Via Cold-Boot attacks

Feb 26, 2008 14:28 GMT  ·  By

The concept behind Cold-Boot attacks on encryption keys stored in a computer's DRAM is not new. The implications of physical memory attacks, in the context of Windows Vista BitLocker Drive Encryption, were discussed at Hack in the Box 2006 by Douglas MacIver, Penetration Engineer, Microsoft Penetration Team. Although the Cold-Boot attack was a strategy all too familiar to members of the security industry and of the security team over at Redmond, a demonstration put together by Princeton researchers turned the concept into reality by retrieving cryptographic key material from frozen (literally) DRAM.

Vista's BitLocker is not the only technology susceptible to Cold-Boot attacks. FileVault, dm-crypt, and TrueCrypt encryption keys are also stored in physical memory and can be retrieved by an attacker who has physical access and the right algorithms for finding cryptographic keys in memory images. Robert Hensing, Technical Lead - Microsoft Product Support Services, stressed that a would-be attacker needs to freeze the physical system memory as fast as possible to ensure that the RAM retains its contents. Even then, the ghost image stored in RAM undergoes a certain level of decay.

"I'd like to take a step back and, from a BitLocker perspective, detail some of the assumptions that have to be made for this attack to be successful: physical access to the machine; the user's laptop would likely have to be in sleep mode, rather than hibernate mode or powered off; the user would have chosen not to implement multi-factor pre-boot authentication and the person who finds/steals the laptop must be knowledgeable and interested enough to execute this attack on the laptop they just stole. I would posit that the opportunistic laptop thief is somewhat unlikely to carry a separate laptop on which they will have installed tools that allow them to reconstruct cryptographic keys - or for that matter have a can of compressed air handy," argued Microsoft senior product manager for Windows Vista security Russell Humphries.

With Windows Vista SP1, Microsoft has enhanced the level of protection offered by BitLocker: users can now not only enter a PIN or insert a USB stick holding a secret key, but do both, in order to make the operating system boot or resume from hibernate mode. "Quality security research helps our customers and the industry in general raise the security bar, and I applaud it; but let's also keep in mind that technologies like BitLocker provide a very valuable service to users and help them protect data on their PCs. BitLocker's range of deployment options, ranging from single-factor authentication with sleep mode to TPM+PIN+USB with hibernation only, allows customers to find the right balance of security and convenience for their data," Humphries added.