It can be difficult to investigate a BitLocker-encrypted hard drive if the encryption keys are protected by the TPM, the computer’s hardware protection. This article will discuss the protection that TPM chips offer BitLocker volumes, as well as the vulnerabilities found in modern TPM modules.
How does Bitlocker Works With TPM
In this article, we’ll first talk about what TPM stands for and then move on to how bitlocker works with TPM.
What does TPM stand for?
The Trusted Platform Module (TPM) is a standard for a secure cryptoprocessor, a microcontroller designed to secure hardware through the use of integrated cryptographic keys. On a physical level, the TPM can be built as an integrated chip, an extra module that fits into a slot on the desktop motherboard, or a virtual emulator, like the Intel PTT technology.
The platform is comprised of a secure cryptoprocessor and minimal onboard memory. TPM’s primary functions are the generation, storage, and secure management of cryptographic keys, specifically BitLocker keys. Developers need APIs from the operating system to access the TPM, which is used to manage encryption keys.
I will discuss the role of TPM in BitLocker encryption in this article.
When making the Windows disc encryption system, the developers tried to protect against the following threats:
- Without valid authentication credentials, logging in to the user’s account
- transferring the hard drive to another system for analysis.
- Modifying the computer’s configuration to gain data access
- Utilizing a different operating system to gain access to the data
- Priority number one was to ensure that the protection was as transparent and unobtrusive as possible for the user. Idealistically, the user should be oblivious to the encryption; this objective has been met. The developers permitted specifying a pre-boot PIN code or adding other types of protectors for those who require additional protection against additional threats (e.g. a physical smartcard or USB drive).
How BitLocker works
BitLocker encrypts data using symmetric encryption. By default, data is encrypted using AES-128 in either XTS (new) or CBC (legacy) mode. The data is encrypted with VMK, which stands for “Volume Master Key.” You can get VMK in any of the following ways:
If this protector is turned on for a volume, the user’s encryption password is used to decrypt the data.
It was deciphered using a Recovery Key. The Recovery Key is automatically generated the first time encryption is enabled. The key is then saved in a file, uploaded to the user’s Microsoft Account, or stored in Active Directory.
Bitlocker communicates with TPM as follows:
TPM’s fundamental concept is very similar to blockchain’s. The system stores the chain of trust in the PCR (Platform Configuration Register) registers when it boots up.
The following occurs when a computer boots:
Power on. The first trusted module loaded is SRTM (Static Root of Trust for Measures). This module is stored in the ROM of the computer and cannot be modified. The developers of the checkm8 exploit for iOS devices demonstrated conclusively that a vulnerability in this module compromises the entire protection system. SRTM inserts the initial record into the chain of trust by calculating the BIOS hash value. In a PCR register, the hash is stored.
The UEFI BIOS boots. The BIOS analyses the configuration of the computer, including the partitioning of the hard drive, the MBR (Master Boot Record), the bootloader, and numerous other parameters, such as firmware checksums for certain components (e.g., fingerprint readers or smartcard readers). Notably, the value of the previous PCR register is used to calculate new hash values, meaning that any change to a single PCR register breaks the chain.
After populating various PCR registers, the BIOS loads the bootloader from the MBR. The bootloader adds additional records.
Finally, the OS kernel begins to run. The kernel continues to extend the chain of trust.
Clearly, once the operating system has been loaded, the PCR registers contain the entire chain of trust. Note that the TPM module does not permit the modification of PCR registers; only new records can be added.
Windows generates a random volume master key (VMK) and a recovery key once the user enables BitLocker on a disc volume. The master key is then encrypted and stored in the TPM module using the recovery key. The VMK is then encrypted and saved in the disk’s header. Following a computer restart, the following occurs:
All PCR registers are zeroed out.
The system follows the previously described steps 1 through 4.
The kernel of the operating system attempts to decrypt the encrypted volume and requests the VMK from the TPM module. The TPM module then analyses the trust chain by examining PCR registers. If the chain of trust is compromised, the VMK will not be released, and the OS kernel will prompt the user to unlock the volume using a Recovery Key.
Clearly, the only way to obtain the VMK if the computer is powered off is to launch the original OS in its original configuration. Changing a single component will prompt for the Recovery Key.
A little tweak that will increase your security by 500%
Bitlocker encrypts the drive with simple 128-bit encryption (like our WI-FI is now encrypted) 128 bits is not the strongest encryption but it will still take years to decrypt the password if it`s at least 20 characters best letters, digits and special characters. But there is an option to change settings in (run) gpedit then we go to Administrative Templates then Windows Component and BitLocker Drive Encryption. And then we pick Choose drive encryption method and cipher strenght (version 1511) and than we pick the strongest encryption XTS-AES 256-bit encryption. Which is 256-bit encryption with two ciphers. Decryption counted in mln years. But you have to rememeber to go to OPERATING SYSTEM DRIVES and pick ALLOW ENHANCED PINs for startup – it will let you enter 20 digit, charackter or special charachters instead of standard 4 digit PIN. Also very important if you have TPM chip 1.2 or 2.0 go to Require additional at startup and untick the first box to allow Bitlocker without TPM . Do not allow the rest just change Require startup PIN with TPM.
And from now on there is no institution that can break your password. Just remember 20 characters, letters, capital and small letters, numbers and special characters.
The majority of the time, you are analysing a “cold” system. If this is the case, ensure that the disc image is captured before anything else. This is possible with Elcomsoft System Recovery. You will be able to view the list of disc partitions and their encryption settings prior to capturing the image. If the tool says that the disc is encrypted with BitLocker but that the password hash cannot be extracted, you must either use the Recovery Key or try to get the VMK from the TPM.
Extraction of the RAM Volume Master Key
If you can log in to the computer, you may attempt to capture an image of its memory. It may be possible to discover the master key and decrypt the volume without resorting to additional attacks by analysing the RAM image with Elcomsoft Forensic Disk Decryptor.However, if the user has specified a pre-boot protector, such as an additional PIN code (TPM+PIN), this is not possible.If you try to guess the PIN, the TPM will panic and lock you out of the encryption key, either temporarily or for good.
Even though you might like live system analysis better than capturing the encryption key and decrypting the disc image, offline analysis is much better from a forensics point of view, even though it is more work.
Cold boot and FireWire/Thunderbolt attacks
The fact that TPM releases the VMK at an early stage enables a unique attack commonly known as the “cold boot attack.” This attack is based on the fact that memory chips retain their data for several seconds after the computer has been powered off. However, if the modules are cooled to sub-zero temperatures, the data will be retained significantly longer. During a cold boot attack, you would start up your computer and wait for the system to load. By the time the login prompt is displayed, the BitLocker volume would already be mounted, and the VMK would have been decrypted and stored in RAM. After cooling the RAM modules with a commercially available refrigerant spray, you would immediately remove the modules, install them onto the test computer, and boot Linux with the LiME kernel extension. Elcomsoft Forensic Disk Decryptor for BitLocker encryption keys can then be used to dump the memory image and look at it.
For older Windows 7 and Windows 8 systems equipped with a FireWire or Thunderbolt port or PC Card slot, a similar attack is possible. In this case, you can attempt to capture the memory dump with the infamous Inception Python tool (yes, “that Python tool”). Memory dumps generated by Inception can be loaded into Elcomsoft Forensic Disk Decryptor and analysed for the master key. The VMK can then be used to either completely decrypt the disc image or mount it for a more expedient analysis.
Unfortunately, this method is only compatible with older Windows 7 and Windows 8 systems. Windows 8.1 already fixes this problem by turning off DMA over Thunderbolt when the computer is locked or sleeping.
The Sleep Mode attack.
National Security Research Institute researchers Seunghun Han, Wook Shin, Jun-Hyeok Park, and HyoungChun Kim published a paper titled “A Bad Dream: Subverting Trusted Platforms in 2018.
Module While You Are Sleeping (PDF). When the computer enters energy-saving sleep mode, the TPM stores its PCR registers in NVRAM and restores them when the computer awakens. The researchers discovered that, for a brief moment, the PCR registers are susceptible to manipulation, making it possible to read the chain of trust or modify its content. The researchers informed major motherboard manufacturers, including Intel, Lenovo, Gigabyte, Dell, and hp, who patched the vulnerability in BIOS updates. However, because few users install their BIOS, many computers remain vulnerable to this exploit.
Han launched two applications: Napper for TPM and Bitleaker. The first tool can be used to check a computer’s TPM chip for the “Bad Dream” flaw, while the second tool is the actual exploit that can be run if the TPM module has the flaw that hasn’t been fixed.
The second tool requires manually creating an Ubuntu Live CD, compiling and installing Bitleaker in accordance with the manual. To run the tool, Secure Boot must be disabled. Alternately, you could sign the modified bootloader and kernel with your signature and add the public key to the BIOS. However, this defeats the purpose because it modifies the PCR register content.
Intercepting TPM signals
The Low Pin Count (LPC) bus is used to connect TPM modules to the computer. This bus carries data between “slow” devices, such as serial ports. It operates at a 33 MHz frequency. Operating system drives that are protected by Microsoft BitLocker can be accessed by sniffing the LPC bus, getting the volume master key when it is returned by the TPM, and then decrypting the protected drive with the VMK.
He utilised the DSLogic Plus logic analyzer with USB interface for TPM 1.2. However, he discovered that it was not ideal for sniffing TPM traffic, as he had to resolve synchronisation issues and patch the firmware. Nevertheless, he was able to extract the VMK from the TPM module.
With a cheap FPGA Lattice ICEStick and TPM-specific firmware, it was much easier to sniff TPM 2.0 modules.
He only needed to solder the pins, activate the sniffer, and obtain the master key. Denis elaborates in his original article. Notably, desktop motherboards with add-on TPM chips are even easier to sniff without the need for soldering.
This method operates in the default BitLocker configuration. If the user enables pre-boot authentication with a PIN, the PIN will be required to release the VMK from the TPM. As there is no physical access to the module’s interface, this method will not work with Intel PTT.
How does Bitlocker Protection Work With TPM: Conclusion
BitLocker provides secure protection against unauthorised access when combined with TPM. Accessing the encryption key is not simple, despite the fact that the TPM chip itself does not perform encryption. I detailed a variety of techniques for extracting the encryption keys from the TPM module. Even if you never use any of them, they are nonetheless valuable additions to your arsenal.