February 21, 2008 8:37 AM PST

Disk encryption may not be secure enough, new research finds

by Declan McCullagh

Computer scientists have discovered a novel way to bypass the encryption used in programs like Microsoft's BitLocker and Apple's FileVault and then view the contents of supposedly secure files.

In a paper (PDF) published Thursday that could prompt a rethinking of how to protect sensitive data, the researchers describe how they can extract the contents of a computer's memory and discover the secret encryption key used to scramble files. (I tested these claims by giving them a MacBook with FileVault; here's a slideshow.)

"There seems to be no easy remedy for these vulnerabilities," the researchers say. "Simple software changes are likely to be ineffective; hardware changes are possible but will require time and expense; and today's Trusted Computing technologies appear to be of little help because they cannot protect keys that are already in memory. The risk seems highest for laptops, which are often taken out in public in states that are vulnerable to our attacks. These risks imply that disk encryption on laptops may do less good than widely believed."

The nine researchers listed on the paper include San Francisco-area programmers Jacob Appelbaum and Seth Schoen and a team of Princeton University computer scientists such as graduate students J. Alex Halderman and Nadia Heninger and professor Ed Felten. The paper is titled "Lest We Remember: Cold Boot Attacks on Encryption Keys."


Their technique doesn't attack the encryption directly. Rather, it relies on gaining access to the contents of a computer's RAM--through a mechanism as simple as booting a laptop over a network or from a USB drive--and then scanning for encryption keys. How the scan is done is one of the most clever portions of the paper.

The reason I say this research could prompt a rethinking of how to protect data is that many of us who use encrypted file-systems believe that if our computers are lost or stolen, our data will be secure. But if a thief (or nosy border guard, or FBI agent) nabs my laptop locked with a screen saver or in sleep mode with the RAM intact, the paper shows that encryption provides no protection.

"You can't rely on the screen saver," said Peter Gutmann, a computer science professor at the University of Auckland in New Zealand who has done related work but is not affiliated with Thursday's paper. "If you really are that worried, you have to turn off your PC."

The researchers say their technique works against Apple's FileVault, the BitLocker Drive Encryption feature included in the Enterprise and Ultimate versions of Windows Vista, the open-source product TrueCrypt, and the dm-crypt subsystem built into Linux kernels starting with 2.6. The other researchers include William Clarkson, William Paul, and Ariel J. Feldman.

In its marketing literature, Apple promises that, with FileVault turned on, "the data in your home folder is encoded and your information is secure if your computer is lost or stolen." When I contacted the company for comment, Apple would say only this: "Apple takes security very seriously and has a great track record of addressing potential vulnerabilities before they can affect users. We always welcome feedback on how to improve security on the Mac."

Microsoft was more forthcoming, saying:

The claims detailed in the Princeton paper are not vulnerabilities, per se, but simply detail the fact that contents that remain in a computer's memory can be accessed by a determined third party if the system is running. BitLocker is an effective solution to help safeguard personal and private data on mobile PCs and provides a number of protection options that meet different end-user needs. Like all full volume encryption products BitLocker has a key in memory when the system is running in order to encrypt/decrypt data, on the fly, for the drive/s in use. If a system is in 'Sleep mode' it is, in effect, still running. We recognize users want advice with regards to BitLocker and have published best practice guidance in the Data Encryption Toolkit (available here). In it we discuss the balance of security and usability and detail that the most secure method to use BitLocker is hibernate mode and with multi-factor authentication.

At this point, clever readers might be thinking: If the attack involves executing a specific memory-dump utility while rebooting, then Apple, HP, Toshiba, and so on can simply lock down the hardware to prevent any such utility from being run until the RAM can be safely wiped. Problem solved?

Well, not so fast. Another interesting technique that Thursday's paper describes is how to supercool the RAM chips with a can of compressed air held upside-down. Then the cooled memory can be physically extracted and inserted in another computer owned by the attacker. (If the memory is permanently affixed to the motherboard, there are still other methods [PDF] that can be used.)

The paper states:

Contrary to the expectation that DRAM loses its state quickly if it is not regularly refreshed, we found that most DRAM modules retained much of their state without refresh, and even without power, for periods lasting thousands of refresh intervals. At normal operating temperatures, we generally saw a low rate of bit corruption for several seconds, followed by a period of rapid decay. We obtained surface temperatures of approximately −50 degrees C with a simple cooling technique: discharging inverted cans of "canned air" duster spray directly onto the chips. At these temperatures, we typically found that fewer than 1% of bits decayed even after 10 minutes without power. To test the limits of this effect, we submerged DRAM modules in liquid nitrogen (ca. −196 degrees C) and saw decay of only 0.17% after 60 minutes out of the computer.

Gutmann, the New Zealand computer scientist, previewed this kind of attack in a 1996 paper that said: "To extend the life of stored bits with the power removed, the temperature should be dropped below -60 degrees C. Such cooling should lead to weeks, instead of hours or days, of data retention."

But in reality, such extreme methods probably won't be necessary. If thieves, FBI agents, or border guards have physical access to a computer that's turned on, they have other options. In 2004, Maximillian Dornseif showed how to extract the contents of a computer's memory merely by plugging in an iPod to the Firewire port. A subsequent presentation by "Metlstorm" in 2006 expanded the Firewire attack to Windows-based systems.

Translation: If you use an encrypted file-system and want privacy and security when you're not using your computer, you need to shut down your computer and wait a few minutes for the RAM contents to vanish. Another option for sensitive files is to use an encrypted volume like a PGP disk and unmount it as soon as you're done.

That assumes PGP erases the encryption keys from memory once the volume is unmounted, which the company swears it does. "We go well beyond that," said John Dasher, PGP Corporation's director of product management, adding that PGP products take "very elaborate measures to make sure that things are properly and completely disposed of."

He downplayed the potential threat to users of PGP, which provides both whole disk encryption and volume encryption and the researchers speculate will be vulnerable as well. "We never say buy whole disk and you're done," Dasher said. "You want to protect the device. You want to protect the data itself. And of course you're not going to get rid of your network protection. Security's not about buying whole disk encryption (and calling it a day)."

In response to the overall claim about the vulnerability of encrypted file-systems, Dasher said, "Even if it's true, I don't know if it changes my behavior."

It's been known for a long time--at least since Gutmann's 1996 paper--that encryption keys are vulnerable when stored in memory. And additional research (PDF) by Adi Shamir and Nicko van Someren two years later talks about identifying encryption keys by scanning hard drives.

By demonstrating the limits of off-the-shelf encryption products, what the research published on Thursday may do is shift the debate from academic arguments to how to protect users in real-world situations. It also advances previous research by calculating how long dynamic RAM chips hold their contents at different temperatures (little decay until a few seconds elapse) and offering algorithms to reconstruct encryption keys even when the contents of memory have begun to decay.

The reconstruction technique works by taking into account what's known as a "key schedule" for algorithms such as DES and AES, the U.S. government's Advanced Encryption Standard. In ciphers that do multiple rounds of encryption, the key schedule expands the secret key into the separate subkeys used by each round, and those derived subkeys, which sit in memory alongside the key, give the algorithm redundant information about the original key bits. The computer scientists said that it takes them "a few seconds" to reconstruct AES keys with 10 percent of the bits decayed; the more decay, the longer it takes.

So what are the countermeasures? As I noted above, shutting down the system, zeroing memory on boot, and unmounting encrypted volumes are some options. The paper suggests others, including limiting booting from network or removable drives, better methods of putting a computer to sleep (perhaps involving encrypting the portions of memory with the keys to the file system), recomputing keys when they're needed to avoid keeping copies in memory, and hardware changes such as tamperproof or encrypting RAM.
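The countermeasure that PGP describes above and that the paper's list ends on, erasing keys when a volume is unmounted and not leaving extra copies of key material in memory, as an added C example that is not from the paper or from any product named here: the per-volume context, the wipe routine and the self-check are assumptions for illustration, while the AES-128 key expansion is the standard FIPS-197 one, checked against its Appendix A.1 key. It shows that the 16-byte key becomes 176 bytes of secret-derived round keys, so an unmount that wipes only the key leaves the schedule behind.

```c
#include <stdint.h>
#include <string.h>

static uint8_t sbox[256];            /* AES S-box, generated once at run time */
static int sbox_ready;

static uint8_t rotl8(uint8_t x, unsigned s) { return (uint8_t)((x << s) | (x >> (8 - s))); }

static void build_sbox(void)         /* GF(2^8) inverse followed by the affine map */
{
    uint8_t p = 1, q = 1;
    do {                                                       /* invariant: p*q == 1 */
        p = (uint8_t)(p ^ (p << 1) ^ ((p & 0x80) ? 0x1B : 0));           /* p *= 3 */
        q ^= (uint8_t)(q << 1); q ^= (uint8_t)(q << 2); q ^= (uint8_t)(q << 4);
        q ^= (q & 0x80) ? 0x09 : 0;                                       /* q /= 3 */
        sbox[p] = q ^ rotl8(q, 1) ^ rotl8(q, 2) ^ rotl8(q, 3) ^ rotl8(q, 4) ^ 0x63;
    } while (p != 1);
    sbox[0] = 0x63;                                            /* 0 has no inverse */
    sbox_ready = 1;
}

uint8_t aes_sbox(uint8_t x) { if (!sbox_ready) build_sbox(); return sbox[x]; }

/* FIPS-197 key expansion: 16 secret bytes become 176 secret-derived bytes. */
static void aes128_expand_key(const uint8_t key[16], uint8_t rk[176])
{
    uint8_t rcon = 1, t[4];
    memcpy(rk, key, 16);
    for (size_t i = 16; i < 176; i += 4) {
        memcpy(t, rk + i - 4, 4);
        if (i % 16 == 0) {                            /* RotWord, SubWord, Rcon */
            uint8_t t0 = t[0];
            t[0] = aes_sbox(t[1]) ^ rcon; t[1] = aes_sbox(t[2]);
            t[2] = aes_sbox(t[3]);        t[3] = aes_sbox(t0);
            rcon = (uint8_t)((rcon << 1) ^ ((rcon & 0x80) ? 0x1B : 0));
        }
        for (int j = 0; j < 4; j++) rk[i + j] = rk[i - 16 + j] ^ t[j];
    }
}

/* Volatile stores cannot be dropped as dead stores the way a plain memset()
   just before free() or return can be; explicit_bzero(), memset_s() and
   SecureZeroMemory() are the platform-specific equivalents. */
static void secure_wipe(void *p, size_t n)
{
    volatile uint8_t *v = (volatile uint8_t *)p;
    while (n--) *v++ = 0;
}

/* Hypothetical per-volume state for this example; not any real product's layout. */
typedef struct {
    uint8_t key[16];   /* master key, needed only while the volume is mounted */
    uint8_t rk[176];   /* expanded schedule: 11 round keys, every byte sensitive */
} volume_ctx;

void volume_mount(volume_ctx *ctx, const uint8_t key[16])
{
    memcpy(ctx->key, key, 16);
    aes128_expand_key(ctx->key, ctx->rk);
}

/* Unmount must erase the derived schedule too: the expansion is reversible,
   so wiping key[] alone would leave the key recoverable from rk[]. */
void volume_unmount(volume_ctx *ctx) { secure_wipe(ctx, sizeof *ctx); }

/* Defender's check: how many secret-bearing bytes are still resident. */
size_t resident_key_bytes(const volume_ctx *ctx)
{
    const uint8_t *b = (const uint8_t *)ctx;
    size_t n = 0;
    for (size_t i = 0; i < sizeof *ctx; i++) n += b[i] != 0;
    return n;
}

/* Self-check on the FIPS-197 Appendix A.1 key; returns 0 when everything holds. */
int self_check(void)
{
    static const uint8_t key[16]  = {0x2b,0x7e,0x15,0x16,0x28,0xae,0xd2,0xa6,
                                     0xab,0xf7,0x15,0x88,0x09,0xcf,0x4f,0x3c};
    static const uint8_t rk10[16] = {0xd0,0x14,0xf9,0xa8,0xc9,0xee,0x25,0x89,
                                     0xe1,0x3f,0x0c,0xc8,0xb6,0x63,0x0c,0xa6};
    volume_ctx ctx = {{0}}; int bad = 0;
    volume_mount(&ctx, key);
    if (memcmp(ctx.rk + 160, rk10, 16) != 0) bad |= 1;    /* schedule wrong */
    if (resident_key_bytes(&ctx) <= 16) bad |= 2;          /* schedule not resident */
    volume_unmount(&ctx);
    if (resident_key_bytes(&ctx) != 0) bad |= 4;           /* material survived */
    return bad;
}
```

The wipe covers the whole context in one call so the round keys cannot be forgotten; a wipe of key[] alone would pass a naive "is the key zero" check while the schedule still sits in RAM.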

There is one irony here. One Princeton Ph.D. student, Joseph Calandrino, is listed as having "performed this research while under appointment to the Department of Homeland Security." Because the technique lets police agencies bypass file-system encryption in some cases, they are the most obvious and immediate beneficiaries of this research.

As early as 1984, the FBI Laboratory began developing computer forensics hardware. And we know from the Scarfo, Forrester-Alba, and Boucher cases how intent federal police agencies are in trying to find ways to circumvent the privacy that encryption provides. If the feds didn't know about these techniques already--remember, they were years ahead of everyone else in inventing public key cryptography--today will be a very good day for Homeland Security.

Update 12:30pm: I've been asked whether encrypted swap was turned on in our test to see if they could bypass FileVault. It was. But it actually doesn't matter; remember, they're analyzing the contents of RAM, not the contents of the hard drive.

Declan McCullagh, CNET News' chief political correspondent, chronicles the intersection of politics and technology. He has covered politics, technology, and Washington, D.C., for more than a decade, which has turned him into an iconoclast and a skeptic of anyone who says, "We oughta have a new federal law against this."

Comments (34)
So after all that yada yada nonsense
by ewsachse February 21, 2008 9:26 AM PST
The key is to turn off your laptop and not leave it in sleep mode. Right?

You could have gotten to that point right away before you bored me to tears.
Not ironic
by Jim1900 February 21, 2008 9:41 AM PST
The term "ironic" is usually misused. Apparently it is a prerequisite for graduation for most English and Journalism majors. Since the Ph.D. student worked for the Department of Homeland Security, he would be expected to research ways of bypassing encryption. That is the opposite of irony.
Agree, ...but
by shineon4me February 22, 2008 5:43 PM PST
Perhaps the "hidden" irony is that a Homeland Security employee actually did something "right."
quidjabitchin
by rhsc February 21, 2008 9:53 AM PST
there is nothing wrong with being thorough
The solution exists!
by awkuhn February 21, 2008 10:05 AM PST
Seagate together with Dell, ASI Computers and NEC-Europe are shipping encryption technology where the encryption key never leaves the protected environment of the hardware based encryption hard disk. With this system there is no need to do encryption key management.

The preboot environment is totally OS independent. The solution is provided by Wave Systems Corp. Dell, ASI and NEC-Europe are bundling their notebooks with the necessary security software.
We knew this Already
by MichaelWorobec February 21, 2008 10:31 AM PST
While this may be news to the end-user, this is not news at all to anyone with a basic understanding of cryptography and computer security.

The issue raised here is best restated as something that is simply inherent to cryptography:

"Encryption is no more secure than are the decryption keys."

What is news is that the following are probably not well-communicated to or understood by users:

1. If the computer is stolen or otherwise accessed while it is still on (standby included), it is likely that the key is in memory and could be accessed. Microsoft provides convenient APIs to temporarily protect data like this, but the protection can really only be active when the key is not in use. Apple does not directly offer APIs for this kind of protection of in-memory data, although an equivalent can be made using the keychain APIs.

2. Even when off, it is possible that the key may be stored on disk as a consequence of swapping memory to disk. The developer of the technology must do certain things to prevent such swapping of critical data like this. And it is difficult to get every aspect of this correct, so even a well-intentioned attempt to prevent the storage of the key on disk may not succeed in all scenarios.

3. The encryption key is only as secure as the user's password. Passwords are extremely easy to get. To use the example given in this article, go to your local coffee shop with a small video camera, and capture video of the first few seconds of a customer's use of their laptop. You can likely derive their username and password by watching the video frame-by-frame.
Good article
by zextron February 21, 2008 10:41 AM PST
For me, as a user of truecrypt, this was a very good and informative article. Thanks.
of course you have to get my laptop first
by stlwest February 21, 2008 10:59 AM PST
yes then you'll have access to the public and private keys. One obvious solution would be to unmount secured drives or volumes when entering sleep mode and if the whole boot drive is encrypted then don't allow sleep mode. Use of a USB key to store the key where the user enters the key only when they want to access the files. Yes, stupid people could still leave their laptop sitting unlocked with the USB key inserted but an educated user could easily unplug the USB key.

Or you could store your files on an https website, hopefully that is still secure, or the software could store your key on a secured website. If the files are truly that important they really probably shouldn't be on your laptop but on some server that requires multifactor authentication and operates over an encrypted channel.

I just can't see how anyone can think it is OK to walk around with people's social security #'s and credit card info on a laptop.
Yes, but that's a Valid Assumption (tm)
by dhavleak February 21, 2008 7:14 PM PST
stlwest:

Disk encryption technologies are intended to protect your data *in the event of your laptop being stolen*. The idea is, if you encrypt the volume, the thief can no longer just put your HDD into a different machine and see all your data. So you see, physical access is a valid assumption for this attack.

And secondly, this is not about simple identity theft (SSNs etc.). Considering the sophistication of the attack, it would be used on a more targeted victim.

Think industrial espionage -- key team members with source code, marketing materials, strategy docs, merger/acquisition plans etc. on their laptops. The idea is, a competitor would actually *pay someone* to steal the laptop (professional thief) and pay someone to get the data (professional hacker).
Apple's "secure virtual memory"?
by meerkat9090 February 21, 2008 11:09 AM PST
As noted in the article, disabling booting from an external drive + a bios password is a good start for countermeasures, but it doesn't mention if Apple's "secure virtual memory" option (not on by default) would help against the search for the filevault key.
I don't think that would help
by bluemist9999 February 21, 2008 3:04 PM PST
From what it sounds like, secure virtual memory wipes the contents of the virtual memory on the hard disk.

Since this is about recovering data from regular RAM, it won't help.

If the secure virtual memory option clears RAM as well on shutdown, that might help.
It couldn't hurt
by rcrusoe February 21, 2008 3:31 PM PST
I keep things like bank records, etc. in an encrypted dmg file and have my Mac set to use "secure virtual memory". That should keep out most thieves.

Anything more sensitive than that is kept online encrypted with gpg. And my private keys are not kept on my hard drive.

If anyone wants my data they are going to have to work hard to get it. And they'll probably be very disappointed if they do break in. :)
did you read the paper?
by eprepr February 21, 2008 12:08 PM PST
obviously, you can do more with apple. how do they claim it is 'better'?

snap from the paper.
"In the process of testing FileVault, we discovered that Mac OS X 10.4 and 10.5 keep multiple copies of the user's login password in memory, where they are vulnerable to imaging attacks. Login passwords are often used to protect the default keychain, which may protect passphrases for FileVault disk images."
re: your comment
by meerkat9090 February 21, 2008 3:23 PM PST
was your comment directed at me, eprepr?

Yeah, I read the paper. The paper doesn't address Apple's "secure virtual memory" per my question, although it appears this doesn't encrypt the RAM on the fly, just that temporarily stored on the hard drive.
LaLala
by moebsghost February 21, 2008 1:28 PM PST
Give me a break... what a fluff story
True Crypt is tough to break in
by GameGuru5000 February 21, 2008 2:28 PM PST
Whoever wrote this story should do its research first. True Crypt does not store keys on memory, rather than needs a complicated password to enter.. Ha! enough said!
Duh?
by albill February 21, 2008 3:37 PM PST
Gee, where does that magic password go once you enter it into the computer and mount the truecrypt volume? RAM, perhaps?
Even the government respects PGP technology.
by Wookiee-1138 February 21, 2008 5:21 PM PST
I have friends who are taking electronic forensics, and they swear by it too.
Never trust 100%.
by Imalittleteapot February 21, 2008 9:41 PM PST
I never trust encryption too much. Even if the algorithm is good the implementation usually provides some way around that algorithm. Eventually the data has to be decrypted. At that point encryption becomes worthless. As long as you have a device that decrypts it, it can be hacked.

Perhaps a temporary fix is to overwrite the proper locations of RAM with fake keys before shutdown. I probably wouldn't just zero it out. A crazy future RAM design may optimize by setting a bit at some random location instead of actually zeroing data, or it might abstract the actual write location away from the code, or it might do something entirely unpredictable. This article shows how hardware can trick you.

Perhaps someone will start to sell "safe ram" that zeros out on power. However, anyone that has ever tried to implement an encryption routine knows it just keeps you up all night looking for solutions that eventually get worked around anyway.

That doesn't mean it's worthless protection. It would protect your data from the average laptop thief. However, if you think encrypting your data protects it from everyone, well that's actually the point of failure, not the DRAM.

If I put my tinfoil hat on, I would wonder how the Government feels about Vista Ultimate shipping with BitLocker. Don't they have a back door anyway?
Well written
by nuckelhedd February 22, 2008 6:20 AM PST
and informative. Well done, big D.
This is no big deal to fix....
by Jim Hubbard February 22, 2008 6:29 AM PST
Maybe I'm wrong, but I don't see the big deal here. OK, so data stored in RAM is vulnerable. We've known this since at least 1996.

So, don't store the keys in RAM. Store the hard drive encryption key on a flash drive that must be present and plugged in for the encryption software to be able to decrypt the hard drive.

Kensington (I think it's them) has a USB key encryption system that has 2 authentication keys needed to activate the system. The first is a password needed to enable the flash drive when it is inserted in the PC's USB port, and the second is the actual key on that drive that is used to decrypt the hard drive on-the-fly.

The first key is there in case you lose the USB key.

What if someone steals your PC while the USB key is in it (or along with your USB key)? You're screwed. There is no technology that will take the ultimate responsibility for security away from the end user, and there never will be.

The ultimate solution here is making a motherboard that flashes RAM at shutdown - if that option is selected in the BIOS.

I don't know if this is something that requires a hardware change, but I'd think that it could be accomplished with a "simple" change to the BIOS.

The only thing about changing the BIOS is that the BIOS needs enough juice to run the RAM flash instructions at shutdown - which may not be the case if there is an immediate power failure. In that case, a capacitor or larger CMOS battery would have to be used.

But, in the short term, a simple BIOS update would seem to be better than nothing at all.
re: this is no big deal to fix
by shampster February 22, 2008 1:57 PM PST
Maybe I'm wrong, but I don't see the big deal here. OK, so data stored in RAM is vulnerable. We've known this since at least 1996. So, don't store the keys in RAM.

[The keys being in memory is a requirement to be able to decrypt data off storage on the fly.]

Store the hard drive encryption key on a flash drive that must be present and plugged in for the encryption software to be able to decrypt the hard drive.

[This doesn't do anything. The key must still be loaded off the flash drive into main system memory. It still must be loaded into CPU registers which can and will still be found in various caches.]

[snip]

The ultimate solution here is making a motherboard that flashes RAM at shutdown - if that option is selected in the BIOS.

[nope. option 1: pull power leads right off the motherboard. option 2: pull DRAM chips directly off the motherboard. ]

I don't know if this is something that requires a hardware change, but I'd think that it could be accomplished with a "simple" change to the BIOS. The only thing about changing the BIOS is that the BIOS needs enough juice to run the RAM flash instructions at shutdown - which may not be the case if there is an immediate power failure. In that case, a capacitor or larger CMOS battery would have to be used.

[again - option 1: pull DRAM directly off the motherboard. option 2: disable the capacitor/battery.

Permanently affix the DRAM chips to the motherboard? No - the paper lists methods of interrogating the DRAM chips while still connected.]
doesn't help
by drfrost February 25, 2008 3:30 PM PST
You've just moved the problem from the RAM to the USB stick. If someone gets the computer in a powered up state after you've entered the password... your data is potentially compromised.

One way to fix this is with a proximity detector of some sort (they have them for pet doors, etc.) The user has a transmitter on their keyring. If they get more than 5 feet from the laptop (or push a panic button) the password is wiped, the encrypted volumes are umounted (linux command).
TrueCrypt has options about storing in RAM
by conejop February 22, 2008 9:26 AM PST
I'm using TrueCrypt 5.0a on a GNU/Linux distro and it has an option for whether you want to cache your passwords and keyfiles in memory or not.
I'm wondering, if you choose not to whether it is more secure.
More bad reporting
by Curtisko February 24, 2008 7:39 AM PST
I read this story first in the NY Times yesterday and today I see it both here and on MSNBC, and both articles have missed key points from the researchers: that if you use the advanced modes of either OS X or Vista, the attack fails.

"The Princeton researchers acknowledged that in these advanced modes, BitLocker encrypted data could not be accessed using the vulnerability they discovered."

http://curtisville.spaces.live.com/
More Disinformation
by krosavcheg February 24, 2008 11:03 AM PST
If you feel like you can be hacked, then maybe you just throw you're arms up and not encrypt your disk. Or of course, you could understand that the Stars and Moon would have to align PERFECTLY for you to be able to make this method work. Too many variables have to happen in a specific order. This is not a credible threat, at all. I am not disputing that it can work, but making Lead into Gold is possible too.

Is the Bush camp now involved in this? LOL
Physical Possession
by redhound1 February 28, 2008 12:28 PM PST
If I've got physical possession of your computer, Mac Windows Linux, doesn't matter. Eventually I will get your data. It only takes time.
by    December 11, 2008 9:48 PM PST
Rrrrreally? Even if it's off and is fully AES- or Serpent- or TwoFish-encrypted using TrueCrypt? Yeah, matter of time, if you devote 10,000,000 years to it perhaps. Spare me the BS.
by hippyspanner August 27, 2009 4:34 AM PDT
I agree that if the key cannot be recovered it may take billions of years to brute-force the system. However, it is ridiculously narrow minded to assume there will be no new techniques to break it invented within this time (at least a life-time).

It's probably a relatively short time until quantum computers can scale up to larger number of bits to process, in which case encryption that can be brute forced will be immediately redundant since a quantum machine could search the entire key space with a single 'cpu cycle' (or quantum equivalent).

Quite apart from new machines there is buzzing activity in algebraic cryptography, perhaps a newly discovered isomorphism will lead to completely breaking AES (it's much more likely this will happen than not).

Anyone who says "my data will never be decrypted by someone else in my lifetime" is poorly informed in both security and history.

Last but not least, don't forget the most popular and oldest technique to retrieve passwords, the "rubber hose" method. Beat someone with a rubber hose (or whatever else, including 'truth serums', etc.) until they eventually give you their password. So yes, even if you've used 256 AES followed by Serpent followed by Two-Fish then MARS and Triple-DES.... you will just take more of a beating and have to give more passwords and it is only a matter of short time until your data is read.
by hippyspanner August 27, 2009 4:21 AM PDT
Give the guy a break, some people just read marketing hype and don't understand risks. Although anyone who has a genuine reason to protect their data to this extent, should have an experienced security team to whom this is all old news (or they'll be owned in many other ways).

One annoying piece of mis-information is the following:

"If the feds didn't know about these techniques already--remember, they were years ahead of everyone else in inventing public key cryptography"

This is absolute rubbish, UK's GCHQ invented public key cryptography at least 10 years before 'the feds' got round to designing computer forensics hardware! USA is actually way behind UK (and probably underground) in terms of technical knowledge, only leading in super-computer use.

"In 1997, it was publicly disclosed that asymmetric key algorithms were developed by James H. Ellis, Clifford *****, and Malcolm Williamson at GCHQ in the UK in the early 1970s. The researchers independently developed Diffie-Hellman key exchange and a special case of RSA. The GCHQ cryptographers referred to the technique as "non-secret encryption" (source wikipedia)