Posted on 05/01/2015 2:03:16 PM PDT by dayglored
The problem is the numbers game. When I was an undergrad in computer science, cryptography and AI were the buzz fields. I did not have the mathematical chops to hack it at cryptography and was too “inside-the-box” for AI. Hell, I was a terrible coder too, hence my switch to English comp (which was my passion anyway). Looking back, I don’t know why I had such a problem. I love to hack away in PowerShell nowadays, and I’m re-learning C++.
Anyway, the government was always around, scoping out the math nerds and keeping tabs on new ideas in the comp sci grad school. However, there was always a distrust, and I truly believe that the NSA is in the dark on some things, even if they are close to cracking some of the older tech. The trick is to stay one step ahead of them and the bad guys, even if it is just baby steps (i.e., SSLv3 vs. TLS).
Okay. That makes more sense.
Ah, okay. :)
FWIW, I personally would not trust BitLocker as my only at-rest encryption, because of Microsoft's known record of playing footsie on encryption backdoors (see Skype, etc.). But of course it does no harm in an otherwise well-secured chain.
I've thought about taking my stream of binary PGP/GPG encrypted data, and mixing it (in some pre-determined pattern) with a one-time throw-away random data stream, essentially injecting unused random bytes here and there, not enough to increase the overall size more than say 10%, but enough to make it that much more difficult to find patterns in. (Doing anything that changes the encrypted stream data itself, while it would avoid the small size increase, would mean I can't use a throw-away injection stream.)
But not being a cryptographic expert, I don't know whether the effort is worth it, i.e. does it actually make anything more difficult, or should I just rely on the PGP/GPG encryption and not try to add a confusion factor to it.
Might make more sense to just re-encrypt it a second time with a different 4096-bit key.
Bite me, hackers and NSA!
The encryption keys are embedded in the chip. You can take the BitLocker encrypted drives out of one system and put them into an identical computer and you still won't be able to read them because it will not have the same keys on its TPM chip. The drives can only be decrypted on the same computer they were encrypted on.
To the best of my knowledge, BitLocker as a part of the high-end editions of Windows Vista, 7, and 8.x (Enterprise, Ultimate, etc.) is a software-only feature; the software does all the work without need for a TPM. It's mainly for whole-disk encryption.
I believe you're thinking of the newer BitLocker "Device Encryption" (http://en.wikipedia.org/wiki/BitLocker#Device_encryption) which encrypts an entire computer system (typically a handheld device):
"...While device encryption is offered on all versions of 8.1, unlike BitLocker, device encryption requires that the device meet the InstantGo (formerly Connected Standby) specifications, which requires solid-state drives, non-removable RAM (to protect against cold boot attacks) and a Trusted Platform Module (TPM) 2.0 chip..."
Or so my current belief is...
As far as I know, we've never implemented BitLocker on any of our systems without TPM. Until I checked that link I wasn't aware you could use BitLocker without it.
Bookmark
Like they say, “Security through obscurity is no strategy.” What you’re talking about is, in a way, salting your encrypted data. As long as you have a mechanism to un-salt it, you shouldn’t have a problem, but if you miss just one of those characters, you could make the data inaccessible.
Truth is, there’s little we’re going to be able to do to completely insulate ourselves from snooping. For instance, I’ve set up my own email server in my home environment just to get away from ISP-managed and, worse, Google, email. I’ve set up complex passwords on my database server, made sure to use the best encryption with strong keys, but I know that if the government wanted to, for some reason REALLY wanted to, get into my email, they could. I’m not a professional cryptographer. I just use the tools that are available to me across the wide Internet and make sure I understand how they all work.
Remember, Microsoft and the entire open source community, along with others, are staking claims to their products being able to keep private data private. When Microsoft spends billions of dollars a year to keep their cryptographic suite up-to-date as well as provide technologies such as Rights Management (AD RMS) to their customers, they’re banking on that technology, when properly implemented, keeping out the bad guys. If it became public that the bad guys, whether Russian or Chinese or even American spooks, had the keys to the kingdom and could hold anyone at ransom over their data, they’d lose their ass professionally. So while I don’t disagree that the NSACIAFBIetc. likely have some tricks up their sleeves that aren’t general public knowledge, a majority of their snooping is going against easy-to-access targets such as standard HTTP traffic, social media, and unencrypted email. If you make at least a minimal, modest effort at keeping your data safe, you’re doing better than the grand majority of people in the world.
To be honest, there’s not much stored in the cloud that would devastate me if it got out. I’ve boiled down my life to be as simple as I can manage without completely isolating myself personally and professionally. If you control the vulnerable vectors to your life, your home, your data, you can maintain some semblance of order without forgoing some of the nicer things in life.
BitLocker CAN be used without a TPM, as tac has pointed out, but you really shouldn’t bother with it. The TPM provides two things:
1) A secure storage platform mated to the machine which ensures that the platform is trusted (hence the name).
2) A cryptographic platform for generating random numbers
Properly implemented, a BitLocker-encrypted hard disk is as secure as any other software-level encrypted disk. BitLocker also has the capability to be fully integrated into your Active Directory environment, thus providing another command and control mechanism over your enterprise data. If that hard drive is lost or stolen, the data on it is useless without being able to “phone home” to a corporate CA.
We went with Dell’s Credant product for years, and it was the most kludgy piece of crap with which I’ve ever had the pleasure of working. The transition to BitLocker was practically seamless, and we’ve had a couple of instances where we demonstrably proved its utility. Say what you want about Microsoft, they make products that work.