Microsoft Gives Details About Its Controversial Disk Encryption

Computer security experts worry that BitLocker may be compromised by the government. Microsoft addressed some of those concerns for <em>The Intercept</em> — and left some unanswered.

Recently, I wrote a guide explaining how to encrypt your laptop’s hard drive and why you should do so. For the benefit of Windows users, I gave instructions for turning on BitLocker, Microsoft’s disk encryption technology.

This advice generated an immediate backlash in the comments section underneath the post, where readers correctly pointed out that BitLocker has been criticized by security experts for a number of real and potential shortcomings. For example, BitLocker’s source code is not available for inspection, which makes it particularly vulnerable to “backdoors,” security holes intentionally placed to provide access to the government or others. In addition, BitLocker’s host operating system, Microsoft Windows, provides an algorithm for generating random numbers, including encryption keys, that is known to have been backdoored by government spies, and which the company’s own engineers flagged as potentially compromised nearly eight years ago. BitLocker also lost a key component for hardening its encryption, known as the “Elephant diffuser,” in the latest major version of Windows. And Microsoft has reportedly worked hand-in-glove with the government to provide early access to bugs in Windows and to customer data in its Skype and products.

Even having known about these issues, I still believed BitLocker was the best of several bad options for Windows users; I’ll explain my reasoning on this later.

But in the meantime, something interesting has happened: Microsoft, after considerable prodding, provided me with answers to some longstanding questions about BitLocker’s security. The company told me which random number generator BitLocker uses to generate encryption keys, alleviating concerns about a government backdoor in that subsystem; it explained why it removed the Elephant diffuser, citing worries over performance and compatibility that will appease some, but certainly not all, concerned parties; and it said that the government-compromised algorithm it bundles with Windows to generate encryption keys is, by default, not used at all.

Significant questions remain about BitLocker, to be sure, and because the source code for it is not available, those questions will likely remain unanswered. As prominent cryptographer Bruce Schneier has written, “In the cryptography world, we consider open source necessary for good security; we have for decades.” Despite all of this, BitLocker still might be the best option for Windows users who want to encrypt their disks.

Today I’m going to dive deep into the concerns about BitLocker and into Microsoft’s new responses. I’m also going to explain why more open alternatives like TrueCrypt don’t resolve these concerns, and take a brief look at proprietary products like BestCrypt, which Schneier recommends.

This is going to be a fairly technical post. But it’s important to explore the current state of BitLocker because Windows remains the most popular operating system for personal computers and because interest in BitLocker has only grown in the wake of documents from NSA whistleblower Edward Snowden showing widespread U.S. government surveillance. At the same time, fears about BitLocker have also been stoked by the Snowden cache, which exposed a carefully orchestrated and apparently successful attempt by the National Security Agency to compromise international encryption-related standards, including one that’s part of Windows to this day.

Why people worry about BitLocker

If you can trust Microsoft, BitLocker has always been awesome. For example, Microsoft is well ahead of competitors like Apple in making BitLocker verify that an attacker hasn’t modified the software used to boot the computer. Without such protection, hackers can rewrite the boot-up code, impersonate the operating system, and trick people into unlocking the disk so malware can be installed, a technique known as an “evil maid” attack. Mac OS X and Linux’s disk encryption systems are entirely vulnerable to this attack, but Windows, when running BitLocker, is not.

Of course, a great many people, particularly in information security circles, do not trust Microsoft; these people worry that BitLocker’s advanced technology is meant to distract people from the company’s cozy relationship with the government, and that any data “secured” using BitLocker could be handed over to spy agencies or law enforcement.

Here are three more specific concerns those people have about BitLocker — concerns I have shared. With each, I’ve included Microsoft’s response. It should be noted that the company was not initially forthcoming with this information; a spokesperson responded to a set of questions based on these worries by saying the company had no comment. To Microsoft’s credit, the company later reversed this position.

They fear BitLocker’s encryption keys are compromised by default. They’re not.

Encryption relies on random numbers. For example, when you enable BitLocker for the first time, you need to create an encryption key, which is just a random number within a specific range. You can think of a 128-bit key, the kind used by BitLocker by default, as a random number between 0 and 2128 (it would take 39 digits to write out that full number). The security of a 128-bit encryption key comes from the fact that there are just too many possible numbers in that range for an attacker to ever try them all.

When BitLocker generates a key, it asks your computer for a random number within that range. But where does this number come from? This is an enormous problem in the fields of cryptography and computer science because computers are, by their very nature, deterministic, not random: programs act the exact same way every time you run them because they’re executing the exact same set of instructions. But getting real random numbers is critically important. If an attacker can predict which random number your computer chooses, then that attacker can break the encryption that relied on that number. So when you ask your computer for a random number, it uses a cryptographically secure pseudorandom number generator (CSPRNG, or just PRNG) to generate one for you.

One such PRNG is not actually cryptographically secure and is almost certainly compromised by the NSA: Dual_EC_DRBG, or Dual Elliptic Curve Deterministic Random Bit Generator, an algorithm blessed by the National Institute of Standards and Technology in 2006 — and it’s built into Windows. If an encryption key for a system like BitLocker is generated by a compromised PRNG, the owner of the backdoor could figure out the key through sheer repetitive guessing, a so-called “brute force” attack, in a much shorter amount of time: minutes, hours or days rather than the billions of years required to figure out a key generated by a secure PRNG.

In 2007, Niels Ferguson, a Microsoft cryptographer who worked on BitLocker, along with Dan Shumow, another Microsoft engineer, gave a presentation pointing out that Dual_EC_DRBG might have a backdoor. In 2013, the the New York Times, Pro Publica, and The Guardian, drawing on documents provided by Snowden, reported that the algorithm did indeed contain an NSA backdoor. In the documents, the NSA wrote about the “challenge and finesse” involved in pushing a system it had engineered onto standards groups and bragged that it became “the sole editor” of the standard that eventually emerged.

Microsoft told me that while the backdoored algorithm is included with Windows, it is not used by BitLocker, nor is it used by other parts of the Windows operating system by default.  According to Microsoft, the default PRNG for Windows is an algorithm known as CTR_DRBG, not Dual_EC_DRBG, and when BitLocker generates a new key it uses the Windows default.

“It has never been the default, and it requires an administrator action to turn it on,” a Microsoft spokesperson told me.

So BitLocker keys appear to be generated in an entirely secure way.

They fear the Elephant diffuser was removed to make BitLocker weak. Microsoft says it’s because Elephant is slow. BitLocker remains weakened.

While Microsoft has now reassured users that the random numbers used to secure BitLocker are secure, it is still worrisome that the company removed an important security component from BitLocker’s architecture.

When BitLocker was first rolled out in late 2006 and early 2007 as a feature of Windows Vista, it used a well-known cipher, or encoding engine, called AES-CBC, along with something called the Elephant diffuser. Ferguson published a paper explaining that without the diffuser, AES-CBC is “not suitable” because “it should be relatively easy to mount an attack.”

The Elephant diffuser plays an important role in protecting an encrypted disk against modification by an attacker. Allow me to explain: An encrypted disk is full of scrambled bits (zeroes and ones), but once the disk is unlocked, those bits get unscrambled to make up meaningful files, including the programs that constitute Windows. Without the Elephant diffuser, an attacker with physical access to the encrypted disk and with knowledge of exactly where on the disk target files are located could modify specific scrambled bits, which will in turn modify the targeted files in an exact way when the disk is later unlocked. For example, they could modify one of the programs that runs while Windows is booting up to be malicious, so that the next time the user unlocks the disk and boots Windows, malware automatically gets installed. The Elephant diffuser prevents this attack from working. With the diffuser, an attacker can still modify scrambled bits, but doing so will prevent them from having fine-grained control over exactly what changes they make when the disk is unlocked. Rather than being able to make specific programs malicious, they are more likely to scramble large chunks of programs and simply cause the computer to crash instead of getting hacked.

But in October 2014, cryptographer Justin Troutman noticed that the version of BitLocker in Windows 8 silently removed the Elephant diffuser even though it still uses AES-CBC. Microsoft’s technical overview of BitLocker lists the Elephant diffuser as “removed or deprecated,” with no further explanation.

“When I discovered it was removed, I was a bit perplexed, simply because there was no public announcement that I could find, despite the effort that was put into building it,” Troutman says.

Schneier was also concerned. “It makes no sense,” he told me. “The Elephant diffuser was a good idea.”

Microsoft says the diffuser was too slow and kept BitLocker from being activated by certain users, including government contractors and agencies that must comply with Federal Information Processing Standards, or FIPS. “[The Elephant diffuser is] not FIPS compliant, so certain companies and government clients can’t use it,” a spokesperson says. “It’s not supported by hardware acceleration, thereby impacting performance on low-powered devices.” The company did not provide answers when I asked if Microsoft has plans in the future to add another diffuser to replace the one they removed.

While removing the Elephant diffuser might help make BitLocker faster and more compatible with use within government, it does make BitLocker more vulnerable to attack — according to Microsoft’s own engineers. Again, it was Ferguson, then and currently a Microsoft cryptographer, who in 2007 wrote with another Microsoft engineer that with BitLocker’s cipher, AES-CBC, and without a diffuser, “it should be relatively easy to mount an attack … [AES-CBC in BitLocker] is not suitable, due to the lack of diffusion in the CBC decryption operation.”

Removing the Elephant diffuser doesn’t entirely break BitLocker. If someone steals your laptop, they still won’t be able to unlock your disk and access your files. But they might be able to modify your encrypted disk and give it back to you in order to hack you the next time you boot up.

To be fair, disk encryption technology used in Linux, LUKS, used to be vulnerable to this same type of attack by default. This changed in early 2013 when LUKS switched from using AES in CBC mode (the same as BitLocker today) to AES in XTS mode, which prevents this attack.

They worry Microsoft will betray its users again. Microsoft says it will comply with lawful requests.

While it’s helpful that Microsoft is addressing specific concerns about BitLocker, it’s possible to look at the company’s track record and decide you cannot trust the company in general. In particular, it’s not clear how much users who want to keep their information out of the hands of the government can trust Microsoft, which has a history of working with U.S. law enforcement and spy agencies.

Drawing on Snowden documents, in June 2013 the New York Times disclosed the existence of a secret program called Project Chess, run by “fewer than a dozen” Skype employees after eBay bought their company, but before Microsoft acquired it. Project Chess was designed to “explore the legal and technical issues in making Skype calls readily available to intelligence agencies and law enforcement officials,” the newspaper wrote. The Times pointed out that after Microsoft purchased Skype, Skype denied changing its architecture to make it easier for law enforcement to spy on its users — without disclosing that Skype’s architecture was already designed to do this.

Likewise, in July 2013 The Guardian reported that Microsoft “has collaborated closely with U.S. intelligence services to allow users’ communications to be intercepted, including helping the National Security Agency to circumvent the company’s own encryption.” In this case, Microsoft helped the NSA access web chats and email from the portal.

Microsoft responded to these allegations at the time in a blog post explaining that they don’t give unfettered access of user data to the government, and that they only comply with valid and specific legal requests. Asked about instances in which Microsoft built methods to bypass its security and about backdoors generally, a company spokesperson told me that Microsoft doesn’t consider complying with legitimate legal requests backdoors.

In addition to sometimes sharing user data from Skype and, Microsoft also reportedly shares information on bugs with security implications. Such bugs, before they are fixed, can be used in much the same way as backdoors. In fact, in many situations disguising a backdoor as a security bug is a great way to hide it because it provides plausible deniability. If your backdoor is ever discovered, you can claim that it wasn’t a backdoor at all but rather a bug that you didn’t know about. Bloomberg reported in 2013 that “Microsoft Corp., the world’s largest software company, provides intelligence agencies with information about bugs in its popular software before it publicly releases a fix.” These bugs, if weaponized, could be used to access any computer running vulnerable Microsoft products.

A Microsoft spokesperson said that Bloomberg’s reporting referred to Microsoft’s Government Security Program, in which the company works with national governments to “help them build and deploy more secure IT infrastructure and services that further protect their citizens and national economies.” This program includes access to source code for key Microsoft products — so governments can check it for backdoors, the spokesperson told me — as well as “vulnerability and threat intelligence” from Microsoft. Microsoft says its intention is to be transparent, not to aid spy agencies in making malicious software. But it’s easy to imagine how a national government could repurpose Microsoft’s data in ways Microsoft may not have intended. And it’s worth noting that Microsoft’s transparency is only afforded to powerful national governments rather than to regular users.

I asked Microsoft if the company would be able to comply with unlocking a BitLocker disk, given a legitimate legal request to do so. The spokesperson told me they could not answer that question.

What about TrueCrypt?

For all of the concerns around using BitLocker, there is an extremely popular and apparently cryptographically solid alternative called TrueCrypt. The program has many fans; after I wrote my last column on disk encryption, TrueCrypt advocates inundated me with comments and tweets arguing that I should have recommended it rather than BitLocker because it’s open source, and because they believe BitLocker has a backdoor.

TrueCrypt has been around for more than a decade and its high-profile users include Snowden, who was spotted teaching people how to use it at a CryptoParty in Hawaii before he was widely known as an NSA whistleblower. TrueCrypt works in Windows, Mac OS X and Linux, and it’s able to encrypt USB sticks, hard disk partitions, and to create encrypted containers, which are files that can securely store other files inside of them. You can also download and inspect the source code.

Windows users get one extra feature, arguably TrueCrypt’s most important one, called “system encryption,” which is TrueCrypt’s name for full-disk encryption, disk encryption that’s applied to the hard drive used to start your computer. Before BitLocker existed, TrueCrypt was being used to encrypt Windows XP systems, and even after BitLocker was introduced, TrueCrypt remained popular through the late 2006 and early 2007 release of Windows Vista and the 2009 release of Windows 7 because, unlike BitLocker, it could be used with the cheapest editions of Windows.

What’s more, TrueCrypt’s security has been publicly audited, and there are no signs of backdoors or major security issues.

But there’s a hitch: With the release of Windows 8, TrueCrypt became painful to use for full-disk encryption. If you’ve bought a PC since 2012, when Windows 8 came out, chances are you can’t use TrueCrypt to encrypt your hard disk without jumping through quite a few hoops. You may need to figure out how to open your boot settings and disable security features to get it working, or format your hard disk to use a different, older system for organizing the disk that’s compatible with TrueCrypt. To put it bluntly, TrueCrypt is Windows XP-era software. As modern PCs and the Windows operating system evolved, TrueCrypt stayed in the past.

Part of the problem is that TrueCrypt is locked out by the very boot-up system that helps make BitLocker so secure. When you power on a Windows 8 computer, it runs a chunk of code that interfaces the computer’s hardware and its operating system. This code runs a security check to make sure none of the start-up software has been tampered with by a hacker; Microsoft code passes the check, since it’s been cryptographically marked as “trusted,” but software that isn’t marked this way, like TrueCrypt, fails the check and prevents the computer from starting. In most PCs it’s possible to turn off the security check, but this involves tinkering with hard-to-reach security settings; the instructions for configuring your boot-up code are different on pretty much every computer.

If this weren’t bad enough, TrueCrypt and its derivates only support encrypting disks that use outdated partition tables. A partition table describes the different sections a hard disk has been split into. Older systems used Master Boot Record (MBR) partition tables, but newer computers come formatted with GUID Partition Table (GPT) — a system TrueCrypt does not work with.

There’s little prospect these problems will go away anytime soon. In May 2014, at the same time that Microsoft officially stopped supporting Windows XP, TrueCrypt’s developers publicly abandoned the project and TrueCrypt’s website was replaced with instructions for migrating to BitLocker.

The shutdown erodes more than just TrueCrypt’s compatibility with Windows; security is at stake, too. If someone finds a security bug in TrueCrypt in the future, this bug will never get fixed.

Two new projects have forked off of the TrueCrypt codebase — VeraCrypt and CipherShed. Both are under active development. But both still suffer from all the same Windows full-disk encryption issues that TrueCrypt suffers from (though for cross-platform encrypted USB sticks and file containers, they still work great).

Even if these projects eventually fix these issues and gain support for modern PCs, their development is hampered by TrueCrypt’s licensing terms, which don’t qualify as either “open source” or “free software” under standards laid down within those programming communities. Since VeraCrypt and CipherShed are forks of TrueCrypt, they’re forever locked into this unfortunate license. Because TrueCrypt and its offshoots don’t meet standard definitions of free and open source software, none of the popular distributions of the Linux operating system include them in their software packaging repositories, an omission that makes installation and updating a pain for Linux users. TrueCrypt’s non-standard license and lack of Linux packaging makes free and open source advocates hesitant to throw their weight behind it, which may slow down development of bug fixes and features for all operating systems, including Windows.

“This business is all about trust”

There’s no reason the discussion of Windows encryption should be confined to BitLocker, TrueCrypt and TrueCrypt’s offshoots.

When I began talking to Schneier about full-disk encryption for Windows, he told me about a product called BestCrypt. Like BitLocker, it isn’t open source or available free of charge. Unlike BitLocker, the company that develops it doesn’t have a public history of making its products accessible to law enforcement and spies. And unlike TrueCrypt, VeraCrypt or CipherShed, BestCrypt has great support for modern Windows computers: It supports the newest versions of Windows, Microsoft-sanctioned security checks at boot time, and modern hard-drive formats.

Considering Schneier has been outspoken for decades about the importance of open source cryptography, I asked if he recommends that other people use BestCrypt, even though it’s proprietary. “I do recommend BestCrypt,” Schneier told me, “because I have met people at the company and I have a good feeling about them. Of course I don’t know for sure; this business is all about trust. But right now, given what I know, I trust them.“

There are other full-disk encryption options for Windows as well, such as Symantec Endpoint Encryption (proprietary) and DiskCryptor (open source).

Every single option for disk encryption involves a trade-off between quality and transparency. No product is perfect. For all their transparency, open source projects have recently had some critical security issues surface, and many don’t have the resources to hire a team of security engineers like Microsoft does. Open source projects also tend to be harder to use, and if average users can’t get an encryption product to work, they’re not going to use it. On the flip side, a piece of easy-to-use encryption software can be insecure, especially if complying with law enforcement requests is built in to the design, as in the case of Skype.

Balancing trust, ease of use, transparency, apparent robustness, compatibility and resources for squashing bugs, BitLocker comes out ahead for the average user. BitLocker has the home field advantage over the competition. Microsoft will make sure that BitLocker works great on every Windows device, and already fresh installs of Windows 8.1 turn on BitLocker by default if the computer has the right hardware. If the trend continues, in the future you won’t be able to buy a Windows device that isn’t already encrypted. If we can trust Microsoft to not include backdoors in Windows, this is great news.

Based on what I know about BitLocker, I think it’s perfectly fine for average Windows users to rely on, which is especially convenient considering it comes with many PCs. If it ever turns out that Microsoft is willing to include a backdoor in a major feature of Windows, then we have much bigger problems than the choice of disk encryption software anyway.

Whatever you choose, if trusting a proprietary operating system not to be malicious doesn’t fit your threat model, maybe it’s time to switch to Linux.

Updated to reflect clarifying follow-up comments sent by Microsoft on its definition of “backdoor.” June 4 3:00 pm ET

Correction: This post originally said LUKS encrypted disks are, by default, vulnerable to the same attack as BitLocker without the Elephant diffuser, but this isn’t true anymore. LUKS changed its defaults in early 2013 to be secure against this attack. June 6 2:20 pm ET

Photo: Thomas Trutschel/Photothek/Getty

Join The Conversation