[mdlug] Dick encryption

[Jeff Hanson]

On Fri, Feb 22, 2008 at 10:53 AM, Garry Stahl <tesral at comcast.net> wrote:
> http://www.networkworld.com/news/2008/022108-disk-encryption-cracked.html?page=1
>
>  Network World article pointing out that who controls the physical
>  computer, controls the data in it.  There is a method to crack disk
>  encryption.  It ain't easy, and you would have to have it ready, but it
>  is possible.

The security implications of loading the decryption keys into DRAM is
something I though of myself a while ago.  I hadn't realized that the
data retention was that long without power or that cooling them could
increase the data lifetime.  My theory was that it would be possible
to read the memory bus while the system was active and pick up the
keys that way.  According to the report you can chill the DRAM and
just put it in another system for reading which makes encryption about
as useful as a chastity belt.  I disagree with Steven Sprague about
the effectiveness of hardware-based encryption devices as they also
have to load the key making them just as vulnerable.  The only
advantage they offer is a more complicated architecture that would
have to be reverse engineered first so that an attacker would know
where to look before attempting to find the key (obfuscation).  I was
thinking that storing the key in a CPU register would be better as the
complexity and small feature size would make it a lot harder to
extract.  OpenBSD, IIRC, randomizes memory locations so theoretically
it would be more difficult to find a key (again obfuscation).  I think
the Linux solution is to have the kernel wipe entire memory space
before halting or suspending.