
Microsoft Gives Details About Its Controversial Disk Encryption - jron
https://firstlook.org/theintercept/2015/06/04/microsoft-disk-encryption/
======
jron
"I asked Microsoft if the company would be able to comply with unlocking a
BitLocker disk, given a legitimate legal request to do so. The spokesperson
told me they could not answer that question."

~~~
wfunction
I was thinking the same thing. Why the hell would they say such a thing if the
answer is no?

~~~
caskance
Because that is the only answer they are allowed to give.

~~~
wfunction
And why would they not be allowed to say no?

~~~
nickpsecurity
As a3n said, there was an NSL, FISA warrant, or other legal threat that says
they can't reveal even the existence of it. Saying yes reveals the existence
in an obvious way. Saying no might get them in trouble if revealed to be lying
later in court or mainstream media. So, like with classified matters, the
safest comment is to not have one. Neutral.

It's proven to work in terms of liability in the majority of cases.

~~~
tptacek
Please cite such a case --- meaning, a case in which a software vendor faced
civil or criminal liability for revealing the existence of a backdoor shipped
in its product. Since you used the word "proven", a single example seems like
a very reasonable request.

~~~
nickpsecurity
That's a trap. I just said a situation where they might do time for
revealing it. You essentially want me to show where they reveal it. A tall
order but I'll try anyway. Yahoo fought the FISA court, lost, and others were
shown the same decision showing resistance would be treated criminally [1].
Lavabit was ordered to give up their key to FBI, not talk about it, and lie to
users about their privacy. (Google court docs if you doubt last part.)
Finally, the ECI-classified leaks have a slide that says the "FBI compels" [2]
the cooperation of U.S. companies with NSA's secret program(s). Compel is
undefined. Yet, FBI is a LEO and involuntary compliance with them usually
follows threats, yes? The same term is also used in this [3] document citing
the specific, federal laws. Both are consistent with Yahoo's claims and
leverage same laws.

So, I believe that the FBI and NSA might have worked together to use legal
threats related to Patriot Act to force companies to comply with SIGINT-enabling
for collection purposes. The other ECI leaks mention U.S. companies
that were cooperative and made their systems "exploitable" for "SIGINT-enabling."
So, they offer money first and call the FBI if that doesn't work.
Almost everyone caved so I'm guessing there's a significant, legal threat
there.

They're not telling you in detail because it's classified: releasing the info
is a felony. Who would after seeing what happened to other whistleblowers...
It's why I recommend privacy-focused companies being located in Iceland or
countries similarly non-cooperative with police state activities. At least one
can legally resist subversion in those countries rather than experience...
whatever FBI does... for not subverting one's products.

[1]
[https://www.techdirt.com/articles/20130614/10341723470/yahoo...](https://www.techdirt.com/articles/20130614/10341723470/yahoo-fought-back-against-prism-lost-secret-ruling.shtml)

[2]
[https://firstlook.org/theintercept/document/2014/10/10/eci-w...](https://firstlook.org/theintercept/document/2014/10/10/eci-whipgenie-classification-guide/)

[3]
[https://www.nsa.gov/public_info/_files/speeches_testimonies/...](https://www.nsa.gov/public_info/_files/speeches_testimonies/2013_08_09_the_nsa_story.pdf)

------
alyx
_Considering Schneier has been outspoken for decades about the importance of
open source cryptography, I asked if he recommends that other people use
BestCrypt, even though it’s proprietary. “I do recommend BestCrypt,” Schneier
told me, “because I have met people at the company and I have a good feeling
about them. Of course I don’t know for sure; this business is all about trust.
But right now, given what I know, I trust them.”_

Uhh what?

So following that same logic, if I know people at Microsoft who wrote the code
for BitLocker, and I trust them, I should trust BitLocker.

~~~
derefr
I think the "good feeling" is supposed to be about their _cryptographic
experience and expertise_.

The second point about trust doesn't directly flow from the previous sentence
(which would make it sound like he's saying something like "I trust this
person sight-unseen"); instead, he's just meaning that cryptography (like any
technology) ultimately requires you to trust _someone_ at _some point_,
because you can't audit every line of every piece of software and firmware
you're sitting on top of.

And because of that, while there _can_ be a point where you know "enough"
about a particular codebase's architecture and management to have faith in its
stewardship (or enough to _not_ have faith in said stewardship—OpenSSL, for
example), you can't really ever know _everything_ there is to know about a
codebase now-and-forevermore such that you no longer have to trust anyone
about anything.

~~~
jkyle
Somewhat. But that's a pretty thin link of trust. People change jobs and I
doubt the people he knows personally know every line of code either.

In the end, he's trusting MS the company as a whole.

Generally when I 'trust' open source, it's not a specific person I'm trusting.
More so, I "trust" that given the millions of programmers in the world that
will look at this code there will be one with similar interests to me that
will catch any nefarious bits that slip in.

I think these two kinds of trust are categorically different. One providing
much more permanence than the other.

------
AaronFriel
I'm surprised Microsoft hasn't implemented AES-XTS with REFS in Windows 10.
Okay, that was perhaps an acronym too far.

REFS is Microsoft's answer to the new generation of copy-on-write filesystems,
akin to ZFS and BTRFS. It checksums all data on disk to verify integrity.

AES-XTS is a block cipher mode that avoids many of the problems of AES-CBC,
although neither is as bad as ECB. But like all block cipher modes used for
FDE, they're susceptible to malleability attacks. That's because there's just
no room in a sector to store authentication information. Enter: a filesystem
that performs checksumming and performs authentication at a higher level.

It's a little disappointing to me that Bitlocker was weakened and, from the
outside, it appears no significant effort was undertaken to resolve this using
tech Microsoft already has. The weak link may be some NTFS features that REFS
doesn't implement, as currently Microsoft doesn't support using REFS for your
system drive.
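
The property this comment describes, that a sector of ciphertext is exactly as large as the plaintext and so leaves no room for an authentication tag, can be shown with a small simulation. The code below is an added illustration, not code from the thread, from Microsoft or from any filesystem: the "cipher" is a toy stand-in (an HMAC-SHA256 keystream tweaked by sector number) rather than AES-XTS, and the `ChecksummingFS` class is a sketch of the ReFS/ZFS/btrfs idea of keeping a per-sector checksum in filesystem metadata outside the sector itself. Because the stand-in behaves like a stream mode, one flipped ciphertext bit changes one plaintext bit; with XTS a flipped bit scrambles its 16-byte block instead, and a replayed old sector decrypts cleanly, but in every one of those cases the encryption layer alone raises no error. The checksum layer is what turns silent modification into a detected read failure.

```python
import hashlib
import hmac
import os

SECTOR = 512  # bytes per sector; the ciphertext must fit in exactly this space


def keystream(key: bytes, sector_no: int, length: int) -> bytes:
    """Stand-in for a sector-tweaked cipher: HMAC-SHA256 in counter mode keyed
    on (key, sector number). Toy construction for illustration, not AES-XTS."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        msg = sector_no.to_bytes(8, "big") + counter.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_sector(key: bytes, sector_no: int, data: bytes) -> bytes:
    if len(data) != SECTOR:
        raise ValueError("sector must be exactly SECTOR bytes")
    return bytes(a ^ b for a, b in zip(data, keystream(key, sector_no, SECTOR)))


decrypt_sector = encrypt_sector  # XOR with the same keystream inverts it


class EncryptedDisk:
    """Sector-level encryption only: same size in as out, nowhere to keep a
    tag, so this layer cannot tell a modified sector from a genuine one."""

    def __init__(self, key: bytes):
        self.key = key
        self.raw = {}  # sector number -> stored ciphertext

    def write(self, n: int, data: bytes) -> None:
        self.raw[n] = encrypt_sector(self.key, n, data)

    def read(self, n: int) -> bytes:
        return decrypt_sector(self.key, n, self.raw[n])


class ChecksummingFS:
    """Filesystem that records a checksum of every sector in its own metadata
    (in the spirit of ReFS/ZFS/btrfs) and verifies it on every read. In a real
    system that metadata lives in other encrypted sectors; here it is a dict."""

    def __init__(self, disk: EncryptedDisk):
        self.disk = disk
        self.checksums = {}

    def write(self, n: int, data: bytes) -> None:
        self.checksums[n] = hashlib.sha256(data).digest()
        self.disk.write(n, data)

    def read(self, n: int) -> bytes:
        data = self.disk.read(n)
        if not hmac.compare_digest(hashlib.sha256(data).digest(), self.checksums[n]):
            raise ValueError(f"sector {n}: checksum mismatch, contents were modified")
        return data


def flip_bit(disk: EncryptedDisk, n: int, byte_index: int) -> None:
    """Simulates an offline modification of stored ciphertext (no key involved)."""
    raw = bytearray(disk.raw[n])
    raw[byte_index] ^= 0x01
    disk.raw[n] = bytes(raw)


def tamper_experiment(key=None) -> dict:
    """Write one sector, modify it on 'disk', then read it back through the
    bare encryption layer and through the checksumming filesystem."""
    key = key or os.urandom(32)
    disk = EncryptedDisk(key)
    fs = ChecksummingFS(disk)
    # Constructed sample content, padded to a full sector.
    original = b"quarterly-report.txt: draft 3, do not distribute".ljust(SECTOR, b"\x00")
    fs.write(7, original)
    flip_bit(disk, 7, 40)
    # Encryption layer alone: decrypts without complaint; one byte silently differs.
    changed = [i for i, (a, b) in enumerate(zip(disk.read(7), original)) if a != b]
    try:
        fs.read(7)
        detected = False
    except ValueError:
        detected = True
    return {"changed_bytes": changed, "fs_detected": detected}


if __name__ == "__main__":
    print(tamper_experiment())
```

The checksum catches the modification only because it is stored somewhere other than the sector it protects, which is exactly the room a sector-sized cipher does not have; the same structure is why authenticated encryption needs a tag that makes the output larger than the input.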

------
MichaelGG
Removal of the diffuser is very suspicious, given its importance. Machines
were weaker when Vista shipped, so that's an odd claim, about security. And
since AES-NI is more widespread I'd bet overall the system is even faster!
They should back up such a claim with solid benchmarks (I never had a problem
with it.) Plus they could make it optional, and/or disable it on low power
machines.

MS should have pushed to get the diffuser into whatever "standards" (I'm
guessing OPAL/eDrive) they are worried about. And IIRC, the diffuser is quite
fast, but nothing stops them from implementing an even faster one.

~~~
pbsd
> And IIRC, the diffuser is quite fast

Kinda. When Elephant was designed AES-NI did not exist, and so AES was
expected to work at somewhere between 10-20 cycles per byte. Elephant worked
somewhere between 5-10 cpb, so it was not a lot of overhead. Post-AES-NI,
however, the majority of CPU time is now spent on the diffuser.

Furthermore, SSDs were not popular at the time this was designed. So the
relatively low speed of software AES + diffuser was not that big a deal. Now,
with 500 MB/s and higher drives, cipher speed matters. For reference, 10 cpb
translates to ~200 MB/s in your average 2 GHz processor.

This is not to say that removing Elephant was a good idea, but the performance
argument is not entirely unreasonable. It is of course possible to design a
new diffuser that can take better advantage of modern chips; maybe they should
do that.
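
The cycles-per-byte reasoning in this comment is easy to turn into a small throughput model; the code below is an added illustration, not from the thread or from Microsoft. The per-byte costs are assumptions taken from the ranges quoted above (software AES at 15 cpb as the middle of 10-20, Elephant at 7.5 cpb as the middle of 5-10); the 1 cpb figure for AES with AES-NI is my own assumption, not a number from the comment.

```python
def throughput_mb_s(cpb: float, clock_ghz: float) -> float:
    """MB/s (10^6 bytes) one core pushes through a transform costing cpb cycles/byte."""
    return clock_ghz * 1e9 / cpb / 1e6


def pipeline(stages: dict, clock_ghz: float) -> dict:
    """Cost of running per-byte transforms back to back (e.g. AES, then the
    Elephant diffuser): total cpb, resulting MB/s, and each stage's share of CPU time."""
    total = sum(stages.values())
    return {
        "total_cpb": total,
        "throughput_mb_s": throughput_mb_s(total, clock_ghz),
        "share": {name: cost / total for name, cost in stages.items()},
    }


def keeps_up_with(stages: dict, clock_ghz: float, drive_mb_s: float) -> bool:
    """True if one core can transform data at least as fast as the drive moves it."""
    return pipeline(stages, clock_ghz)["throughput_mb_s"] >= drive_mb_s


# Illustrative per-byte costs (assumptions, see the lead-in above).
SOFTWARE_AES = 15.0  # cycles/byte, mid-point of the quoted 10-20
ELEPHANT = 7.5       # cycles/byte, mid-point of the quoted 5-10
AESNI_AES = 1.0      # cycles/byte, assumed for hardware AES; not from the comment

if __name__ == "__main__":
    for label, aes in (("software AES", SOFTWARE_AES), ("AES-NI", AESNI_AES)):
        r = pipeline({"aes": aes, "elephant": ELEPHANT}, 2.0)
        print(f"{label} + Elephant at 2 GHz: {r['throughput_mb_s']:.0f} MB/s, "
              f"diffuser share {r['share']['elephant']:.0%}, "
              f"keeps up with a 500 MB/s drive: {keeps_up_with({'aes': aes, 'elephant': ELEPHANT}, 2.0, 500)}")
```

With these inputs the diffuser is about a third of the cost before AES-NI and about nine tenths of it after, and the combined pipeline lands near 235 MB/s on a 2 GHz core, below the 500 MB/s drives the comment mentions, which is the shape of the performance argument regardless of whether one finds it persuasive.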

~~~
nickpsecurity
Curious, wasn't Vista shipping on computers that had to have more processing
power and memory? Do you think that would negate the performance argument a
bit or not be sufficient? It's hard for me to reconcile Microsoft's argument
about security for lower-performance machines when they were forcing upgrades
on customers at the same time. Not to mention Vista's efficiency tradeoffs.
(shudders)

~~~
pbsd
Vista did increase hardware requirements across the board. But the change we
are discussing here was made in Windows 8 and later, which is exactly when
Microsoft started caring about getting Windows into tablets and, in
particular, ARM chips.

~~~
nickpsecurity
Oh ok. Thanks for the clarification. It would certainly matter for the ARM
editions.

------
joshstrange
I generally like and agree with FirstLook/Intercept articles but this....

> Microsoft, after considerable prodding, provided me with answers to some
> longstanding questions about BitLocker’s security. The company told me which
> random number generator BitLocker uses to generate encryption keys,
> alleviating concerns about a government backdoor in that subsystem

And then to answer it:

> Microsoft told me that while the backdoored algorithm is included with
> Windows, it is not used by BitLocker, nor is it used by other parts of the
> Windows operating system by default. According to Microsoft, the default
> PRNG for Windows is an algorithm known as CTR_DRBG, not Dual_EC_DRBG, and
> when BitLocker generates a new key it uses the Windows default.

Oh they "told you", great I guess we will just take them at face value and
move on case clo... FUCK NO. Are you fucking kidding me???? MS may be getting
better overall as a company but security/privacy is something I still don't
trust them one bit on. That's not to say I think Apple is some bastion of
privacy but MS has been in bed with the government for a LOT longer and hasn't
been anywhere near as supportive of privacy/security as Apple has been as of
late.

This ENTIRE article is supposed to be taken on faith and I'm sorry but that's
not good enough. It's one thing to say "Some encryption is better than none"
or "It will protect you from run-of-the-mill thieves but not the government"
but to eat up everything MS said as fact is insane...

And as one more gem:

> I asked Microsoft if the company would be able to comply with unlocking a
> BitLocker disk, given a legitimate legal request to do so. The spokesperson
> told me they could not answer that question.

MS knows what side their bread is buttered on and let me give you a hint, it's
not the consumer side.

~~~
SomeStupidPoint
> Microsoft told me that while the backdoored algorithm is included with
> Windows, it is not used by BitLocker, nor is it used by other parts of the
> Windows operating system by default. According to Microsoft, the default
> PRNG for Windows is an algorithm known as CTR_DRBG, not Dual_EC_DRBG, and
> when BitLocker generates a new key it uses the Windows default.

This actually sounds a lot like the government mandated a backdoored crypto
algorithm into a suite of crypto algorithms, and then Microsoft was forced to
implement the backdoored algorithm in order to get certified for the suite,
which is required for government contracts.

> I asked Microsoft if the company would be able to comply with unlocking a
> BitLocker disk, given a legitimate legal request to do so. The spokesperson
> told me they could not answer that question.

There's a ton of perfectly benign reasons that a spokesman would decline to
answer that question, and since we don't have a direct quotation, we don't
even know what the response actually was.

I don't particularly like Microsoft, but I feel like we should blame them for
the things they actually do, not hold them to unreasonable standards.

~~~
MichaelGG
That's exactly why MS shipped the slow, backdoored RNG. It's part of the NIST
standards and they went along like other vendors, to tick the box.

------
mattjorgs
What's the point of encryption if the government can still force the creators
to decrypt it at the drop of a legal reason, which may or may not be
substantial?

~~~
trentnelson
Same reason you lock your front door despite the landlord having a spare key,
or the lock maker having a master key. You're screwed if the landlord or a
rogue lock maker employee wants to get into your place -- but it's good
protection against everything else.

~~~
emn13
Physical locks are poor analogies for encryption. A physical lock isn't
designed to provide robust security - it's trivially easy to open almost any
lock - it's to make opening it a noisy, slow, dangerous and expensive affair.
And even if you have that magical perfect physical lock, few houses (or other
containers) are impregnable.

A physical lock is more like an effective intrusion detection system - it's
not going to prevent hacks, but it might make those that have something to
lose think twice, and at least you're likely to know if you've been robbed.
Just like intrusion detection, physical locks make it at least somewhat risky
to even try to break in - after all, you might get caught.

------
wumbernang
I use bitlocker on my laptop and my portable backup usb stick. I have no
illusion that it's probably back doored but I continue to use it simply as a
casual insurance policy against doing something stupid like leaving the
storage device on a train.

It's most likely beyond the average man to decrypt my data and that's good
enough for me.

Applying the grey man principle, hiding in plain sight by blending into the
crowd is a good approach. If you have something to hide, do it via a side
channel, preferably off line and carry on using what everyone else does for
everything else.

------
AdmiralAsshat
Here's the most worrying line of the article, in my opinion:

_Asked about instances in which Microsoft built methods to bypass its
security and about backdoors generally, a company spokesperson told me that
Microsoft doesn’t consider complying with legitimate legal requests
backdoors._

Which says to me, "There are no backdoors, provided we redefine the word
'backdoor' to exclude all of the mechanisms we currently employ."

~~~
MichaelGG
Could also refer to users keeping their key backed up in their Microsoft
Account.

------
nickpsecurity
The article is a horrendous failure by The Intercept, which I usually love to
read. The most important part of evaluating trust is character. Microsoft's
character on the topic is to use low-quality software processes until forced
otherwise, notify NSA etc about bugs so they can hit them, help them do the
same with third party software (eg Skype), backdoor their own stuff (eg
NSAKEY), and so on. This is one of the least trustworthy companies in
existence with a known track record in subverting security and crypto of their
customers.

So, his research comes down to two major options: the above company's crypto
product with assurances of their PR team; a proprietary product with no
troubling history & endorsed by a well-known cryptographer. If Win8 and above,
he should start talking about BestCrypt rather than dropping a whole extra
paragraph on Bitlocker's advantages and how it's fine for the average user.
It's not fine because (a) the source screws _all_ of its users, (b)
alternatives only flourish if you support them (vote with wallet), and (c) a
site accepting submissions on corrupt organizations by leakers should never
recommend trusting security tech of a corrupt organization that contributes
to the evils they report on.

So, this post is just stupid except for the tiny parts where it mentions
alternatives. Matter of fact, it reads like an advertisement written with the
assistance of Microsoft's lawyers and publicists. I'm not saying it was but
any objective investigation should never look like that.

Conclusion: Don't trust The Intercept for INFOSEC advice, don't trust
Microsoft for security/crypto, use BestCrypt if on modern Windows, use
VeraCrypt for Win7 or earlier, and switch to Linux if possible for extra
transparency/options.

~~~
tptacek
NSAKEY is not a Microsoft NSA backdoor. Given where it lived in the security
design for Microsoft, it doesn't even make sense as an NSA backdoor.

~~~
nickpsecurity
"Microsoft said that the key's symbol was "_NSAKEY" because the NSA is the
technical review authority for U.S. export controls, and the key ensures
compliance with U.S. export laws" (Wikipedia on NSAKEY)

We actually don't know what it is past that. So, Microsoft says it was
required for export approval & made backup key. NSA controls those export
requirements. A declassified CIA document [1] from the period shows export
changes were pro-escrow and most big companies were onboard. In short, the
NSA, FBI, CIA, and other companies agreed on escrow keys for export of strong
cryptography. Microsoft added an escrow (err backup) key called _NSAKEY for
export approval. Logically, we should assume it was a COMSEC backdoor for NSA
so Microsoft could make money on exports.

Assuming anything else is logically questionable given no hard data
contradicting this and Microsoft's history of covert cooperation with NSA in
_much worse ways_. Hard data as in statements by Microsoft such as above
straight up saying who ordered the change and what it does vs the mere
speculation we saw elsewhere.

[1]
[http://www.foia.cia.gov/sites/default/files/DOC_0006231614.p...](http://www.foia.cia.gov/sites/default/files/DOC_0006231614.pdf)

~~~
tptacek
I sometimes don't know where to start with comments like these.

We do in fact know what it is, because no matter what the bits of the secret
key are, the use of the key in Microsoft's software is published: the code
we're talking about isn't obfuscated.

You say "[l]ogically, we should assume it was a COMSEC backdoor for NSA so
Microsoft could make money on exports". You say that as if it was impossible
to look at the code and see where the key is used. It obviously isn't. People
have done that work. They did it years and years ago. They explained what the
key does. But the conspiracy theory about NSAKEY being a secret backdoor keeps
coming up.

Once again: _the key we're talking about doesn't even make sense as a
backdoor_. It's a second authentication key, the first of which is a key
Microsoft already has, and could already use to the exact same effect.

~~~
nickpsecurity
Given your rep, I'll assume you did thorough research and drop NSAKEY for now.
I'll dig up that old work later for verification. If it checks out, I'll pass
the correction along to others bringing it up along with modifying the Wikipedia
article to keep it from confusing others.

~~~
tptacek
'geofft addressed this better than I ever did:

[https://news.ycombinator.com/item?id=9297787](https://news.ycombinator.com/item?id=9297787)

~~~
nickpsecurity
Bookmarked for my later research. Thank you.

