This story appeared on Network World at

http://www.networkworld.com/columnists/2008/022608-bradner.html

Cold bits as a security bypass

Bypassing disk encryption with a spray can

'Net Insider By Scott Bradner , Network World , 02/26/2008

Network World's headline was certainly designed to catch a security person's eye: "Disk encryption easily cracked, researchers find." In most cases, however, the risk, while real, is less than the headline implies.

It turns out that some researchers at Princeton University followed up on earlier research showing that modern computer memories retained their contents even with the power off (known as memory remanence), and that the retention time could be lengthened by cooling the memory. (See the chapter on physical tamper resistance in Ross Anderson's Security Engineering: A Guide to Building Dependable Distributed Systems. This information almost makes me want to reminisce about core memory.) The researchers then set about seeing whether they could use various techniques, including ones related to memory remanence, to extract encryption keys that had been stored in the memory of a computer that was using disk encryption. In many cases, they found they could find the key and thus break the security of the encrypted disk.

The Princeton researchers describe their attack in their paper "Lest We Remember: Cold Boot Attacks on Encryption Keys" and describe it in a video on their Web site, including cooling the memory chips using a spray can of duster.

The risk of the particular attack can be largely mitigated if the user has an idea about when his computer might be attacked, For example, you are entering the United States and are worried about U.S. Customs wanting to peer into your machine. In this case -- and in other cases where you are worried that a laptop could be stolen -- you can be well protected if you do not have the machine set to auto-logon and you turn the machine fully off (not just into sleep mode) when you are told to shut down your electronic devices in preparation for landing. You would be even better off using the hidden volume mode in TrueCrypt so you could boot the machine for the nice Customs people and they would not even know you had encrypted information on your machine -- so they would not badger you for your key.

The paper also includes a number of ways that computer manufacturers and operating-system vendors can reduce or eliminate the disclosure risk. I use FileVault on my Mac, and I hope Apple will tweak its software to maximize the protection. Not because, I hasten to add, that I have any illegal information on my laptop, but because I have information that some of my clients would not like to see in the press.

It is harder to protect against someone grabbing a computer from your desk when your back is turned. It helps to enable a password-protected screen saver that kicks in when the cover is closed, but the thief could just not close the cover. Note that no fancy effort is needed in this case because the thief already has access to your unencrypted disks through the regular user interface.

One place where the Princeton process clearly can be used is where the thief steals a computer with a locking wake-up screen that uses disk encryption and that the user has put into sleep mode. The thief will not be able to log on to the machine because of the wake-up screen. The machine has power, however, so the memory is not fading. Cooling the memory would allow the thief to swap the memory to another computer for reading. So, don't leave your laptop lying around on the front seat of your car in sleep mode with state secrets on it.

Disclaimer: I'm not sure how you could tell if some parts of Harvard University were in sleep mode, but in any case, the above discussion is mine, not the university's.