February 21, 2008

Disk encryption subverted by memory remanence

Ed Felten and others report[1] that because DRAM retains information even after power is unavailable for refresh it is possible to capture encryption keys and other information by cold-rebooting. Each DRAM cell is essentially a capacitor which encodes a single bit through either being charged or not. Charge slowly leaks away without a refresh and more modern memory (c. 2006) decays more rapidly than older memory (c.1999). The full details are published[2] and evaluation is conducted of the success of such attacks on TrueCrypt, dm-crypt, FileVault and BitLocker. The effectiveness of the attack is correlated negatively with temperature. Amusingly using TPM with BitLocker makes it less secure. Less amusingly it appears to be relatively easy to defeat these AES-based systems. Suggestions for minimizing the success of this type of attack focus on avoiding storing the keys and making it difficult to network-boot or otherwise remotely access the machines — some of the attack methods involved PXE booting of minimal kernels.

1. http://www.freedom-to-tinker.com/?p=1257

2.  http://citp.princeton.edu/pub/coldboot.pdf