
BLU Discuss list archive



[Discuss] Cold Boot Attacks on Encryption Keys



On Fri, Nov 8, 2013 at 10:05 PM, Tom Metro <tmetro+blu at gmail.com> wrote:
> Bill Bogstad wrote:
>> Cold Boot Attacks on Encryption Keys


> But then the scenario starts to get a bit more far fetched. The people
> seizing your server apparently already know or suspect you are using
> full disk encryption, and your data is valuable enough to warrant
> bringing in people skilled enough to hot jumper your machine to a
> portable power source before moving it back to a lab where the RAM can
> be frozen and dumped.

Depending on the size of the computer, they don't need any special
skills to keep the juice going when they move it.    I'm pretty sure
that anyone who reads this mailing list could figure out how to use a
HotPlug (available for less than $600) to do it.

http://www.wiebetech.com/products/HotPlug.php

Apparently, the "authorities" do this often enough that a commercial
product was developed to make it easy.  A "mouse jiggler" is included
so that the password-protected screensaver doesn't kick in while the
system is being transported.  Recovering the encryption key from
memory is only needed if the screensaver has a chance to come on.  Of
course, they can do that at their leisure, when an expert has time.

> In any case, as soon as the machine is moved or a cover opened, a trip
> switch cuts power internally. If they weren't expecting this, you've
> increased your chances that all or most of your key will be corrupted by
> the time they get some freon on your RAM.

This definitely makes it tougher.   They have to bring the freon with
them and do everything on-site.  Probably not doable in the middle of
a gun battle at KAOS' headquarters.

BTW, this is getting a little far afield from the circumstance where
the owner of the system deliberately pulls the plug on their system.
The scenario where you are running into the server room to pull the
plug with the good/bad guys right on your tail is probably such that
the key will not be recoverable by the attackers.   Still I thought
that it was worth mentioning that just because power has been removed
doesn't mean that the key is gone.

Bill Bogstad
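The point of the message above is that a key does not vanish the instant power is removed: the AES key schedule that a disk-encryption driver keeps in RAM is 176 bytes of highly redundant data, so a dump taken after the plug is pulled can still give up the key even once some bits have decayed. The following Python is an added example, not code from the BLU thread or from any tool named in it. It builds an AES-128 key schedule, embeds it in a constructed memory image (random filler, the FIPS-197 example key, a made-up offset and a made-up decay pattern are all assumptions), and then scans the image for any 16-byte window whose expansion matches the bytes that follow it, the same check the cold boot paper's key finder relies on. The scan is run exact and then with a bit-error budget, which is the difference between a decayed dump that yields the key and one that does not.

```python
"""Locate an AES-128 key in a memory image by its key schedule.

Added example for the cold boot discussion above; not code from the thread.
The image, key offset and decay pattern are constructed here so it runs
offline.  The scan itself mirrors the key-schedule check from the cold boot
paper, without that tool's error-correcting reconstruction of a damaged key.
"""
import random

SCHEDULE_LEN = 176   # 11 round keys x 16 bytes for AES-128


def _rotl8(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xFF


def _make_sbox():
    """Build the AES S-box: GF(2^8) inverse followed by the affine map."""
    sbox = [0] * 256
    p = q = 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF  # p *= 3
        q = (q ^ (q << 1)) & 0xFF                                # q /= 3
        q = (q ^ (q << 2)) & 0xFF
        q = (q ^ (q << 4)) & 0xFF
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63   # zero has no inverse; affine map alone
    return sbox


SBOX = _make_sbox()


def expand_key(key):
    """AES-128 key schedule (FIPS-197 section 5.2): 16-byte key -> 176 bytes."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 0x01
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]   # RotWord, then SubWord
            t[0] ^= rcon
            rcon = ((rcon << 1) ^ 0x1B) & 0xFF if rcon & 0x80 else rcon << 1
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return bytes(b for word in w for b in word)


def hamming(a, b):
    """Number of differing bits between two equal-length byte strings."""
    return bin(int.from_bytes(a, "big") ^ int.from_bytes(b, "big")).count("1")


def find_aes128_keys(image, max_bit_errors=0):
    """Return (offset, key) for each 16-byte window whose expanded schedule
    matches the 176 bytes starting at that window within max_bit_errors.
    A random 160-byte tail never matches, so there are no false positives;
    the tolerance is what lets a partially decayed schedule still be found."""
    hits = []
    for off in range(len(image) - SCHEDULE_LEN + 1):
        candidate = image[off:off + 16]
        if hamming(expand_key(candidate), image[off:off + SCHEDULE_LEN]) <= max_bit_errors:
            hits.append((off, candidate))
    return hits


def build_image(key, seed=1, size=4096, key_offset=1000, decayed_bits=()):
    """Constructed memory image (assumption): random filler with the key
    schedule embedded, then chosen bits flipped to mimic DRAM decay."""
    rng = random.Random(seed)
    buf = bytearray(rng.randrange(256) for _ in range(size))
    buf[key_offset:key_offset + SCHEDULE_LEN] = expand_key(key)
    for bit in decayed_bits:            # absolute bit positions in the image
        buf[bit // 8] ^= 1 << (bit % 8)
    return bytes(buf)


FIPS_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # FIPS-197 A.1 key


def demo():
    """Exact scan of a clean dump, then exact and tolerant scans of a dump with
    six decayed bits in round keys 3..9 (the first 16 bytes left intact)."""
    clean = build_image(FIPS_KEY)
    decay = [(1000 + 50) * 8 + 1, (1000 + 77) * 8 + 4, (1000 + 101) * 8 + 7,
             (1000 + 120) * 8 + 0, (1000 + 133) * 8 + 2, (1000 + 158) * 8 + 5]
    decayed = build_image(FIPS_KEY, decayed_bits=decay)
    return {
        "clean_exact": find_aes128_keys(clean),
        "decayed_exact": find_aes128_keys(decayed),
        "decayed_tolerant": find_aes128_keys(decayed, max_bit_errors=10),
    }


if __name__ == "__main__":
    for name, hits in demo().items():
        print(name, [(off, k.hex()) for off, k in hits])
```

The exact scan finds the key in the clean image and nothing in the decayed one; with a budget of ten bit errors the decayed image gives up the key as well. Two caveats follow from that. First, the tolerance only helps while the first 16 bytes survive; once decay reaches the key itself, recovery needs the full schedule-based reconstruction from the paper, not this simple check. Second, that is exactly what a trip switch buys the defender: every second without power, and without the RAM being chilled, raises the error count until no budget is enough.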


