Cold Boot attacks on RAM to defeat Encryption

Saturday, February 23, 2008

In security we generally claim there is no silver bullet. Or we say no measure ever is protecting you for 100% of the cases.

Typically we think of the hardware of our computers in a specific way. One of those is that the contents of RAM is gone as soon as you turn off the power. Makers of software such as ssh-agent, PGP software and hard disk encryption software rely on encryption keys in RAM that get erased when the system is turned off.

Newly published research goes a long way to show the hardware isn't behaving like most of us think it is and that memory modules, even removed from the motherboard can retain data for seconds to minutes allowing retrieval of the cryptographic keys.

So what does that mean to us ?
  • We might have a new way down the road to do forensics and extract memory images of corrupted systems more reliably than to have to trust the infected system to create the image.
  • Encryption keys in memory might not be safe or be possible to be protected by the OS from access. While some keys might not absolutely be needed in RAM for a long term, e.g. keys to decrypt hard disk images are non-trivial to only keep for very short time in memory.
  • Other secrets kept in memory are likely to have the same problems, think about ssh-agent keeping a copy of your private ssh key ready to let you log in on a remote system, think about pgp keeping the private key ready to not bother you with the passphrase for every email you send or read.
The paper is available here

-- Anish

0 comments:

  © Blogger templates Newspaper by Ourblogtemplates.com 2008

Back to TOP