Roger's Security Blog

As Chief Security Advisor of Microsoft EMEA - lets share interesting security information

Protecting your disk with biometric devices?

Protecting your disk with biometric devices?

  • Comments 3
  • Likes

As you (hopefully) know, Windows Vista ships with a component we call Bitlocker - at least some of the Windows Vista versions do. Now, Bitlocker can be run with different way of protecting your keys: a TPM chip (basically a smartcard on your motherboard), a normal USB-stick, the TPM chip with a password and the TPM chip with a USB-stick. If we look into these options, we have certain advantages and dis-advantages:

  • TPM chip: First and fore most, you need a TPM v 1.2. For example, my notebook only runs TPM 1.1, which means, even though I have a TPM chip it is useless for Bitlocker. From the risk perspective, if I protect my keys with the TPM, one can boot (if they have my machine) and my secrets are protected by my login credentials "only". What they cannot do is booting from another OS and then mounting the disk.
  • USB-stick: at the first glimpse, these seems pretty attractive: You can basically more or less use any USB-stick and the computer will not boot up without the USB-stick attached to it. Cool, isn't it? The attacker would need the notebook and the USB-.stick. But let's be honest here: I used this setup over a few months and my USB-stick is in the same bag as the notebook because I am lazzy..... So, if you get my bag, you won.
  • TPM and PIN: There you cannot boot until you enter the PIN. This is one of the solutions I think should be looked into as it prohibits anybody to get further than the BIOS load with this disk.
  • TPM and USB stick: See above. Does not make it any better if you look at the combination of the two paragraphs.

So, out of the box, I would try to use the TPM with PIN or (if you happen not to have a TPM 1.2) use the USB-solution and try to educate the users (ever tried to do that????)

Now, I used a kind of am additional option: I am using Bitlocker with a USB-stick but I am using a USB-stick that is protected with my fingerprint. This is a pretty smart device as the fingerprint-reader is part of the USB-stick meaning that the notebook does not even see the USB-stick until I am authenticated with one of my fingerprints. If you have this, the following scenario works:

  1. I attach my USB.stick to my notebook
  2. I boot it up
  3. As the computer close to immediately needs access to the USB-stick and does not find any (as I am not yet authenticated to it), it runs into the Bitlocker recovery screen
  4. I am unlocking my USB-stick with my fingerprint
  5. I am pressing "Esc" to reboot my machine
  6. the Machine boots

I know that the point withthe recovery screen is not too nice but this is the only way it works. Beforehand, there is no power on the USB port and therefore the stick cannot be unlocked and then it takes only a fraction of a second until Bitlocker sees that it has no USB stick attached and this is simply not enough time for the USB stick to recognize that I have my finger on the stick. With this limitation, I think that this is a really nice setup. If you now get hold of my notebook bag, you even have the USB stick but not my finger (I hope). You will therefore not have access to my disk nor boot my machine.

Cool, isn't it?

Roger

Comments
  • What USB Biometric stick do you use that can run without the OS?  i've looked and can't find one anywhere.

    Thanks

  • I am using one of a company called Veridicom (http://www.veridicom.com/). There is at least one other vendor but I cannot give you the names (as I do not have them :-))

    Roger

  • Yeah, that does seem to be a big problem.  The Veridicom sticks are about $130 US as opposed to $50 or so for vendors such as Axiom...so what seems like an inexpensive solution ends up being close to what one could maybe do with a more comprehensive biometric solution.  The $100 or so for Software Assurance to even get BitLocker for a new machine us $130 a piece for bio readers makes a practical BitLocker deployment rather spendy.

    Anybody else know of any less-expensive BL-compatible bio USB sticks?  Gonna have to go PIN if I can't find one soon.

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment