Lest We Remember: Cold Boot Attacks on Encryption Keys
J. Alex Halderman, Seth D. Schoen, Nadia Heninger, William Clarkson, William Paul, Joseph A. Calandrino, Ariel J. Feldman, Jacob Appelbaum, and Edward W. Felten
In Proceedings of the 2008 USENIX Security Symposium. Awarded Best Student Paper
Presented by: Payas Gupta
Year II of SRG

In today’s talk…
• Introduction
• Characterizing Remanence Effects
• Imaging Residual Memory
• Key Reconstruction
• Identifying Keys in Memory
• Attacking Encrypted Disks
• Countermeasures and Limitations
• Conclusions

Introduction
• Is it true?
   – A computer’s memory is erased almost immediately when it loses power.
• Ordinary DRAMs typically lose their contents gradually over a period of seconds
• Data will persist for minutes or even hours if the chips are kept at low temperatures

Introduction
• Exploit DRAM remanence effects to recover cryptographic keys held in memory
• Defeated popular encryption systems including BitLocker, TrueCrypt etc.
• Many other security systems are probably vulnerable.
   – Mac OS X leaves the user’s login password in memory, where it can be recovered using a cold boot attack.

Introduction
• However, newer memory technologies, which use higher circuit densities, tended to decay more quickly than older ones
• Were able to reconstruct keys
   – AES, DES, triple DES, RSA, tweak keys

Characterizing Remanence Effects
• A DRAM cell is essentially a capacitor
• Over time the charge will leak and the cell will lose its state
   – To forestall this, the cell must be refreshed
   – Standard refresh time is on the order of milliseconds

Decay at different temperatures
• Submerged in liquid nitrogen (-196˚C) for 60 minutes: only 0.17% decay
[Figure panels: After 5 seconds, After 30 seconds, After 60 seconds, After 5 minutes]

Imaging tools
• Booting the system will overwrite some portions of memory
• Bad options
   – Loading a full OS into memory
• Use tiny special-purpose programs that produce accurate dumps of memory contents to some external medium

Imaging tools
• PXE network boot
   – Intel’s Preboot Execution Environment (PXE)
   – Implemented a 9KB standalone application that can be booted via PXE
   – Extracted memory images at 300 Mb/s with gigabit Ethernet cards.
• USB drives
   – Implemented a 10KB plug-in for the SYSLINUX bootloader that can be booted from an external USB drive.
• iPods

Imaging attacks
• Simple reboot
   – Configure the BIOS and boot the imaging tools
• Transferring DRAM modules
   – Cooling a module before powering it off can slow decay sufficiently to allow it to be transferred to another machine with minimal decay.

Cold Boot attack
• Before powering off the computer… spray an upside-down canister of multipurpose duster directly onto the memory chips, cooling them to -50˚C

Cold Boot attack
• Data will persist for several minutes after power loss

Cold Boot attack
• Even if we remove the DRAM from the computer

Key Reconstruction
• Designed algorithms that can quickly correct errors in the range 5%-50%, depending on the type of key.
• Most encryption programs speed up computation by storing data precomputed from the encryption keys.
• This data contains much more structure than the key itself
   – A sort of ECC for the key

Modeling the decay
• Assumption: all bits decay to the same ground state.
• P(1→0) = δ0, P(0→1) = δ1
   – The probability of decaying to the ground state approaches 1 as time goes on.
   – The probability of flipping in the opposite direction remains constant and tiny.
• Observed
   – Bits tend to decay in a predictable order
   – The actual order of decay appeared fairly random with respect to location.

RSA Key Generation
• Choose two prime numbers p and q
• N = pq
• Φ(N) = (p-1)(q-1)
• e: public key exponent
• de ≡ 1 (mod Φ(N))
• d: private key exponent

RSA keys
• An RSA public key consists of
   – Modulus N
   – Public key exponent e
• An RSA private key consists of
   – Private exponent d
• Optional values
   – Prime factors p and q of N
   – d mod (p-1)
   – d mod (q-1)
   – q⁻¹ mod p

Reconstructing RSA private keys
Previous approaches
• Let n = lg(N)
• N can be factored in polynomial time
   – Coppersmith [14]: given the n/4 LSBs of p
   – Boneh, Durfee and Frankel [9]: given the n/4 LSBs of d
   – Blömer and May [7]: given the n/4 LSBs of d mod (p-1)

Reconstructing RSA private keys
• Errors could be distributed across all bits of the key data, so previous approaches are not directly applicable
• Given: the public modulus N
• p’ and q’ are recovered from memory
• Deduce values for the original p and q by iteratively reconstructing them from the LSBs.

Reconstructing RSA private keys
• δ: probability of unidirectional decay.
• 1024-bit primes (2048-bit key)
   – δ = 4%
      • median reconstruction time = 4.5s
   – δ = 6%
      • median reconstruction time = 2.5min
• 512-bit primes
   – δ = 10%
      • median reconstruction time = 1min

Identifying RSA keys in memory
• The most widely used format for RSA keys is the one specified in PKCS
   – This object, packaged in DER encoding, is the standard format for storage and interchange of private keys.
• They search for identifying features of the DER encoding itself.
   – Sequence identifier 0x30, followed a few bytes later by the DER encoding of the RSA version number and then by the DER encoding of the next field.

Attacking … BitLocker
• BitLocker
   – Operates as a filter driver
   – Resides between the file system and the disk driver, encrypting and decrypting individual sectors on demand.
   – AES encryption in CBC mode
   – Secret pad key and CBC encryption key

BitLocker Procedure

BitUnLocker
• External USB hard disk containing Linux
• A custom SYSLINUX-based bootloader
• FUSD filter driver that allows BitLocker volumes to be mounted under Linux.
• ATTACK: cut the power, connect the external USB hard disk and boot.
   – Dump the memory image and apply the keyfind algorithm.

Attacking … Loop-AES
• Loop-AES: on-the-fly disk encryption package for Linux systems.
• Encrypts with AES in CBC mode
• Each disk block is encrypted with one of 64 encryption keys.
• An additional AES key is used to generate IVs.
• The keyfind program revealed 65 AES keys.
• For each of the AES keys, it maintains two copies of the key schedule in memory, one normal copy and one with each bit inverted.

Countermeasures and Limitations
• Scrubbing memory
   – Avoid storing keys in memory
   – Overwrite unwanted keys
   – Systems can also clear memory at boot time
• Limit booting from network or removable media
• Avoiding precomputation
• Physical defenses
   – Sensors respond to low temperatures or opening of the computer’s case

Countermeasures and Limitations
• Encrypting in the disk controller
   – Main encryption keys are stored in the disk controller rather than in DRAM

Conclusions
• DRAMs hold their values for surprisingly long intervals without power or refresh.
• This defeats several popular disk encryption systems.
• Today’s Trusted Computing technologies cannot protect keys that are already in memory
• Architecture should be changed
• Treat DRAM as untrusted and avoid storing sensitive data there
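
The decay model from the "Modeling the decay" slide, as an added C example (not code from the paper or the presentation): it applies unidirectional decay toward ground state 0 to a constructed buffer and counts the flips each candidate would need to explain the image. The xorshift32 generator, the parts-per-million rate parameters, the sample pattern and all function names are assumptions made for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static uint32_t rng_state = 2463534242u;  /* fixed seed so runs repeat */
static uint32_t rng(void)                 /* xorshift32, illustration only */
{
    rng_state ^= rng_state << 13;
    rng_state ^= rng_state >> 17;
    return rng_state ^= rng_state << 5;
}

/* Ground state 0: P(1->0) = d0_ppm/1e6, P(0->1) = d1_ppm/1e6 (tiny). */
void decay(uint8_t *buf, size_t len, uint32_t d0_ppm, uint32_t d1_ppm)
{
    for (size_t i = 0; i < len * 8; i++) {
        uint32_t p = ((buf[i / 8] >> (i % 8)) & 1) ? d0_ppm : d1_ppm;
        if (rng() % 1000000u < p) buf[i / 8] ^= (uint8_t)(1u << (i % 8));
    }
}

/* Flips needed to turn candidate `g` into the observed image `o`. */
void count_flips(const uint8_t *g, const uint8_t *o, size_t len, unsigned *n10, unsigned *n01)
{
    *n10 = *n01 = 0;
    for (size_t i = 0; i < len * 8; i++) {
        int gb = (g[i / 8] >> (i % 8)) & 1, ob = (o[i / 8] >> (i % 8)) & 1;
        *n10 += gb && !ob;
        *n01 += !gb && ob;
    }
}

/* Constructed sample: 2048 one bits, d0 = 10%, d1 = 0.1%; truth vs complement. */
void run_sample(unsigned *true_n10, unsigned *true_n01, unsigned *wrong_n01)
{
    uint8_t orig[512], wrong[512], obs[512]; unsigned unused;
    memset(orig, 0xA5, sizeof orig);
    memset(wrong, 0x5A, sizeof wrong);
    memcpy(obs, orig, sizeof obs);
    decay(obs, sizeof obs, 100000, 1000);
    count_flips(orig, obs, sizeof obs, true_n10, true_n01);
    count_flips(wrong, obs, sizeof obs, &unused, wrong_n01);
}

int main(void)
{
    unsigned a, b, c;
    run_sample(&a, &b, &c);
    return printf("truth: %u 1->0, %u 0->1; complement: %u 0->1\n", a, b, c) < 0;
}
```

The true contents need only a handful of 0→1 flips to explain the image, while the wrong candidate needs one for every surviving 1 bit, which is why the asymmetry between δ0 and δ1 makes error correction tractable.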
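
An added example for the "Overwrite unwanted keys" countermeasure, which reuses the DER signature from the "Identifying RSA keys in memory" slide as a self-check that a buffer no longer holds a recognisable key header after scrubbing (not code from the paper or the presentation). The function names, the assumption of a two-byte long-form length (0x82) and the header bytes are constructed for this illustration; no real key material is involved.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Zero a buffer through a volatile pointer so the compiler cannot drop the
   stores as dead writes just before the buffer goes out of use. */
void scrub(void *p, size_t len)
{
    volatile uint8_t *v = p;
    while (len--)
        *v++ = 0;
}

/* Offset of the first RSA private key DER header in buf, or -1. Pattern from
   the slide: SEQUENCE 0x30, length bytes, INTEGER version 0 (02 01 00), then
   the tag of the next INTEGER (02). Assumes a two-byte long-form length
   (0x82 hi lo), which RSA keys of 1024 bits and up produce. */
long find_rsa_der(const uint8_t *buf, size_t len)
{
    static const uint8_t ver[] = { 0x02, 0x01, 0x00, 0x02 };
    for (size_t i = 0; i + 8 <= len; i++)
        if (buf[i] == 0x30 && buf[i + 1] == 0x82 &&
            memcmp(buf + i + 4, ver, sizeof ver) == 0)
            return (long)i;
    return -1;
}

/* Constructed sample: filler bytes with the first 12 bytes of a key header at
   offset 16 (no real key material). Returns the hit before scrubbing and
   stores the result of the same scan after scrubbing in *after. */
long audit(long *after)
{
    static const uint8_t hdr[] = { 0x30, 0x82, 0x04, 0xa4, 0x02, 0x01, 0x00,
                                   0x02, 0x82, 0x01, 0x01, 0x00 };
    uint8_t heap[64];
    memset(heap, 0x5a, sizeof heap);
    memcpy(heap + 16, hdr, sizeof hdr);
    long before = find_rsa_der(heap, sizeof heap);
    scrub(heap + 16, sizeof hdr);
    *after = find_rsa_der(heap, sizeof heap);
    return before;
}

int main(void)
{
    long after, before = audit(&after);
    printf("before scrub: %ld, after scrub: %ld\n", before, after);
    return 0;
}
```

A plain `memset` on a buffer that is never read again may be removed by the optimiser, which is why the scrub goes through a volatile pointer.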