cold boot attacks on disk encryption

Jacob Appelbaum jacob at appelbaum.net
Thu Feb 21 15:39:58 EST 2008


Hi,

I'm one of the coauthors of the paper and I'd love to chime in.

Perry E. Metzger wrote:
> "Ali, Saqib" <docbook.xml at gmail.com> writes:
>> This method requires the computer to be "recently" turned-on and unlocked.
> 
> No, it just requires that the computer was recently turned on. It need
> not have been "unlocked" -- it just needed to have keying material in RAM.
> 

This is correct.

>> So the only way it would work is that the victim unlocks the disks
>> i.e. enters their preboot password and turns off the computer and
>> "immediately" hands over (conveniently) the computer to the attacker so
>> that the attacker removes the DRAM chip and stores it in nitrogen.
> 
> LN2 is pretty trivial to get your hands on, and will remain happy and
> liquid in an ordinary thermos for quite some hours or longer. However,
> the authors point out that canned air works fine, too.
> 

Yes, this is also correct. Canned air is often found in server rooms. An
attacker might not even need to bring anything with them to leverage
this attack.

>> And the attacker has to do all this in less than 2 seconds.... :)
> 
> No, they may even have minutes depending on the RAM you have.
> 

This is an important point. Without cooling, it's not merely a matter of
a second or less. This is a common misconception that even in light of
new evidence is difficult to believe. I think reading our paper and
understanding our graphs should help with this.

>> Or am I missing something?
> 
> People readily assume that rebooting or turning off a computer wipes
> RAM. It doesn't. This is just more evidence that it is bad
> to assume that the contents of RAM are gone even if you turn off the
> machine.

Yes. General purpose memory isn't a safe place to store keying material
and software countermeasures are a step behind. Even with obfuscated key
schedules or strange byte ordering, the physical properties of the
memory chips are going to be difficult to overcome.

As our paper states: "There is no easy solution to this problem."

I'm happy to field questions if this is the proper forum.

Best,
Jacob Appelbaum

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com