Lest We Remember: Cold Boot Attacks on Encryption Keys

J. Alex Halderman, Seth D. Schoen, Nadia Heninger, William Clarkson, William Paul,
Joseph A. Calandrino, Ariel J. Feldman, Jacob Appelbaum, and Edward W. Felten

In Proceedings of the 2008 USENIX Security Symposium.
Awarded Best Student Paper

Presented by: Payas Gupta

Year II of SRG
In today’s talk…

 •   Introduction
 •   Characterizing Remanence Effects
 •   Imaging Residual Memory
 •   Key Reconstruction
 •   Identifying Keys in Memory
 •   Attacking Encrypted Disks
 •   Countermeasures and Limitations
 •   Conclusions

 • Is it true?
   – Computer’s memory is erased almost
     immediately when it loses power.
 • Ordinary DRAMs typically lose their
   contents gradually over a period of
 • Data will persist for minutes or even
   hours if the chips are kept at low

 • Exploit DRAM remanence effects to
   recover cryptographic keys held in
 • Defeated popular encryption systems
   including BitLocker, TrueCrypt etc.
 • Many other security systems are
   probably vulnerable.
   – Mac OS X leaves the user’s login password
     in memory, where it can be recovered using
     a cold boot attack.

 • However, newer memory technologies,
   which use higher circuit densities,
   tended to decay more quickly than
   older ones
 • Were able to reconstruct keys
   – AES, DES, triple DES, RSA, tweak keys
Characterizing Remanence Effects

 • DRAM cell is essentially a capacitor
 • Over time charge will leak and cell will
   lose its state
   – To forestall this, cell must be refreshed
   – Standard refresh time is on the order of ms
Decay at different temperatures

  Submerged into Liquid Nitrogen (-196˚C) for 60 minutes
  Only 0.17% decay
  [Figures: after 5 seconds, after 30 seconds, after 60 seconds, after 5 minutes]
Imaging tools

 • Booting the system will overwrite some
   portions of memory
 • Bad options
   – Loading full OS into memory
 • Use tiny special-purpose programs,
   produce accurate dumps of memory
   contents to some external medium
Imaging tools

 • PXE network boot – Intel’s Preboot
   Execution Environment (PXE)
   – Implemented 9KB standalone application
     that can be booted via PXE
   – Extracted memory images at 300 Mb/s
     with gigabit Ethernet cards.
 • USB drives
   – Implemented a 10KB plug-in for the
     SYSLINUX bootloader that can be booted
     from an external USB drive.
 • iPods 
Imaging attacks

 • Simple reboot
   – Configure BIOS and boot the imaging tools
 • Transferring DRAM modules
   – Cooling a module before powering it off
     can slow decay sufficiently to allow it to be
     transferred to another machine with
     minimal decay.
Cold Boot attack

  Before powering off the computer… spray an upside-down canister of
  multipurpose duster directly onto the memory chips, cooling them to -50˚C
Cold Boot attack

  Data will persist for several minutes after power loss
Cold Boot attack

  Even if we remove the DRAM from the computer
Key Reconstruction

 • Designed algorithms that can quickly correct
   errors at rates in the range 5%-50%,
   depending on the type of key.
 • Most Encryption programs speed up
   computation by storing data
   precomputed from the encryption keys.
 • This data contains much more
   structure than the key itself

Modeling the decay

 • Assumption: all bits decay to the
   same ground state.
 • P(1→0) = δ0             P(0→1) = δ1
   – Probability of decaying to the ground state
     approaches 1 as time goes on.
   – Probability of flipping in the opposite direction
     remains constant and tiny.
 • Observed
   – Bits tend to decay in predictable order
   – Actual order of decay appeared fairly
     random with respect to location.
RSA Key Generation

 •   Choose two prime numbers p and q
 •   N = pq
 •   Φ(N) = (p-1)(q-1)
 •   e → public key exponent
 •   de ≡ 1 (mod Φ(N))
 •   d → private key exponent
RSA keys

• RSA public key consists of
  – Modulus N
  – Public key exponent e
• RSA private key consists of
  – Private exponent d
• Optional values
  – Prime factors p and q of N
  – d mod (p-1)
  – d mod (q-1)
  – q^(-1) mod p
Reconstructing RSA private keys

 Previous approaches
 • Let n=lg(N)
 • N can be factored in polynomial time
   – Coppersmith [14]
     • given the n/4 LSB of p
   – Boneh, Durfee and Frankel [9]
     • given the n/4 LSB of d
   – Blömer and May [7]
     • given the n/4 LSB of d mod(p-1)
Reconstructing RSA private keys

 • Error could be distributed across all bits
   of the key data, so previous
   approaches are not directly applicable

 • Given: public modulus N
 • p’ and q’ are recovered from memory
 • Deduce values for the original p and q
   by iteratively reconstructing them from
Reconstructing RSA private keys

 • δ → probability of unidirectional decay.
 • 1024-bit primes (2048-bit key)
   – δ = 4%
     • median reconstruction time = 4.5s
   – δ = 6%
     • median reconstruction time = 2.5min
 • 512-bit primes
   – δ = 10%
     • median reconstruction time = 1min
Identifying RSA keys in memory

 • Most widely used format for RSA is as
   specified in PKCS
   – This object, packaged in DER encoding is
     the standard format for storage and
     interchange of private keys.
 • They search for identifying features of
   the DER-encoding itself.
   – Sequence identifier 0x30 followed a few
     bytes later by the DER encoding of the
     RSA version number and then by the DER
     encoding of the next field.
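
Added example (not code from the paper or the slides): a Python scanner for the DER pattern described above, usable to check whether a memory image or core dump still holds private-key material. The function names and the sample buffer are constructed for illustration; the sample holds filler bytes laid out like a key, not a real key.

```python
VERSION_THEN_INT = b"\x02\x01\x00\x02"   # INTEGER 0 (version), then the next field's INTEGER tag

def der_length(buf, pos):
    """Decode the DER length field at buf[pos]; return (value, field_size) or None."""
    if pos >= len(buf):
        return None
    first = buf[pos]
    if first < 0x80:                       # short form: the byte is the length
        return first, 1
    n = first & 0x7F                       # long form: n length bytes follow
    if not 1 <= n <= 4 or pos + 1 + n > len(buf):
        return None
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), 1 + n

def find_rsa_private_keys(image, min_modulus_bytes=64):
    """Return (offset, total_size, modulus_field_bytes) for each plausible DER private key."""
    hits = []
    pos = image.find(b"\x30")              # SEQUENCE identifier
    while pos != -1:
        seq = der_length(image, pos + 1)
        if seq:
            body = pos + 1 + seq[1]
            mod = der_length(image, body + 4)
            if (image[body:body + 4] == VERSION_THEN_INT and mod
                    and min_modulus_bytes <= mod[0] < seq[0]
                    and body + seq[0] <= len(image)):
                hits.append((pos, 1 + seq[1] + seq[0], mod[0]))
        pos = image.find(b"\x30", pos + 1)
    return hits

def der_int(raw):
    """DER INTEGER encoding of raw bytes (only used to build the constructed sample)."""
    n = len(raw)
    hdr = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big")
    return b"\x02" + hdr + raw

def constructed_image():
    """Constructed sample: filler bytes laid out like a 1024-bit key, among decoys."""
    fields = [b"\x00", b"\x00" + b"\xC3" * 128, b"\x01\x00\x01", b"\x5A" * 128,
              b"\x00" + b"\xC3" * 64, b"\x00" + b"\xC3" * 64] + [b"\x5A" * 64] * 3
    body = b"".join(der_int(f) for f in fields)
    key = b"\x30\x82" + len(body).to_bytes(2, "big") + body
    noise = b"\x30\x11\xAA" * 100          # stray 0x30 bytes with no key behind them
    decoy = b"\x02\x01\x00\x02\x81\x81"    # version pattern with no SEQUENCE header
    return noise + decoy + key + noise, len(noise) + len(decoy)

if __name__ == "__main__":
    image, planted_at = constructed_image()
    print(planted_at, find_rsa_private_keys(image))
```

Checking the decoded lengths against each other and against the end of the image is what filters out the stray 0x30 bytes and the headerless version pattern.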
Attacking … BitLocker

 • BitLocker –
   – operates as a filter driver
   – Resides between the file system and the
     disk driver, encrypting and decrypting
     individual sectors on demand.
   – AES encryption in CBC mode
   – Secret pad key and CBC encryption key
BitLocker Procedure

 • External USB hard-disk containing
 • A custom SYSLINUX-based bootloader
 • FUSD filter driver that allows BitLocker
   volumes to be mounted under Linux.

 • Attack: cut power, connect the external
   USB hard disk and boot.
   – Dump the memory image and apply keyfind
Attacking … Loop-AES

 • Loop-AES – on-the-fly disk encryption
   package for Linux systems.
 • Encrypts with AES in CBC mode
 • Each disk block is encrypted with one
   of 64 encryption keys.
 • Additional AES key to generate IVs.
 • keyfind program revealed 65 AES keys.
 • For each of the AES keys, it maintains
   two copies of the key schedule in
   memory, one normal copy and one with
   each bit inverted.
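
Added example (not the authors' keyfind tool): the Key Reconstruction slide notes that precomputed data has more structure than the key itself, and this Python code shows that structure for AES-128 by scoring every 176-byte window of an image against the key schedule recurrence, so a schedule stays recognisable after a few 1→0 decay flips. The sample image, the flip pattern (δ1 = 0) and the 64-bit threshold are constructed assumptions; the key is the public FIPS-197 example key.

```python
def _make_sbox():
    """AES S-box: multiplicative inverse in GF(2^8), then the affine transform."""
    rotl = lambda x, n: ((x << n) | (x >> (8 - n))) & 0xFF
    box, p, q = [0x63] + [0] * 255, 1, 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF      # p = p * 3
        for s in (1, 2, 4):                                        # q = q / 3
            q ^= q << s
        q = (q & 0xFF) ^ (0x09 if q & 0x80 else 0)
        box[p] = q ^ rotl(q, 1) ^ rotl(q, 2) ^ rotl(q, 3) ^ rotl(q, 4) ^ 0x63
        if p == 1:
            return box

SBOX = _make_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]

def _expected(blk, i):
    """Word the AES-128 key schedule recurrence predicts at byte offset i."""
    t = blk[i - 4:i]
    if i % 16 == 0:                        # first word of a round key: RotWord, SubWord, Rcon
        t = bytes([SBOX[t[1]] ^ RCON[i // 16 - 1], SBOX[t[2]], SBOX[t[3]], SBOX[t[0]]])
    return bytes(a ^ b for a, b in zip(blk[i - 16:i - 12], t))

def expand_key(key):
    """Expand a 16-byte key into the 176-byte schedule that implementations precompute."""
    w = bytearray(key)
    for i in range(16, 176, 4):
        w += _expected(w, i)
    return bytes(w)

def schedule_distance(blk):
    """Number of bits in a 176-byte window that violate the recurrence (0 = valid schedule)."""
    return sum(bin(x ^ y).count("1") for i in range(16, 176, 4)
               for x, y in zip(_expected(blk, i), blk[i:i + 4]))

def find_key_schedules(image, max_bits=64):
    """Return (offset, distance) for windows within max_bits of a valid schedule, best first."""
    scored = ((off, schedule_distance(image[off:off + 176])) for off in range(len(image) - 175))
    return sorted((h for h in scored if h[1] <= max_bits), key=lambda h: h[1])

def constructed_image():
    """Constructed sample: a schedule with a few 1->0 flips (delta1 = 0) inside zeroed memory."""
    sched = expand_key(bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c"))  # FIPS-197 example key
    decayed = bytes(b & (b - 1) if i % 29 == 0 else b for i, b in enumerate(sched))
    return bytes(200) + decayed + bytes(200), 200

if __name__ == "__main__":
    image, planted_at = constructed_image()
    print(planted_at, find_key_schedules(image))
```

Because each word is checked only against its observed neighbours, a flipped bit disturbs a handful of checks rather than the whole schedule; a bare 16-byte key with no stored schedule offers no such consistency to test, which is the point of the "avoiding precomputation" countermeasure.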
Countermeasures and Limitations

 • Scrubbing Memory
   – Avoid storing keys in memory
   – Overwrite unwanted keys
   – Systems can also clear memory at boot time
 • Limit booting from network or
   removable media
 • Avoiding precomputation
 • Physical Defenses
   – Sensors respond to low temperatures or
     opening of computer’s case
Countermeasures and Limitations

 • Encrypting in the disk Controller
   – Main encryption keys are stored in the disk
     controller rather than in DRAM

 • DRAMs hold their values for surprisingly
   long intervals without power or refresh.
 • Defeat several popular disk encryption
 • Today’s Trusted Computing technologies
   cannot protect keys that are already in
 • Architecture should be changed
 • Treat DRAM as untrusted and avoid storing
   sensitive data there
