![Page 1: Recovering cryptographic keys with the cold boot attack](https://reader034.vdocuments.mx/reader034/viewer/2022051506/589708211a28ab24138be776/html5/thumbnails/1.jpg)
Recovering cryptographic keyswith the cold boot attack
Nadia Heninger
Princeton University
February 15, 2010
![Page 2: Recovering cryptographic keys with the cold boot attack](https://reader034.vdocuments.mx/reader034/viewer/2022051506/589708211a28ab24138be776/html5/thumbnails/2.jpg)
Joint work with...
“Lest We Remember: Cold Boot Attacks on Encryption Keys”
with J. Alex Halderman, Seth D. Schoen, William Clarkson,William Paul, Joseph A. Calandrino, Ariel J. Feldman, Rick Astley,Jacob Appelbaum, and Edward W. Felten
henceforth known as [HSHCPCFAF 08]
“Reconstructing RSA Private Keys from Random Key Bits”
with Hovav Shacham
![Page 3: Recovering cryptographic keys with the cold boot attack](https://reader034.vdocuments.mx/reader034/viewer/2022051506/589708211a28ab24138be776/html5/thumbnails/3.jpg)
Part 1: DRAM Remanence
![Page 4: Recovering cryptographic keys with the cold boot attack](https://reader034.vdocuments.mx/reader034/viewer/2022051506/589708211a28ab24138be776/html5/thumbnails/4.jpg)
The Persistence of Memory: Why?DRAM is an array of tiny capacitors.
To write a bit, the capacitor is charged.
When power is on, the state is refreshed every 10 µs.
Without power, they discharge to a ground state.
!"#$%&'()*++$,-'&./+0
12'2)324"+)25,.+')&/+'2/'2/".$+5()6&'7.$')%"3%"+7
*/()%"+&4$25)42'2)&+)4&33&#$5')'.)%"#.8"%
9
1(/2,&#):*;)<.52'&5&'(
=
>%&'")?=@
=
1:*;)A"55
BA2-2#&'.%C
9
:"3%"+7
B:"24)2/4)%"6%&'"C
:"3%"+7)D/'"%825)E)FG),+
>72')&3)6")4./H')%"3%"+7IBut this process takes seconds to minutes.
![Page 5: Recovering cryptographic keys with the cold boot attack](https://reader034.vdocuments.mx/reader034/viewer/2022051506/589708211a28ab24138be776/html5/thumbnails/5.jpg)
DRAM Decay Rates
0 2 4 6 8 100
5
10
15
20
25
30
35
40
45
50
55
Seconds Without Power
% D
ecay
B DataB FitD DataD FitE DataE FitF DataF Fit
![Page 6: Recovering cryptographic keys with the cold boot attack](https://reader034.vdocuments.mx/reader034/viewer/2022051506/589708211a28ab24138be776/html5/thumbnails/6.jpg)
The Persistence of Memory
5s. 30s. 1m. 5m.
![Page 7: Recovering cryptographic keys with the cold boot attack](https://reader034.vdocuments.mx/reader034/viewer/2022051506/589708211a28ab24138be776/html5/thumbnails/7.jpg)
Capturing Residual Data
Residual data can be captured easily, with nospecial equipment
Delivering the Attack!"#$%"&$'()*+"),**-./
Complication
Booting a full OS overwrites large areas of RAM.
SolutionBoot a small low-level program to dump contents of memory.
Implementations
PXE Dump (9 KB)
Delivering the Attack!"#$%"&$'()*+"),**-./
EFI Dump (10 KB)Delivering the Attack
!"#$%"&$'()*+"),**-./USB Dump (22 KB)
Delivering the Attack!"#$%"&$'()*+"),**-./
![Page 8: Recovering cryptographic keys with the cold boot attack](https://reader034.vdocuments.mx/reader034/viewer/2022051506/589708211a28ab24138be776/html5/thumbnails/8.jpg)
Follow-up work
“BootJacker: Compromising Computers using Forced Restarts”
[Chan et al. 08]
Uses memory remanence across reboots to completely revive anexisting system, including:
I SSH connections
I SSL sessions
I VPN sessions
I encrypted hard disks
For a good time, press Alt-SysRq-B
![Page 9: Recovering cryptographic keys with the cold boot attack](https://reader034.vdocuments.mx/reader034/viewer/2022051506/589708211a28ab24138be776/html5/thumbnails/9.jpg)
Slowing Decay by Cooling
-50℃ 0.0001 % to 0.2% decay after 1-5 min.
![Page 10: Recovering cryptographic keys with the cold boot attack](https://reader034.vdocuments.mx/reader034/viewer/2022051506/589708211a28ab24138be776/html5/thumbnails/10.jpg)
![Page 11: Recovering cryptographic keys with the cold boot attack](https://reader034.vdocuments.mx/reader034/viewer/2022051506/589708211a28ab24138be776/html5/thumbnails/11.jpg)
!"#$%&''(#)
*+,-.&/01203%405)'6#$
7%89+:;%3#<=>%=?5#)%!"#$%&
!"#$%&'&(()*+$,%$-*)'#,'&
Even cooler
Liquid Nitrogen -196℃
< 0.1% decay after 1 hour
(not necessary in practice)
![Page 12: Recovering cryptographic keys with the cold boot attack](https://reader034.vdocuments.mx/reader034/viewer/2022051506/589708211a28ab24138be776/html5/thumbnails/12.jpg)
Countermeasures: Encrypt Memory During Sleep
When entering screen-lock/hibernate/sleep:
I Encrypt RAM with user’s password
When awakened:
I Require user’s password to decrypt RAM
!"#$%&'()*+,$%(-.$/"0(12**&
34*"(*"'*$/"0(5#$**"62,#784/9*$":'*852**&;
! !"#$%&'(<=)(>/'4(.5*$?5(&:55>,$@
34*"(:>:7*"*@;
! <*A./$*(.5*$?5(&:55>,$@(',(@*#$%&'(<=)
)/",$(9*4:B/,$:2(#4:"0*5
CDDDEF
Zzzz...
![Page 13: Recovering cryptographic keys with the cold boot attack](https://reader034.vdocuments.mx/reader034/viewer/2022051506/589708211a28ab24138be776/html5/thumbnails/13.jpg)
Countermeasures: Encrypted Memory
Memory encrypted with key
I Randomly chosen at boot
On cache read/write
I Data encrypted/decrypted when written/read
CPU reset clears key
!"#$%&'()*+,$%(-.$/"0(12**&
34*"(*"'*$/"0(5#$**"62,#784/9*$":'*852**&;
! !"#$%&'(<=)(>/'4(.5*$?5(&:55>,$@
34*"(:>:7*"*@;
! <*A./$*(.5*$?5(&:55>,$@(',(@*#$%&'(<=)
)/",$(9*4:B/,$:2(#4:"0*5
CDDDEF
![Page 14: Recovering cryptographic keys with the cold boot attack](https://reader034.vdocuments.mx/reader034/viewer/2022051506/589708211a28ab24138be776/html5/thumbnails/14.jpg)
Countermeasures: TPM?
Current TPMs may help attacker
Windows BitLocker in Basic Mode
I On boot, OS loads key from TPM into RAM(No password)
I Vulnerable to cold-boot attack(Even if completely off)
Future TPMs may help
I Need bulk encryption
!"#$
%&''()*+!"#,+-./+0(12+.**.34('
56)789,+:6*;834('+6)+:.,63+#87(
! <)+=88*>+<?+18.7,+4(/+@'8-+!"#+6)*8+AB#
CD8+".,,98'7E
! F&1)('.=1(+*8+3817G=88*+.**.34
CHI()+6@+38-21(*(1/+8@@E
J&*&'(+!"#,+-./+0(12
! D((7+=&14+()3'/2*68)
![Page 15: Recovering cryptographic keys with the cold boot attack](https://reader034.vdocuments.mx/reader034/viewer/2022051506/589708211a28ab24138be776/html5/thumbnails/15.jpg)
Thoughts
In reality, you cannot expect decay.
From a theoretical perspective, hardware countermeasures movethe vulnerability around.
Can software encryption be saved?
![Page 16: Recovering cryptographic keys with the cold boot attack](https://reader034.vdocuments.mx/reader034/viewer/2022051506/589708211a28ab24138be776/html5/thumbnails/16.jpg)
Part 2: Finding Cryptographic Keys
![Page 17: Recovering cryptographic keys with the cold boot attack](https://reader034.vdocuments.mx/reader034/viewer/2022051506/589708211a28ab24138be776/html5/thumbnails/17.jpg)
Looking for cryptographic keys
“Playing ’hide and seek’ with stored keys”[Shamir, van Someren 99]
![Page 18: Recovering cryptographic keys with the cold boot attack](https://reader034.vdocuments.mx/reader034/viewer/2022051506/589708211a28ab24138be776/html5/thumbnails/18.jpg)
The reality of the entropy approach
![Page 19: Recovering cryptographic keys with the cold boot attack](https://reader034.vdocuments.mx/reader034/viewer/2022051506/589708211a28ab24138be776/html5/thumbnails/19.jpg)
Finding Keys: Use the structure of the key data.
AES implementations typically precompute a sequence of roundkeys from the single 128 or 256-bit key.
Round Key 1
Round Key 2
Core
...
Generation of the 128-bit AES key schedule.
![Page 20: Recovering cryptographic keys with the cold boot attack](https://reader034.vdocuments.mx/reader034/viewer/2022051506/589708211a28ab24138be776/html5/thumbnails/20.jpg)
Identifying AES keys in memory
Every encryption program we looked at computed and stored thekey schedules in exactly the same way.
![Page 21: Recovering cryptographic keys with the cold boot attack](https://reader034.vdocuments.mx/reader034/viewer/2022051506/589708211a28ab24138be776/html5/thumbnails/21.jpg)
Identifying AES keys in memory
To identify an AES key schedule in memory, scan for a block ofmemory that has the properties of a key schedule.
![Page 22: Recovering cryptographic keys with the cold boot attack](https://reader034.vdocuments.mx/reader034/viewer/2022051506/589708211a28ab24138be776/html5/thumbnails/22.jpg)
Identifying AES keys in memory
To identify an AES key schedule in memory, scan for a block ofmemory that has the properties of a key schedule.
![Page 23: Recovering cryptographic keys with the cold boot attack](https://reader034.vdocuments.mx/reader034/viewer/2022051506/589708211a28ab24138be776/html5/thumbnails/23.jpg)
Identifying AES keys in memory
To identify an AES key schedule in memory, scan for a block ofmemory that has the properties of a key schedule.
![Page 24: Recovering cryptographic keys with the cold boot attack](https://reader034.vdocuments.mx/reader034/viewer/2022051506/589708211a28ab24138be776/html5/thumbnails/24.jpg)
Identifying AES keys in memory
To identify an AES key schedule in memory, scan for a block ofmemory that has the properties of a key schedule.
![Page 25: Recovering cryptographic keys with the cold boot attack](https://reader034.vdocuments.mx/reader034/viewer/2022051506/589708211a28ab24138be776/html5/thumbnails/25.jpg)
How to identify RSA keys in memory?
Try multiplying blocks of memory together?
Try decrypting with every block of memory?
![Page 26: Recovering cryptographic keys with the cold boot attack](https://reader034.vdocuments.mx/reader034/viewer/2022051506/589708211a28ab24138be776/html5/thumbnails/26.jpg)
PKCS #1: RSA Cryptography Standard
RSAPublicKey ::= SEQUENCE {modulus INTEGER, -- npublicExponent INTEGER -- e
}
RSAPrivateKey ::= SEQUENCE {version Version,modulus INTEGER, -- npublicExponent INTEGER, -- eprivateExponent INTEGER, -- dprime1 INTEGER, -- pprime2 INTEGER, -- qexponent1 INTEGER, -- d mod (p-1)exponent2 INTEGER, -- d mod (q-1)coefficient INTEGER, -- (inverse of q) mod potherPrimeInfos OtherPrimeInfos OPTIONAL
}
![Page 27: Recovering cryptographic keys with the cold boot attack](https://reader034.vdocuments.mx/reader034/viewer/2022051506/589708211a28ab24138be776/html5/thumbnails/27.jpg)
PKCS #1: BER-encoding(From a computer running Apache with OpenSSL.)
3082 02 5d
0201
00
0281 81
00 99 63 66 d5 . . .
0203
01 00 01
0281 80
6e 77 ef 54 a7 . . .. . .
SEQUENCElength: 605 bytes
INTEGERlength: 1 byte
(version)
INTEGERlength: 129 bytes
(n)
INTEGERlength: 3 bytes
(e)
INTEGERlength: 128 bytes
(d). . .
![Page 28: Recovering cryptographic keys with the cold boot attack](https://reader034.vdocuments.mx/reader034/viewer/2022051506/589708211a28ab24138be776/html5/thumbnails/28.jpg)
Countermeasures: Avoid Standardization andPrecomputation
Don’t store entire key schedules or data structures in memory
I Hurts performance.
XOR key with regions of memory filled with random bits
I Can slow an attacker to some extent.
Tradeoff between security and speed
I Encryption software still needs to efficiently use key.
I Computer still needs to use RAM.
![Page 29: Recovering cryptographic keys with the cold boot attack](https://reader034.vdocuments.mx/reader034/viewer/2022051506/589708211a28ab24138be776/html5/thumbnails/29.jpg)
A sad tale of countermeasures: Loop-AES
Loop-AES has elaborate countermeasures against “burn-in”
I Stores 65 different key schedules together with inverted copies
I Key schedules are periodically swapped
In the case of the cold-boot attack, this simplifies finding keys, and
makes it easy to identify exactly which keys belong to Loop-AES.
![Page 30: Recovering cryptographic keys with the cold boot attack](https://reader034.vdocuments.mx/reader034/viewer/2022051506/589708211a28ab24138be776/html5/thumbnails/30.jpg)
Part 3: Recovering from bit errors
![Page 31: Recovering cryptographic keys with the cold boot attack](https://reader034.vdocuments.mx/reader034/viewer/2022051506/589708211a28ab24138be776/html5/thumbnails/31.jpg)
![Page 32: Recovering cryptographic keys with the cold boot attack](https://reader034.vdocuments.mx/reader034/viewer/2022051506/589708211a28ab24138be776/html5/thumbnails/32.jpg)
Problem Statement: unidirectional decay
Remove all but a δ-fraction of the bits, chosenat random, from a (private) encryption key.
(Flip a coin at each bit of the key. Withprobability δ, the attacker gets to see the bit’svalue.)
How to efficiently reconstruct the key?
![Page 33: Recovering cryptographic keys with the cold boot attack](https://reader034.vdocuments.mx/reader034/viewer/2022051506/589708211a28ab24138be776/html5/thumbnails/33.jpg)
Correcting Errors in Cryptographic Keys: AES
Use the structure of redundant key data to correct errors.
Round Key 1
Round Key 2
Core
Can retrieve an AES key from 30% of a key schedule in seconds.
[HSHCPCFAF 08],“An Improved Recovery Algorithm for Decayed AES Key ScheduleImages” [Tsow 09]
![Page 34: Recovering cryptographic keys with the cold boot attack](https://reader034.vdocuments.mx/reader034/viewer/2022051506/589708211a28ab24138be776/html5/thumbnails/34.jpg)
Correcting Errors in Cryptographic Keys: RSA
Use the structure of redundant key data to correct errors.
pq = N
ed = 1 (mod (p − 1)(q − 1))
edp = 1 (mod p − 1)
edq = 1 (mod q − 1)
Can retrieve an RSA key from 27% of key data in seconds.
![Page 35: Recovering cryptographic keys with the cold boot attack](https://reader034.vdocuments.mx/reader034/viewer/2022051506/589708211a28ab24138be776/html5/thumbnails/35.jpg)
Step # 1: Relate key values
We can write down the relationships between redundant keyinformation as equations.
pq = N (1)
ed = 1 (mod (p − 1)(q − 1)) (2)
edp = 1 (mod p − 1) (3)
edq = 1 (mod q − 1) (4)
(upper half of bits of d)
k =e d − 1
N + 1(trick from [Boneh, Durfee, Frankel 98])
g2 − [k(N − 1) + 1]g − k ≡ 0 (mod e)
![Page 36: Recovering cryptographic keys with the cold boot attack](https://reader034.vdocuments.mx/reader034/viewer/2022051506/589708211a28ab24138be776/html5/thumbnails/36.jpg)
Step # 1: Relate key values over the integers
We can write down the relationships between redundant keyinformation as equations over the integers.
pq = N (1)
ed + k(p + q) = 1 + k(N − 1) (2)
edp − g(p − 1) = 1 (3)
edq − h(q − 1) = 1 (4)
(upper half of bits of d)
k =e d − 1
N + 1(trick from [Boneh, Durfee, Frankel 98])
g2 − [k(N − 1) + 1]g − k ≡ 0 (mod e)
![Page 37: Recovering cryptographic keys with the cold boot attack](https://reader034.vdocuments.mx/reader034/viewer/2022051506/589708211a28ab24138be776/html5/thumbnails/37.jpg)
Step #2: Solve our equations iteratively
Generate a tree of partial solutions, starting at bit 0.
What’s a tree node?
A simultaneous assignment of bits[0 . . . i ] of p, q, d , dp, dq.
It’s easy to lift a solution mod 2i to allequivalent solutions mod 2i+1.
How much branching at each level?
32? No, 4 equations for 5 unknowns.
2? No, we can prune a solution when itconflicts with our known bits.
10. . .
10. . .10. . . 1X
100. . .101. . .
![Page 38: Recovering cryptographic keys with the cold boot attack](https://reader034.vdocuments.mx/reader034/viewer/2022051506/589708211a28ab24138be776/html5/thumbnails/38.jpg)
Results for different key redundancy
If the attacker has ... then recoverypartial knowledge of... is efficient for...
d , p, q, dp, dq δ > 2− 245 ≈ .2589
d , p, q δ > 2− 234 ≈ .4126
p, q δ > 2− 212 ≈ .5859
p Open problem
fraction of key bits known.
![Page 39: Recovering cryptographic keys with the cold boot attack](https://reader034.vdocuments.mx/reader034/viewer/2022051506/589708211a28ab24138be776/html5/thumbnails/39.jpg)
Experimental validation of analysisTotal number of solutions generated vs. fraction of known bits δ
0.24 0.25 0.26 0.27 0.28 0.29 0.3 0.31 0.32 0.34 0.36 0.38 0.4
010
000
2000
030
000
4000
050
000
6000
070
000
delta
len
Tot
aln
um
ber
ofso
luti
ons
gen
erat
ed
Fraction of known key bits δ
< 1 second to run!
(More than 1 million experiments.)
![Page 40: Recovering cryptographic keys with the cold boot attack](https://reader034.vdocuments.mx/reader034/viewer/2022051506/589708211a28ab24138be776/html5/thumbnails/40.jpg)
Problem Statement: bidirectional decay
Provide an error-filled (private) encryption key.
With probability δi , the attacker sees thecorrect value.
10. . .
10. . .10. . . 1
100. . .101. . .
δ0 1− δ0
δ1 1− δ1
Extension of previous algorithm:
Do maximum-likelihood search over tree.
![Page 41: Recovering cryptographic keys with the cold boot attack](https://reader034.vdocuments.mx/reader034/viewer/2022051506/589708211a28ab24138be776/html5/thumbnails/41.jpg)
Countermeasures: Cryptography against memory attacks
Model: Adversary chooses lossy function of secret key
“Simultaneous hardcore bits and cryptography against memoryattacks.” [Akavia, Goldwasser, Vaikuntanathan]
I Tool: Lattice-based cryptography
I Resilient to leakage of N(1− o(1)) bits.
“Public-key cryptosystems resilient to key leakage.” [Segev, Naor]
I Tool: DDH, hash proof systems
I Resilient to leakage of N(1− o(1)) bits.
![Page 42: Recovering cryptographic keys with the cold boot attack](https://reader034.vdocuments.mx/reader034/viewer/2022051506/589708211a28ab24138be776/html5/thumbnails/42.jpg)
Questions
What makes some key reconstruction problems hard and otherseasy?
For RSA/factoring:
Lattice approaches: Redundancy:
Large blocks ofcontiguous bits,no redundancy.
[Coppersmith 96],[Boneh, Durfee, Frankel 98],[Blomer and May 03],
[Herrmann and May 08]
Non-contiguousbits, redundancy.
[H., Shacham]
What about Diffie-Hellman/discrete log?
![Page 43: Recovering cryptographic keys with the cold boot attack](https://reader034.vdocuments.mx/reader034/viewer/2022051506/589708211a28ab24138be776/html5/thumbnails/43.jpg)
Part 4: Putting it all together.
![Page 44: Recovering cryptographic keys with the cold boot attack](https://reader034.vdocuments.mx/reader034/viewer/2022051506/589708211a28ab24138be776/html5/thumbnails/44.jpg)
Attacking disk encryption systems
1. Cut the power to the computer.
2. Reboot into a small memory extracting program.
3. Dump the data from RAM to a device of your choosing.
4. Find keys, fix any errors, decrypt hard drive.
Works against:
and others...Microsoft BitLocker Apple Filevault TrueCrypt Loop-AES dm-crypt
![Page 45: Recovering cryptographic keys with the cold boot attack](https://reader034.vdocuments.mx/reader034/viewer/2022051506/589708211a28ab24138be776/html5/thumbnails/45.jpg)
”BitLocker, meet BitUnLocker.”!"#$%&'()*+,-))$,"#$!".&'()*/
0)1&23$*4$#&2,&5,56..7,46$&14$)8,4$$4'(9,
:&22)'$,;<",8*#=)+,*)>&&$+,428,>*&?3),5#.)3Demonstration of fully automated attack:Connect USB drive, reboot, and browse files
![Page 46: Recovering cryptographic keys with the cold boot attack](https://reader034.vdocuments.mx/reader034/viewer/2022051506/589708211a28ab24138be776/html5/thumbnails/46.jpg)
For video, paper, and source code, visit:
citp.princeton.edu/memory
![Page 47: Recovering cryptographic keys with the cold boot attack](https://reader034.vdocuments.mx/reader034/viewer/2022051506/589708211a28ab24138be776/html5/thumbnails/47.jpg)