Friday, February 22, 2008

Cracking disk encryption

I guess in addition to strong passwords you should also consider shutting down your computer instead of simply putting it to sleep.

A new paper (PDF) by a group of Princeton computer scientists suggests that disk encryption is vulnerable to a hack that will be hard to correct for: data about the encryption can be extracted from the machine's RAM.

[...]

With the memory contents in hand, the next step was to crack the encryption and compensate for the sporadic memory errors. Here, the researchers relied on the fact that most decryption systems store information derived from the encryption keys in memory to speed calculations.

[...]

The paper describes algorithms for recognizing and extracting AES, DES, RSA, and tweak key information from memory. The authors have also turned these on most of the common encryption methods, including TrueCrypt and dm-crypt, as well as Mac OS X's FileVault and Vista's BitLocker. Using an external USB drive, the authors were able to identify and extract the key and mount a BitLocker-encrypted volume in about 25 minutes. While wandering around the memory of an Intel Mac, they not only cracked the FileVault encryption but also stumbled onto multiple copies of the login password.
