Princeton researchers crack encryption with liquid nitrogen
Scientists at Princeton University have demonstrated how encryption keys can be retrieved from memory if the attacker has physical access to a computer which is switched on or in standby, by making use of a well known phenomenon – the relatively slow decay of DRAM data when power is removed.
DRAM memory cells consist of tiny capacitors that are charged or left uncharged to store the ones and zeros of binary data. The charge in the memory cells dissipates over time, so in normal use the data are regularly refreshed by reading and rewriting the memory content. The refresh rate is much higher than the minimum required, to make sure the stored data isn't corrupted. Memory circuits have very high impedances, so the charges representing the data aren't completely lost for a considerably longer time than the typical refresh interval – an effect known as remanence. Even after power is removed, the charges on the cells may remain intact enough to read the data for several minutes, depending on various environmental factors including temperature. In the Princeton experiments, by cooling the memory chips to a temperature of -50°C using compressed gas, 99 per cent of the memory contents were preserved for ten minutes. When the chips were immersed in liquid nitrogen the data survived for an hour with only a 0.17 per cent error rate. There are apparently "very predictable" non-uniform patterns of bit decay that can be used to reconstruct memory contents, but newer generations of DRAM have faster decay than older technologies.
The researchers recognised that, when attempting to recover the memory content, loading a full operating system would probably overwrite much of the wanted data, so they created small memory imaging utilities that can be loaded via USB sticks, Intel's Preboot Execution Environment (PXE) or the BIOS successor Extensible Firmware Interface (EFI). While the BIOS and imaging program overwrite small areas of memory, the researchers report that this doesn't cause a problem. As an alternative, cooling also permits a memory device to be transferred to a different machine for analysis.
The memory images can then be scanned for hard disk encryption keys. Since information may have been lost, the researchers have developed several recovery algorithms that, by combining known characteristics of cryptographic standards with data decay models, can be used to detect and restore encryption keys even in the presence of some errors.
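As an added illustration (not the Princeton team's code) of why a key's "known characteristics" make it findable despite decay: an AES-128 implementation normally keeps the full FIPS-197 key schedule in RAM, and that 176-byte structure is so redundant that a candidate 16-byte key can be confirmed even when some bits have flipped. The memory image below is constructed, and this simplified scan tolerates errors only outside the 16 key bytes themselves, whereas the researchers' algorithms also correct errors within them.

```python
import random
def _rotl8(x, s):
    return ((x << s) | (x >> (8 - s))) & 0xff
def _gen_sbox():
    # p *= 3 and q /= 3 keep p*q == 1 in GF(2^8); the S-box entry is the affine
    # transform of the inverse q. 3 generates the group, so 255 steps fill it.
    sbox, p, q = [0] * 256, 1, 1
    for _ in range(255):
        p = (p ^ (p << 1) ^ (0x1b if p & 0x80 else 0)) & 0xff
        q ^= q << 1; q ^= q << 2; q ^= q << 4; q &= 0xff
        q ^= 0x09 if q & 0x80 else 0
        sbox[p] = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4) ^ 0x63
    sbox[0] = 0x63  # zero has no inverse
    return sbox
SBOX = _gen_sbox()

def expand_key(key):
    """FIPS-197 AES-128 key expansion: 16-byte key -> 176-byte schedule."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]  # RotWord then SubWord
            t[0] ^= rcon
            rcon = (rcon << 1) ^ (0x11b if rcon & 0x80 else 0)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return bytes(sum(w, []))
def bit_errors(a, b):
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))
def find_aes128_keys(image, max_errors=10):
    """Accept a 16-byte window as a key when its expanded schedule matches the next
    160 image bytes up to max_errors flipped bits (errors in the key bytes not fixed)."""
    hits = []
    for off in range(len(image) - 175):
        errs = bit_errors(expand_key(image[off:off + 16]), image[off:off + 176])
        if errs <= max_errors:
            hits.append((off, image[off:off + 16].hex(), errs))
    return hits
def build_decayed_image(key, offset, flips, seed=1):
    """Constructed sample: random filler with the schedule at `offset`, then one
    bit flipped in each of `flips` distinct round-key bytes to mimic decay."""
    rng = random.Random(seed)
    buf = bytearray(rng.randrange(256) for _ in range(4096))
    buf[offset:offset + 176] = expand_key(key)
    for i in rng.sample(range(offset + 16, offset + 176), flips):
        buf[i] ^= 1 << rng.randrange(8)
    return bytes(buf)
```

Running `find_aes128_keys(build_decayed_image(key, 1000, 6))` reports the key at offset 1000 with 6 bit errors, while random filler never comes close to the threshold.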
Microsoft, Apple, TrueCrypt and the developers of the Linux kernel have been informed about the vulnerability, but the Princeton scientists see virtually no way of closing this hole. Notebooks containing critical data on encrypted hard disks can be protected by being switched off instead of put in standby, which completely erases the data after a short period of time.
The described attack vector is similar to the way in which the HotPlug forensic system operates. HotPlug connects a mains-operated computer to a mobile UPS while it is running so encryption keys are kept in memory for subsequent investigation.
- Lest We Remember: Cold Boot Attacks on Encryption Keys (PDF), research report by J. Alex Halderman et al.