I've read this TechNet blog post, but I still can't determine how secure BitLocker is against a malicious user that attempts to brute force attack the recovery password. Is anyone familiar with this? Also, how about offline brute force attacks against the recovery password?
7 Answers
I've done some further analysis, and I believe I have determined that brute force attacking the recovery password would not be a good use of anyone's time....that is assuming my math is correct.
The recovery password is created starting with a 128-bit key, split into 8 groups of 16 bits of entropy, written as a value between 0 and 65,535 (2^16 - 1). Each group of six digits must be divisible by 11, which is used as a check against keys mistyped by the user when entering the groups.
Each of the 8 groups of 6 digits must be less than 720,896 (which is 2^16 *11); indicating that each of the eight groups has 2^16 possible values, and altogether this means that there are (2^16)^8 possible combinations; which is ~3.4028 x 10^38 combinations.
Assuming we could somehow process 500 trillion passwords an hour (which would be 3,623 times more than the ~138 billion passwords per hour capability of a desktop computer in 2008 under 10% load), it would still take us ~7.7 x 10^19 years to brute force crack this 48 character numerical recovery password.
Obviously, attackers would likely not consider brute force attacks against the BitLocker recovery password and would resort to attacking weaker links in the chain.
4The numbers are astronomically high. We can't predict with 100% accuracy how powerful computers will be in the future, but at least for now, cracking such a password would be a complete waste of time.
A more useful consideration would be protection against things like cold boot attacks, which most encryption softwares have protected against, but BitLocker is still vulnerable to.
3It is reasonably resilient in my opinion. The math is sound and without custom bruting tools, manual recovery by key exhaustion would take a long time. I am of the opinion that custom bruting software exists (if a linux driver exists so does a brute forcing tool) and without a TPM to limit retries, it could be done in a reasonable time frame. On the other hand...the BSD full disk encryption system is a BEAST. I don't have much math outside of the limited keyspace(they say it kind of isn't due to the retry limitation, but again linux driver=brute force tool). last note:they are digits not characters so no alpha or symbol
5From a Moore's Law perspective: if computing power continues doubles every two years, then an N-bit key can be considered crackable within 2*N years - starting around, say, 1950.
So for a 128-bit key, we can perhaps hope to be routinely brute-forcing Bitlocker keys by the year 2200.
For a 256-bit key, probably by the time we reach the year 2500.
(Give or take a wide margin of error, and depending on Moore's Law continuing to hold.)
Passware Kit Forensic 10.1 claims to be able to crack the password (and ultimately the entire drive) in 20 minutes:
1If its about bruteforce only, it can resist during years and years cause you have billions of possiblities, but this video can show you how to hack it without brute-force (i think)
1It's more about the software that is protecting the encryption key. How much this OS is safe to being hacked? As soon as someone can log into the system, this person has access to the encryption key, even if the key is buried deep into the TPM.
So we are back to how much is Windows seven (or Vista) resilient to account hacking? The answer is that it has already been hacked:
5
