Security Software

Cold Boot Attack Utilities Released At HOPE Conference

An anonymous reader writes "Jacob Appelbaum, one of the security researchers who worked on the cold boot attacks to recover encryption keys from memory even after reboot, has announced the release of the complete source code for the utilities at The Last HOPE in New York City. The hope (obligatory pun) is that the release of these tools will help to improve awareness of this attack vector and enable the development of countermeasures and mitigation techniques in both software and hardware. The full research paper (PDF) is also available."
  • by Minwee ( 522556 ) <dcr@neverwhen.org> on Sunday July 20, 2008 @02:01PM (#24264129) Homepage
    Most server class machines have intrusion detection sensors which will trigger an alarm when the case is opened. They're hardly foolproof, but if you were concerned about this sort of attack then responding appropriately to a "Your Door Is Ajar" event would be a reasonable place to start.
  • You could add a 'write random crap to RAM' thing to your shutdown procedure, but that won't help if they simply power the machine off.

    Actually, one thing that might help would be a "Decrypt then wipe RAM" scheme, where the program decrypts a file, moves the file contents into some form of buffer, then wipes the RAM location where the decryption key was stored (and if necessary, wipes the paging file). It would leave that specific file exposed, but that's a heck of a lot better than leaving the key in RAM.
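The "decrypt then wipe RAM" scheme from the comment above, as an added C example (not code from the thread or from the released utilities). The XOR stand-in cipher, the function names and the sample data are assumptions made for illustration; a real program would call an actual cipher at that point.

```c
#define _POSIX_C_SOURCE 200809L   /* for mlock() under strict -std= modes */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>

#define KEY_LEN 32

/* Zero memory through a volatile pointer so the compiler cannot discard
 * the stores as dead writes, which it may do with a plain memset(). */
static void secure_wipe(void *p, size_t n)
{
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

/* Stand-in cipher (assumption, NOT real crypto): XOR with a repeating key. */
static void toy_xor(const uint8_t *key, const uint8_t *in, uint8_t *out, size_t n)
{
    for (size_t i = 0; i < n; i++) out[i] = in[i] ^ key[i % KEY_LEN];
}

/* Decrypt n bytes into out, then wipe the key before returning.
 * mlock() is best effort and keeps the key's page out of swap while in use.
 * Returns the number of non-zero key bytes left afterwards (0 = wiped). */
size_t decrypt_then_wipe(uint8_t *key, const uint8_t *in, uint8_t *out, size_t n)
{
    int locked = (mlock(key, KEY_LEN) == 0);
    toy_xor(key, in, out, n);
    secure_wipe(key, KEY_LEN);
    if (locked) munlock(key, KEY_LEN);
    size_t left = 0;
    for (size_t i = 0; i < KEY_LEN; i++) left += (key[i] != 0);
    return left;
}

/* Constructed sample: returns 1 if the plaintext round-trips and the key
 * buffer is all zero once decrypt_then_wipe() has returned. */
int demo(void)
{
    const uint8_t msg[] = "cold boot sample";      /* constructed plaintext */
    uint8_t key[KEY_LEN], ct[sizeof msg], pt[sizeof msg];
    for (size_t i = 0; i < KEY_LEN; i++) key[i] = (uint8_t)(0xA5 ^ i);
    toy_xor(key, msg, ct, sizeof msg);              /* XOR is its own inverse */
    size_t left = decrypt_then_wipe(key, ct, pt, sizeof msg);
    return left == 0 && memcmp(pt, msg, sizeof msg) == 0;
}

int main(void) { return demo() ? 0 : 1; }
```

This only clears the one buffer it is handed: copies of the key held elsewhere (an expanded key schedule, the passphrase it was derived from) need the same treatment, and the decrypted contents stay in RAM, as the comment says.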

  • by kesuki ( 321456 ) on Sunday July 20, 2008 @02:31PM (#24264401) Journal

    Thermite packed around the RAM seems the best way to go. Then if they tamper with the case, it triggers a 'tamper switch', the thermite goes off, and boom, just a molten blob of goo. Also, if you're going to have a self-destruct on the RAM, you may as well do the HDD as well, and you might as well throw in a manual switch along with the 'tamper switch' in case the FBI comes knocking, and have a good plan for how to circumvent your 'tamper switch'.

    Thermite is a bit extreme, but if you want your data irretrievably destroyed, there is nothing like thermite.

  • by Eternauta3k ( 680157 ) on Sunday July 20, 2008 @04:16PM (#24265295) Homepage Journal
    Unless they pot it, or stick it somewhere inaccessible. Of course, someone determined enough will find a workaround (I mean CIA, not random hacker).
  • by Anonymous Coward on Sunday July 20, 2008 @05:02PM (#24265619)
    Sounds a bit complicated. Here is how it's done:

    1. Get physical access to computer, install hardware keystroke logger.

    2. Wait a few days.

    3. Seize computer, decrypt hard drive.

    Or, for the lazy ones:

    1. Park van with Van Eck device at next corner, record keystrokes.

    2. Seize computer and decrypt hard drive.

    Or, for the people that prefer to stay at home/office:

    1. Break into system over network.

    2. Download data over network.

    Or, alternatively but more risky:

    1. Seize computer.

    2. Decrypt hard drive on the basis of a HUGE dictionary of known and generated passwords.

  • Re:Memory wiper? (Score:1, Insightful)

    by Anonymous Coward on Sunday July 20, 2008 @05:09PM (#24265673)

    The problem is that all I/O for encryption needs to go through the key, so having the key only available on a smart card would cause great performance losses. Smart cards are intended for very low bandwidth uses -- decrypting a volume key so the bulk decryption can finish, or signing an MD5 hash.

    Instead, perhaps move the encryption to the drive controller and have some key management abilities there. Then, come a shutdown, it's a lot easier for a drive I/O controller to wipe its limited RAM than for a PC to do the same. To boot, the I/O controller can store the key in a tamper-resistant package that is a lot harder to compromise than a SIMM/DIMM.
