[115570] in cryptography@c2.net mail archive
Re: cold boot attacks on disk encryption
daemon@ATHENA.MIT.EDU (Jacob Appelbaum)
Thu Feb 21 16:16:24 2008
Date: Thu, 21 Feb 2008 12:39:58 -0800
From: Jacob Appelbaum <jacob@appelbaum.net>
To: "Perry E. Metzger" <perry@piermont.com>
CC: "Ali\, Saqib" <docbook.xml@gmail.com>, cryptography@metzdowd.com
In-Reply-To: <874pc2m6l3.fsf@snark.cb.piermont.com>
Hi,
I'm one of the coauthors of the paper and I'd love to chime in.
Perry E. Metzger wrote:
> "Ali, Saqib" <docbook.xml@gmail.com> writes:
>> This methods requires the computer to be "recently" turned-on and unlocked.
>
> No, it just requires that the computer was recently turned on. It need
> not have been "unlocked" -- it jut needed to have keying material in RAM.
>
This is correct.
>> So the only way it would work is that the victim unlocks the disks
>> i.e. enter their preboot password and turn off the computer and
>> "immediately" handover (conveniently) the computer to the attacker so
>> that the attacker remove the DRAM chip and store in nitrogen.
>
> LN2 is pretty trivial to get your hands on, and will remain happy and
> liquid in an ordinary thermos for quite some hours or longer. However,
> the authors point out that canned air works fine, too.
>
Yes, this is also correct. Canned air is often found in server rooms. An
attacker might not even need to bring anything with them to leverage
this attack.
>> And the attacker has to do all this in less then 2 seconds.... :)
>
> No, they may even have minutes depending on the RAM you have.
>
This is an important point. Without cooling, it's not merely a matter of
a second or less. This is a common misconception that even in light of
new evidence is difficult to believe. I think reading our paper and
understanding our graphs should help with this.
>> Or am I missing something?
>
> People readily assume that rebooting or turning off a computer wipes
> RAM. It doesn't. This is just more evidence that it is bad
> to assume that the contents of RAM are gone even if you turn off the
> machine.
Yes. General purpose memory isn't a safe place to store keying material
and software countermeasures are a step behind. Even with obfuscated key
schedules or strange byte ordering, the physical properties of the
memory chips are going to be difficult to overcome.
As our paper states: "There is no easy solution to this problem."
I'm happy to field questions if this is the proper forum.
Best,
Jacob Appelbaum
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
