by HHad3 39 days ago
This article is probably not correct. The actual behavior is documented [1]:

> BitLocker hashes the user-specified personal identification number (PIN) by using SHA-256, and the first 160 bits of the hash are used as authorization data sent to the TPM to seal the volume master key.

So what's actually happening is that the PIN is used to derive an authValue passed to the TPM, which compares it to the expected value, and can trigger lockout on too many mismatches.

I can't find specifics on how Windows configures the TPM wrt. lockout, but the mechanism described in the article appeared fishy to me, and contradicts official docs. It also would not make sense that TPM+PIN was known to be safe against bus sniffing attacks if it would still reveal all data required to brute-force the PIN.

[1] https://learn.microsoft.com/en-us/windows/security/operating...

1 comments

I was given this article after posting the previous one elsewhere:

https://blog.scrt.ch/2024/10/28/privilege-escalation-through...

This one does say "it appears that the user’s PIN is sent to the TPM which releases the intermediate key only if the provided secret is correct, thus effectively preventing offline bruteforce attacks."

Given this, I can't see how it would be possible for anything like YellowKey to work on a cold booted TPM+PIN system without someone already knowing the PIN.

Perhaps when the exploit author said "it works with PIN" they meant "it works if you enter the correct PIN"... or they are just lying. I'm not sure.
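
The mechanism both comments describe (PIN hashed to an authValue, TPM releasing the key only on a match and locking out after repeated mismatches), as an added sketch that is not part of the thread and is not BitLocker or TPM code. `ToyTPM`, the UTF-8 PIN encoding, the lockout threshold of 3 and the sample PIN are assumptions made for illustration.

```python
import hashlib
import hmac

def pin_to_auth_value(pin: str) -> bytes:
    """First 160 bits (20 bytes) of SHA-256(PIN), as in the quoted docs.
    UTF-8 encoding of the PIN is an assumption of this sketch."""
    return hashlib.sha256(pin.encode("utf-8")).digest()[:20]

class LockedOut(Exception):
    """Raised once the model's failure counter reaches its threshold."""

class ToyTPM:
    """Hypothetical model of a TPM holding one sealed secret."""

    def __init__(self, max_tries: int = 3):  # threshold is an assumed value
        self._max_tries = max_tries
        self._failures = 0
        self._auth = None
        self._secret = None

    def seal(self, secret: bytes, auth_value: bytes) -> None:
        # Both values stay inside the object; nothing verifiable is exported.
        self._auth, self._secret = auth_value, secret

    def unseal(self, auth_value: bytes):
        if self._failures >= self._max_tries:
            raise LockedOut("too many authValue mismatches")
        if hmac.compare_digest(self._auth, auth_value):
            return self._secret
        self._failures += 1  # every wrong guess is counted by the TPM
        return None

def count_guesses_before_lockout(tpm: ToyTPM, candidates):
    """Return (matching_pin, guesses_evaluated); pin is None on lockout."""
    evaluated = 0
    for pin in candidates:
        try:
            result = tpm.unseal(pin_to_auth_value(pin))
        except LockedOut:
            return None, evaluated
        evaluated += 1
        if result is not None:
            return pin, evaluated
    return None, evaluated

if __name__ == "__main__":
    tpm = ToyTPM()
    tpm.seal(b"k" * 32, pin_to_auth_value("482915"))  # constructed PIN and key
    print(count_guesses_before_lockout(tpm, ["%06d" % i for i in range(10)]))
```

In this model every guess has to pass through `unseal`, so the guess rate is bounded by the lockout policy rather than by the attacker's hardware.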