Why does BitLocker not use RSA? Announcing the arrival of Valued Associate #679: Cesar Manara Planned maintenance scheduled April 23, 2019 at 23:30 UTC (7:30pm US/Eastern)Should RSA public exponent be only in 3, 5, 17, 257 or 65537 due to security considerations?Securely read encryption key from NVRAM of TPM 1.2Methods of cold boot attacks in the wildClarification of RSA Key Exchange (TLS 1.2) and AES for On-Going Message ExcahngeShould I really salt in a RSA/AES hybrid connection?Anniversary Update with Bitlocker Reboot without Encryption KeyIs it possible to extract secrets from a TPM without knowing the PIN?Security of TPM 1.2 for providing tamper-evidence against firmware modificationHow does full memory encryption in newer processes protect against DMA attacks?How does Bitlocker + TPM prevent me seeing the HDD contents with another OS?Is GPG's AES encryption that much stronger than its RSA headers?
Why do C and C++ allow the expression (int) + 4*5;
Can two people see the same photon?
Marquee sign letters
Why does BitLocker not use RSA?
In musical terms, what properties are varied by the human voice to produce different words / syllables?
How do I say "this must not happen"?
First paper to introduce the "principal-agent problem"
Do i imagine the linear (straight line) homotopy in a correct way?
malloc in main() or malloc in another function: allocating memory for a struct and its members
"Destructive power" carried by a B-52?
As a dual citizen, my US passport will expire one day after traveling to the US. Will this work?
What is a more techy Technical Writer job title that isn't cutesy or confusing?
Noise in Eigenvalues plot
What criticisms of Wittgenstein's philosophy of language have been offered?
What did Turing mean when saying that "machines cannot give rise to surprises" is due to a fallacy?
Flight departed from the gate 5 min before scheduled departure time. Refund options
Random body shuffle every night—can we still function?
How to achieve cat-like agility?
By what mechanism was the 2017 UK General Election called?
Determine whether an integer is a palindrome
Adapting the Chinese Remainder Theorem (CRT) for integers to polynomials
Why complex landing gears are used instead of simple, reliable and light weight muscle wire or shape memory alloys?
2018 MacBook Pro won't let me install macOS High Sierra 10.13 from USB installer
Statistical analysis applied to methods coming out of Machine Learning
Why does BitLocker not use RSA?
Announcing the arrival of Valued Associate #679: Cesar Manara
Planned maintenance scheduled April 23, 2019 at 23:30 UTC (7:30pm US/Eastern)Should RSA public exponent be only in 3, 5, 17, 257 or 65537 due to security considerations?Securely read encryption key from NVRAM of TPM 1.2Methods of cold boot attacks in the wildClarification of RSA Key Exchange (TLS 1.2) and AES for On-Going Message ExcahngeShould I really salt in a RSA/AES hybrid connection?Anniversary Update with Bitlocker Reboot without Encryption KeyIs it possible to extract secrets from a TPM without knowing the PIN?Security of TPM 1.2 for providing tamper-evidence against firmware modificationHow does full memory encryption in newer processes protect against DMA attacks?How does Bitlocker + TPM prevent me seeing the HDD contents with another OS?Is GPG's AES encryption that much stronger than its RSA headers?
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;
If I do not understand wrong from this post and Wikipedia page of the BitLocker and TPM, by default, BitLocker uses symmetric cryptography like AES. However, TPM is capable of performing RSA encryption.
Given that, the RSA key is stored in the TPM, why BitLocker does not use the asymmetric encryption (i.e., RSA)? By using such encryption technique, we might be able to defend against the cold boot attack or sniffing on LPC bus.
aes rsa tpm bitlocker cold-boot-attack
edited 2 hours ago
chrki
1053
asked 23 hours ago
user3862410user3862410
315
New contributor
user3862410 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
If I do not understand wrong from this post and Wikipedia page of the BitLocker and TPM, by default, BitLocker uses symmetric cryptography like AES. However, TPM is capable of performing RSA encryption.
Given that, the RSA key is stored in the TPM, why BitLocker does not use the asymmetric encryption (i.e., RSA)? By using such encryption technique, we might be able to defend against the cold boot attack or sniffing on LPC bus.
aes rsa tpm bitlocker cold-boot-attack
edited 2 hours ago
chrki
1053
asked 23 hours ago
user3862410user3862410
315
New contributor
user3862410 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
8
How would using asymmetric encryption even help? Unless you never intend to write any data to the disk, you would need to have both sides of the key in memory in order to use the disk anyway. (I suppose there are special cases where you'd want a disk anyone can read but with strong authentication of its content -- but even there encrypting each block separately with an asymmetric primitive would not be the solution of choice).
– Henning Makholm
15 hours ago
add a comment |
If I do not understand wrong from this post and Wikipedia page of the BitLocker and TPM, by default, BitLocker uses symmetric cryptography like AES. However, TPM is capable of performing RSA encryption.
Given that, the RSA key is stored in the TPM, why BitLocker does not use the asymmetric encryption (i.e., RSA)? By using such encryption technique, we might be able to defend against the cold boot attack or sniffing on LPC bus.
aes rsa tpm bitlocker cold-boot-attack
edited 2 hours ago
chrki
1053
asked 23 hours ago
user3862410user3862410
315
New contributor
user3862410 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
If I do not understand wrong from this post and Wikipedia page of the BitLocker and TPM, by default, BitLocker uses symmetric cryptography like AES. However, TPM is capable of performing RSA encryption.
Given that, the RSA key is stored in the TPM, why BitLocker does not use the asymmetric encryption (i.e., RSA)? By using such encryption technique, we might be able to defend against the cold boot attack or sniffing on LPC bus.
aes rsa tpm bitlocker cold-boot-attack
aes rsa tpm bitlocker cold-boot-attack
edited 2 hours ago
chrki
1053
asked 23 hours ago
user3862410user3862410
315
New contributor
user3862410 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
edited 2 hours ago
chrki
1053
asked 23 hours ago
user3862410user3862410
315
New contributor
user3862410 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
edited 2 hours ago
chrki
1053
edited 2 hours ago
chrki
1053
edited 2 hours ago
chrki
1053
1053
asked 23 hours ago
user3862410user3862410
315
New contributor
user3862410 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
asked 23 hours ago
user3862410user3862410
315
asked 23 hours ago
user3862410user3862410
315
315
New contributor
user3862410 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
New contributor
user3862410 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
user3862410 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
8
How would using asymmetric encryption even help? Unless you never intend to write any data to the disk, you would need to have both sides of the key in memory in order to use the disk anyway. (I suppose there are special cases where you'd want a disk anyone can read but with strong authentication of its content -- but even there encrypting each block separately with an asymmetric primitive would not be the solution of choice).
– Henning Makholm
15 hours ago
add a comment |
8
How would using asymmetric encryption even help? Unless you never intend to write any data to the disk, you would need to have both sides of the key in memory in order to use the disk anyway. (I suppose there are special cases where you'd want a disk anyone can read but with strong authentication of its content -- but even there encrypting each block separately with an asymmetric primitive would not be the solution of choice).
– Henning Makholm
15 hours ago
8
8
How would using asymmetric encryption even help? Unless you never intend to write any data to the disk, you would need to have both sides of the key in memory in order to use the disk anyway. (I suppose there are special cases where you'd want a disk anyone can read but with strong authentication of its content -- but even there encrypting each block separately with an asymmetric primitive would not be the solution of choice).
– Henning Makholm
15 hours ago
How would using asymmetric encryption even help? Unless you never intend to write any data to the disk, you would need to have both sides of the key in memory in order to use the disk anyway. (I suppose there are special cases where you'd want a disk anyone can read but with strong authentication of its content -- but even there encrypting each block separately with an asymmetric primitive would not be the solution of choice).
– Henning Makholm
15 hours ago
add a comment |
3 Answers
3
active
oldest
votes
Asymmetric encryption is vastly inferior to symmetric encryption. That is, in all respects, except one -- being asymmetric. When that property is needed, there's no way around it, obviously.
Asymmetric encryption is much slower. It is much more susceptible to showing recognizable patterns of some kind given non-random input. You need much larger key sizes to provide an adequate level of protection, and the system is much more vulnerable in general with current and future technology (reasonably-sized quantum computers will basically mean instant death for RSA, but AES is pretty much "yeah, so what" in that respect).
That's the reason why asymmetric encryption is almost never used to encrypt bulk data.
Nothing prevents you from encrypting a terabyte of data with RSA using 2048 bit chunks, much like you encrypt a terabyte with AES in 128 bit chunks. Only just, it doesn't make sense to do that because it is several thousand times slower, and at the same time is much more insecure.
answered 14 hours ago
DamonDamon
3,347917
vastly inferior? Compare the expand of cryptography after invention on Asymmetric Cryptography.
– kelalaka
13 hours ago
@kelalaka For communication.
– wizzwizz4
5 hours ago
add a comment |
Asymmetric encryption like RSA is limited in that you can only use it to encrypt data the size of the key. With a 2048 bit key, you can only encrypt 2048 bits of information. For this reason RSA is unsuitable for bulk encryption like disks - and even for small files like email messages.
This is why almost all uses of asymmetric encryption involve "hybrid encryption". RSA is used to encrypt the key for a symmetric algorithm like AES, and AES is used to encrypt the bulk data. PGP is an example of a hybrid encryption application.
Correction - as @HenningMakholm points out in the comments, it isn't that asymmetric can't be chained to handle larger blocks of data the way symmetric algorithms do, it's that doing so is impractical from a performance point of view. The end effect is the same, but the mechanism is different.
answered 21 hours ago
gowenfawrgowenfawr
55k11115163
8
And AES can only encrypt 128 bits of information. There are well-known solutions to using AES for larger amounts of data, and some of them could be applied with RSA as the underlying primitive instead of AES. Performance would be dismal, though, which is the real reason why this is not done.
– Henning Makholm
15 hours ago
2
I'm not sure why this answer has so many upvotes, it's flat-out wrong. That's not the difference between RSA and AES, it's the difference between block-ciphers (including both RSA and AES) and stream ciphers. And it's not even a big deal, since you can easily turn any block cipher into a stream cipher using the various modes.
– BlueRaja - Danny Pflughoeft
5 hours ago
add a comment |
The coldboot attack can be performed on any encryption scheme as long as the keys are residing on the memory. For full-disk encryption (FDE) with symmetric algorithms like AES , you will need to take out the key from the TPM, where you will be applicable to coldboot attack.
Though the TPM is capable of RSA encryption and decryptions, for FDE the RSA has problems, in short the speed;
- RSA must use AOEP scheme to be secure which reduces the message size.
- To speed up the public key encryption the public key is selected as 3, 5, ... However, the decryption to access one block will be much more slower even you use CRT to gain 4x speed.
- Even the TPM can perform RSA encryption on the chip, it will be much slower for Full Disk Encryption (FDE).
Therefore, TPM based FDEs use TPM as a key storage.
answered 13 hours ago
kelalakakelalaka
1,2252817
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "162"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
user3862410 is a new contributor. Be nice, and check out our Code of Conduct.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f207771%2fwhy-does-bitlocker-not-use-rsa%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
3 Answers
3
active
oldest
votes
3 Answers
3
active
oldest
votes
active
oldest
votes
active
oldest
votes
Asymmetric encryption is vastly inferior to symmetric encryption. That is, in all respects, except one -- being asymmetric. When that property is needed, there's no way around it, obviously.
Asymmetric encryption is much slower. It is much more susceptible to showing recognizable patterns of some kind given non-random input. You need much larger key sizes to provide an adequate level of protection, and the system is much more vulnerable in general with current and future technology (reasonably-sized quantum computers will basically mean instant death for RSA, but AES is pretty much "yeah, so what" in that respect).
That's the reason why asymmetric encryption is almost never used to encrypt bulk data.
Nothing prevents you from encrypting a terabyte of data with RSA using 2048 bit chunks, much like you encrypt a terabyte with AES in 128 bit chunks. Only just, it doesn't make sense to do that because it is several thousand times slower, and at the same time is much more insecure.
answered 14 hours ago
DamonDamon
3,347917
vastly inferior? Compare the expand of cryptography after invention on Asymmetric Cryptography.
– kelalaka
13 hours ago
@kelalaka For communication.
– wizzwizz4
5 hours ago
add a comment |
Asymmetric encryption is vastly inferior to symmetric encryption. That is, in all respects, except one -- being asymmetric. When that property is needed, there's no way around it, obviously.
Asymmetric encryption is much slower. It is much more susceptible to showing recognizable patterns of some kind given non-random input. You need much larger key sizes to provide an adequate level of protection, and the system is much more vulnerable in general with current and future technology (reasonably-sized quantum computers will basically mean instant death for RSA, but AES is pretty much "yeah, so what" in that respect).
That's the reason why asymmetric encryption is almost never used to encrypt bulk data.
Nothing prevents you from encrypting a terabyte of data with RSA using 2048 bit chunks, much like you encrypt a terabyte with AES in 128 bit chunks. Only just, it doesn't make sense to do that because it is several thousand times slower, and at the same time is much more insecure.
answered 14 hours ago
DamonDamon
3,347917
vastly inferior? Compare the expand of cryptography after invention on Asymmetric Cryptography.
– kelalaka
13 hours ago
@kelalaka For communication.
– wizzwizz4
5 hours ago
add a comment |
Asymmetric encryption is vastly inferior to symmetric encryption. That is, in all respects, except one -- being asymmetric. When that property is needed, there's no way around it, obviously.
Asymmetric encryption is much slower. It is much more susceptible to showing recognizable patterns of some kind given non-random input. You need much larger key sizes to provide an adequate level of protection, and the system is much more vulnerable in general with current and future technology (reasonably-sized quantum computers will basically mean instant death for RSA, but AES is pretty much "yeah, so what" in that respect).
That's the reason why asymmetric encryption is almost never used to encrypt bulk data.
Nothing prevents you from encrypting a terabyte of data with RSA using 2048 bit chunks, much like you encrypt a terabyte with AES in 128 bit chunks. Only just, it doesn't make sense to do that because it is several thousand times slower, and at the same time is much more insecure.
answered 14 hours ago
DamonDamon
3,347917
Asymmetric encryption is vastly inferior to symmetric encryption. That is, in all respects, except one -- being asymmetric. When that property is needed, there's no way around it, obviously.
Asymmetric encryption is much slower. It is much more susceptible to showing recognizable patterns of some kind given non-random input. You need much larger key sizes to provide an adequate level of protection, and the system is much more vulnerable in general with current and future technology (reasonably-sized quantum computers will basically mean instant death for RSA, but AES is pretty much "yeah, so what" in that respect).
That's the reason why asymmetric encryption is almost never used to encrypt bulk data.
Nothing prevents you from encrypting a terabyte of data with RSA using 2048 bit chunks, much like you encrypt a terabyte with AES in 128 bit chunks. Only just, it doesn't make sense to do that because it is several thousand times slower, and at the same time is much more insecure.
answered 14 hours ago
DamonDamon
3,347917
answered 14 hours ago
DamonDamon
3,347917
answered 14 hours ago
DamonDamon
3,347917
answered 14 hours ago
DamonDamon
3,347917
3,347917
vastly inferior? Compare the expand of cryptography after invention on Asymmetric Cryptography.
– kelalaka
13 hours ago
@kelalaka For communication.
– wizzwizz4
5 hours ago
add a comment |
vastly inferior? Compare the expand of cryptography after invention on Asymmetric Cryptography.
– kelalaka
13 hours ago
@kelalaka For communication.
– wizzwizz4
5 hours ago
vastly inferior? Compare the expand of cryptography after invention on Asymmetric Cryptography.
– kelalaka
13 hours ago
vastly inferior? Compare the expand of cryptography after invention on Asymmetric Cryptography.
– kelalaka
13 hours ago
@kelalaka For communication.
– wizzwizz4
5 hours ago
@kelalaka For communication.
– wizzwizz4
5 hours ago
add a comment |
Asymmetric encryption like RSA is limited in that you can only use it to encrypt data the size of the key. With a 2048 bit key, you can only encrypt 2048 bits of information. For this reason RSA is unsuitable for bulk encryption like disks - and even for small files like email messages.
This is why almost all uses of asymmetric encryption involve "hybrid encryption". RSA is used to encrypt the key for a symmetric algorithm like AES, and AES is used to encrypt the bulk data. PGP is an example of a hybrid encryption application.
Correction - as @HenningMakholm points out in the comments, it isn't that asymmetric can't be chained to handle larger blocks of data the way symmetric algorithms do, it's that doing so is impractical from a performance point of view. The end effect is the same, but the mechanism is different.
answered 21 hours ago
gowenfawrgowenfawr
55k11115163
8
And AES can only encrypt 128 bits of information. There are well-known solutions to using AES for larger amounts of data, and some of them could be applied with RSA as the underlying primitive instead of AES. Performance would be dismal, though, which is the real reason why this is not done.
– Henning Makholm
15 hours ago
2
I'm not sure why this answer has so many upvotes, it's flat-out wrong. That's not the difference between RSA and AES, it's the difference between block-ciphers (including both RSA and AES) and stream ciphers. And it's not even a big deal, since you can easily turn any block cipher into a stream cipher using the various modes.
– BlueRaja - Danny Pflughoeft
5 hours ago
add a comment |
Asymmetric encryption like RSA is limited in that you can only use it to encrypt data the size of the key. With a 2048 bit key, you can only encrypt 2048 bits of information. For this reason RSA is unsuitable for bulk encryption like disks - and even for small files like email messages.
This is why almost all uses of asymmetric encryption involve "hybrid encryption". RSA is used to encrypt the key for a symmetric algorithm like AES, and AES is used to encrypt the bulk data. PGP is an example of a hybrid encryption application.
Correction - as @HenningMakholm points out in the comments, it isn't that asymmetric can't be chained to handle larger blocks of data the way symmetric algorithms do, it's that doing so is impractical from a performance point of view. The end effect is the same, but the mechanism is different.
answered 21 hours ago
gowenfawrgowenfawr
55k11115163
8
And AES can only encrypt 128 bits of information. There are well-known solutions to using AES for larger amounts of data, and some of them could be applied with RSA as the underlying primitive instead of AES. Performance would be dismal, though, which is the real reason why this is not done.
– Henning Makholm
15 hours ago
2
I'm not sure why this answer has so many upvotes, it's flat-out wrong. That's not the difference between RSA and AES, it's the difference between block-ciphers (including both RSA and AES) and stream ciphers. And it's not even a big deal, since you can easily turn any block cipher into a stream cipher using the various modes.
– BlueRaja - Danny Pflughoeft
5 hours ago
add a comment |
Asymmetric encryption like RSA is limited in that you can only use it to encrypt data the size of the key. With a 2048 bit key, you can only encrypt 2048 bits of information. For this reason RSA is unsuitable for bulk encryption like disks - and even for small files like email messages.
This is why almost all uses of asymmetric encryption involve "hybrid encryption". RSA is used to encrypt the key for a symmetric algorithm like AES, and AES is used to encrypt the bulk data. PGP is an example of a hybrid encryption application.
Correction - as @HenningMakholm points out in the comments, it isn't that asymmetric can't be chained to handle larger blocks of data the way symmetric algorithms do, it's that doing so is impractical from a performance point of view. The end effect is the same, but the mechanism is different.
answered 21 hours ago
gowenfawrgowenfawr
55k11115163
Asymmetric encryption like RSA is limited in that you can only use it to encrypt data the size of the key. With a 2048 bit key, you can only encrypt 2048 bits of information. For this reason RSA is unsuitable for bulk encryption like disks - and even for small files like email messages.
This is why almost all uses of asymmetric encryption involve "hybrid encryption". RSA is used to encrypt the key for a symmetric algorithm like AES, and AES is used to encrypt the bulk data. PGP is an example of a hybrid encryption application.
Correction - as @HenningMakholm points out in the comments, it isn't that asymmetric can't be chained to handle larger blocks of data the way symmetric algorithms do, it's that doing so is impractical from a performance point of view. The end effect is the same, but the mechanism is different.
answered 21 hours ago
gowenfawrgowenfawr
55k11115163
edited 12 hours ago
answered 21 hours ago
gowenfawrgowenfawr
55k11115163
answered 21 hours ago
gowenfawrgowenfawr
55k11115163
answered 21 hours ago
gowenfawrgowenfawr
55k11115163
55k11115163
8
And AES can only encrypt 128 bits of information. There are well-known solutions to using AES for larger amounts of data, and some of them could be applied with RSA as the underlying primitive instead of AES. Performance would be dismal, though, which is the real reason why this is not done.
– Henning Makholm
15 hours ago
2
I'm not sure why this answer has so many upvotes, it's flat-out wrong. That's not the difference between RSA and AES, it's the difference between block-ciphers (including both RSA and AES) and stream ciphers. And it's not even a big deal, since you can easily turn any block cipher into a stream cipher using the various modes.
– BlueRaja - Danny Pflughoeft
5 hours ago
add a comment |
8
And AES can only encrypt 128 bits of information. There are well-known solutions to using AES for larger amounts of data, and some of them could be applied with RSA as the underlying primitive instead of AES. Performance would be dismal, though, which is the real reason why this is not done.
– Henning Makholm
15 hours ago
2
I'm not sure why this answer has so many upvotes, it's flat-out wrong. That's not the difference between RSA and AES, it's the difference between block-ciphers (including both RSA and AES) and stream ciphers. And it's not even a big deal, since you can easily turn any block cipher into a stream cipher using the various modes.
– BlueRaja - Danny Pflughoeft
5 hours ago
8
8
And AES can only encrypt 128 bits of information. There are well-known solutions to using AES for larger amounts of data, and some of them could be applied with RSA as the underlying primitive instead of AES. Performance would be dismal, though, which is the real reason why this is not done.
– Henning Makholm
15 hours ago
And AES can only encrypt 128 bits of information. There are well-known solutions to using AES for larger amounts of data, and some of them could be applied with RSA as the underlying primitive instead of AES. Performance would be dismal, though, which is the real reason why this is not done.
– Henning Makholm
15 hours ago
2
2
I'm not sure why this answer has so many upvotes, it's flat-out wrong. That's not the difference between RSA and AES, it's the difference between block-ciphers (including both RSA and AES) and stream ciphers. And it's not even a big deal, since you can easily turn any block cipher into a stream cipher using the various modes.
– BlueRaja - Danny Pflughoeft
5 hours ago
I'm not sure why this answer has so many upvotes, it's flat-out wrong. That's not the difference between RSA and AES, it's the difference between block-ciphers (including both RSA and AES) and stream ciphers. And it's not even a big deal, since you can easily turn any block cipher into a stream cipher using the various modes.
– BlueRaja - Danny Pflughoeft
5 hours ago
add a comment |
The coldboot attack can be performed on any encryption scheme as long as the keys are residing on the memory. For full-disk encryption (FDE) with symmetric algorithms like AES , you will need to take out the key from the TPM, where you will be applicable to coldboot attack.
Though the TPM is capable of RSA encryption and decryptions, for FDE the RSA has problems, in short the speed;
- RSA must use AOEP scheme to be secure which reduces the message size.
- To speed up the public key encryption the public key is selected as 3, 5, ... However, the decryption to access one block will be much more slower even you use CRT to gain 4x speed.
- Even the TPM can perform RSA encryption on the chip, it will be much slower for Full Disk Encryption (FDE).
Therefore, TPM based FDEs use TPM as a key storage.
answered 13 hours ago
kelalakakelalaka
1,2252817
add a comment |
The coldboot attack can be performed on any encryption scheme as long as the keys are residing on the memory. For full-disk encryption (FDE) with symmetric algorithms like AES , you will need to take out the key from the TPM, where you will be applicable to coldboot attack.
Though the TPM is capable of RSA encryption and decryptions, for FDE the RSA has problems, in short the speed;
- RSA must use AOEP scheme to be secure which reduces the message size.
- To speed up the public key encryption the public key is selected as 3, 5, ... However, the decryption to access one block will be much more slower even you use CRT to gain 4x speed.
- Even the TPM can perform RSA encryption on the chip, it will be much slower for Full Disk Encryption (FDE).
Therefore, TPM based FDEs use TPM as a key storage.
answered 13 hours ago
kelalakakelalaka
1,2252817
add a comment |
The coldboot attack can be performed on any encryption scheme as long as the keys are residing on the memory. For full-disk encryption (FDE) with symmetric algorithms like AES , you will need to take out the key from the TPM, where you will be applicable to coldboot attack.
Though the TPM is capable of RSA encryption and decryptions, for FDE the RSA has problems, in short the speed;
- RSA must use AOEP scheme to be secure which reduces the message size.
- To speed up the public key encryption the public key is selected as 3, 5, ... However, the decryption to access one block will be much more slower even you use CRT to gain 4x speed.
- Even the TPM can perform RSA encryption on the chip, it will be much slower for Full Disk Encryption (FDE).
Therefore, TPM based FDEs use TPM as a key storage.
answered 13 hours ago
kelalakakelalaka
1,2252817
The coldboot attack can be performed on any encryption scheme as long as the keys are residing on the memory. For full-disk encryption (FDE) with symmetric algorithms like AES , you will need to take out the key from the TPM, where you will be applicable to coldboot attack.
Though the TPM is capable of RSA encryption and decryptions, for FDE the RSA has problems, in short the speed;
- RSA must use AOEP scheme to be secure which reduces the message size.
- To speed up the public key encryption the public key is selected as 3, 5, ... However, the decryption to access one block will be much more slower even you use CRT to gain 4x speed.
- Even the TPM can perform RSA encryption on the chip, it will be much slower for Full Disk Encryption (FDE).
Therefore, TPM based FDEs use TPM as a key storage.
answered 13 hours ago
kelalakakelalaka
1,2252817
answered 13 hours ago
kelalakakelalaka
1,2252817
answered 13 hours ago
kelalakakelalaka
1,2252817
answered 13 hours ago
kelalakakelalaka
1,2252817
1,2252817
add a comment |
add a comment |
user3862410 is a new contributor. Be nice, and check out our Code of Conduct.
user3862410 is a new contributor. Be nice, and check out our Code of Conduct.
user3862410 is a new contributor. Be nice, and check out our Code of Conduct.
user3862410 is a new contributor. Be nice, and check out our Code of Conduct.
Thanks for contributing an answer to Information Security Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f207771%2fwhy-does-bitlocker-not-use-rsa%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
8
How would using asymmetric encryption even help? Unless you never intend to write any data to the disk, you would need to have both sides of the key in memory in order to use the disk anyway. (I suppose there are special cases where you'd want a disk anyone can read but with strong authentication of its content -- but even there encrypting each block separately with an asymmetric primitive would not be the solution of choice).
– Henning Makholm
15 hours ago