacks and certified to be tamper resistant
- Hardware and software combined can protect root secrets better than software alone
- A TPM can ensure that keys and secrets are only available for use when the environment is appropriate: security can be tied to specific hardware and software configurations

Slide 15: Spectrum of Protection
BDE offers a spectrum of protection allowing customers to balance ease of use against the threats they are most concerned with. (diagram)

Slide 16: BitLocker(tm) Hardware Requirements
- Trusted Platform Module (TPM) v1.2: provides platform integrity measurement and reporting; requires platform support for the TPM Interface Specification (TIS)
- Firmware (conventional or EFI BIOS), TCG compliant: establishes the chain of trust for pre-OS boot; must support the TCG-specified Static Root of Trust for Measurement (SRTM)
- Additional functionality enabled by a USB dongle
- The disk must have at least 2 partitions; partitions should be NTFS

Slide 17: Disk Layout and Key Storage
- Windows partition contains: encrypted OS, encrypted page file, encrypted temp files, encrypted data, encrypted hibernation file
- Boot partition contains: MBR, loader, boot utilities (unencrypted, small)
Where's the encryption key?
1. The SRK (Storage Root Key) is contained in the TPM
2. The SRK encrypts the VEK (Volume Encryption Key), which is protected by TPM/PIN/dongle
3. The VEK is stored (encrypted by the SRK) on the hard drive in the boot partition

Slide 18: BitLocker(tm) Architecture: Static Root of Trust Measurement of early boot components (diagram)

Slide 19: Key Architecture (diagram)

Slide 20: BitLocker(tm) TPM Administration Storyboard: New Machine
Basic TPM administration/deployment:
1. Machine arrives at the enterprise with the TPM in an uninitialized state
2. Turn the TPM on
3. Check for physical presence by rebooting the machine and prompting the user at the BIOS screen for a key press
4. Log back into Windows Vista
5. Take ownership of the TPM
6. Check for existence of the Endorsement Key (provided by the OEM)
7. Create the TPM administration password
8. Commit changes to the TPM and initialize
9. Publish the TPM administration password to AD or a file
10. TPM initialization complete
Note: steps 1 to 3 can be pre-configured (OEM, SP).

Slide 21: BitLocker(tm) Single Machine Deployment with TPM
Windows Vista install:
- BDE requires a partition separate from the Windows Vista OS partition with a minimum of 350 MB free space
- During installation the system is checked for the correct TPM version (1.2) and BIOS via Plug and Play
- TPM and BDE drivers are installed
BDE installation:
1. Start installation through the BDE Control Panel applet
2. Installation checks for the required disk partition layout; the partition needs to be formatted NTFS and contain a Windows Vista installation
3. Installation enables BDE for the Windows volume
4. Installation verifies that the TPM has been initialized
5. The user selects the recovery key backup method, and installation continues with volume encryption
6. Installation displays a background encryption progress bar and tray icon, then notifies the user when BDE is complete

Slide 22: (no text)

Slide 23: BitLocker(tm) Enterprise Machine Deployment with TPM
1. Active Directory is prepared for BDE keys: store the BDE recovery key; store the TPM ownership password
2. Windows Vista install: BDE requires a partition separate from the Windows Vista OS partition with 1.5 GB free space; during installation the system is checked for the correct TPM version (1.2) and BIOS via Plug and Play; TPM and BDE drivers are installed
3. TPM script initialization: scripted initialization of the TPM; TPM ownership password saved to Active Directory
4. BDE script setup: remotely executed script; BDE policy saves the recovery key to AD
5. System encrypted; inspect audit logs for successful completion of encryption

Slide 24: Upgrading BitLocker(tm) Hardware
Upgrading computers with BDE:
1. Disable BitLocker
2. Upgrade the system: updated BIOS, or install a service pack
3. Turn BitLocker on; no re-encryption required

Slide 25: Recovery Scenarios
- Broken hardware recovery scenario: the hard drive moves to a new system
- Upgrade to core files: planned migration to core files
- Attack detected recovery scenario: modified or missing boot loader files, also known as an "unplanned migration"

Slide 26: BitLocker(tm) Recovery Options
- BDE setup will automatically escrow keys and passwords into AD: centralized storage and management of keys (EA SKU)
- Setup may also try (based on policy) to back up keys and passwords onto a USB dongle or to a file location; this is the default for non-domain-joined users
- Working with third parties for web-service-based key escrow
- Recovery password known by the user/administrator: recovery can occur "in the field", and Windows operation can continue as normal

Slide 27: BitLocker(tm) Recovery Storyboard: Broken Hardware
Example recovery scenario:
1. Feature turned on
2. AD access via network
3. Recovery key escrowed to AD and/or USB dongle
4. User drops laptop and breaks the motherboard
5. HD from the old broken machine is put into a new laptop with BDE enabled
6. BDE can't access the HD because the TPM key in the new laptop is different
7. User launches BDE recovery:
   a. User uses the USB dongle to recover the drive, or
   b. User calls the admin and the administrator authenticates the user
   c. Admin gets the correct recovery key from AD
   d. Admin reads the key to the user over the phone
   e. User types in the recovery key
8. The recovery key is used to recover the drive

Slide 28: Decommissioning
Normal decommissioning versus "Force Recovery": the slide contrasts doing nothing, reformatting the drive, and having an admin wipe the drive with deleting the keys.

Slide 29: More information
- http://www.microsoft.com/whdc/system/platform/hwsecurity/default.mspx
- http://blogs.msdn.com/si_team/default.aspx

Slides 30 to 32: (screenshots, no text)

Slide 33: BitLocker(tm) Drive Appears in Vista (screenshot)

Slide 34: BitLocker(tm) Drive Appears in XP (screenshot)

Slide 35: BitLocker(tm) Drive Appears in Linux
Linux BitLocker volume errors:
- fdisk reads the partition table and thinks the FVE partition is NTFS
- mount: "wrong fs type, bad option, bad superblock on /dev/sda2, missing codepage or other error"
- NTFS driver: "Primary boot sector is invalid", "Not an NTFS volume"
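The TPM administration storyboard (slide 20) and the enterprise deployment flow (slide 23) describe a scripted path: take ownership of the TPM, add a TPM key protector and a recovery password, escrow the recovery data to AD, encrypt, and confirm completion. The following PowerShell script is an added example, not code from the slides or from Microsoft; it drives the Win32_Tpm and Win32_EncryptableVolume WMI providers that ship with Windows Vista. It assumes an elevated session on a domain-joined machine whose AD schema has been extended for BitLocker recovery data and whose Group Policy permits the AD backup, and that the TPM has already been turned on at the BIOS prompt (the physical-presence step cannot be scripted). The owner passphrase and drive letter are placeholders.

```powershell
# Added example: scripted TPM ownership + BitLocker enablement via WMI (Vista-era providers).
# Assumptions: elevated PowerShell, domain-joined Vista, AD schema + policy for BitLocker
# backup already in place, TPM already turned on in the BIOS (physical presence step done).
$ErrorActionPreference = 'Stop'
$tpmNs = 'root\cimv2\Security\MicrosoftTpm'
$bdeNs = 'root\cimv2\Security\MicrosoftVolumeEncryption'

function Assert-Ok($result, [string]$step) {
    # Every method on these WMI classes reports success/failure in ReturnValue (0 = OK).
    if ($result.ReturnValue -ne 0) {
        throw ('{0} failed with 0x{1:X8}' -f $step, [uint32]$result.ReturnValue)
    }
}

# --- Slide 20: TPM administration -----------------------------------------------------
$tpm = Get-WmiObject -Namespace $tpmNs -Class Win32_Tpm
if (-not $tpm) { throw 'No TPM 1.2 exposed by the platform' }
if (-not $tpm.IsEnabled().IsEnabled)     { throw 'TPM is turned off; enable it at the BIOS prompt and rerun' }
if (-not $tpm.IsActivated().IsActivated) { throw 'TPM is not activated; activate it at the BIOS prompt and rerun' }
# Step 6 of the storyboard: the OEM-provisioned Endorsement Key must exist before ownership.
if (-not $tpm.IsEndorsementKeyPairPresent().IsEndorsementKeyPairPresent) {
    throw 'No Endorsement Key present; this TPM was not provisioned by the OEM'
}
if (-not $tpm.IsOwned().IsOwned) {
    # The owner password is what slide 20 calls the TPM administration password.
    # Placeholder: in practice fetch it from a secure store, never hard-code it.
    $ownerPassphrase = 'replace-with-passphrase-from-secure-store'
    $ownerAuth = $tpm.ConvertToOwnerAuth($ownerPassphrase).OwnerAuth
    Assert-Ok $tpm.TakeOwnership($ownerAuth) 'TakeOwnership'
    # With the "Turn on TPM backup to Active Directory Domain Services" policy enabled,
    # the provider writes the owner information to AD as part of taking ownership (slide 23 step 3).
}

# --- Slides 21/23: BDE setup ------------------------------------------------------------
$vol = Get-WmiObject -Namespace $bdeNs -Class Win32_EncryptableVolume -Filter "DriveLetter='C:'"
if (-not $vol) { throw 'C: is not an encryptable volume (is the separate boot partition present?)' }
# ProtectionStatus: 0 = unprotected, 1 = protected, 2 = unknown.
if ($vol.GetProtectionStatus().ProtectionStatus -eq 1) { Write-Output 'C: is already protected'; return }

# Protector 1: seal the volume key to the TPM; $null selects the default PCR validation profile.
Assert-Ok $vol.ProtectKeyWithTPM('TPM', $null) 'ProtectKeyWithTPM'
# Protector 2: 48-digit numerical recovery password; $null lets the provider generate it.
$rec = $vol.ProtectKeyWithNumericalPassword('Recovery password', $null)
Assert-Ok $rec 'ProtectKeyWithNumericalPassword'
# Escrow the recovery protector to AD (slide 26). Doing this before Encrypt means a missing
# schema extension or policy fails the rollout here, not after the disk is already encrypted.
Assert-Ok $vol.BackupRecoveryInformationToActiveDirectory($rec.VolumeKeyProtectorID) 'AD backup'

# Start encryption. Method 1 = AES-128 with diffuser, the Vista default.
# Vista's Encrypt takes one argument; Windows 7 and later add a second EncryptionFlags argument (0).
Assert-Ok $vol.Encrypt(1) 'Encrypt'

# Slide 23 step 5: wait for the conversion to finish. ConversionStatus 1 = fully encrypted.
do {
    Start-Sleep -Seconds 30
    $cs = $vol.GetConversionStatus()
    Write-Output ('Encrypting C: {0}%' -f $cs.EncryptionPercentage)
} while ($cs.ConversionStatus -ne 1)
Write-Output 'C: fully encrypted; TPM + recovery password protectors in place, recovery data escrowed to AD'
```

Ordering matters: the AD backup is deliberately attempted before Encrypt so that a broken escrow path stops the rollout while the volume is still in the clear, and the recovery password protector is added before anything else depends on the TPM, so a machine that fails TPM validation on first boot still has a recovery path.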
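Slide 27 ends when the recovery key unlocks the drive in the replacement laptop, but the volume still carries the TPM protector sealed on the broken motherboard, so every later boot would fall into recovery again, and the recovery password has now been spoken over the phone. Slide 28's "Force Recovery" option, deleting the keys, is the other end of the same key-protector lifecycle. The script below is an added example, not Microsoft's tooling, and assumes an elevated session on the new machine after the pre-boot recovery unlock, using the Win32_EncryptableVolume WMI class. The drive letter and protector friendly names are placeholders.

```powershell
# Added example: after a slide-27 recovery, re-seal the volume to the new machine's TPM and rotate
# the recovery password; plus the slide-28 "delete keys" decommission step as a separate function.
# Assumptions: elevated PowerShell on the replacement machine, volume already unlocked at the
# recovery screen, AD escrow policy in place. Key-protector type codes: 1 = TPM, 3 = numerical password.
$ErrorActionPreference = 'Stop'
$bdeNs = 'root\cimv2\Security\MicrosoftVolumeEncryption'

function Assert-Ok($result, [string]$step) {
    if ($result.ReturnValue -ne 0) {
        throw ('{0} failed with 0x{1:X8}' -f $step, [uint32]$result.ReturnValue)
    }
}

function Get-Volume([string]$Drive) {
    $v = Get-WmiObject -Namespace $bdeNs -Class Win32_EncryptableVolume -Filter "DriveLetter='$Drive'"
    if (-not $v) { throw "$Drive is not an encryptable volume" }
    return $v
}

function Repair-TpmBinding([string]$Drive = 'C:') {
    $vol = Get-Volume $Drive
    # LockStatus 0 = unlocked. If it is still locked the recovery step has not happened yet.
    if ($vol.GetLockStatus().LockStatus -ne 0) { throw "$Drive is locked; unlock it with the recovery password first" }

    # 1. Remove the TPM protector sealed on the broken machine. The numerical-password protector
    #    stays in place during this step, so the volume never has zero protectors.
    foreach ($id in $vol.GetKeyProtectors(1).VolumeKeyProtectorID) {
        Assert-Ok $vol.DeleteKeyProtector($id) "DeleteKeyProtector (old TPM) $id"
    }
    # 2. Seal the volume key to this machine's TPM (default PCR profile).
    Assert-Ok $vol.ProtectKeyWithTPM('TPM', $null) 'ProtectKeyWithTPM'

    # 3. Rotate the recovery password that was read out over the phone: add the new one and
    #    escrow it before deleting the old ones, again so a protector always remains.
    $oldRecovery = @() + $vol.GetKeyProtectors(3).VolumeKeyProtectorID
    $new = $vol.ProtectKeyWithNumericalPassword('Recovery password', $null)
    Assert-Ok $new 'ProtectKeyWithNumericalPassword'
    Assert-Ok $vol.BackupRecoveryInformationToActiveDirectory($new.VolumeKeyProtectorID) 'AD backup'
    foreach ($id in $oldRecovery) {
        if ($id) { Assert-Ok $vol.DeleteKeyProtector($id) "DeleteKeyProtector (old recovery) $id" }
    }
    Write-Output "$Drive re-sealed to the local TPM; recovery password rotated and escrowed to AD"
}

function Invoke-ForceRecoveryDecommission([string]$Drive = 'C:') {
    # Slide 28's "delete keys" option: remove every key protector so the still-encrypted data can
    # no longer be unlocked. Irreversible; run only on a machine being taken out of service, and
    # only after confirming no recovery information for it should survive.
    $vol = Get-Volume $Drive
    Assert-Ok $vol.DeleteKeyProtectors() 'DeleteKeyProtectors'
    Write-Output "$Drive now has no key protectors; the volume is unrecoverable after reboot"
}

# Usage on the replacement laptop from slide 27:
Repair-TpmBinding 'C:'
# Usage when retiring a machine (slide 28), intentionally not run by default:
# Invoke-ForceRecoveryDecommission 'C:'
```

The "always keep one protector" ordering is the practical point: both the TPM swap and the password rotation are done add-then-delete (or delete-while-another-remains), so a crash or power loss midway never leaves a volume whose only protector has been removed.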
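Slide 35's Linux errors have a simple cause that the slide does not spell out: the MBR partition type byte of a BitLocker OS volume still says NTFS (0x07), so fdisk labels it NTFS, but BitLocker replaces the NTFS boot sector, and the OEM ID at offset 3 reads "-FVE-FS-" rather than "NTFS    ", so the NTFS driver rejects the "primary boot sector". The PowerShell below is an added example, not from the slides, that classifies a boot sector by that OEM ID. Two 512-byte sectors are constructed inline (not captured from a real disk) so it runs without privileges; Read-BootSector shows how to read the real sector from a volume, which needs an elevated prompt and is an assumption about opening \\.\C: with a .NET FileStream.

```powershell
# Added example: tell a BitLocker (FVE) volume from a plain NTFS volume by the boot sector OEM ID.
# NTFS puts "NTFS    " at offset 3 of the boot sector; BitLocker's volume header puts "-FVE-FS-".
# The partition table is unchanged, which is why fdisk still reports NTFS (slide 35).

function Get-BootSectorKind {
    param([byte[]]$Sector)
    if ($Sector.Length -lt 512) { return 'too short to be a boot sector' }
    # Offsets 510/511 hold the 0x55 0xAA boot signature on both NTFS and FVE sectors.
    if ($Sector[510] -ne 0x55 -or $Sector[511] -ne 0xAA) { return 'no boot signature' }
    $oem = [System.Text.Encoding]::ASCII.GetString($Sector, 3, 8)
    switch ($oem) {
        'NTFS    ' { 'NTFS' }
        '-FVE-FS-' { 'BitLocker (FVE)' }
        default    { "unknown OEM ID '$oem'" }
    }
}

function New-TestSector([string]$OemId) {
    # Constructed sample sector (not from a real disk): JMP/NOP prologue, OEM ID, boot signature.
    $s = New-Object byte[] 512
    $s[0] = 0xEB; $s[1] = 0x52; $s[2] = 0x90
    [System.Text.Encoding]::ASCII.GetBytes($OemId).CopyTo($s, 3)
    $s[510] = 0x55; $s[511] = 0xAA
    return ,$s
}

function Read-BootSector([string]$Volume = '\\.\C:') {
    # Assumption: reading the raw volume via FileStream; requires an elevated prompt.
    $fs = New-Object System.IO.FileStream($Volume, 'Open', 'Read', 'ReadWrite')
    try {
        $buf = New-Object byte[] 512
        [void]$fs.Read($buf, 0, 512)
        return ,$buf
    } finally { $fs.Dispose() }
}

Get-BootSectorKind (New-TestSector 'NTFS    ')   # NTFS
Get-BootSectorKind (New-TestSector '-FVE-FS-')   # BitLocker (FVE)
# On a live machine (elevated): Get-BootSectorKind (Read-BootSector '\\.\C:')
```

For an incident responder this is the check to run before concluding that an imaged disk is corrupt: an NTFS-typed partition whose boot sector carries the FVE OEM ID is an encrypted volume, and the next step is a recovery key from AD, not filesystem repair.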