BitLocker Drive Encryption: Glossary



BitLocker Drive Encryption - Glossary

May 16, 2006

Abstract

This paper provides an authoritative definition of the words that are used in the Microsoft® BitLocker™ Drive Encryption documentation. Its primary aim is to standardize the language of BitLocker documents to reduce confusion and offer assistance.

This information applies for the Microsoft Windows Vista™ operating system.

The current version of this paper is maintained on the Web at:



Contents

Glossary 3

A 3

B 3

C 4

D 4

E 5

F 5

G 5

H 6

I 6

K 6

L 6

M 6

O 7

P 7

R 8

S 8

T 9

U 9

V 9

Disclaimer

This is a preliminary document and may be changed substantially prior to final commercial release of the software described herein.

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, email address, logo, person, place or event is intended or should be inferred.

© 2006 Microsoft Corporation. All rights reserved.

Microsoft, Windows, and Windows Vista are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Glossary

A

active partition

See partition, primary.

anti-hammering

Software or hardware methods that increase the difficulty and cost of a brute-force attack on a PIN or password. In BitLocker, the TPM is used to prevent hammering.

authentication method

Identified by a GUID, a combination of one or more of the following elements: PIN, recovery password, recovery key external media key, and TPM. These elements are combined to protect the VMK. The authentication method GUID can be used to retrieve the elements that are used (assuming volume is unlocked because VMK is required), a label for the method (optional), and a date and time that the method was created. The elements inside a method form an AND condition (for example, external media key AND PIN). Multiple authentication methods provide an OR condition (a method for recovery, a method for normal boot).

B

BCD

Boot Configuration Data

binary large object (BLOB)

In BitLocker, any cryptographically-protected piece of data. For example, the VMK is sealed to the TPM but the resulting BLOB that the TPM_Seal operation returns is actually stored on disk. Similarly, the VMK can be encrypted by a clear key, external key, or recovery password and stored on disk as a BLOB. The BLOB is the cryptographic “keyhole” into which the keys fit. It takes both the BLOB and the key to start decryption.

BIOS boot order

A list of all potential bootable devices and a certain ordering in which a boot is attempted on it. If the boot on the first device on the list does not yield a valid boot sector, the BIOS proceeds with the next device in the list. A valid boot sector is structureless, 512 bytes long, and marked with 0x55 0xAA as the last two bytes. After the BIOS has loaded this sector, it starts its execution with the first byte.

For any BitLocker setup that involves the TPM, it is very important that the disk that contains the system volume is the first entry in this list and not the CD-ROM drive or anything else. Any change to the boot sector on a device before the system volume causes BitLocker to enter recovery mode.

BitLocker Drive Encryption

A Windows Vista feature that provides full-volume encryption.

BitLocker disabled

A mode in which the disk volume is encrypted, but the FVEK that is used to encrypt the operating system volume is freely available by using a clear key to access the VMK. Although encryption is involved, security is effectively disabled. This mode is used to upgrade system hardware or perform other actions that could trigger recovery mode.

BitLocker enabled (or on)

A mode in which data on the volume is encrypted as it is written and decrypted as it is read. When the computer starts, one of the following conditions is required to decrypt the VMK and access the volume:

Successful validation of critical early boot components by the TPM.

Successful validation of critical early boot components by the TPM (in conjunction with a startup key or PIN, if configured)

Input of a recovery password

Insertion of a USB flash drive that contains a recovery key.

BitLocker off

A mode in which protection is off on a disk volume, the disk volume is not encrypted, and BitLocker protection is not in effect. This is a disk volume with a standard clear text file format.

BLOB

binary large object

Boot Configuration Data (BCD)

The parameters that affect boot-time operations and contain information on the environment that existed in the system when BitLocker was first turned on. This data is used as a benchmark the next time the system is started.

boot partition

See partition.

boot sector

The first 512 bytes of sector 0 of a partition, disk, or floppy drive. If the sector size of this partition or device is bigger than 512 bytes, the remaining space is unused and is called slack space.

C

clear key

The key that is stored in the clear on the disk volume. This key is used to freely access the VMK, and in turn, the FVEK when BitLocker protection is disabled but the disk volume remains encrypted. See BitLocker disabled.

D

data at rest

Data that is not protected by the operating system. For example, a hibernation file with current user documents might not be directly protected by the operating system.

decrypt

To take encrypted data and make it accessible to anyone. A decrypted volume is not cryptographically secured. This is different from the disabled mode because the data on a decrypted volume is accessible without any keys.

diffusion

The property of a cryptographic algorithm to ensure that a change in a few input bits leads to potential changes in many of the output bits. Diffusion is an option in BitLocker and is on by default.

disabled mode

A mode in which a key is stored in the clear on the disk and is used to encrypt the VMK, which is used to encrypt the FVEK. Although encryption is involved, security is effectively disabled.

drive sanitation

Forced recovery of a BitLocker-protected volume by removing all the key BLOBs that could have decrypted the disk, except the recovery BLOBs. This prevents anyone from accessing the data unless that person has a recovery key or password.

E

EFS

Encrypting File System

encrypt

To cryptographically secure data so that users without a key cannot access it.

Encrypting File System (EFS)

A Windows feature that provides the option to store files or folders in an encrypted form. EFS is typically used for data files, such as Microsoft Word documents or Microsoft Excel spreadsheets.

external key

A file that contains information to access cryptographically locked data, which is stored away from the system, such as on a USB flash drive. Both a startup key and a recovery key can be stored on a USB flash drive. A copy of the external key is stored encrypted on disk by the VMK and can be retrieved by an administrator after Windows has loaded.

external key file

A file that contains the external key and is stored on an external media device. The name and contents of the file are internal to Microsoft and may change from version to version.

F

full-volume encryption (FVE)

A BitLocker-encrypted state of the volume. Also called BDE. These terms are deprecated in the documentation, but may still appear in some interface elements.

full-volume encryption key (FVEK)

The algorithm-specific key that is used to encrypt (and optionally, diffuse) data on disk sectors. Currently this key can be either 128 bits or 256 bits advanced encryption standard (AES). The default encryption algorithm that BitLocker uses is AES 128 bit with diffuser.

FVE

full-volume encryption

FVEK

full-volume encryption key

G

global system key (SYSKEY)

A Windows key that is used to derive other keys to secure global system secrets. The system secrets refer to any user or system data that is private or hidden for security purposes.

globally unique identifier (GUID)

A string that is created by the system and used by BitLocker to uniquely identify system components, including key protectors.

GUID

globally unique identifier

H

hammering

A brute force attack in which an unauthorized user guesses at a PIN or password many times.

hibernate

A power-saving mode that allows a quicker resumption of operation than by fully turning the computer off and then back on. When hibernation mode is activated, all current applications that are running in memory are saved to disk and the computer is turned off. After a user presses a button or clicks the mouse to resume full operation, the applications are read from disk and appear in the same state as before.

hibernation file

A file that stores the current status of each open program and file. BitLocker encrypts the hibernation file and blocks unauthorized access to the contents of the hibernation file.

I

integrity checking

A task that the TPM performs by confirming that the SHA-1 computed hash of each system component that executes during boot matches the values that are stored in PCRs at the time BitLocker was turned on. If the state of early boot components is different from the static root of trust measurement (SRTM), BitLocker boots to recovery mode until the authorized user enters the recovery password.

K

key protector

A method for accessing the VMK. Examples of key protectors are PIN, external key, recovery password, and recovery key.

L

logical drive

A subsection of a hard drive that is defined by software. The boot sector of each logical drive contains only a partition table, no code. Only the first two entries in this partition table are used; the other two are empty. The first entry holds the definitions for the logical drive in the following sectors. The first sector to which this entry points contains the specific boot sector of the file system that was used in this logical drive. The second entry in the logical drive partition table holds the parameters for the subsequent logical drive. Thus, all logical drives in the extended partition are daisy chained together. The second entry of the last logical drive is also empty. Logical drives cannot be used for booting because the boot sectors of logical drives have no code.

M

MAC

Message Authentication Check Code

Master Boot Record (MBR)

A record that may be located in the boot sector of a disk drive. It allows the disk to be partitioned. It contains the partition table and code that parses this table during the boot process. The MBR is also referred to as partition 0 on a disk.

A disk does not need an MBR. The NTFS boot sector, for example, can be written directly into the boot sector of a disk. Such a disk is always handled as a whole and cannot be partitioned.

MBR

Master Boot Record

O

operating system volume

A volume that contains an operating system (for example, Windows Vista) that can be loaded by a boot manager. The operating system volume must be a simple volume and contain all operating system files. A given system can have multiple operating system volumes. The operating system on this volume can be started only if it has an entry in the BCD. The operating system volume may be encrypted with BitLocker.

owner password

A password that is set on the TPM. An owner password is required to change the state of the TPM, for enabling or disabling. For more information on TPM management, see the Windows Vista Beta 2 Trusted Platform Module Services Step by Step Guide.

P

partition

A sequence of contiguous sectors on a physical disk that holds a file system. The start sector and length are specified in a partition table.

partition, extended

A partition that does not directly contain a file system. It allows the definitions of multiple logical drives within the sectors that are assigned to the extended partition. The extended partition does not have a boot sector; instead, sector 0 of an extended partition has the definition of the first logical drive.

partition, primary

A contiguous number of sectors on a disk that are defined in the partition table in the MBR. The system can be booted from this partition. The first sector of this partition contains the specific boot sector of the file system that is used in this partition.

partition table

A table in the MBR that contains up to four start sectors and the length of the primary partitions on this disk. Each of the entries has an active flag that is associated with it. This flag marks the active partition on this disk. Only one of the four flags should be set. The boot sector of the first active primary partition is loaded by the MBR code and continues the boot process.

PCR

platform configuration register

personal identification number (PIN)

A user-specified secret value that must be entered each time the computer starts (or resumes from hibernation). You can choose to add PIN protection to a TPM-based configuration. The PIN can have 4 to 20 digits and internally is stored as a 256-bit hash of the entered Unicode characters. This value never appears back to the user in any form or for any reason. The PIN is used to provide another factor of protection in conjunction with TPM authentication.

PIN

personal identification number

platform configuration register (PCR)

A register of a TPM. This register is sufficiently large to contain a hash (currently only SHA-1). A register can normally only be “extended,” which means that its content is a running hash of all values that are loaded to it. To learn when these registers are reset, refer to the TCG specification document.

R

recovery password

A numerical password that consists of 48 digits divided into 8 groups. Each group of 6 digits is reduced to modulo 11 (a numerical calculation) before being compressed into corresponding 16 bits of passphrase data. A copy of the passphrase data is stored on disk encrypted by the VMK and thus an administrator can retrieve the recovery password after Windows has loaded.

The recovery password must be entered by using the function keys on the keyboard.

recovery password file

A BitLocker file that uses the naming convention: .bek (including the feature unique “.fve” file extension), which contains the recovery key that is required to unseal the volume.

recovery password key

A key that is used for recovering data that is encrypted on a BitLocker volume. This key is cryptographically equivalent to a startup key. If available, the recovery key decrypts the VMK, which in turn decrypts the FVEK.

The recovery key is stored on a USB flash drive. To use the recovery key, a user inserts the USB flash drive and then reboots the computer.

S

seal

A process by which data is encrypted and MAC’d by the TPM and cryptographically paired with a set of PCRs, which creates a cryptographic BLOB.

secure decommissioning

See drive sanitation.

secure mode, recovery mode, locked mode

A mode in which BitLocker has secured the computer, either because the system components have changed or because it needs an authentication key. In this circumstance, the user enters the recovery password and investigates why BitLocker triggered recovery mode.

SHA-1

A cryptographically-strong hash algorithm.

startup key

A key that is stored on a USB flash drive that must be inserted each time the computer starts. The startup key is used to provide another factor of protection in conjunction with TPM authentication. This is stored by the computer as an external key. A startup key is required to use BitLocker on a non-TPM computer.

SYSKEY

global system key

system (active) volume

The first volume that is accessed when a computer starts up. This volume contains the hardware-specific files that are required to load Windows and includes the computer’s boot manager (for loading multiple operating systems). Generally, the system volume can be, but is not required to be, the same volume as the operating system volume. However, for BitLocker to function, the system volume must differ from the operating system volume and also must not be encrypted.

This is the partition that initiates the hardware system startup process. In Windows Vista, this partition contains the active boot manager.

Any given computer should have only one system volume.

T

TCG

Trusted Computing Group

TPM

Trusted Platform Module

Trusted Computing Group (TCG)

The organization that sets standards for TPM use and interface ().

Trusted Platform Module (TPM)

Security hardware that provides a hardware-based root of trust and can be leveraged to provide a variety of cryptographic services, such as early-boot component checking. BitLocker uses a TPM v1.2 with a TCG-compatible BIOS for integrity checking of the early boot components capabilities to validate the integrity of critical early boot components and provide a transparent startup experience.

U

unseal

The process that TPM uses to decrypt data in a sealed BLOB to reveal the original secret. This BLOB can be unsealed only when the PCRs in the TPM are identical to the PCRs in the BLOB. If any of the PCR values are different, the TPM refuses to unseal the data and instead returns an error.

V

validation information (internally)

A list of 256-bit hashes of code modules, encrypted by the VMK and used in conjunction with code-integrity authentication.

VMK

volume master key

volume master key (VMK)

An advanced encryption standard (AES) 256-bit key that is used to encrypt the FVEK. There is only one VMK per disk.

volume

An area of storage on a hard disk. A volume is formatted by using a file system, such as NTFS, and has a drive letter assigned to it.

The volume manager in Windows organizes one or more partitions into a volume. The rest of the system does not deal with partitions directly. The simplest case is where a single partition is mapped to a volume. This is a simple volume. More complex cases are striped or mirrored raid volumes or multiple concatenated partitions that form one volume. A volume may contain partitions from multiple disks on the system. For BitLocker, the system volume and the operating system volume must be simple volumes. Data volumes may be of a more complex type.

................
................

In order to avoid copyright disputes, this page is only a partial summary.

Google Online Preview   Download