Anyone else notice the Bitlocker vulnerability?
I think I found a flaw in the way Bitlocker handles manually entering your key that would make it very vulnerable to a brute force attack. You can read about it here on my site. It seems like I am the only one who thinks this is a big deal. Is there something I am missing? Is my reasoning flawed somehow?
March 11th, 2011 11:49am

That is the problem. It doesn't check the whole key but each six digit group. For instance if you enter the first six and get one digit wrong, that group of six will start flashing and telling you one of the digits is incorrect. It is ONLY after entering all six numbers correctly that you can move on to the second group of six numbers. If you get a digit wrong in that group it will flash until you get those numbers correct and continues until you get all eight groups correct. By having the program respond this way Microsoft took a 48 digit passcode that had 10 followed by 47 zeros of possible combinations and made it a six digit passcode with only a million possible combinations that has to be cracked eight times (one for each group of six). Understand what I am saying?
March 11th, 2011 12:29pm

I do not understand what you want to crack. You can't crack a BitLocker key because there is no rule to compute it entirely. You can brute force it only. The 8 groups are independent. Each group of six is effectively a group of 5 with a check-digit. Test: Enter any 5-digit combination and try which check-digit fits. That means each group can have 5^10 combinations. As the groups are independent with all 8 groups you get 8^(5^10) combinations. So to find a suitable BitLocker recovery key from scratch you need in the worst case 8^(5^10) tries. 5^10 is about 9.7 times more than "only a million possible combinations". Even if your first guess out of 9765625 combinations is right, BitLocker will tell you that the checksum is right but it will not tell you that that guess is the right one for the recovery key. The recovery key is one of 8^9765625 combinations.
March 14th, 2011 4:41am

I do not understand what you want to crack. You can't crack a BitLocker key because there is no rule to compute it entirely. You can brute force it only. The 8 groups are independent. Each group of six is effectively a group of 5 with a check-digit. Test: Enter any 5-digit combination and try which check-digit fits. That means each group can have 10^5 combinations. As the groups are independent with all 8 groups you get (10^5)^8 combinations. So to find a suitable BitLocker recovery key from scratch you need in the worst case (10^5)^8 tries. Edit: The calculation of the possible combinations was (totally - shame - ) wrong. An answer in this thread points to "http://blogs.msdn.com/b/si_team/archive/2006/08/10/694692.aspx". With this information that there is no check-digit but a check if the group can be divided by 11, I think the calculation of the possible combinations is: ((10^6)/11)^8 which is about 4.67e+39
March 14th, 2011 11:38am

I do not understand what you want to crack. You can't crack a BitLocker key because there is no rule to compute it entirely. You can brute force it only. The 8 groups are independent. Each group of six is effectively a group of 5 with a check-digit. Test: Enter any 5-digit combination and try which check-digit fits. That means each group can have 5^10 combinations. As the groups are independent with all 8 groups you get 8^(5^10) combinations. So to find a suitable BitLocker recovery key from scratch you need in the worst case 8^(5^10) tries. 5^10 is about 9.7 times more than "only a million possible combinations". Even if your first guess out of 9765625 combinations is right, BitLocker will tell you that the checksum is right but it will not tell you that that guess is the right one for the recovery key. The recovery key is one of 8^9765625 combinations.

Brute force is a method of cracking and there are rules for any key generation (there is no such thing as random in computing). However there is one rule that stands out and weakens the key considerably. That rule is numbers only. Why is it, do you think, that Microsoft doesn't use a numbers only scheme on the keys used to protect the software they sell? That is because Microsoft knows (along with everyone and his brother) that a numbers only key (no matter how long) is relatively weak as compared to alpha-numeric keys. In this age of botnets and such it is like trying to stop cars from using a road by installing speed bumps, it might slow them down a bit but it won't stop them. At first I thought maybe you were correct and it was only 1 digit out of the six the program checks before moving on to the next group, so I just now went into recovery mode to test that theory. No matter which digit I made incorrect (the first, second, third, fourth, fifth or sixth) the program would not let me continue until all digits in any single group were correct.
Since the program lets you know if each six digit group is right or wrong before moving on to the next group it would be an easy matter for a brute force cracking program to take advantage of this. Once again we are back to only having to crack (brute force) a six digit number eight times. But even if you are correct, why do that? Any hint at all weakens the key. When entering a key for a Microsoft product does it tell you if you got it right or wrong before entering the whole key? * On a side note, while doing these tests I went through the entire recovery key 8 times just trying different things. One time the program did let me enter one wrong digit in one group. However, when I went back and tried a different number in the same digit location it started flashing again. I couldn't replicate the program letting me enter a wrong digit in that group or any others in subsequent tests. Maybe I'm just not understanding how a "check-digit" works.
March 14th, 2011 2:56pm

I don't know if Th0u posted this link ( http://blogs.msdn.com/b/si_team/archive/2006/08/10/694692.aspx ) on my site or someone else but it explains it quite well. It seems that the program only checks if the six digit groups are potentially valid by being divisible by 11. This makes a world of difference to the security scheme and doesn't weaken the key nearly as much as I thought (although I am in disagreement with the site, which states that "it doesn't weaken the key at all").
March 18th, 2011 4:02pm

Hmm, maybe I'm misunderstanding, but it seems like this restriction (all valid keys are divisible by 11) means that the potential valid key pool is reduced substantially (it's 1/11 of the entire theoretical pool). Isn't that bad too?
March 18th, 2011 5:01pm
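The two questions the thread leaves open are how much the divisible-by-11 rule shrinks the key pool, and whether the per-group "flashing" gives an attacker anything beyond a format check. The following is an added example, not code from the thread or from Microsoft. It models the format the thread describes (48 decimal digits, 8 groups of 6, each group divisible by 11) and adds one detail that is not on this page but is a documented property of the recovery-password format: each group divided by 11 is a 16-bit word, so the 8 groups encode exactly 128 bits. The generator, the sample passwords and all helper names are constructed for this example.

```python
"""Added example (not from the thread or from Microsoft): model of the
BitLocker recovery-password format check and the search space it leaves.

Assumptions, labelled here and in the comments below:
- 8 groups of 6 decimal digits, each divisible by 11 (from the thread);
- group // 11 fits in 16 bits, so 8 groups carry 128 bits (not on the page);
- the generator and sample passwords are constructed for this example.
"""
import math
import re
import secrets
from typing import List, Optional

GROUPS = 8
GROUP_DIGITS = 6
MAX_WORD = 0xFFFF  # assumption: group // 11 must fit in a 16-bit word
_GROUP_RE = re.compile(r"[0-9]{6}")


def group_is_well_formed(group: str, enforce_16bit: bool = True) -> bool:
    """Per-group format test: six digits, divisible by 11 and (by default) a
    quotient that fits in 16 bits.  This is the test behind the 'flashing'
    group in the recovery UI: it depends only on the typed digits, never on
    the real key, so it cannot tell a wrong well-formed group from the right one."""
    if not _GROUP_RE.fullmatch(group):
        return False
    value = int(group)
    if value % 11:
        return False
    return value // 11 <= MAX_WORD or not enforce_16bit


def format_feedback(password: str) -> List[bool]:
    """Everything the entry screen reveals: one pass/fail per group."""
    return [group_is_well_formed(g) for g in password.split("-")]


def recovery_password_words(password: str) -> Optional[List[int]]:
    """Decode a well-formed password into its eight 16-bit words (None if malformed)."""
    groups = password.split("-")
    if len(groups) != GROUPS or not all(group_is_well_formed(g) for g in groups):
        return None
    return [int(g) // 11 for g in groups]


def generate_recovery_password() -> str:
    """Constructed generator: 128 random bits as eight 16-bit words, each
    multiplied by 11 and zero-padded to six digits."""
    words = [secrets.randbelow(MAX_WORD + 1) for _ in range(GROUPS)]
    return "-".join(f"{w * 11:0{GROUP_DIGITS}d}" for w in words)


def unlock(candidate: str, actual: str) -> bool:
    """The only real oracle: accept iff all 128 bits match (constant-time compare)."""
    cand = recovery_password_words(candidate)
    real = recovery_password_words(actual)
    if cand is None or real is None:
        return False
    to_bytes = lambda ws: b"".join(w.to_bytes(2, "big") for w in ws)
    return secrets.compare_digest(to_bytes(cand), to_bytes(real))


def count_well_formed_groups(enforce_16bit: bool = True) -> int:
    """Count the six-digit groups that pass the per-group check by
    enumerating every multiple of 11 below 10**6."""
    return sum(1 for v in range(0, 10 ** GROUP_DIGITS, 11)
               if not enforce_16bit or v // 11 <= MAX_WORD)


def search_space_bits(per_group: int, groups: int = GROUPS) -> float:
    """log2 of the candidate count when the groups are independent."""
    return groups * math.log2(per_group)


def main() -> None:
    naive = search_space_bits(10 ** GROUP_DIGITS)                # all 48-digit strings
    mod11 = search_space_bits(count_well_formed_groups(False))   # thread's ((10^6)/11)^8
    real = search_space_bits(count_well_formed_groups(True))     # with the 16-bit bound
    print(f"all 48-digit strings:       2^{naive:.1f}")
    print(f"groups divisible by 11:     2^{mod11:.1f}")
    print(f"plus 16-bit bound:          2^{real:.1f}")

    actual = generate_recovery_password()
    guess = "000011-000022-000033-000044-000055-000066-000077-000088"  # constructed
    print("format feedback on a wrong guess:", format_feedback(guess))  # all True
    print("unlock with that guess:", unlock(guess, actual))


if __name__ == "__main__":
    main()
```

Running it shows the three numbers the thread argues about: about 2^159 for all 48-digit strings, about 2^131.8 once every group must be divisible by 11 (the thread's 4.67e+39), and 2^128 once the 16-bit bound is included. The 128-bit figure is not a reduction of the key's strength, because the key is 128 random bits and the decimal digits are only an encoding of them. The per-group feedback passes for every well-formed group, so an attacker who sees a group "accepted" has learned nothing about the real key, and the group-by-group attack in the thread collapses to a plain search of 2^128 candidates.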

Perhaps I'm too naive to know the real underlying considerations here. However, working with encryption and various other security products through the years, I've learned never to accept things at face value. The numbers required during key entry may be possible to break in individual groups; via brute force; and over time. What I've learned though; there is seldom a single layer of security; and with past publications from MS regarding the embedded security within BitLocker; it is unlikely that just the initial/visible layer is the only component to their overall security model applied to BitLocker. Add to that, it is unlikely that MS shall provide/divulge their encryption algorithms and key architecture to the public; I could suggest that such a brute force attack be attempted and actually test the theories being presented here. If it succeeds (which I believe it will fail); then there is cause for alarm. Just my 2 cents worth (which really isn't much; as I know at least two huge corporations - employees in excess of 200K each - that have close ties with MS and US government; are satisfied their data is protected sufficiently to manage/support their financial security and overall defense data... Following exhaustive testing against the encrypted data and the key generation. Of course, this was against the Enterprise version of BitLocker.)
March 30th, 2011 8:26am
