Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: In memory of hard disk encryption? SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network
https://isc.sans.edu/honeypot.html

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
In memory of hard disk encryption?

In security we generally claim there is no silver bullet. Or we say no measure ever is protecting you for 100% of the cases.

Typically we think of the hardware of our computers in a specific way. One of those is that the contents of RAM is gone as soon as you turn off the power. Makers of software such as ssh-agent, PGP software and hard disk encryption software rely on encryption keys in RAM that get erased when the system is turned off.

Newly published research goes a long way to show the hardware isn't behaving like most of us think it is and that memory modules, even removed from the motherboard can retain data for seconds to minutes allowing retrieval of the cryptographic keys.

The abstract of the paper: "Contrary to popular assumption, DRAMs used in most modern computers retain their contents for seconds to minutes after power is lost, even at operating temperatures and even if removed from a motherboard. Although DRAMs become less reliable when they are not refreshed, they are not immediately erased, and their contents persist sufficiently for malicious (or forensic) acquisition of usable full-system memory images. We show that this phenomenon limits the ability of an operating system to protect cryptographic key material from an attacker with physical access. We use cold reboots to mount attacks on popular disk encryption systems — BitLocker, FileVault, dm-crypt, and TrueCrypt — using no special devices or materials. We experimentally characterize the extent and predictability of memory remanence and report that remanence times can be increased dramatically with simple techniques. We offer new algorithms for finding cryptographic keys in memory images and for correcting errors caused by bit decay. Though we discuss several strategies for partially mitigating these risks, we know of no simple remedy that would eliminate them."

So what does that mean to us ?

  • We might have a new way down the road to do forensics and extract memory images of corrupted systems more reliably than to have to trust the infected system to create the image.
  • Encryption keys in memory might not be safe or be possible to be protected by the OS from access. While some keys might not absolutely be needed in RAM for a long term, e.g. keys to decrypt hard disk images are non-trivial to only keep for very short time in memory.
  • Other secrets kept in memory are likely to have the same problems, think about ssh-agent keeping a copy of your private ssh key ready to let you log in on a remote system, think about pgp keeping the private key ready to not bother you with the passphrase for every email you send or read.

The current trend towards hard disk encryption we see as a means to address other security failures might need to be revised.

I guess it boils down to me saying that every time the media report on a lost laptop containing some long list of sensitive information that the only questions raised seem to be if the disk was encrypted or not, and why in the latter case.

I'd already since quiet some time would like to see added as questions: why was that data sensitive?; are there no better ways to do what that data does (e.g. SSNs are IMHO abused when used to authenticate you, it's like having your password and your loginname the same)?; why was sensitive data stored on a portable device?; where was the absolute need to have the sensitive data?; why was the sensitive data mixed in with less sensitive data?; why was sensitive data allowed out of the organization that collected it?; why was a laptop containing sensitive data left unattended?; ... There usually is a long chain of failures before such data gets leaked. Assuming all of them are normal except the last link that was missing on the chain isn't the right -nor fair- reaction.

In the future now there should be even more questions that need answers:

  • How long ago was the laptop turned off ?
  • Was the laptop turned off, or just asleep?
  • What encryption product was used and does it wipe its keys from RAM upon shutdown or sleep actions ?
  • ...

Still, if you have confidential material, disk encryption is one of the layers, just don't use it as the only layer.

More information:

--
Swa Frantzen -- Gorilla Security

Swa

760 Posts
Feb 21st 2008
So, if we disable standby (sleep mode) on laptops, and the laptops are not compromised within minutes of being shut down, we're still "safe"?

I think for sensitive enviroments, forced power-offs might be a new policy...
Jason

4 Posts
I think that setting the BIOS to do a full memory test on start-up might help clear the RAM contents. It will delay system start, and I'm not sure it's available as an option on all machines anymore. It seems that a lot of the modern consumer PC's are set to not test RAM in order to appear to start faster, but it seems that the default settings for enterprise servers are set to do a test on each boot.

Of course, the best thing would be for the software to perform a wipe of the keys itself, since it knows where those keys are.
Anonymous
There are no easy answers here.

Some products doing full disk encryption even let one steal the key of the crypto as they use it to get to the fancy graphical interface before prompting the user for a password ...

BIOS settings can be changed by the attacker, RAM modules can be removed from the system and read in another system.

The software itself cannot wipe the key in all cases as it might be crashed by removing power and then rebooting, or removing the modules.
Swa

760 Posts
I do not encrypt my entire hard drive (who cares if people steal my copy of Office!) but rather only a small file which is mounted using PGPDisk on demand and which contains things I care about. I have instructed PGP to auto un-mount on sleep as well as after x number of idle minutes. I believe PGP wipes the key from RAM tho I'd have to re-read the technical manual on PGP to be sure... If I was truly paranoid it is pretty easy to press the "blow all encrypted disks" keystroke if I had to walk away, again assuming that part of RAM is re-written and wiped. Reentering a passphrase or hard device isn't that difficult. True, a hard power cut would probably defeat this, but why are you leaving your property laying around in the first place? One solution could probably be to have all the keys, stored and active, on a portable device that you absolutely leave connected to your person. Maybe facial recognition on the front of the laptop that wipes the key if you walk off? Star Trek style keyboard buttons that know who's tying? Who knows!
Anonymous

Sign Up for Free or Log In to start participating in the conversation!