Am Fri, 23 May 2008 07:57:11 -0700 (PDT) schrieb Phil <philtickle200@xxxxxxxxx>: > To clarify: My understanding of key scrubbing in > loop-aes is it is designed to prevent burn in as > described in the Guttmann paper, which has not yet > been shown to be a practical threat at any rate. > Unlike the so-called "cold boot" attack, which can be > defeated if keys in memory are overwritten after use. Yes, the authors also clearify this point at http://citp.princeton.edu/memory/faq/ -- Q. Isn’t this the same as burn-in effects noticed by Gutmann? Can’t encryption programs rotate keys to get around this? A. Gutmann notes that data written to RAM for extended periods may become “burned in,” allowing it to be easily recovered later. We describe a different effect: data written even momentarily to RAM persists for a non-trivial period of time. We exclusively rely on the latter effect to recover data. This allows us to recover keys even if, following Gutmann’s advice, those keys are stored only briefly at any single location within RAM. -- And there is even a section about loop-AES in their paper (§ 7.5) http://citp.princeton.edu/pub/coldboot.pdf -- [...] Loop-AES attempts to guard against the long-term memory burn-in effects described by Gutmann [25] and others. For each of the 65 AES keys, it maintains two copies of the key schedule in memory, one normal copy and one with each bit inverted. It periodically swaps these copies, ensuring that every memory cell stores a 0 bit for as much time as it stores a 1 bit. Not only does this fail to prevent the memory remanence attacks that we describe here, but it also makes it easier to identify which keys belong to Loop-AES and to recover the keys in the presense of memory errors [...] -- so keyscrubbing can even help the attackers ;) - Linux-crypto: cryptography in and on the Linux system Archive: http://mail.nl.linux.org/linux-crypto/
