| Submit your comments on this article |
| Science |
| Researchers: Disk Encryption Not Secure |
| 2008-02-22 |
| The five minute video at the link is way more informative than this article. Researchers with Princeton University and the Electronic Frontier Foundation have found a flaw that renders disk encryption systems useless if an intruder has physical access to your computer -- say in the case of a stolen laptop or when a computer is left unattended on a desktop in sleep mode or while displaying a password prompt screen. The attack takes only a few minutes to conduct and uses the disk encryption key that's stored in the computer's RAM. The attack works because content as well as encryption keys stored in RAM linger in the system, even after the machine is powered off, enabling an attacker to use the key to collect any content still in RAM after reapplying power to the machine. "We've broken disk encryption products in exactly the case when they seem to be most important these days: laptops that contain sensitive corporate data or personal information about business customers," said J. Alex Halderman, one of the researchers, in a press release. "Unlike many security problems, this isn't a minor flaw; it is a fundamental limitation in the way these systems were designed." The researchers successfully performed the attack on several disk encryption systems -- Apple's FileVault, Microsoft's BitLocker, as well as TrueCrypt and dm-crypt -- but said they have no reason to believe it won't work on other disk encryption systems as well, since they all share similar architectures. They released a paper about their work as well as a video demonstration of the attack (below). |
| Posted by:gorb |
| #5 Nope. They are talking about grabbing it out of warm RAM in a coldstart. That yields the keys. Meaning you pwn the disk after that. |
| Posted by: OldSpook 2008-02-22 22:26 |
| #4 Wouldn't a temp file dump and over-wright before going into standby or hibernate cure the problem for the cost of adding a few lines of code to the machine? |
| Posted by: bigjim-ky 2008-02-22 18:26 |
| #3 Watched the video -- it would be a concern were I trying to protect state secrets from James Bond. I'd be just as happy if idiot Connecticut state workers would simply encrypt my tax form on their laptop when they decide to leave it at a local tavern. In Connecticut this has happened twice in one friggin' year, and nothing has happened -- no firings no recriminations... I know I am ranting, but this is the right burg, no? |
| Posted by: regular joe 2008-02-22 18:08 |
| #2 Um... duh. Any system can be cracked, therefore is not "secure". The only "secure" computer is one that is turned off, encased in concrete, buried 1000 feet in the earth and guarded by a heavy armored division and patriot missiles. Even smart cards have risks, since they are used by people. The whole idea of the concept is to make it so difficult to breach a system is that it makes 99% of the potential attackers not worth trying or the risks are much greater than the reward. That way you can keep the other 1%, which is usually foreign agents, under constant scrutiny. |
| Posted by: DarthVader 2008-02-22 09:53 |
| #1 Folks this has ALWAYS been the weak point of any system - if it has to be loaded to and kept in RAM, then its vulnerable. However, there are differently designed systems out there which use a hardware key and circuit (think smart card) through which all the decryption is done, thus the key only exists in the card, and is only present when the hardware is attached. The method in this article cannot break a system that works that way. If you have a DirecTV, then you have such a system. I know people on the cryptosystem implementation team back in 92-3 (don't ask), and Adi Shamir, the 'S' in RSA, did the cryptosystem, which uses hardware for private key. Irish hackers resorted to using a scanning electron microscope to do key recovery on the initial wave of smart cards. |
| Posted by: OldSpook 2008-02-22 08:50 |