On Mon, Jun 30, 2008 at 06:08:54PM -0700, Chris wrote:
> I realize these attacks are showy, I was just being overprotective. As
> an exercise, would it be possible to just use a register.

Yes, but difficult.

> I guess the
> register will get swapped out to memory anyways... Are there no CPU
> registers available to the kernel that don't get swapped?

It depends. The kernel and compiler can actually do with a lot fewer
registers than a current CPU has. In fact some registers may never be
used on certain architectures. You could then store the encryption key
in them. However you lose some desirable properties by that (in addition
to this being very invasive, if actually no register is free). One is
that you can only store one or a small number of keys. In addition, the
actual key-setup is a lot larger than the key, and it has to be created
in order for the cipher to be used. So at times you will have the key in
main memory. You can remove it from that again.

However if that is acceptable, you can do the following thing: It is
possible to blow up the key using something called an "all or nothing
transform". With this you can, e.g., distribute a 128 bit key (secure
today for symmetric crypto) over, say, 128kB of memory. If this memory
loses a certain number of bits, the key is irretrievable. Then you only
retrieve the key when you do crypto operations and wipe it immediately
afterwards, keeping only the large form. (This is not done because a) it
is complicated b) it is possibly overly paranoid c) it is a lot of
effort).

Just to give you an idea on how such a transform could look, consider
the following: partition your 128kB into 1024 words of 128 bits each.
Fill all of them with cryptographically strong randomness, except one.
Build the xor (bitwise) of all words and your key and put that in the
last word. Key recovery is easy: Just xor all words together.

However, if on power loss, bits in 64 different positions lose state,
distributed over the 1024 words (and only 1 or only 0 bits will lose
state, not both), the xor-sum will have no relation anymore to the key.
It is obvious that you do not need a lot of lost bits (but more than 64,
since those are 64 positions where one or more bits need to lose state)
for this condition to be met. More bits do not make it better ("no
relation" is already maximal), but also do not make it worse. Scale up
the memory size for better results or use more sophisticated
transformations.

> Oh well. I
> was not really worried about an attack, but just curious.

Very good. I advise taking a crypto course. Interesting stuff if taught
well. I can also highly recommend Schneier's "Applied Cryptography" and
"Practical Cryptography". The latter covers very concrete implementation
issues, the former is a bit more on the theoretical side. Both are worth
having and reading.

> Thanks for the input.

No problem.

Arno

> -Chris Miceli
>
> Arno Wagner wrote:
> >On Mon, Jun 30, 2008 at 08:54:27AM -0700, Chris wrote:
> >
> >>Hello,
> >>My name is Chris Miceli, and I was recently exposed to a video
> >>describing an attack relying on persistent memory
> >>(http://news.cnet.com/8301-13578_3-9876060-38.html). I was wondering
> >>if dm-crypt has any methods to help protect against this attack. My
> >>friend and I are very curious about security techniques and had some
> >>input that I was wondering about. Since the encryption key is
> >>frequently used (every read and write), it should be stored in the CPU
> >>cache. Would there be a way to not keep the key in memory but only in
> >>cache, like a TPM.
> >>
> >
> >No. The cache is hidden and cannot be administrated or used
> >for any specific purpose or instead of main memory.
> >
> >
> >>Is this medium of storage any less vulnerable to these
> >>attacks? I realize this sacrifices cache space, but the key is
> >>probably there anyways. What do you think?
> >>
> >
> >These attacks are showy, but not very relevant. If somebody steals
> >your PC, they will either keep it running, and hence do not need this
> >attack, just some other attack against OS and hardware. Or they will
> >switch the machine off for an extended period of time. The only real
> >thing you could do is to use a secure microcontroller for all the
> >encryption (think motion detector and termite). A TPM has not enough
> >power to do encryption.
> >
> >Arno
> >
> >
>
> ---------------------------------------------------------------------
> dm-crypt mailing list - http://www.saout.de/misc/dm-crypt/
> To unsubscribe, e-mail: dm-crypt-unsubscribe@xxxxxxxx
> For additional commands, e-mail: dm-crypt-help@xxxxxxxx

-- 
Arno Wagner, Dipl. Inform., CISSP --- Email: arno@xxxxxxxxxxx
GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans
If it's in the news, don't worry about it. The very definition of "news"
is "something that hardly ever happens." -- Bruce Schneier