Abstract
The protection of a business’s data is a primary concern, and in many cases it is entrusted to Microsoft BitLocker*. Unfortunately, a variety of physical attacks can leak the BitLocker* keys or allow exfiltration of the data. Two examples are:
- TPM bus snooping, where the keys are read as the TPM transfers them across the bus to the host processor
- “Cold-boot” attacks, where a memory-freezing technique is used to read the contents of DRAM (including but not limited to the BitLocker* decryption key and other potentially sensitive data on the PC)
The standard mitigations for these attacks include:
- configuring BitLocker* to require a Personal Identification Number (PIN) before the TPM will unseal the BitLocker* Volume Master Key (VMK), so that neither the bus nor DRAM carries the key until the user has authenticated
- configuring the system to block booting without authentication
While effective, these mitigations degrade the user experience, and users take steps to simplify their lives. This might mean choosing easy-to-remember PINs (e.g., their phone extension at work or the year they were born) or weak passwords (e.g., passw0rd) to minimize the chance of being locked out of their system. The net effect on the security bar is then much smaller than intended, and possibly negative. This prompted investigations into other solutions that maintain the security but are easier to use.
The mechanism described here raises the security bar while simplifying the user’s life: a pre-boot authentication mechanism authenticates the user during pre-boot, and that authentication is then carried forward to automatically supply a strong random PIN to the Microsoft BitLocker* code when booting.
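As an added example (not part of the HP disclosure and not its implementation), the PowerShell below carries out the first mitigation listed above and the PIN-generation half of the mechanism just described: it audits the OS volume for a TPM-only key protector (the configuration exposed to TPM bus snooping), draws a PIN from the platform’s cryptographic RNG instead of asking the user for one, and enrols a TPM+PIN protector in its place. Assumptions: the OS volume is C:, a recovery-password protector already exists, and the value names under HKLM\SOFTWARE\Policies\Microsoft\FVE are those of the standard “Require additional authentication at startup” policy; the function names are the example’s own. How the disclosed mechanism stores the PIN and hands it to BitLocker* after pre-boot authentication is not described on this page and is not shown.

```powershell
#Requires -RunAsAdministrator
# Added example, not HP's code. Assumes OS volume C:, an existing recovery-password
# protector, and the standard FVE policy value names; function names are this example's own.
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

function New-RandomBitLockerPin {
    # Draw a numeric PIN from the platform CSPRNG. Digits only, so it works on a numeric
    # pre-boot keypad without the enhanced-PIN policy; 20 digits is the BitLocker maximum
    # and gives roughly 66 bits of entropy, far beyond any user-chosen PIN.
    param([ValidateRange(6, 20)][int] $Length = 20)
    $rng    = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $byte   = New-Object byte[] 1
    $digits = New-Object System.Text.StringBuilder
    while ($digits.Length -lt $Length) {
        $rng.GetBytes($byte)
        # Rejection sampling: only bytes below 250 (= 25 * 10) are used, so
        # "byte mod 10" is uniform and the PIN carries no modulo bias.
        if ($byte[0] -lt 250) { [void]$digits.Append([char](48 + ($byte[0] % 10))) }
    }
    $rng.Dispose()
    return $digits.ToString()
}

function Get-ProtectorTypes {
    param([string] $MountPoint = 'C:')
    return @((Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
             ForEach-Object { $_.KeyProtectorType.ToString() })
}

function Test-TpmOnlyProtector {
    # Weak configuration: a bare Tpm protector means the TPM unseals the VMK with no
    # user secret, so the key crosses the TPM bus in the clear on every boot.
    param([string] $MountPoint = 'C:')
    $types = Get-ProtectorTypes -MountPoint $MountPoint
    return ($types -contains 'Tpm') -and -not ($types -contains 'TpmPin')
}

function Set-RequireStartupPinPolicy {
    # Local equivalent of the GPO "Require additional authentication at startup" with
    # TPM startup PIN = Require and TPM-only startup = Do not allow. Value names are
    # assumed to match the policy ADMX; verify against a GPO export before relying on them.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $values = @{
        UseAdvancedStartup = 1    # policy enabled
        EnableBDEWithNoTPM = 0    # a TPM is mandatory
        UseTPM             = 0    # TPM-only startup: do not allow
        UseTPMPIN          = 1    # TPM + PIN: require
        UseTPMKey          = 0    # TPM + startup key: do not allow
        UseTPMKeyPIN       = 0    # TPM + startup key + PIN: do not allow
        MinimumPIN         = 20   # only full-length PINs are accepted
    }
    foreach ($name in $values.Keys) {
        Set-ItemProperty -Path $key -Name $name -Value $values[$name] -Type DWord
    }
}

function ConvertTo-TpmPinProtector {
    # Enrol TPM+PIN and confirm no bare Tpm protector remains. A recovery password must
    # already exist: without it, a lost PIN (or a TPM reseal after a firmware update)
    # locks the machine for good.
    param([string] $MountPoint = 'C:', [Parameter(Mandatory)][string] $Pin)
    if (-not ((Get-ProtectorTypes -MountPoint $MountPoint) -contains 'RecoveryPassword')) {
        throw "Refusing to change protectors on $MountPoint without a recovery password; run Add-BitLockerKeyProtector -RecoveryPasswordProtector first."
    }
    $securePin = ConvertTo-SecureString -String $Pin -AsPlainText -Force
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $securePin | Out-Null
    # BitLocker keeps a single TPM-based protector, so the Tpm one is normally replaced
    # by the call above; removing any leftover explicitly is the check that the weak path is closed.
    foreach ($kp in (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector) {
        if ($kp.KeyProtectorType.ToString() -eq 'Tpm') {
            Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
        }
    }
    $types = Get-ProtectorTypes -MountPoint $MountPoint
    if (($types -contains 'Tpm') -or -not ($types -contains 'TpmPin')) {
        throw "Protector conversion on $MountPoint did not complete; inspect Get-BitLockerVolume."
    }
}

$mountPoint = 'C:'
Set-RequireStartupPinPolicy
if (Test-TpmOnlyProtector -MountPoint $mountPoint) {
    $pin = New-RandomBitLockerPin -Length 20
    ConvertTo-TpmPinProtector -MountPoint $mountPoint -Pin $pin
    # In the disclosed design the PIN is supplied by the pre-boot authentication path and
    # never shown to the user; here it is emitted once so the operator can escrow it. Do not log it.
    Write-Output "TPM+PIN protector enrolled on $mountPoint. Escrow this PIN now: $pin"
} else {
    Write-Output "No TPM-only protector on $mountPoint; nothing to convert."
}
(Get-BitLockerVolume -MountPoint $mountPoint).KeyProtector | Format-Table KeyProtectorType, KeyProtectorId
```

Run the script elevated; the policy function must precede the protector change, since Add-BitLockerKeyProtector refuses a PIN protector while the startup-authentication policy leaves the PIN option unconfigured. The PIN is printed a single time so it can be escrowed, which is exactly the step a pre-boot single sign-on mechanism replaces by storing the PIN itself and releasing it only after the user has authenticated in pre-boot.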
Creative Commons License
This work is licensed under a Creative Commons Attribution-Share Alike 4.0 License.
Recommended Citation
INC, HP, "A Single Sign-On Mechanism for Pre-Boot Authentication Integrated with BitLocker* Pre-Boot PIN Feature", Technical Disclosure Commons, (July 14, 2024)
https://www.tdcommons.org/dpubs_series/7182