Recovering cryptographic keys with the cold boot attack

Transcription

1 Recovering cryptographic keys with the cold boot attack Nadia Heninger Princeton University April 20, 2010

2 Joint work with... Lest We Remember: Cold Boot Attacks on Encryption Keys with J. Alex Halderman, Seth D. Schoen, William Clarkson, William Paul, Joseph A. Calandrino, Ariel J. Feldman, Rick Astley, Jacob Appelbaum, and Edward W. Felten henceforth known as [HSHCPCFAF 08] Reconstructing RSA Private Keys from Random Key Bits with Hovav Shacham

3 Part 1: DRAM Remanence

4 The Persistence of Memory: Why? DRAM is an array of tiny capacitors. To write a bit, the capacitor is charged. 1(/2,&#):*;)<.52'&5&'( When power is on, the state is refreshed every 10 µs. Without 1:*;)A"55 power, they discharge to a ground state. BA2-2#&'.%C 9= = 9 >%&'")?=@!"#$%&'()*++$,-'&./+0 :"3%"+7 But >72')&3)6")4./H')%"3%"+7I this process 12'2)324"+)25,.+')&/+'2/'2/".$+5()6&'7.$')%"3%"+7 B:"24)2/4)%"6%&'"C takes seconds to minutes.

5 DRAM Decay Rates % Decay B Data B Fit D Data D Fit E Data E Fit F Data F Fit Seconds Without Power

6 The Persistence of Memory 5s. 30s. 1m. 5m.

7 Capturing Residual Data Delivering the Attack!"#$%"&$'()*+"),**-./ Residual data can be captured easily, with no special equipment Complication Booting a full OS overwrites large areas of RAM. e Attack Solution!"#$%"&$'()*+"),**-./ Boot a small low-level program to dump contents of memory. Implementations PXE Dump (9 KB) Delivering the Attack Delivering the Attack!"#$%"&$'()*+"),**-./!"#$%"&$'()*+"),**-./ EFI Dump (10 KB) USB Dump (22 KB)

8 Follow-up work BootJacker: Compromising Computers using Forced Restarts [Chan et al. 08] Uses memory remanence across reboots to completely revive an existing system, including: SSH connections SSL sessions VPN sessions encrypted hard disks For a good time, press Alt-SysRq-B

9 Slowing Decay by Cooling % to 0.2% decay after 1-5 min.

10

11 !"#$%&''(#) Even cooler Liquid Nitrogen -196 /01203%405)'6#$ *+,-.& < 0.1% decay after 1 hour (not necessary in practice) 7%89+:;%3#<=>%=?5#)%!"#$%&!"#$%&'&(()*+$,%$-*)'#,'&

12 Countermeasures (9*4:B/,$:2(#4:"0*5 Encrypt RAM on sleep/hibernate/screen lock Encrypt RAM all of the time TPM (can help attacker) CDDDEF

13 Part 2: Finding Cryptographic Keys

14 Looking for cryptographic keys Playing hide and seek with stored keys [Shamir, van Someren 99]

15 The reality of the entropy approach

16 Finding Keys: Use the structure of the key data. AES implementations typically precompute a sequence of round keys from the single 128 or 256-bit key. Round Key 1 Core Round Key 2. Generation of the 128-bit AES key schedule.

17 PKCS #1: RSA Cryptography Standard RSAPublicKey ::= SEQUENCE { modulus INTEGER, -- n publicexponent INTEGER -- e } RSAPrivateKey ::= SEQUENCE { version Version, modulus INTEGER, -- n publicexponent INTEGER, -- e privateexponent INTEGER, -- d prime1 INTEGER, -- p prime2 INTEGER, -- q exponent1 INTEGER, -- d mod (p-1) exponent2 INTEGER, -- d mod (q-1) coefficient INTEGER, -- (inverse of q) mod p otherprimeinfos OtherPrimeInfos OPTIONAL }

18 PKCS #1: BER-encoding (From a computer running Apache with OpenSSL.) d d e 77 ef 54 a SEQUENCE length: 605 bytes INTEGER length: 1 byte (version) INTEGER length: 129 bytes (n) INTEGER length: 3 bytes (e) INTEGER length: 128 bytes (d)...

19 Countermeasures: Avoid Standardization and Precomputation Don t store entire key schedules or data structures in memory Hurts performance. XOR key with regions of memory filled with random bits Can slow an attacker to some extent. Tradeoff between security and speed Encryption software still needs to efficiently use key. Computer still needs to use RAM.

20 A sad tale of countermeasures: Loop-AES Loop-AES has elaborate countermeasures against burn-in Stores 65 different key schedules together with inverted copies Key schedules are periodically swapped In the case of the cold-boot attack, this simplifies finding keys, and makes it easy to identify exactly which keys belong to Loop-AES.

21 Part 3: Recovering from bit errors

22

23 Problem Statement: unidirectional decay Remove all but a δ-fraction of the bits, chosen at random, from a (private) encryption key. (Flip a coin at each bit of the key. With probability δ, the attacker gets to see the bit s value.) How to efficiently reconstruct the key?

24 Correcting Errors in Cryptographic Keys: AES Use the structure of redundant key data to correct errors. Round Key 1 Core Round Key 2 Can retrieve an AES key from 30% of a key schedule in seconds. [HSHCPCFAF 08], An Improved Recovery Algorithm for Decayed AES Key Schedule Images [Tsow 09]

25 RSA Key recovery: Error models Lattice approaches: Redundancy: Large blocks of contiguous bits, no redundancy. [Coppersmith 96], [Boneh, Durfee, Frankel 98], [Blömer and May 03], [Herrmann and May 08] Non-contiguous bits, redundancy. [H., Shacham]

26 Notation and RSA review Public Key N = pq modulus e encryption exponent Private Key p, q large primes d = e 1 mod (p 1)(q 1) decryption exponent Encryption c = m e (mod N) Decryption m = c d (mod N) (for speed, decrypt using Chinese remainder theorem) d p = d (mod p 1) d q = d (mod q 1)

27 Interlude: Coppersmith-style RSA key reconstruction Theorem (Coppersmith/Howgrave-Graham) Let f (x) = x d f 0. N of unknown factorization. Can find all x 0 such that gcd(f (x 0 ), N) > N β x 0 < N β2 /d p x f (x) = p + x N = pq β = 1 2 Thus when x < N 1/4 (x < p 1/2 ) can find p in poly time.

28 Correcting Random Errors in RSA Keys Use the structure of redundant key data to correct errors. pq = N ed = 1 (mod (p 1)(q 1)) ed p = 1 (mod p 1) ed q = 1 (mod q 1) Can retrieve an RSA key from 27% of key data in seconds.

29 Step # 1: Relate key values We can write down the relationships between redundant key information as equations. pq = N (1) ed = 1 (mod (p 1)(q 1)) (2) ed p = 1 (mod p 1) (3) ed q = 1 (mod q 1) (4)

30 Step # 1: Relate key values over the integers We can write down the relationships between redundant key information as equations over the integers. pq = N (1) ed + k(p + q) = 1 + k(n 1) (2) ed p g(p 1) = 1 (3) ed q h(q 1) = 1 (4) (upper half of bits of d) k = e d 1 N + 1 (trick from [Boneh, Durfee, Frankel 98]) g 2 [k(n 1) + 1]g k 0 (mod e)

31 Step #2: Solve our equations iteratively Generate a tree of partial solutions, starting at bit 0. What s a tree node? A simultaneous assignment of bits [0... i] of p, q, d, d p, d q. It s easy to lift a solution mod 2 i to all equivalent solutions mod 2 i X How much branching at each level? ? No, 4 equations for 5 unknowns. 2? No, we can prune a solution when it conflicts with our known bits.

32 Results for different key redundancy If the attacker has partial knowledge of then recovery is efficient for... d, p, q, d p, d q δ > d, p, q δ > p, q δ > p Open problem fraction of key bits known.

33 Experimental validation of analysis Total number of solutions generated vs. fraction of known bits δ Total number of solutions len generated < 1 second to run! Fraction of known delta key bits δ (More than 1 million experiments.)

34 Part 4: Putting it all together.

35 Attacking disk encryption systems 1. Cut the power to the computer. 2. Reboot into a small memory extracting program. 3. Dump the data from RAM to a device of your choosing. 4. Find keys, fix any errors, decrypt hard drive. Works against: and others... Microsoft BitLocker Apple Filevault TrueCrypt Loop-AES dm-crypt

36 BitLocker, meet BitUnLocker.!"#$%&'()*+,-))$,"#$!".&'()*/ 0)1&23$*4$#&2,&5,56..7,46$&14$)8,4$$4'(9, Demonstration of fully automated attack: :&22)'$,;<",8*#=)+,*)>&&$+,428,>*&?3),5#.)3 Connect USB drive, reboot, and browse files

37 For video, paper, and source code, visit: citp.princeton.edu/memory

38