[Cryptography] RAM memories as one source of entropy

Joachim Strömbergson Joachim at Strombergson.com
Mon Feb 10 05:12:42 EST 2014

Hash: SHA256


Kent Borg wrote:
> That doesn't mean that there might not be other ways to get
> interesting entropy from DRAM, just that is doesn't seem to be free
> for the reading in recent hardware; you might have to do some
> hardware engineering to do it, at which point there have got to be
> better ways to add some entropy-yielding hardware to your design.

No, there seems to be quite a lot of problems. Esp with remanence and
temperature. Even though the cited papers shows some promise, there are
quite a lot of others that shows other problems. There are actually real
issues with using RAM memories that we will have to consider and design
mitigation solutions to in our Cryptech design.

The paper "Data remanence in semiconductor devices" from 2001 by Peter
Gutmann is a very good and relevant paper. He describes the remanence
effects and specifically points to the problem of having keys in SRAM
memories at fixed positions. This is something we probably should plan
to handle.

Sergei P. Skorobogatov has written several papers on remanence effects
and points to the need to detect that the ambient temperature for the
system to not be lower than a given level. If that happens keys should
be destroyed. This applies for all memories: "Semi-invasive attacks -- A
new approach to hardware security analysis" from 2005 is a good paper:

But Skorobogatov also shows that just temperature detection is enough.
We really should do active zeroisation of memories when a relevant event
has been reached (temperature, breach of tamper protection, unplanned
movement of unit etc.) And external SRAM power supply connection should
be automatically shorted to ground whenever the power is off. Floating
VCC seems to drastically increase remanence.

The paper "Data Remanence Effects on Memory Based Entropy Collection for
RFID Systems" from 2011 by Nitesh Saxena and Jonathan Voris is probably
the most relevant for the discussion of using SRAM as basis for entropy.
The papers shows that the remanence effects are bad enough to make it
impractical to use in RFID tags in which the memory is also used for
other processing. The extraction of enough entropy simply takes too long
time. Esp. when the temperature drops. A good paper.

Finally there are at least some design work being done to implement SRAM
cells with remanence protection. The paper "Security strategy of
powered-off SRAM for resisting physical attack to data remanence" from
2009 describes modified SRAM cells that reduces remanence effects. This
is not very applicable to Cryptech though since we will not be building
ASICs (though someone might use the Cryptech design to do so):

Remanence can even be used as a clock the TARDIS protocol uses decay
memory decay as part of a secure protocol for embedded devices. Really
cool research!

- -- 
Med vänlig hälsning, Yours

Joachim Strömbergson - Alltid i harmonisk svängning.
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/


More information about the cryptography mailing list