Offline Bruteforce attack against a Bitlockered Windows PC

The attack you outline is a fundamental problem for all types of encryption: If you want to use a password as the (source of) the encryption key, the password must have as much entropy as the desired encryption strength, otherwise you are vulnerable to offline brute-forcing.

So yes, if Bitlocker just used the password you entered as the (source of) the key, it would be vulnerable to this attack.

Bitlocker provides multiple authentication mechanisms, which address this problem in different ways.

  • The recommended mechanism (AFAIK) is to use the computer's Trusted Platform Module (TPM). With TPM authentication (called Transparent operation mode with Bitlocker), the TPM chip stores the Bitlocker key. The TPM is specifically designed to only release that key if certain password/PIN is provided, and to limit the number of authentication attempts. Therefore a comparably weak password/PIN is enough, because the password cannot be attacked off-line, as it is stored in the TPM.
  • Another solution is to use USB Key Mode. In that mode, either the key is stored on a USB key (optionally protected by a password), or a special USB device is used which performs secure authentication (similar to a TPM chip). Again, an off-line attack is not possible, because the key is stored on the USB device. However, if the USB device is just a simple storage device, an off-line attack against it is possible (thus it must be stored very securely).

USB Key Mode and TPM can be combined for even better security.

Note that it is possible to use Bitlocker without a TPM chip (though this is apparently not recommended by Microsoft). If you do that, then you are indeed vulnerable to password bruteforcing attacks, so you need a password with sufficient entropy, i.e. at least 128 bit, better 168 bit.

For an extensive discussion of the design choices, security tradeoffs and technology of Bitlocker, see the paper AES-CBC + Elephant diffuser, A Disk Encryption Algorithm for Windows Vista by Niels Ferguson, available from http://go.microsoft.com/fwlink/?LinkId=80598 .


BitLocker encrypts the drive using a "volume master key", which is never placed directly in persistent storage anywhere. One or more "key protectors" are present in the volume metadata, each one of which provides a way to obtain the VMK. For the PIN/Password-based protectors, the password is passed through a very slow key derivation function (something like bcrypt, but I'm not actually sure what function or what the exact parameters are). The parameters probably vary by hardware, but it takes over half a second on my work machine.

I believe this derived key is then checked against a stored hash and, if it matches, used to decrypt the VMK (that is, the PIN/Password protector contains an version of the VMK, encrypted using the key that the KDF spits out, and a hash of the derived key, used to check the derived key's correctness).

To attempt to brute-force the password, you will need to figure out the algorithm and its parameters (salt, work factor, etc.). Unless you have serious computing resources available, it will take a very long time for a brute-force search to find anything due to the slow KDF.

The most publicly code-usable implementation of BL that I know of is the dislocker git repo, dislocker being an open-source (partial) implementation of BitLocker (written as a FUSE driver). I'm not aware of any ready-built brute-forcing tool for BitLocker, but you could probably build one on top of dislocker's code. It'll probably take a while to run, though!


Full disk encryption tools rely on AES which is still considered secure today. So most attacks focus target the operating system itself instead of the encryption mechanism such tools use.

The attacks you may face in case your machine is stolen depend on several factors. First of all, on how you configured it. Configurations that require authentication prior to booting the operating system prevent a hacker from immediately attacking the operating system. So first of all, set Bitlocker with the pre-boot authentication option.

Before you encrypt the disks, be sure your machine is safe of the presence rootkits and bootkits which may have the same privileges as your operating system and can even compromise your full volume encryption key as it is encrypted by the volume master key and stored in the encrypted volume. Note that UEFI is intended to protect your system again the presence of rootkits and bootkits, however it is not foolproof.

An other thing to consider is brute force sign-in attacks that can be performed even against the pre-boot authenticator we mentioned above.

Also an attacker may use Thunderbolt to connect an other device to your laptop. Because DMA (direct memory access) ports do not provide authentication or access control to protect the contents of the computer’s memory to which the device have a read access only, you can imagine an attack based on these facts (called DMA attacks). Note that in case you are running Windows 8 then you may be know that Windows 8 InstantGo–certified devices do not have DMA ports, eliminating the risk of DMA attacks

So in conjunction with configuring the pre-boot authentication, you may also use USB device (such as a flash drive) to store the BitLocker startup key and use it to authenticate along with your PIN/password: this an other layer of security in which even if your PIN/password is brute-forced, the Bitlocker start-up key is still safe (suppose your laptop and USB device can not be stolen by the same attacker)

Tags:

Windows

Bitlocker

Password Cracking

Related

Securely erasing personal data from Android phone before selling Is using Tor and VPN combination more secure? Why Can't Google Just Switch to Pushing Android Security Updates Directly to Users? Prevention of user's passwords being stored as plain text in bash history How can CloudFlare provide a valid SSL certificate for domains not under its control? Is "mini-httpd" a secure web server? How do I purge Windows of my private data when formatting the drive is not an option? Does the Content Security Policy header provide a false sense of security if a page is served over unencrypted HTTP? How can the content of a file refer to its own MD5? Should I be worried if I accidentally entered my password in a username field? I don't recognise my DNS server's address: does this mean I am compromised? Can I rely on openssl_random_pseudo_bytes() being very random in PHP?

Recent Posts