Protection for quasi-offline memory nabbing

Jon Callas jon at callas.org
Fri Mar 21 13:38:51 EDT 2008 

On Mar 19, 2008, at 6:56 PM, Steven M. Bellovin wrote:
> I've been thinking about similar issues.  It seems to me that just
> destroying the key schedule is a big help -- enough bits will change  
> in
> the key that data recovery using just the damaged key is hard, per
> comments in the paper itself.

It is. That's something everyone should consider doing. However, I was  
struck by the decay curves shown in the Cold Boot paper. The memory  
decays in an S-curve. Interestingly, both the smoothest S-curve and  
the sharpest were in the most recent equipment.

However, this suggests that for a relatively small object (like a 256- 
bit key) is apt to see little damage. If you followed the strategy of  
checking for single-bit errors, then double-bit, then triple-bit, I  
hypothesize that this simple strategy would be productive, because of  
that curve.

(I also have a few hypotheses on which bits will go first. I  
hypothesize that a high-power bit surrounded by low-power ones will go  
first, and a low-power bit amongst high-power ones will go last. I  
also hypothesize that a large random area is reasonably likely to get  
an early single-bit error. My rationale is that the area as a whole is  
going to have relatively high power 'consumption' because it is  
random, but the random area is going to have local artifacts that will  
hasten a local failure. Assuming that 1 is high-power and 0 is low- 
power, you expect to see a bitstring of 00100 or 0001000 relatively  
often in a blob of 32kbits (4KB) or 64kbits (8KB), and those lonely  
ones will have a lot of stress on them.)

Despite that my hypotheses are only that, and I have no experimental  
data, I think that using a large block cipher mode like EME to induce  
a pseudo-random, maximally-fragile bit region is an excellent  
mitigation strategy.

Now all we need is someone to do the work and write the paper.

	Jon

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list