Decrypting BitLocker – extracting the key from the TPM chip


Connecting the sniffer to the TPM module via the LPC bus

Full disk encryption BitLocker in Windows OS it is considered a fairly reliable way to save data. By default, it uses the Advanced Encryption Standard (AES) algorithm in block coupling mode (CBC) or in mode rigged codebook with ciphertext theft (XTS) based on xor-encrypt-xor (XEX) with a 128- or 256-bit key.

In theory, this is a pretty strong scheme. The only problem is that the BitLocker private key is stored in Trusted Platform Module (TPM), and in some cases (on some computers) it can be removed by gaining physical access to the device.


BitLocker

Full disk encryption in Windows 10 can be enabled in Control Panel → System and Security → BitLocker Drive Encryption.

TPM (Trusted Platform Module) is a specification that describes a cryptographic processor in which cryptographic keys are stored to protect information. As you can see in the screenshot, BitLocker has the ability to work without a compatible crypto processor. In this case, the keys are stored in a different location.

In short, BitLocker encrypts data using a Full Volume Encryption Key (FVEK). This key is in turn encrypted using the volume master key (VMK).

The VMK key is encrypted with several “protectors”. There are two of them in the default configuration. One is the TPM, the other is the recovery key:

All this is done so that an attacker, having physical access to the device, will not be able to load Linux on the laptop (or remove the disk) and gain access to the data.



Chaining Block Encryption (CBC)

BitLocker in its default configuration requires no additional user intervention. This is because TPM is only used to decrypt VMK. Any changes to the BIOS or bootloader code will change configuration registers (PCRs)and TPM will not open VMK.



Encryption in xor-encrypt-xor (XEX) mode

Since data decryption occurs automatically, it is enough to intercept the VMK from the TPM, enter it into any BitLocker library, and decrypt the drive.

Removing the key

Keys can be extracted from the TPM using an inexpensive FPGA module or logic analyzer. The first to use this method in 2019

demonstrated

hacker Denis Andzakovic from Pulse Security. He published a proof-of concept and

sniffer source code

.

The sniffer connects to LPC bus, from where it receives the master key for encrypting the volume. With this key you can decrypt the disk. The 2019 demonstration used an HP laptop with a TPM 1.2 chip and a Surface Pro 3 tablet with a TPM 2.0 chip, indicating that both versions of TPM were vulnerable. For the attack, the author used the DSLogic Plus 16 logic analyzer (cost about $150).

The HP motherboard has an Infineon SLB96350 chip. It acts as a cryptoprocessor and is connected via the LPC bus:

The sniffer is connected to this bus:

Since the LPC operates at 33 MHz, the engineer set the data acquisition frequency to 100 MHz:

After decoding the packets over the LPC bus, all that remains is to find the VMK key in the dump of the recorded traffic. You can find it by title 0x2c 0x00 0x00 0x00.

A few bytes after the header the key body begins.

To listen to the Surface Pro 3 key, the specialist used a devkit Lattice ICEStickwhich is sold at a price about $49.

In 2021, Denis’s experiment with Bitlocker key sniffing reproduced specialists from SCRT Information Security on a laptop Lenovo ThinkPad L440 with ST Microelectronics P24JPVSP cryptoprocessor (equivalent to ST33TPM12LPC).

In this case, a similar iCEstick40 FPGA device from Lattice Semiconductor was used and software sniffer With some modifications TPM is for listening.

Having found the aforementioned key header in the dump, it is then extracted in its entirety using the command grep and recording the 32 subsequent hex values:

$ cut -f 2 -d\' log6 | grep '24..00$' | perl -pe 's/.{8}(..)..\n/$1/' | grep -Po "2c0000000100000003200000(..){32}"
2c00000001000000032000005af9490916013a0bc177b3301d41508c4af8abb8583de5e4c60bbbabafad8a3a

Disk decryption is performed by the program

dislocker

which in recent versions supports the option

--vmk

and accepts VMK keys directly without FVEK reconstruction:

$ hexdump -C vmk
00000000  5a f9 49 09 16 01 3a 0b  c1 27 b3 30 1d 41 50 8c  
00000010  4a f8 ab b8 58 3d e5 e4  c6 0b bb ab cf ad 8a 3a
$ sudo dislocker -v -V /dev/sdb3 --vmk vmk -- /media/bl
$ sudo mount -o ro,loop /media/bl/dislocker-file /media/blm
$ ls /media/blm
'$RECYCLE.BIN'             ESD            pagefile.sys    'Program Files (x86)'         Users
'$SysReset'                hiberfil.sys   PerfLogs         Recovery                     Windows
 Chocolatey                install        ProgramData      swapfile.sys
'Documents and Settings'   Intel         'Program Files'  'System Volume Information'

Thus, in the event of a laptop being lost/stolen when using BitLocker, data safety cannot always be relied upon. It is important to understand which TPM module is used in the device. If it is not combined with the CPU and is located on a separate chip, then how vulnerable is the bus to sniffing. The TPM is usually connected over a low-speed LPC, I2C or SPI bus, which operates at 25-33 MHz and

easily accessible for listening on cheap equipment

.

A few weeks ago information has appearedthat even a $4 Raspberry Pi Pico can be used as a sniffer, and the whole process takes less than a minute.

But there is also a positive aspect: if the user has forgotten his password or BitLocker PIN, then on some computers the files can still be recovered.

Microsoft published recommendations for additional protection when using BitLocker. The company recommends add an additional authentication factor before downloading (for example, PIN code).

Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *