Some of you may remember the Cold Boot Attack. It is a general method by which almost all disk encryption schemes on PCs and laptops can be circumvented. Usually, when a hard disk or just a partition is encrypted, the encryption software needs to keep the keys in memory as long as the filesystem is mounted. Three years ago, it was shown that this key can be extracted just by removing the RAM module and dumping its content on a second PC using custom software. Alternatively, the system can be booted from a CD or USB stick with custom software that dumps the content of the RAM. As long as the RAM has only been off for a few seconds, or has been cooled down to a low temperature, it doesn’t lose the stored data completely, and the encryption keys can be recovered from that dump.
Today, a solution to this problem will be presented that prevents the attack by never storing the encryption key in RAM. Instead, CPU registers are used, and because the encryption code runs in kernel space, it can ensure that their contents are never written out to RAM.
This sounds like a good solution to me, except that it only prevents the encryption key from leaking. Of course, the actual data that is decrypted and that applications on that system work with can still be found in RAM, but I have no idea how this can be fixed easily.
See the talk: Day 3, 14:30, Saal 2