Lest We Remember: Cold-Boot Attacks on Encryption Keys

1 Lest We Remember: Cold-Boot Attacks on Encryption Keys
Hee Seok Kim – Authors: J. Alex Halderman, Seth D. Schoen, Nadia Heninger, William Clarkson, William Paul, Joseph A. Calandrino, Ariel J. Feldman, Jacob Appelbaum, and Edward W. Felten

2 In February 2008…

3 DRAMs…

4 When DRAMs go offline…
- Data written to DRAM doesn't get wiped out immediately
- Data still resides within DRAMs for a short time: data remanence
- [Figure: Original, After 30s, After 60s, After 5min]

5 When DRAMs go offline…
- Data also fades more slowly at lower temperatures

6 When DRAMs go offline…
- Data also fades more slowly at lower temperatures
Seconds without Power Average Bit Errors No Cooling (%) -50 °C (%) 128MB SDRAM 60 41 300 50 512MB DDR 360 600 256MB DDR 120 42 512MB DDR2 40 0.025 80 0.18

7 Attack Methods
- Attack when the target reboots: no power disconnection, but defensive software might zero out memory
- Attack when the target boots after being powered off for a while: prone to a few bit errors, but memory is not zeroed out
- Attack after mounting the cold memory in another system: need to lower the temperature of the memory and physically remove it

8 Lowering Bit Error Rate
- Lower the temperature of the memory: as shown in the experiment above, data is retained longer and with a lower corruption rate
- Use the error-correcting algorithms provided: they can be used to recover DES, AES and RSA keys

9 DES Key Reconstruction
- DES encryption uses 16 round keys produced by the key schedule from a master key
- 14 of those 16 round keys contain repeated key bits
- Treat those 14 round keys as a repetition code for each bit of the original key, then correct errors accordingly
- Experiments showed a 98% chance of correctly reconstructing the original key with 50% bit error
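
The repetition-code idea on this slide, as an added example that is not from the slides or the authors' code: each key bit is decoded by maximum likelihood from its copies across the 16 round keys. The decay probabilities `d0` and `d1`, the sample key and the damage pattern are assumptions constructed for illustration.

```python
PC1 = [57,49,41,33,25,17,9,1,58,50,42,34,26,18,10,2,59,51,43,35,27,19,11,3,60,52,44,36,
       63,55,47,39,31,23,15,7,62,54,46,38,30,22,14,6,61,53,45,37,29,21,13,5,28,20,12,4]
PC2 = [14,17,11,24,1,5,3,28,15,6,21,10,23,19,12,4,26,8,16,7,27,20,13,2,
       41,52,31,37,47,55,30,40,51,45,33,48,44,49,39,56,34,53,46,42,50,36,29,32]
SHIFTS = [1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1]

def schedule_map():
    """For each round key, which PC1-ordered key bit (0..55) sits at each of its 48 positions."""
    c, d, rounds = list(range(28)), list(range(28, 56)), []
    for s in SHIFTS:
        c, d = c[s:] + c[:s], d[s:] + d[:s]          # rotate both halves left
        cd = c + d
        rounds.append([cd[p - 1] for p in PC2])
    return rounds

MAP = schedule_map()

def key_bits(key):
    """The 56 effective bits of an 8-byte DES key, in PC1 order."""
    return [(key[(p - 1) // 8] >> (7 - (p - 1) % 8)) & 1 for p in PC1]

def round_keys(key):
    bits = key_bits(key)
    return [[bits[j] for j in row] for row in MAP]

def reconstruct(observed, d0=0.5, d1=0.001):
    """Maximum-likelihood decode of every key bit from its copies in the 16 round keys.
    Assumed decay model: a stored 1 reads as 0 with probability d0, a 0 reads as 1 with d1."""
    ones, total = [0] * 56, [0] * 56
    for row, obs in zip(MAP, observed):
        for j, bit in zip(row, obs):
            total[j] += 1
            ones[j] += bit
    decoded = []
    for n1, n in zip(ones, total):
        p_one = (1 - d0) ** n1 * d0 ** (n - n1)      # likelihood if the key bit is 1
        p_zero = d1 ** n1 * (1 - d1) ** (n - n1)     # likelihood if the key bit is 0
        decoded.append(int(p_one > p_zero))
    return decoded

# Constructed sample: every odd-numbered round key has decayed to all zeros (half of the
# schedule lost) and one 0 bit in round key 2 has flipped to 1.
KEY = bytes.fromhex("133457799bbcdff1")
DECAYED = [[0] * 48 if r % 2 == 0 else list(rk) for r, rk in enumerate(round_keys(KEY))]
DECAYED[1][DECAYED[1].index(0)] = 1

if __name__ == "__main__":
    print("recovered all 56 key bits:", reconstruct(DECAYED) == key_bits(KEY))
```

Because every key bit has at least 12 copies, a single stray 1 is outvoted by the zeros around it, while a bit with several surviving 1s is decoded as 1 even when half of its copies are gone.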

10 AES Key Reconstruction
- Slice up the keys and use linearity in the key schedule
- Pick 7 bytes from the first 2 round keys, as shown in the diagram
- Guess the correct key by measuring the Hamming distance from the recovered key
- Expand the candidates using the AES key schedule, then compare the distance to the further round keys
- With 15% bit error, reconstructing the full key took less than 1 second

11 RSA Key Reconstruction
- Previous attacks on RSA that use the least significant bits are not usable, as bit errors may propagate onto those bits
- Instead, deduce and build values starting from the least significant bits
- Note that the least significant bit is known for sure to always be 1, as the primes are > 2
- With a 4% error rate, reconstruction took a median of 4.5 seconds, while a 6% error rate took minutes

12 Key Identification: AES key identification
- Consider 176 or 240 bytes as a key schedule
- For each word ( byte ) in the potential key schedule, calculate the Hamming distance between it and the value that would be produced from the surrounding bytes
- If the Hamming distance is low, consider it a real key schedule and output the key
- Iterate through all the bytes in memory
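
The identification test on this slide for the 176-byte (AES-128) case, as an added example that is not the authors' tool: every window of a memory image is scored by how many bits its words differ from what the key-schedule recurrence predicts. The threshold `max_bits`, the function names and the test image are constructed here; the same scan is a way to check that a dump of your own system no longer holds expanded keys.

```python
import hashlib

def _build_sbox():   # AES S-box: inverse in GF(2^8), then the affine transform
    rotl = lambda x, n: ((x << n) | (x >> (8 - n))) & 0xFF
    sbox, p, q = [0x63] * 256, 1, 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF      # p *= 3
        q ^= q << 1; q ^= q << 2; q ^= q << 4; q &= 0xFF           # q /= 3
        q ^= 0x09 if q & 0x80 else 0
        sbox[p] = q ^ rotl(q, 1) ^ rotl(q, 2) ^ rotl(q, 3) ^ rotl(q, 4) ^ 0x63
        if p == 1:
            return sbox

SBOX = _build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]

def next_word(prev, back4, i):
    """Word i of an AES-128 key schedule, computed from words i-1 and i-4."""
    if i % 4 == 0:   # RotWord, SubWord, then XOR the round constant into byte 0
        prev = bytes(SBOX[b] ^ c for b, c in zip(prev[1:] + prev[:1], (RCON[i // 4 - 1], 0, 0, 0)))
    return bytes(a ^ b for a, b in zip(prev, back4))

def expand_key(key):
    w = [key[i:i + 4] for i in range(0, 16, 4)]
    for i in range(4, 44):
        w.append(next_word(w[i - 1], w[i - 4], i))
    return b"".join(w)

def schedule_distance(block):
    """Bits by which the stored words differ from the words their neighbours predict."""
    w = [block[i:i + 4] for i in range(0, 176, 4)]
    return sum(bin(a ^ b).count("1") for i in range(4, 44)
               for a, b in zip(next_word(w[i - 1], w[i - 4], i), w[i]))

def find_aes128_schedules(image, max_bits=32):
    """(offset, distance, first 16 bytes) of every 176-byte window that fits the recurrence."""
    scored = ((off, schedule_distance(image[off:off + 176])) for off in range(len(image) - 175))
    return [(off, d, image[off:off + 16]) for off, d in scored if d <= max_bits]

# Constructed image: pseudo-random filler around one schedule that has 4 flipped bits.
KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")    # FIPS-197 example key
FILL = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(16))
decayed = bytearray(expand_key(KEY))
for byte, bit in ((20, 3), (58, 1), (101, 0), (135, 6)):   # flips outside the key bytes
    decayed[byte] ^= 1 << bit
IMAGE = FILL[:256] + bytes(decayed) + FILL[256:]

if __name__ == "__main__":
    print(find_aes128_schedules(IMAGE))
```

Each flipped bit here breaks three of the forty word relations, so the damaged schedule scores 12 while unrelated data scores in the hundreds. The returned 16 bytes are the stored bytes as found and may themselves contain decayed bits.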

13 Key Identification: RSA key identification
- Look for RSA private key formats
- Search memory for known fields in PKCS ( consisting of version, modulus, publicExponent, privateExponent, prime1, prime2, exponent1, exponent2, and more fields ), then locate the private key ( one can easily get the public key component if attacking a server )
- Search for the part of memory that has a structure similar to DER encoding
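
The DER structure search on this slide, as an added example that is not the authors' tool: a scanner that accepts an offset only if it parses as a SEQUENCE of nine INTEGERs with version 0 and modulus equal to prime1 times prime2. The function names and the tiny textbook-sized key in the test image are constructed for illustration; run against a dump of your own process, it shows whether a PKCS #1 private key is still resident.

```python
NAMES = ("version", "modulus", "publicExponent", "privateExponent",
         "prime1", "prime2", "exponent1", "exponent2", "coefficient")

def der_length(buf, i):
    """Decode the DER length field at buf[i]; return (length, index of the content) or None."""
    if i >= len(buf):
        return None
    if buf[i] < 0x80:                                # short form
        return buf[i], i + 1
    n = buf[i] & 0x7F                                # long form: n length bytes follow
    if not 1 <= n <= 2 or i + 1 + n > len(buf):
        return None
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def parse_rsa_private_key(buf, off):
    """Parse a PKCS #1 RSAPrivateKey (SEQUENCE of nine INTEGERs) at buf[off], or return None."""
    head = der_length(buf, off + 1) if buf[off] == 0x30 else None
    if head is None or head[0] + head[1] > len(buf):
        return None
    end, i, values = head[0] + head[1], head[1], []
    while i < end and len(values) < 9:
        field = der_length(buf, i + 1) if buf[i] == 0x02 else None
        if field is None or field[0] + field[1] > end:
            return None
        values.append(int.from_bytes(buf[field[1]:field[1] + field[0]], "big"))
        i = field[1] + field[0]
    key = dict(zip(NAMES, values))
    # Structure alone gives false hits; require version 0 and modulus == prime1 * prime2.
    if len(values) == 9 and key["version"] == 0 and key["prime1"] * key["prime2"] == key["modulus"]:
        return key
    return None

def find_rsa_private_keys(image):
    hits = ((off, parse_rsa_private_key(image, off)) for off in range(len(image)))
    return [(off, key) for off, key in hits if key]

def der_int(n):   # encoder used only to build the constructed sample
    body = n.to_bytes(n.bit_length() // 8 + 1, "big")   # leading 0x00 keeps it non-negative
    return b"\x02" + bytes([len(body)]) + body

# Constructed image: filler containing a stray 0x30, a toy key (p=61, q=53), a cut-off header.
BODY = b"".join(der_int(v) for v in (0, 3233, 17, 2753, 61, 53, 53, 49, 38))
IMAGE = bytes(range(40, 90)) + b"\x30" + bytes([len(BODY)]) + BODY + b"\x30\x82\x02\x01"

if __name__ == "__main__":
    print(find_rsa_private_keys(IMAGE))
```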

14 Attacking BitLocker
https://youtu.be/JDaicPIgn9U?t=3m
- A disk encryption feature for Windows Vista or 7
- Uses AES-CBC encryption
- Target medium: a laptop with 2GB of memory
- Need to recover the secret padding key and the CBC encryption key
- Attacked with both the reboot method and the power-off method, without any cooling
- Took 25 min to recover the keys and decrypt the entire disk

15 Attacking FileVault
- Disk encryption for Mac OS X
- User password for initialization vector
- Encrypts in AES-CBC mode
- Used an Intel-based Macintosh running Mac OS 10.4
- Need to find the secret padding key and the CBC encryption key ( the IV is only needed to decrypt the first block )

16 Proposed Mitigations
- Encrypting memory when suspending the system
- Store keys in places other than memory
- Limit booting from network or USB
- Physical defenses using something like sensors
- Encrypting in the disk controller instead of in memory

17 It was 2008… The Aftermath?
- Starting with DDR3, memory scramblers were introduced as basic protection against the cold boot attack
- Memory scramblers XOR pseudo-random numbers with the data to be written
- DDR3: the number is generated by a pseudo-random number generator from the boot time and the address to be written

18 It was 2008… The Aftermath?
- DDR3 was broken in 2016
- An attack effective on both DDR3 and DDR4 was released in 2017
- Intel SGX, by far, can provide an effective defense against the cold boot attack

19 It was 2008… The Aftermath?
- Attacking the mobile RAM
- RAM is attached to the device directly
- The device needs to be cooled down, but also needs to be kept above 0 °C; if not, both the chip and the battery will be damaged
- Fastboot the device, then attach it to a PC using USB to run a hostile program
- [Figure: Remanence Effect on Android Galaxy Nexus]

20 Recent Defenses
Encrypting outside of DRAM:
1. Cache-based: Copker – 2011, Sentry – 2015, CaSE
2. Register-based: TRESOR – 2014
3. GPU-based: PixelVault – 2014

21 Conclusion
- Remanence of RAM lasts long
- Just hibernating laptops or phones wouldn't save you
- Information in DRAM is easy to attack

22 Additional References
- Yitbarek, Salessawi Ferede, et al. "Cold Boot Attacks are Still Hot: Security Analysis of Memory Scramblers in Modern Processors." High Performance Computer Architecture (HPCA), 2017 IEEE International Symposium on. IEEE, 2017.
- Bauer, Johannes, Michael Gruhn, and Felix C. Freiling. "Lest we forget: Cold-boot attacks on scrambled DDR3 memory." Digital Investigation 16 (2016): S65-S74.
- Müller, Tilo, and Michael Spreitzenbarth. "Frost." International Conference on Applied Cryptography and Network Security. Springer, Berlin, Heidelberg, 2013.
- Müller, Tilo, Felix C. Freiling, and Andreas Dewald. "TRESOR Runs Encryption Securely Outside RAM." USENIX Security Symposium. Vol
- Guan, Le, et al. "Copker: Computing with Private Keys without RAM." NDSS
- Vasiliadis, Giorgos, et al. "Pixelvault: Using gpus for securing cryptographic operations." Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security. ACM, 2014.
- Colp, Patrick, et al. "Protecting data on smartphones and tablets from memory attacks." ACM SIGPLAN Notices (2015):
- Zhang, Ning, et al. "CaSE: Cache-assisted secure execution on ARM processors." Security and Privacy (SP), 2016 IEEE Symposium on. IEEE, 2016.

23 Q&A Thank you for listening

