Disk encryption made secure by amnesia
Written by Alex Armstrong   
Sunday, 01 May 2011

Amnesia - losing your memory - is an unlikely way to ensure that you don't lose your data but it's the method suggested for fixing the Cold Boot Attack that currently renders all disk encryption useless.

 

You might not have realized that disk encryption has a flaw that makes it possible for anyone with a small amount of technical ability to read the data - the Cold Boot Attack. The reason for the vulnerability is the way the keys are stored to deliver high speed encryption. Now Patrick Simmons at University of Illinois at Urbana-Champaign has a solution that could make disk encryption secure once again - amnesia.

Disk encryption is specifically intended to keep data safe when attackers have access to the physical machine. It is the perfect security for laptops and mobile devices because if they are physically lost or stolen then without the encryption key the data are worthless to anyone attempting to break in - no matter how long they have to do the job. You can make the encryption secure as you like by increasing the key length.

dramsodimm

There is even a well respected standard for disk encryption - AES Advanced Encryption Standard. It uses repeated encryption to make the data secure. Typically the data will be encrypted ten times using a different 128 bit key for each round of encryption. The keys are generated by permuting an initial encryption key and so the whole scheme is secured with a single key that is made more difficult to fine by the repeated encryption of the data using derived keys.

Unfortunately there is the small problem of implementing AES efficiently. In an ideal world keys would be generated as and when they were needed and would never be stored in memory in a form that could be retrieved. As disk encryption has to fast, otherwise users wouldn't turn it on. the keys are pre-generated and stored in RAM and this is the basis for the Cold Boot Attack.

It turns out that DRAM doesn't lose its contents immediately it is switched off. It takes time, seconds or even minutes, for the stored charge to leak away. All you have to do to recover the keys is switch the machine off, pull the memory chips where the keys are stored and put the chips into another machine or a specially made hardware reading device. After this you can dump the areas of memory where the keys are thought to be stored and scan for them at your leisure. This attack has  been shown to work and it is fairly easy. This means that if you lose your laptop you cannot rely on the data remaining secure even if you've encrypted it.

To make the data safe the new method of encryption doesn't store the keys in RAM but in CPU registers. The CPU is a much more difficult item of hardware to attack using a "Cold Boot" like technique.

In the case of the x86 implementation of the algorithm the performance counter registers were "re-purposed" to store the 128 bit key. This sounds easy but there are many practical difficulties - for example what do you do about multi-core CPUs that all need access to an encrypted volume? What if you need to work with multiple encrypted volumes? The solution to most of the problems is not to store the original encryption key but a random key used to further encrypt the encryption key which can then be stored in RAM.

The actual implementation details are tough. The whole thing had to be written in assembler to ensure that the unencrypted keys were never present in RAM and  zeroing all registers after encryption - to provide the "Loop Amnesia" properties needed to make the encryption secure. The algorithm is called "amnesia" because the intent is to make sure that the encryption key never gets into RAM and is erased or "forgotten" at the end of each encryption loop.

The whole algorithm has been implemented for AES on Linux and it has been tested against standard AES and no-encryption and found to take roughly twice as long to process data - which is probably worth it for the extra security.

The paper explaining the ideas also goes into detail about possible attacks on the Loop Amnesia method and while it makes "interesting" reading it concludes that it should be secure.  There is a standard debug port on a CPU and this does give access to registers but this is not normally brought out to pin connections in the case of the x86 and when it is it can be disabled permanently.  However, you cannot rule out a more sophisticated hardware attack on the CPU that can inject code that dumps the contents of the registers - but the purpose of security is to make an attack difficult not impossible.

Further reading

Security Through Amnesia: A Software-Based Solution to the Cold Boot Attack on Disk Encryption.

 

Banner


Opaque Systems Introduces Gateway GenAI Solution
14/03/2024

Opaque Systems has announced an early access program for Opaque Gateway, software designed to address data privacy, security, and sovereignty concerns in managing GenAI implementations.



TypeScript 5.4 Adds NoInfer Type
12/03/2024

TypeScript 5.4 has been released, with the addition of a NoInfer utility type alongside preserved narrowing in closures following last assignments. 


More News

Last Updated ( Sunday, 01 May 2011 )