1 / 18

0x1A Great Papers in Computer Security

This paper discusses the vulnerability of encryption keys to cold boot attacks and presents countermeasures to protect data on laptops. It explores the decay of RAM, capturing residual data, dealing with bit errors, and demonstrated attacks on various encryption software.

nhuynh
Download Presentation

0x1A Great Papers in Computer Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. CS 380S 0x1A Great Papers inComputer Security Vitaly Shmatikov http://www.cs.utexas.edu/~shmat/courses/cs380s/

  2. J. Alex Halderman et al.Lest We Remember:Cold Boot Attacks on Encryption Keys(USENIX Security 2008)

  3. Protecting Data on a Laptop Password: ******** File system On-the-fly crypto Disk drivers

  4. Common Attack Scenario Security Assumptions The encryption is strong The OS protects the key in RAM …the attacker might reboot to circumvent the OS, but since RAM is volatile, the key will be lost…

  5. Dynamic RAM Volatility DRAM cell(capacitor) 0 1 1 0 Write “1” Refresh (read and rewrite) Refresh interval ≈ 32 ms What if we don’t refresh?

  6. Decay After Cutting Power 5 secs 30 secs 60 secs 300 secs

  7. Capturing Residual Data • No special equipment needed, but … • … booting OS overwrites large areas of RAM • Solution: boot a small low-level program to dump out memory contents • PXE dump (9 KB) • EFI dump (10 KB) • USB dump (22 KB) • What if BIOS clears RAM? • Common on systems with error-corrected RAM

  8. Slowing Decay By Cooling -50°C < 0.2% decay after 1 minute

  9. Even Cooler -196°C Liquid nitrogen < 0.17% decay after 1 hour Not necessary in practice

  10. Dealing with Bit Errors Some bit errors inevitable, especially without cooling(increasing with memory density) Given corrupted K’, find K: Brute-force search over low Hamming distance to K’e.g. 256-bit key with 10% error: > 256 guesses (too slow!) Most programs storeprecomputed derivatives of K(e.g. key schedules) These derivatives contain redundancy; we can treat them as error correcting codes Naïve Approach Insight

  11. Correcting Bit Errors in DES Key schedule contains ~14 redundant copies of each bit from the key 0100000010000100 ~20% error 0 0000000000000000

  12. AES Key Schedule 128-bit key K  10 more 128-bit keys for cipher rounds  Round 0 key (K)    Core Round 1 key … … Round 10 key Byte

  13. Correcting Bit Errors in AES (1) Key schedule recovered from memory (contains errors)  Round 0 key (K)    Core Round 1 key 1. Slices: 4 bytes in Round 0 determine 3 bytes in Round 1 2. Enumerate 232 possibilities for each 7 byte slice 3. Eliminate values unlikely to have decayed to observed bytes (excludes vast majority)

  14. Correcting Bit Errors in AES (2) Key schedule recovered from memory (contains errors)  Round 0 key (K)    Core Round 1 key 4. Repeat for each of the 4 slices 5. Combine possible slice values into candidate keys 6. Test candidates keys by expanding them into full key schedules – compare to recovered memory

  15. Finding AES Key Schedules • Iterate through each byte of memory • Treat following region as an AES key schedule • For each word in the candidate “schedule” … • Calculate correct value, assuming other bytes correct • Take Hamming distance to observed value • If total distance is low, output the key

  16. Demonstrated Attacks Windows BitLocker Mac OS FileVault Linux dm-crypt Linux LoopAES TrueCrypt

  17. Countermeasures • Encrypt key in memory when screen-locked • Avoid precomputation • Fully encrypted memory • Trusted Platform Module (TPM) Read paper for discussion

More Related