In Depth Security Vol. III

Proceedings of the DeepSec Conferences
Magdeburger Institut für Sicherheitsforschung (Verlag)
  • 1. Auflage
  • |
  • erschienen am 20. November 2019
  • |
  • 208 Seiten
E-Book | ePUB ohne DRM | Systemvoraussetzungen
978-3-9817700-5-6 (ISBN)
This book contains a broad spectrum of carefully researched articles dealing with IT-Security: the proceedings of the DeepSec InDepth Security conference, an annual event well known for bringing together the world's most renowned security professionals from academics, government, industry, and the underground hacking community. In cooperation with the Magdeburger Institut für Sicherheitsforschung (MIS) we publish selected articles covering topics of past DeepSec conferences. The publication offers an in-depth description which extend the conference presentation and includes a follow-up with updated information.
Carefully picked, these proceedings are not purely academic, but papers written by people of practice, international experts from various areas of the IT-Security zoo. You find features dealing with IT-Security strategy, the social domain as well as with technical issues, all thoroughly researched and hyper contemporary. We want to encourage individuals, organizations and countries to meet and exchange, to improve overall security, understanding and trust. We try to combine hands-on practice with scientific approach. This book is bringing it all together.
  • Englisch
  • 5,95 MB
978-3-9817700-5-6 (9783981770056)
weitere Ausgaben werden ermittelt

The Bitlocker Password Cracker

Elena Agostini and Massimo Bernaschi

BitLocker is a full-disk encryption feature available in recent Windows versions. It is designed to protect data by providing encryption for entire volumes and it makes use of a number of different authentication methods. In this work we present a solution, named BitCracker, to attempt the decryption, by means of a dictionary attack, of memory units encrypted by BitLocker with a user supplied password. To that purpose, we resort to GPU (Graphics Processing Units) that are, by now, widely used as general-purpose coprocessors in high performance computing applications. BitLocker decryption process requires the execution of a very large number of SHA-256 hashes and also AES, so we propose a very fast solution, highly tuned for Nvidia GPU, for both of them. In addition we take the advantage of a weakness in the BitLocker decryption algorithm to speed up the execution of our attack. We benchmark our solution using the three most recent Nvidia GPU architectures (Kepler, Maxwell and Pascal), carrying out a comparison with the Hashcat password cracker. Finally, our OpenCL implementation of BitCracker has been recently released within John The Ripper, Bleeding-Jumbo version.

Keywords: BitLocker, Hash, SHA-256, AES, GPU, CUDA, Cryptographic Attack, Password Cracking

Citation: Agostini, E. & Bernaschi, M. (2019). BitCracker: BitLocker meets GPUs. In S. Schumacher & R. Pfeiffer (Editors), In Depth Security Vol. III: Proceedings of the DeepSec Conferences (Pages 1-16). Magdeburg: Magdeburger Institut für Sicherheitsforschung

1 Introduction

BitLocker is a data protection feature that integrates with the Windows operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. It offers a number of different authentication methods, like Trusted Platform Module, Smart Key, Recovery Password, user supplied password. Bit-Locker features a pretty complex proprietary architecture but it also leverages some well-known algorithms, like SHA-256 and AES. It is possible, and relatively easy (to this purpose, commercial tools are available (Elcomsoft Forensic Disk Decryptor 2018)) to instantly decrypt disks and volumes protected with BitLocker by using the decryption key extracted from the main memory (RAM). In addition, it is also possible to decrypt for offline analysis or instantly mount BitLocker volumes by utilizing the escrow key (BitLocker Recovery Key) extracted from a user's Microsoft Account or retrieved from Active Directory.

If the decryption key can not be retrieved, the only alternative remains to unlock password-protected disks by attacking the password. The same commercial tools above mentioned, offer this as an option but in a quite generic form (i.e.,) without taking into account the specific features of BitLocker. Moreover, according to some comments1, they may be also not fully reliable. The goal of the present paper is to describe our approach to attack BitLocker password-protected storage units. We carefully studied available information about Bit-Locker architecture and directly inspected several types of units in order to find out how to minimize the amount of work required to check a candidate password. The platforms we use for the attack are based on Nvidia GPUs and we carefully optimized the most computing intensive parts of the procedure achieving a performance that is, at least, comparable with that provided by well-known password crackers like Hashcat (Hashcat 2018) for the evaluation of the SHA-256 digest function. However, the main goal of our work is not providing an alternative to Hashcat as a general framework for dictionary attacks but to offer the first open-source high performance tool to test the security of storage units protected by BitLocker using the user password and recovery password authentication methods.

2 BitLocker

BitLocker (formerly BitLocker Drive Encryption) is a full-disk encryption feature included in the Ultimate and Enterprise editions of Windows Vista and Windows 7, the Pro and Enterprise editions of Windows 8 and Windows 8.1, Windows Server 2008 and Windows 10. It is designed to protect data by providing encryption for entire volumes.

BitLocker can encrypt several types of memory units like internal hard disks or external memory devices 2(flash memories, external hard disks, etc..) offering a number of different authentication methods, like Trusted Platform Module, Smart Key, Recovery Key, password, etc.. In this paper we focus on two different authentication modes: the user password mode, in which the user, to encrypt or decrypt a memory device, must type a password (as represented in Figure 1) and the recovery password mode, that is a 48-digit key generated by BitLocker (regardless of the authentication method chosen by the user) when encrypting a memory device3. By means of the recovery password the user can access an encrypted device in the event that she/he can't unlock the device normally.

Figure 1: BitLocker encryption of an USB pendrive using the password authentication method.

During the encryption procedure, each sector in the volume is encrypted individually, with a part of the encryption key being derived from the sector number itself. This means that two sectors containing identical unencrypted data will result in different encrypted bytes being written to the disk, making it much harder to attempt to discover keys by creating and encrypting known data. BitLocker uses a complex hierarchy of keys to encrypt devices. The sectors themselves are encrypted by using a key called the Full-Volume Encryption Key (FVEK). The FVEK is not used by or accessible to users and it is, in turn, encrypted with a key called the Volume Master Key (VMK). Finally, the VMK is also encrypted and stored in the volume; for instance, if the memory device has been encrypted with the user password method, in the volume metadata there are two encrypted VMKs: the VMK_U, that is the VMK encrypted with the user password, and the VMK_R, that is the VMK encrypted with the recovery password.

During the decryption procedure (Figure 2) BitLocker, depending on the authentication method in use, starts to decrypt the VMK. Then, if it obtains the right value for the VMK, it decrypts in turn the FVEK and then the entire memory device.

The attack described in the present paper aims at decrypting the correct VMK key which belongs to an encrypted memory unit through a dictionary attack to the user password or to the recovery password. That is, if an attacker is able to find the password to correctly decrypt the VMK key, she/he is able to decrypt the entire memory unit with that password.

Figure 2: BitLocker encryption/decryption scheme

2.1 User Password VMK Decryption Procedure

To gain an insight about the workings of our attack, more information are necessary about the VMK decryption procedure (Figure 3) when the authentication method is a user password (see also (N. Kumar and V. Kumar 2008) (Aorimn 2018) and (Metz 2018)):

1. the user provides the password;

2. SHA-256 is executed twice on it;

3. there is a loop of 0x100000 iterations, in which SHA-256 is applied to a structure like:

typedef struct {

unsigned char updateHash[32];

//last SHA-256 hash calculated

unsigned char passwordHash[32];

//hash from step 2

unsigned char salt[16];

uint64_t hash_count;

// iteration number

} bitlockerMessage;

4. this loop produces an intermediate key, used with AES to encrypt the Initialization Vector (IV) (derived from a nonce);

5. XOR between encrypted IV and encrypted Message Authentication Code (MAC) to obtain the decrypted MAC;

6. XOR between encrypted IV and encrypted VMK to obtain the decrypted VMK;

7. if the MAC, calculated on the decrypted VMK, is equal to the decrypted MAC, the input password and the decrypted VMK are correct;

Figure 3: VMK decryption procedure

All the elements required by the decryption procedure (like VMK, MAC, IV, etc..) can be found inside the encrypted volume. In fact, during the encryption, BitLocker stores not only encrypted data but also metadata that provide information about encryption type, keys position, OS version, file system version and so on. Thanks to (Metz 2018), (Aorimn 2018), (N. Kumar and V. Kumar 2008) and (Kornblum 2009) we understood how to get all of these informations reading the BitLocker Drive Encryption (BDE) encrypted format. After an initial header, every BDE volume contains 3 (for backup purposes) FVE (Full Volume Encryption) metadata blocks, each one composed by a block header, a metadata header and an array of metadata entries.

Figure 4: FVE metadata block, BitLocker Windows 8.1

In Figure 4 we report an example of FVE block belonging to a memory unit encrypted with Windows 8.1, enumerating the most interesting parts:

  1. The "-FVE-FS-" signature, which marks the beginning of an FVE block
  2. The Windows version number
  3. The type and value of a VMK metadata entry
  4. According to this value, the VMK has been encrypted using the user password authentication method
  5. The...

Dateiformat: EPUB
Kopierschutz: ohne DRM (Digital Rights Management)


Computer (Windows; MacOS X; Linux): Verwenden Sie eine Lese-Software, die das Dateiformat EPUB verarbeiten kann: z.B. Adobe Digital Editions oder FBReader - beide kostenlos (siehe E-Book Hilfe).

Tablet/Smartphone (Android; iOS): Installieren Sie bereits vor dem Download die kostenlose App Adobe Digital Editions (siehe E-Book Hilfe).

E-Book-Reader: Bookeen, Kobo, Pocketbook, Sony, Tolino u.v.a.m. (nicht Kindle)

Das Dateiformat EPUB ist sehr gut für Romane und Sachbücher geeignet - also für "glatten" Text ohne komplexes Layout. Bei E-Readern oder Smartphones passt sich der Zeilen- und Seitenumbruch automatisch den kleinen Displays an. Ein Kopierschutz bzw. Digital Rights Management wird bei diesem E-Book nicht eingesetzt.

Weitere Informationen finden Sie in unserer E-Book Hilfe.

Download (sofort verfügbar)

9,99 €
inkl. 7% MwSt.
Download / Einzel-Lizenz
ePUB ohne DRM
siehe Systemvoraussetzungen
E-Book bestellen