Re: Security Flaw in Popular Disk Encryption Technologies

"Igor Mozolevsky" <igor@xxxxxxxxxxxxxxxx> wrote:
>
> On 24/02/2008, Bill Moran <wmoran@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
> > "Igor Mozolevsky" <igor@xxxxxxxxxxxxxxxx> wrote:
> > >
> > > On 23/02/2008, Brooks Davis <brooks@xxxxxxxxxxx> wrote:
> > > >
> > > > You should actually read the paper. :) They successfully defeat both
> > > > of these type of protections by using canned air to chill the ram and
> > > > transplanting it into another machine.
> > >
> > > Easy to get around this attack - store the key on a usb
> > > stick/cd/whatever and every time the OS needs to access the encrypted
> > > data the key should be read, data decrypted, then key wiped from the
> > > memory; or have the daemon erase the key from memory every T minutes
> > > and re-acquire the key at next access attempt...
> >
> > This is only effective if the sensitive data is infrequently accessed.
> > If the unit is asleep, then software isn't running and it's not possible
> > to kick off a timer to clear the memory, so it doesn't even start to
> > solve that problem.
>
> IMO the possibility of such attack is so remote that it doesn't really
> warrant any special attention, it's just something that should be kept
> in mind when writing "secure" crypto stuff...

Then you're not using this to protect data of a particular sensitive
nature, or you're being a fool.

Fact is, data is "sensitive" to different degrees. It's also valuable
to different degrees.

If you're worried about your personal financial information on your
laptop being stolen, then modern disk encryption is fine. But, if you've
got a mobile device with the sensitive information from 1000s of people
on it, the stakes are different. That device is liable to be the target
of an attack specifically to get the _data_.

You're correct in 90% of the cases, but there's still the 10% that some
of us need to consider.

The fact is that the attack is not difficult, and it's not a matter of
whether or not someone _can_ bypass your disk encryption, it's more a
matter of whether or not they actually care enough to bother, or whether
the $$$ they can get for the stolen hardware alone will satisfy them.
Each user/organization really needs to evaluate this information with
regards to their own situation, but it's important to understand the
details of the risk when making such a decision.

--
Bill Moran
Collaborative Fusion Inc.

wmoran@xxxxxxxxxxxxxxxxxxxxxxx
Phone: 412-422-3463x4023
_______________________________________________
freebsd-hackers@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@xxxxxxxxxxx"
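
Added example, not part of the original message or of any FreeBSD code: a small model of the "wipe the key every T and re-read it on the next access" scheme discussed in the thread, measuring what fraction of the time the key is actually in RAM. The function name, the access traces and the timings are constructed assumptions; the model assumes the wipe runs T seconds after each key load and that no timer fires while the machine is suspended.

```python
def key_residency(access_times, wipe_after, horizon, suspend_at=None):
    """Fraction of [0, horizon] seconds during which the key sits in RAM.

    access_times: seconds at which encrypted data is touched
    wipe_after:   T, seconds between a key load and the scheduled wipe
    suspend_at:   optional time at which the machine goes to sleep
    """
    active_end = horizon if suspend_at is None else min(suspend_at, horizon)
    resident = 0.0
    expiry = None  # time at which the pending wipe would run
    for t in sorted(access_times):
        if t >= active_end:
            break  # nothing runs while suspended, so no further accesses
        if expiry is None or t >= expiry:
            # Key is not in memory: re-read it from the token, arm the wipe.
            expiry = t + wipe_after
            resident += min(expiry, active_end) - t
    if suspend_at is not None and expiry is not None and expiry > suspend_at:
        # The wipe timer never fires during sleep; DRAM keeps the key.
        resident += horizon - active_end
    return resident / horizon


# Constructed one-hour traces (seconds).
HOUR = 3600
BUSY = list(range(0, HOUR, 2))   # data touched every 2 seconds
IDLE = [0, 1200, 2400]           # data touched every 20 minutes

if __name__ == "__main__":
    for name, trace in (("busy", BUSY), ("idle", IDLE)):
        print(name, round(key_residency(trace, 60, HOUR), 3))
    # Lid closed 30 s after the second access, before the wipe is due.
    print("idle+sleep", round(key_residency(IDLE, 60, HOUR, suspend_at=1230), 3))
```

Under these assumptions the frequently accessed volume has the key in memory the whole hour, and a suspend that lands before the scheduled wipe leaves it there for the rest of the period.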


