Free Rootkit with Every New Intel Machine

Hal Finney hal at finney.org
Wed Jun 27 11:28:51 EDT 2007


Peter Gutmann writes:
> BitLocker just uses the TPM as a glorified USB key (sealing a key in a TPM is
> functionally equivalent to encrypting it on a USB key).  Since BitLocker isn't
> tied to a TPM in any way (I'm sure Microsoft's managers could see which way
> the wind was blowing when they designed it), it's not going to be TPM's killer
> app.

Actually BitLocker can use the TPM's measured boot capability for
additional security.  This requires a TPM-aware BIOS, which hashes
the disk's Master Boot Record into the TPM Platform Configuration
Registers before executing it, as well as measuring other system software
components.

The disk encryption key is sealed to the TPM PCR values and the chip
won't release it if the boot sequence is different.  This means that
if you want to attack by, for example, booting from a Linux Live CD or
an external USB drive, the chip won't release the encryption key even if
you guess the PIN right.

(Some) details at the BitLocker Drive Encryption Technical Overview page:
http://technet2.microsoft.com/WindowsVista/en/library/ba1a3800-ce29-4f09-89ef-65bce923cdb51033.mspx?mfr=true

Hal Finney
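A toy model of the sealing behaviour described above, added here as an illustration and not code from the thread, BitLocker, or any TPM: boot components are hashed into a PCR with the TPM extend rule, a key is sealed to that PCR value plus a PIN, and unsealing succeeds only when the same boot chain is measured again. The boot component strings, the `SRK_SECRET` stand-in for the TPM's internal root key, and the XOR/HMAC wrapping are constructed assumptions, not the real TPM algorithms.

```python
import hashlib
import hmac
import os

PCR_SIZE = 20  # TPM 1.2 PCRs are SHA-1 sized

def pcr_extend(pcr: bytes, component: bytes) -> bytes:
    """TPM extend rule: PCR_new = SHA1(PCR_old || SHA1(component))."""
    return hashlib.sha1(pcr + hashlib.sha1(component).digest()).digest()

def measure_boot(components) -> bytes:
    """Extend each boot component (BIOS, MBR, boot manager, ...) in order into one PCR."""
    pcr = bytes(PCR_SIZE)  # PCRs start at all zeros on reset
    for c in components:
        pcr = pcr_extend(pcr, c)
    return pcr

# Constructed stand-in for the TPM-internal storage root key that never leaves the chip.
SRK_SECRET = b"constructed-tpm-root-secret"

def seal(key: bytes, pcr: bytes, pin: bytes) -> bytes:
    """Bind a 32-byte key to a PCR value and PIN; returns nonce || ciphertext || mac."""
    nonce = os.urandom(16)
    wrap = hashlib.sha256(SRK_SECRET + pcr + pin + nonce).digest()
    ct = bytes(a ^ b for a, b in zip(key, wrap))
    mac = hmac.new(wrap, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + mac

def unseal(blob: bytes, pcr: bytes, pin: bytes):
    """Release the key only if the current PCR value and PIN reproduce the MAC."""
    nonce, ct, mac = blob[:16], blob[16:48], blob[48:]
    wrap = hashlib.sha256(SRK_SECRET + pcr + pin + nonce).digest()
    expected = hmac.new(wrap, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None  # different boot chain or wrong PIN: the chip stays silent
    return bytes(a ^ b for a, b in zip(ct, wrap))

# Constructed boot chains: the installed system vs. a Live CD booted on the same machine.
TRUSTED_BOOT = [b"BIOS v1.0", b"MBR: Windows boot code", b"bootmgr"]
LIVE_CD_BOOT = [b"BIOS v1.0", b"MBR: isolinux", b"vmlinuz"]

def demo():
    """Returns (released on same boot, released from Live CD, released with wrong PIN)."""
    vmk = hashlib.sha256(b"constructed volume master key").digest()
    pin = b"1234"
    blob = seal(vmk, measure_boot(TRUSTED_BOOT), pin)
    same = unseal(blob, measure_boot(TRUSTED_BOOT), pin) == vmk
    live_cd = unseal(blob, measure_boot(LIVE_CD_BOOT), pin) is not None  # right PIN, wrong PCR
    wrong_pin = unseal(blob, measure_boot(TRUSTED_BOOT), b"0000") is not None
    return same, live_cd, wrong_pin

if __name__ == "__main__":
    print(demo())  # (True, False, False)
```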

---------------------------------------------------------------------
The Cryptography Mailing List