BitLocker, TPM, and tinfoil hats
A few weeks ago, the BBC News published a story that was literally true and hopelessly wrong. Under the headline UK holds Microsoft security talks, political reporter Ollie Stone-Lee wrote:
UK officials are talking to Microsoft over fears the new version of Windows could make it harder for police to read suspects' computer files.
Windows Vista is due to be rolled out later this year. Cambridge academic Ross Anderson told MPs it would mean more computer files being encrypted.
He urged the government to look at establishing "back door" ways of getting around encryptions.
The Home Office later told the BBC News website it is in talks with Microsoft.
That crinkling noise you hear is the sound of tinfoil hats being constructed all around the world. Predictably, the story was widely distributed, and like the old children’s game of Telephone, it became more alarming with each reposting. The story appeared on Microsoft’s Channel 9 Forums, for instance, under the heading “UK Gov Wants Backdoor in Vista.” Ars Technica reported, “Britain wants access to encrypted Vista hard drives.” RealTechNews added their two cents worth in “UK Wants Backdoor Into Vista PCs.”
This is what happens when you let a political reporter write about technology. The real story is far less provocative.
The facts? Yes, some versions of Windows Vista will include an advanced technology called BitLocker that will allow the owner of a computer to encrypt the hard drive so that it can’t be read by anyone without the proper key. (In current beta builds of Windows Vista Ultimate Edition, it’s also known as Secure Startup.) Why would someone who isn’t a criminal want such a feature? Why don’t we ask, oh, the BBC News, which reported this story in June 2004:
A hard drive containing sensitive information on one of Europe's largest financial services groups has been purchased on an internet auction site for just a fiver.
The hard drive was bought as part of research into what happens to lost or stolen laptops.
It contained information including pension plans, dates of birth and home addresses of customers. …
[S]ecurity firm Pointsec Mobile Technologies … purchased 100 hard drives and laptops on internet auction sites to find out how easy it would be for criminals and opportunists to get their hands on valuable company information.
Seven out of 10 hard drives could be read easily despite being supposedly wiped clean.
Pointsec also investigated the life-cycle of a lost laptop. It found that PCs lost at airports or handed into the police were routinely resold with all the information still on them if they were not reclaimed within 3 months.
At one of the auctions used by the lost property department at Gatwick Airport, researchers were able to access information on one in three laptops using simple password recovery software.
People leave notebook computers in taxis, airplanes, and hotel rooms. Lost or stolen hard drives might contain personal financial data, confidential information about an upcoming merger or acquisition, even military secrets. There are good reasons to protect this type of data, especially on mobile PCs.
And the so-called back door? Go back and read that BBC story again. Professor Anderson is the one making the call for a way to break that encryption, not the government. I spoke with Microsoft’s Austin Wilson, Director of Windows Client Product Management, who laid out Microsoft’s policy without any equivocation: “We don't do backdoors in Microsoft software. At all. If it were there, it would be available for criminals to exploit as well.”
And those conversations with the British government? Microsoft cryptographer Niels Ferguson explains:
We are of course talking to various governments; we want them to buy Vista and use BitLocker for their own security. We get the typical questions you always get: ease of use, performance, security, etc. We also get questions from law enforcement organizations. They foresee that they will want to read BitLocker-encrypted data, and they want to be prepared. Like any security technology BitLocker has its avenues of attack and law enforcement should know about them. For example, if they search a house and find a computer, they should also take all USB thumb drives, as these might contain a BitLocker key. This information is not secret; our users need to have the same information when they make the security vs. convenience tradeoff of choosing a key-protection option (TPM only, USB key, TPM + USB key, etc.) We plan on having a KB article with the details when Vista ships.
This isn’t the first time Microsoft has been accused of embedding secrets cryptographic keys into Windows. At the turn of the century, a handful of security researchers were convinced they had found evidence that Microsoft had buried a secret key in Windows NT for use by the United States National Security Agency. And in 2002 privacy advocates were convinced that Microsoft would use the Trusted Platform Module (then known by its code name Palladium and later known as Next-Generation Secure Computing Base), which is one optional component of the BitLocker system, to “establish an unprecedented level of control over users and their computers.” (Ironically, Ross Anderson appears prominently in that story as well.)
Stories like this one get traction because people love a good conspiracy story. As it turns out, in this case at least, the real explanation would make a lousy spy novel. Cryptographic secrets are embedded in hardware because that’s the best way to prevent them from being attacked. Encryption can be used by good guys and crooks alike. Back doors don’t work.
And political reporters should stick to politics.