[Cryptography] Serious paranoia...

Krisztián Pintér pinterkr at gmail.com
Thu Dec 26 15:14:34 EST 2013


Theodore Ts'o (at Thursday, December 26, 2013, 8:33:50 PM):

> So what if the key is splattered all over RAM? If the attacker is
> able to grab arbitrary contents from your system memory, your OS has
> been subverted so badly that there are a million other, simpler
> ways that you can get 0wned.

here are two hypothetical attacks that affect RAM flooding, but most
likely do not affect usual secret handling, and are realistic:

1. i can confiscate/steal your computer a few minutes after logging
in, take the memory out, and recover bits of it with 2^-20
probability. the chance that i recover a password is slim. but if you
wrote password dependent data to 128MB, i can recover it with great
chance. it acts like a massive error correction mechanism.

2. what if i can't just read any memory, but only occasionally and
unpredictably a random small piece of it, for example because you leak
it through a bug. my chances to see something i should not increase
with the amount of the data.

obviously, these are very contrived situations. but far from being
impossible. the question is not whether it is an issue or not. the
question is how serious the threat is and what we can do about it. if
the solution is costly, we might accept the threat as a trade-off, for
the time being. but it does not make the issue nonexistent. we can
still aspire to find a solution that does not have this attack angle.
we should aspire.

and that was my point. i would like to see an algorithm that is memory
hard, but the data written to the memory is scrambled by some random
parameter. i can design such an algorithm, it is not that hard. the
problem is, we need to do that effectively and in a way that does not
grant advantage to the bad guys.
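An added illustration of the idea in this message (my own toy construction, not anything the poster or the thread specifies): a ROMix-style memory-hard loop where every stored cell is XORed with a keystream derived from a per-call random parameter r, so a leaked RAM image is pseudorandom without r, while the derived key and the cost are identical to the unscrambled run. The helper names, the SHA-256 compression function and the sample salt are all assumptions.

```python
import hashlib
import secrets
from typing import Dict, Optional


def _h(*parts: bytes) -> bytes:
    """SHA-256 over the concatenation of parts (toy compression function)."""
    return hashlib.sha256(b"".join(parts)).digest()


def _mask(r: bytes, i: int) -> bytes:
    """PRF(r, i): keystream block for cell i, derived from the ephemeral parameter r."""
    return _h(b"mask", r, i.to_bytes(8, "big"))


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def romix(password: bytes, salt: bytes, n: int, r: Optional[bytes] = None):
    """Toy ROMix-style memory-hard function over n 32-byte cells.
    Returns (key, memory image). When r is given, cell i is stored as
    value XOR mask(r, i) and unmasked on read: the key equals the plain
    run's key (no cost change for anyone), but the RAM image carries no
    password-dependent pattern unless r also leaks."""
    x = _h(b"init", password, salt)
    mem = []
    for i in range(n):               # sequential fill: cell i depends on cell i-1
        mem.append(x if r is None else _xor(x, _mask(r, i)))
        x = _h(b"fill", x)
    for _ in range(n):               # data-dependent reads force keeping all cells
        j = int.from_bytes(x[:8], "big") % n
        cell = mem[j] if r is None else _xor(mem[j], _mask(r, j))
        x = _h(b"mix", x, cell)
    return x, mem


def derive(password: bytes, salt: bytes, n: int, scramble: bool):
    """Run romix, drawing a fresh random r per call when scramble is True."""
    r = secrets.token_bytes(32) if scramble else None
    return romix(password, salt, n, r)


def leaked_cells_confirm(leaked: Dict[int, bytes], candidate: bytes, salt: bytes, n: int) -> bool:
    """The risk from the post: do a few leaked (index, cell) pairs let a
    candidate password be confirmed? True for a plain image and the right
    password; False for a scrambled image, since the cells depend on r."""
    _, plain = romix(candidate, salt, n)
    return any(plain[i] == c for i, c in leaked.items())
```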