The cold boot attack code for things like TrueCrypt, released

Modelworks

Well, the code is out there now.
Wonder how long it takes people to start making use of it. I don't have anything to hide, but it's a heads up for those of you that do.


http://www.hackaday.com/2008/0...attack-tools-released/
The team from Princeton has released their cold boot attack tools. Earlier this year they showed how to recover crypto keys from the memory of a machine that had been powered off. Now they've provided the tools necessary to acquire and play around with your own memory dumps. The bios_memimage tool is written in C and uses PXE to boot the machine and copy the memory. The package also has a disk boot dumper with instructions for how to run it on an iPod. There's also efi_memimage which implements the BSD TCP/IP stack in EFI, but it can be problematic. aeskeyfind can recover 128 and 256-bit AES keys from the memory dumps and rsakeyfind does the same for RSA. They've also provided aesfix to correct up to 15% of a key. In testing, they only ever saw 0.1% error in their memory dumps and 0.01% if they cooled the chips first.
 

Jeff7

So what would it take then for Truecrypt's developers to add a feature that would, either on shutdown or program exit, run a zero-write over the memory space used to store the encryption key?

 

Modelworks

Originally posted by: Jeff7
So what would it take then for Truecrypt's developers to add a feature that would, either on shutdown or program exit, run a zero-write over the memory space used to store the encryption key?

That would work.
But it still would not stop someone from just walking up to the pc and pulling the plug then using the cold boot method.
 

Legendary

chipsets that wipe memory on boot?
surely there's something internal that would execute before this program would be able to take hold, and if there is, that could be coded to wipe memory?
 

Modelworks

After looking over the code I see the easiest way to prevent using it is to password protect the bios or the entire pc if your bios has the option.
Both code samples require access to the bios to make the pc boot from either usb or network. If the pc already boots off the network then that still is a problem.

That still does not prevent someone from popping the cover, clearing the cmos, which removes the password, and then running the software.
They could also remove the memory sticks themselves. But it will all have to be done rather quickly and I think those options aren't as likely to happen as just booting a pc, entering bios, then running some software off a usb drive.

So if you do have something to protect I recommend setting a bios password at the least.



 

irishScott

Originally posted by: Modelworks
Originally posted by: Jeff7
So what would it take then for Truecrypt's developers to add a feature that would, either on shutdown or program exit, run a zero-write over the memory space used to store the encryption key?

That would work.
But it still would not stop someone from just walking up to the pc and pulling the plug then using the cold boot method.

This is why you don't leave encrypted information open/mounted in a public place. Kinda defies the point of encryption.
 

Modelworks

Originally posted by: irishScott
Originally posted by: Modelworks
Originally posted by: Jeff7
So what would it take then for Truecrypt's developers to add a feature that would, either on shutdown or program exit, run a zero-write over the memory space used to store the encryption key?

That would work.
But it still would not stop someone from just walking up to the pc and pulling the plug then using the cold boot method.

This is why you don't leave encrypted information open/mounted in a public place. Kinda defies the point of encryption.

The problem is office environments where people put the pc in sleep modes or leave it with screensavers after they have logged out. Encryption software is going to have to adapt to do what Jeff7 suggested. Write zeros over the memory space after a user logs out. Offices will also need to password protect the bios.

 

irishScott

Originally posted by: Modelworks
Originally posted by: irishScott
Originally posted by: Modelworks
Originally posted by: Jeff7
So what would it take then for Truecrypt's developers to add a feature that would, either on shutdown or program exit, run a zero-write over the memory space used to store the encryption key?

That would work.
But it still would not stop someone from just walking up to the pc and pulling the plug then using the cold boot method.

This is why you don't leave encrypted information open/mounted in a public place. Kinda defies the point of encryption.

The problem is office environments where people put the pc in sleep modes or leave it with screensavers after they have logged out. Encryption software is going to have to adapt to do what Jeff7 suggested. Write zeros over the memory space after a user logs out. Offices will also need to password protect the bios.

I don't know about other encryption software, but TrueCrypt's default setting is to dismount on log-out. You can also set it to dismount when the screensaver comes on. I know a clean dismount clears the RAM/cached passwords, not sure about the BIOS.
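
The zero-write on dismount or program exit that Jeff7 proposes, as an added C example (not from the thread and not TrueCrypt's code). The `key_ctx` structure and function names are hypothetical, and the round-key fill is a constructed stand-in for real AES key expansion. It covers clean dismount and normal exit only; as Modelworks points out, it does nothing if power is cut while the volume is still mounted.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define KEY_BYTES      32    /* AES-256 master key */
#define SCHEDULE_BYTES 240   /* AES-256 round keys: 15 x 16 bytes */

/* Hypothetical key holder for one mounted volume; not TrueCrypt's real layout. */
static struct key_ctx {
    uint8_t key[KEY_BYTES];
    uint8_t schedule[SCHEDULE_BYTES];  /* derived from key, equally sensitive */
} g_ctx;

/* Volatile stores: a plain memset() before exit/free() is a dead store the optimizer may drop. */
static void secure_wipe(void *buf, size_t len)
{
    volatile uint8_t *p = buf;
    while (len--) *p++ = 0;
}

/* Returns 1 when no key or round-key byte is left in the context. */
static int key_ctx_is_clean(void)
{
    const uint8_t *p = (const uint8_t *)&g_ctx;
    uint8_t acc = 0;
    for (size_t i = 0; i < sizeof g_ctx; i++) acc |= p[i];
    return acc == 0;
}

/* Dismount: wipe the whole context, schedule included. */
static void key_ctx_dismount(void) { secure_wipe(&g_ctx, sizeof g_ctx); }

/* Mount: register the wipe for normal program exit, then store the key. */
static int key_ctx_mount(const uint8_t key[KEY_BYTES])
{
    static int hooked;
    if (!hooked && atexit(key_ctx_dismount) != 0) return -1;  /* cannot guarantee a wipe */
    hooked = 1;
    memcpy(g_ctx.key, key, KEY_BYTES);
    for (size_t i = 0; i < SCHEDULE_BYTES; i++)   /* constructed stand-in for AES key expansion */
        g_ctx.schedule[i] = (uint8_t)(key[i % KEY_BYTES] ^ i);
    return 0;
}

int main(void)
{
    uint8_t key[KEY_BYTES];
    memset(key, 0xA5, sizeof key);     /* constructed sample key */
    if (key_ctx_mount(key) != 0) return 1;
    secure_wipe(key, sizeof key);      /* the caller's copy is key material too */
    key_ctx_dismount();
    return key_ctx_is_clean() ? 0 : 1;
}
```

Where the platform provides them, `explicit_bzero`, `memset_s` or `SecureZeroMemory` serve the same purpose as the volatile loop.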