Whole-disk Encryption not secure?

[jet042]

Saw this on the ISC today. A team of researchers at Princeton has discovered that the secret keys used to encrypt and decrypt data by most whole-disk encryption products stores the key in the system's memory (no surprise there) and that those bits of memory hold their data for up to a few minutes after the PC is turned off (BIG surprise). I haven't read the whole paper yet, but the abstract seems to imply that they were able to recover secret data from disks encrypted with a host of popular products including Vista's BitLocker and TrueCrypt.

Links:
ISC Diary
Paper
Project home page

 

[2ffat]

Here are step by step instructions on how ZDNet did it on an Apple.





James P. Cottingham
-----------------------------------------
[sup]I'm number 1,229!
I'm number 1,229![/sup]

 

[lhuegele]

Everyone acted so suprised at this news and that's the only thing that suprised me.

Nothing in I.T. is 100% secure or hack-proof. If you have enough knowledge and determination, you can get around anything.

 

[chiph]

If an attacker has physical access to the computer, you can assume it's been compromised.

Chip H.


____________________________________________________________________
If you want to get the best response to a question, please read FAQ222-2244 first

 

[tjbradford]

where else would it store the key! (unless you have a usb key)

there has to be something that decrypts the data on the fly as its accessed a username + password will create the key and then leave it there until you power off the machine , if your close enough to have access to it after a few minutes and have the tools required to get the memory out of it and into a device where it can have the key extracted then your the invisible man "with an invisible tool kit"

thinking about it if you were then you could just watch them type the password theres no need for an invisible toolkit that was silly of me ............................

 

[jet042]

I think the recent commenters have missed a key part of this research. The ability to recover anything from the volatile memory of a machine after power has been removed from the device flies in the face of 50+ years of understanding about how computers work.

That the technology is not secure isn't surprising, that this attack vector even exists is. If this was obvious (in anything but hind-sight), Princeton wouldn't have been funding the research.

 

[lhuegele]

I don't see where anyone said this was "obvious".....just NOT suprising....

Systems are so complex that it's not "suprising" that someone would find a vulnerability of this nature.

 

[Salem]

Relying on manufacturers isn't any better either.
This somewhat older link tells more.

http://www.schneier.com/blog/archives/2004/10/the_doghouse_le.html

--
If you dance barefoot on the broken glass of undefined behaviour, you've got to expect the occasional cut.

 

[LawnBoy]

But what is surprising is the physics involved. DRAM must be refreshed to maintain it's state. It's a big hassle (compared to SRAM) that complicates the circuitry and creates timing issues that can be just awful to design around.

So if DRAM can be read after not being refreshed in waaaaay too long, why bother refreshing it at all? This would simplify motherboards significantly; reducing parts count, power requirements, heat dissipation...

I suspect that latches on the chips are being read, rather than the RAM itself. Not that it matters.

But yes, I am surprised at this.

"We must fall back upon the old axiom that when all other contingencies fail, whatever remains, however improbable, must be the truth." - Sherlock Holmes