RSSCryptographic key recovery from Linux memory dumps
I stumbled across this paper from the 2007 Chaos Communication Camp which describes a method for extracting the cryptographic keys used by either dm-crypt or cryptoloop.
Technically, the cryptographic keys need to reside in memory while your encrypted disk is in use, so, obviously, if an attacker has access to your physical RAM, they will be able to obtain these keys and decrypt the volume at any future point in time. There were a couple of less-than-obvious takeaways, however.
The first is that there are a multitude of avenues for accessing a machine's memory. Anyone able to obtain root access could access /dev/mem remotely, but many systems (especially laptops) will actually write the memory's contents to disk during extended hibernation. Virtualization software, such as VMWare, will do exactly the same when the virtual machine is suspended. Finally (and this was news to me), the Firewire standard provides devices DMA access. You could imagine a device specifically designed for the purpose of connecting to a running machine. It would copy the machine's ram to a small hard disk, a "finished" LED would light up, and the attacker would pocket it and exit the building. The operating system wouldn't even know that anything had happened.
The second big takeaway is that it's relatively simple to search for these keys in a full memory dump. The method is slightly different for dm-crypt than it is for cryptoloop, but it basically involves a pattern search for certain characteristics in the C data scructure that holds the key. There are a couple of scripts included in the appendix for those of you who'd like to try this out.
If you use disk encryption on a laptop to protect your data from theft while you are traveling, take note. Disable hibernation mode to prevent RAM from being written to disk and do not leave your machine running while unattended, even if logged out.
Cryptographic key recovery from Linux memory dumps - Link (pdf)
Posted by Jason Striegel |
Aug 4, 2007 08:45 PM
Cryptography, Linux |
Permalink
| Comments (2)
Recent Entries
- Minty soldering jig
- Selecting row number in MySQL
- iPhone 3G software unlock
- Python on Android
- Controlling Sony camcorders with the Arduino
- Gradient text effect in CSS
- Retro gaming emulators that include (legal) ROMs?
- Das DereLicht - ham radio transmitter from a CFL bulb
- Using Google App Engine as a personal CDN
- Route-me - Open Source mapping library for iPhone
Comments
Newest comments listed first.
| Posted by: Crash on December 11, 2007 at 9:31 AM |
very very scary stuff. would the firewire memory-copy device also be possible over USB? maybe disabling firewire unless needed would be a good idea.
would the firewire memory-copy device also be feasible in windows?
| Posted by: Set the OF Password on January 30, 2008 at 1:29 AM |
You can protect the Firewire-Port when you set the OpenFirmware PWD on the Mac. Although it now uses EFI, the OF-PWD is still the name of the item.
Here is the official Apple-Link:
http://docs.info.apple.com/article.html?artnum=106482
Bloggers
Welcome to the Hacks Blog!
Brian Jepson
Jason Striegel
Phillip Torrone
Categories
- Ajax
- Amazon
- Android
- AppleTV
- arduino
- Astronomy
- Baseball
- BlackBerry
- Blogging
- Body
- Cars
- Cryptography
- Data
- Design
- Education
- Electronics
- Energy
- Events
- Excel
- Excerpts
- Firefox
- Flash
- Flickr
- Flying Things
- Food
- Gaming
- Gmail
- Google Earth
- Google Maps
- Government
- Greasemonkey
- Hacks Series
- Hackszine Podcast
- Halo
- Hardware
- Home
- Home Theater
- iPhone
- iPod
- IRC
- iTunes
- Java
- Kindle
- Knoppix
- Language
- LEGO
- Life
- Lifehacker
- Linux
- Linux Desktop
- Linux Multimedia
- Linux Server
- Mac
- Mapping
- Math
- Microsoft Office
- Mind
- Mind Performance
- Mobile Phones
- Music
- MySpace
- MySQL
- NetFlix
- Network Security
- olpc
- Online Investing
- OpenOffice
- Outdoor
- Parenting
- PCs
- PDAs
- Perl
- Philosophy
- Photography
- PHP
- Pleo
- Podcast
- Podcasting
- Productivity
- PSP
- Retro Computing
- Retro Gaming
- Science
- Screencasts
- Security
- Shopping
- Skype
- Smart Home
- Software Engineering
- Sports
- SQL
- Statistics
- Survival
- TiVo
- Transportation
- Travel
- Ubuntu
- User Interface
- Video
- Virtualization
- Visual Studio
- VoIP
- Web
- Web Site Measurement
- Windows
- Windows Server
- Wireless
- Word
- World
- Xbox
- Yahoo!
- YouTube
Archives
- January 2009
- December 2008
- November 2008
- October 2008
- September 2008
- August 2008
- July 2008
- June 2008
- May 2008
- April 2008
- March 2008
- February 2008
- January 2008
- December 2007
- November 2007
- October 2007
- September 2007
- August 2007
- July 2007
- June 2007
- May 2007
- April 2007
- March 2007
- February 2007
- January 2007
- December 2006
- November 2006
- October 2006
- September 2006
Recent Posts
- Minty soldering jig
- Selecting row number in MySQL
- iPhone 3G software unlock
- Python on Android
- Controlling Sony camcorders with the Arduino
- Gradient text effect in CSS
- Retro gaming emulators that include (legal) ROMs?
- Das DereLicht - ham radio transmitter from a CFL bulb
- Using Google App Engine as a personal CDN
- Route-me - Open Source mapping library for iPhone
www.flickr.com
|
Leave a comment