The notebook/laptop computer is today’s essential business tool. But even with the best technology, mobile data on laptops is data at risk. Laptops with removable drives, thumb drives and portable data devices present their own set of security risks: any one of them can walk out of your company doors carrying valuable IP, product designs, specifications, data and even your customer database.
One recent study estimated that as much as 80 per cent of the business data a company owns (customer files, product specifications, proposals, e-mail history files, contracts and financial information) is stored on notebook/laptop PCs. If your laptop breaks down, is stolen or is hacked into, your productivity may be affected for weeks, and your company could even face significant financial loss. Multiply that by every laptop user in your organisation, and it is a strong motivation to seek products with a reputation for reliability and security.
But the million-dollar question is: is your laptop really secure?
Chilling discovery
Recently, Princeton researchers revealed that disk encryption, the standard approach to protecting sensitive data on laptops, can be defeated by relatively simple methods. They demonstrated a method of chilling a laptop’s memory chips to defeat three popular disk encryption products: BitLocker, which comes with Windows Vista; FileVault, which comes with Mac OS X; and dm-crypt, used with Linux. The research team was led by J. Alex Halderman at Princeton.
The method, which cannot be carried out remotely, exploits a little-known property of the dynamic random access memory (DRAM) chip. Those chips temporarily hold data, including the keys used by modern encryption algorithms. When the computer’s power is shut off, the data, including the keys, is supposed to disappear. In a technical paper published on the website of Princeton’s Centre for Information Technology Policy, the group demonstrated that standard memory chips actually retain their data for seconds or even minutes after power is cut off.
When the chips were chilled with an inexpensive can of compressed air, the data was frozen in place, allowing the researchers to read the keys, long strings of ones and zeroes, out of the chip’s memory. The Princeton researchers used pattern-recognition software of their own to identify the keys among the millions or even billions of pieces of data held in memory.
The work also showed that so-called Trusted Computing hardware, an industry-standard approach heralded as significantly increasing the security of modern personal computers, does not appear to stop this kind of attack.
Defences for software-based full disk encryption
Experts have suggested several possible defences against this type of attack. Each is assessed below.
Change the location of keys during runtime: This has no bearing on the issue, since the DRAM contents are literally frozen at the time of the attack. A key search algorithm such as the one the Princeton researchers used renders the location of the keys, and whether or not they are periodically moved, irrelevant.
Fragment keys into discontinuous pieces to increase obfuscation: Like changing the location of the keys, this has no effect on key recovery. While in use, the encryption key must be reassembled, and careful study of the encryption software before the attack removes any difficulty the attacker might face. The purpose of encryption is to make obfuscation of this kind unnecessary. While it may delay an attack, it will not prevent it, and it will also slow down decryption during regular system use.
Use multiple keys for different parts of the disk: This prevents the entire contents of the disk from being exposed in a single attack. However, multiple encryption keys require additional authentication if they are to avoid exposure in the same attack instance. Although the suggestion is valid and is implemented in many Full Disk Encryption solutions, there is no reasonable presumption that the most sensitive data is not on the exposed partition.
Use multiple keys in sequence to decrypt the disk: This might delay an attack by adding a layer of complexity, but the DRAM attack would make all of the keys available to the attacker. Since the search algorithms the Princeton authors employed do not rely on decrypting plaintext to check a candidate key, the attacker simply has a set of keys to try in order to decrypt the data correctly.
Use longer encryption keys: As the contents of DRAM decay, more and more key data is lost. The more key data lost, the larger the searchable key space and the less likely it is that an attacker can reconstruct the correct key required for decryption.
Using a longer key means a larger searchable key space and makes it statistically more likely that sufficient degradation of the key will take place in the same period during which a shorter key might still be recoverable. Although it goes without saying that longer keys mean more security, this does not eliminate a potential DRAM attack, since DRAM decay has a steep acceleration curve and most decay occurs in a relatively brief period. As a precaution, however, one can employ the largest available key lengths and use AES-256 for both the Data Encryption Key and the Key Encryption Key.
Erase DRAM free space periodically while the system runs: This offers no real solution. The encryption keys must be available during normal use, and wiping DRAM does nothing if the keys are immediately replaced or moved to a location with the same vulnerability. There is also no guarantee that DRAM happens to be wiped immediately before the notebook is stolen and shut down.
Force a complete erasure of DRAM during shutdown, hibernate or standby: This is valid in theory but impractical in reality. Wiping DRAM during standby is unfeasible, because recovering from standby would then be impossible. For shutdown or hibernate, erasing DRAM is advisable but still does not eliminate the basic attack described by the Princeton authors: there is no guarantee that an attacker cannot cut power completely and prevent the erasure before it takes place.
Leave fake keys in DRAM that will erase the disk if used: This is an inconvenience at best. An attacker using this method is not attempting to decrypt the drive through the Full Disk Encryption program, so there is no way for the computer to recognise and execute any command tied to the fake key. At best this is obfuscation again, and it will slightly delay the attacker by forcing him to attempt decryption with more than one key.
Take steps to make boot code disassembly difficult: Aside from open-source implementations, all encryption software vendors already take steps to make their software difficult to disassemble, in order to preserve their competitive advantage. However, an attacker mounting this attack should be presumed to have the foresight and preparation time to obtain and thoroughly examine a copy of the drive owner’s software. The purpose of encryption is that data should remain secure regardless of the amount of preparation or the length of time available for an attack.
Use a Trusted Platform Module (TPM) in conjunction with Full Disk Encryption (FDE): Using a TPM with FDE does nothing to eliminate a DRAM attack, since the TPM does not perform the drive decryption itself and the key must be copied into memory for decryption to take place.
Clear memory at boot time: Some computers can be configured to clear RAM at startup before any operating system loads. This would prevent an attacker from using the stolen laptop itself to perform the DRAM attack, but the attacker could still move the DRAM to a separate computer. Configuring laptops to clear RAM at power-up is recommended regardless.
Block accessible ports: Eliminating the possibility of booting from removable media likewise prevents the stolen laptop itself from being used for the DRAM attack, but it suffers from the same weakness: the DRAM can be moved to a separate computer, or the hard drive can be replaced entirely during the attack.
Software-based defence inadequate
Although the likelihood of an attacker successfully stealing a laptop and mounting the attack before the DRAM decays is low at best, software-based FDE is theoretically vulnerable to it, and potential fixes by software vendors cannot eliminate the possibility entirely. For extremely security-conscious individuals or enterprises, however, newer hardware encryption technology exists that eliminates many of the difficulties posed by this attack.
Recently, hard drive vendors such as Hitachi and Seagate released products that implement hardware-based Full Disk Encryption inside the drive itself. Intel has also announced the implementation of a Trusted Platform Module (TPM) and Full Disk Encryption in its new chipset, to be released in the third quarter of 2008. These newer technologies share a distinct advantage over software-based encryption with respect to DRAM attacks: the data encryption keys never enter the computer’s main memory and are thus not vulnerable to this sort of attack.
Trusted Computing is a significant paradigm shift in the design of networked computing devices, and hardware support for it is quickly becoming commonplace. Many authors have observed the potential for this technology to offer significant and substantial benefits to grid, cloud, and other models of distributed computing, but so far relatively few of these have been realized. Much of the discussion of the field in the popular media has been dominated by a particular kind of multimedia rights management, and has been characterized by a certain degree of misinformation and out-of-date material.
This tutorial aims to give a thorough overview of the motivation for this approach, the technical capabilities of the trusted computing technologies, and their connection to whole system virtualization. We will end with a more discursive exploration of the realistic potential for their prototyping and deployment in eScience applications.
- Three display options: LED backlighting (WXGA), 1920 x 1200 pixel resolution, or WUXGA or WXGA LCD displays
- Optional discrete NVIDIA graphics and DisplayPort out
- Intel Turbo Memory 2.0
- Hard drive, hybrid and solid state disk drive options with eSATA jack
- Free fall sensors on all 7200 rpm drives
- UWB (Ultra-wide band), Bluetooth 2.1 and mobile broadband connectivity
- Integrated GPS
- Plenty of security options including fingerprint reader, TPM 1.2, smart card reader, contactless smart cards and encrypted hard disks
- New 84 WHr slice batteries for "all day" computing
- Optional camera and mic
- Back-lit keyboard option
Msg. 06658 of 06668 (This msg. is a reply to 06657 by SheldonLevine)
Sheldon,
Thanks for posting this.
I had looked, maybe a couple of years ago, at some preliminary Intel "LaGrande" instruction sets where this GETSEC[SENTER] was described but have not seen anything on it since.
- - - - - The above is a reply to the following message:
Re: TPM architecture and/or Intel's Danbury technology ??
By: SheldonLevine in WAVX DD, Mon, 03 Mar 08 12:18 AM
Andy, my sincere apologies if you are already aware of this information.
>>>
Computer Scientists at Princeton University have shown some very easy and creative methods to hack cryptographic key material with physical access to an encrypted machine. Watch the video embedded below to find out how existing technology is really vulnerable against Cold Boot Attacks on Encryption Keys.
All you need is a Duster spray can, if that, to cool the DRAM and extract the keys. The paper published along with the video clearly outlines techniques for finding keys residing in memory. The really cool part is that this technique doesn't really hack into the encryption directly. Rather, it depends on scanning the encryption keys by accessing the contents of the RAM and then extracting the data either by directly tampering with the RAM or by simply booting the computer from a USB drive. You can also read the industry response and more details on these findings in the news.com article.
It is not all bad news ... Intel is planning on releasing a technology code named “Danbury” which drastically reduces exposure to the Cold boot attacks. Danbury uses dedicated platform hardware to provide full disk encryption and the actual data encryption keys are not kept in the DRAM. Although, Intermediate, or ‘wrapping’, keys used to unlock data encryption keys are stored in DRAM temporarily, when the user is physically present or while remote IT operation has control of the platform. These keys are subsequently deleted once no longer needed, thus reducing the exposure significantly.
I am also very happy to announce that the Danbury SDK, which can be leveraged by software vendors to enhance encryption software, will be made available on the manageability developer community later this year. If you are interested to find out more about this technology or are interested in developing encryption software using this technology then feel free to leave a comment on this post.
<<< http://softwareblogs.intel.com/2008/02/28/use-duster-spray-can-to-hack-the-disk-encryption-keys/
I presently believe that the Danbury SDK will sit on top of the TXT Safer Mode Extensions (SMX) which is a low-level interface to the TPM.
<<< 1. Overview
Intel’s technology for safer computing, Intel® Trusted Execution Technology (Intel® TXT), defines platform-level enhancements that provide the building blocks for creating trusted platforms.
Whenever the word trust is used, there must be a definition of who is doing the trusting and what is being trusted. This enhanced platform helps to provide the authenticity of the controlling environment such that those wishing to rely on the platform can make an appropriate trust decision. The enhanced platform determines the identity of the controlling environment by accurately measuring the controlling software (see Section 1.1).
Another aspect of the trust decision is the ability of the platform to resist attempts to change the controlling environment. The enhanced platform will resist attempts by software processes to change the controlling environment or bypass the bounds set by the controlling environment.
What is the controlling environment for this enhanced platform? The platform is a set of extensions designed to provide a measured and controlled launch of system software that will then establish a protected environment for itself and any additional software that it may execute.
These extensions enhance two areas:
• The launching of the Measured Launched Environment (MLE)
• The protection of the MLE from potential corruption
The enhanced platform provides these launch and control interfaces using Safer Mode Extensions (SMX).
----
1.8 TPM Usage
Intel® TXT makes extensive use of the Trusted Platform Module (TPM) defined by the Trusted Computing Group (TCG) in the TCG TPM Specification, Version 1.2. The TPM provides a repository for measurements and the mechanisms to make use of the measurements. The system makes use of the measurements to both report the current platform configuration and to provide long-term protection of sensitive information.
The TPM stores measurements in Platform Configuration Registers (PCRs). PCRs provide a storage area that allows an unlimited number of measurements in a fixed amount of space. They provide this feature by an inherent property of cryptographic hashes. Outside entities never write directly to a PCR register, they “extend” PCR contents. The extend operation takes the current value of the PCR, appends the new value, performs a cryptographic hash on the combined value, and the hash result is the new PCR value. One of the properties of cryptographic hashes is that they are order dependent. This means hashing A then B produces a different result from hashing B then A. This ordering property allows the PCR contents to indicate the order of measurements.
Sending measurement values from the measuring agent to the TPM is a critical platform task. The Dynamic Root of Trust for Measurement (DRTM) requires specific messages to flow from the DRTM to the TPM. The Intel® TXT DRTM is the GETSEC[SENTER] instruction and the system ensures GETSEC[SENTER] has special messages to communicate to the TPM. These special messages take advantage of TPM localities 3 and 4 to protect the messages and inform the TPM that GETSEC[SENTER] is sending the messages.
<<< http://download.intel.com/technology/security/downloads/31516804.pdf
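The quoted TXT text describes the PCR extend operation (hash the old PCR value together with the new digest) and notes that hashing A then B differs from B then A. The following is an added example written for this page, not code from Intel, the TCG or anyone in this thread: it models a TPM 1.2-style SHA-1 PCR, replays a constructed measurement log, and shows how a verifier can detect a log that does not reproduce the reported PCRs. The PCR indexes 17 and 18 and the event contents are illustrative assumptions, not values taken from the TXT document.

```python
# Added example (not from the Intel TXT document or this thread): a
# TPM 1.2-style PCR extend and an event-log replay that a verifier can use
# to check reported PCR values.  Assumptions: SHA-1, 20-byte PCRs that
# start at all-zero, and a constructed event log; no real TPM is involved.
import hashlib
from typing import Dict, List, Tuple

PCR_SIZE = 20                      # TPM 1.2 PCRs hold one SHA-1 digest
Event = Tuple[int, str, bytes]     # (pcr index, description, measured bytes)


def measure(data: bytes) -> bytes:
    """The measuring agent hashes what it is about to load or run."""
    return hashlib.sha1(data).digest()


def extend(pcr_value: bytes, digest: bytes) -> bytes:
    """PCR_new = SHA-1(PCR_old || digest).

    Callers never write a PCR directly; the TPM folds the new digest into
    the old value, so any number of measurements fits in 20 bytes and the
    order in which they arrived is baked into the final value.
    """
    if len(pcr_value) != PCR_SIZE or len(digest) != PCR_SIZE:
        raise ValueError("PCR values and digests must be 20 bytes")
    return hashlib.sha1(pcr_value + digest).digest()


def replay_log(events: List[Event], num_pcrs: int = 24) -> Dict[int, bytes]:
    """Recompute every PCR from an event log by extending in log order."""
    pcrs = {i: bytes(PCR_SIZE) for i in range(num_pcrs)}
    for index, _desc, data in events:
        pcrs[index] = extend(pcrs[index], measure(data))
    return pcrs


def appraise(reported: Dict[int, bytes], events: List[Event]) -> List[int]:
    """Verifier side: replay the log and return the PCR indexes whose
    reported value does not match the replay (empty list means consistent).

    A log edited after the fact, or with events reordered, will not
    reproduce the PCR values the TPM actually holds.
    """
    replayed = replay_log(events, num_pcrs=max(reported) + 1)
    return sorted(i for i, v in reported.items() if replayed[i] != v)


# Constructed sample log: the launch environment is recorded in PCR 17 and
# the code it hands control to in PCR 18 (index choice is illustrative).
SAMPLE_LOG: List[Event] = [
    (17, "MLE image", b"constructed-mle-bytes"),
    (18, "kernel",    b"constructed-kernel-bytes"),
    (18, "initrd",    b"constructed-initrd-bytes"),
]


def order_matters() -> bool:
    """Extending with A then B differs from B then A, as the spec text says."""
    zero = bytes(PCR_SIZE)
    a, b = measure(b"A"), measure(b"B")
    return extend(extend(zero, a), b) != extend(extend(zero, b), a)


def tampered_log_detected() -> List[int]:
    """Swap the two PCR 18 events: PCR 17 still matches, PCR 18 does not."""
    honest = replay_log(SAMPLE_LOG)
    reordered = [SAMPLE_LOG[0], SAMPLE_LOG[2], SAMPLE_LOG[1]]
    return appraise(honest, reordered)


if __name__ == "__main__":
    for idx, value in sorted(replay_log(SAMPLE_LOG).items()):
        if value != bytes(PCR_SIZE):
            print(f"PCR[{idx}] = {value.hex()}")
    print("order-dependent:", order_matters())
    print("mismatched PCRs after reordering the log:", tampered_log_detected())
```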
Msg. 06657 of 06668 (This msg. is a reply to 06650 by awk)
Danbury/TXT TPM interface
It appears that "Danbury" adds a whole new dimension to the "interoperability" question. It appears that "Danbury" is a totally separate architectural platform from the TPM architecture that needs its own management tools. And it appears that Wave's EMBASSY tools are the only ones that can handle both architectural platforms.
I am not yet quite clear how this really will function, but it is clear to me now that a vPro 5.0 with "Danbury" really consists of two distinct platforms to be managed: the "TPM system" and "Danbury".
Wave-Intel press release: Here Steven Sprague talks about two distinct platforms within the same system.
Steven Sprague says: "As trusted computing solutions evolve, cross-platform interoperability could represent an important opportunity," said Steven Sprague, president and CEO of Wave Systems. "We believe that the addition of hardware security that provides data-at-rest, strong authentication and management capabilities, built into the hardware, is an important step forward in supporting the growing need for security in the PC. We are keenly aware of the requirements for applications to interoperate among multiple secure platforms and are providing proof of concepts today to show how our applications can be adapted to a new generation of platforms from Intel. We are proud to be the first company demonstrating our flexible, interoperable, secure applications on the industry’s leading trusted platforms."
Assumption: In a way, "Danbury" functions similarly to Seagate's "DriveTrust" technology, in the sense that "Danbury" also incorporates some EMBASSY functionality. Also, most likely, the "Danbury" encryption keys are stored within the Intel chipset and never leave the chipset.
Question: Where does this leave Infineon and, moreover, where does it leave the rest of the PC OEMs?
Steven Sprague goes on to say: "We are keenly aware of the requirements for applications to interoperate among multiple secure platforms and are providing proof of concepts today to show how our applications can be adapted to a new generation of platforms from Intel. We are proud to be the first company demonstrating our flexible, interoperable, secure applications on the industry’s leading trusted platforms."
Also check out the highlighted part of a "blog exchange" that I had with Intel's Todd Christ. He says:
Feb 11, 2008 11:36 AM, Todd Christ in response to Andreas Kuhn: "Hi Andreas - Danbury won't have interaction with a TPM, but rather utilize an integrated mechanism to control security access.
Danbury will become part of the AMT 5.0 stack and much like other AMT releases - AMT 5.0 will be backward compatible with previous versions of AMT - but the older versions will not be scaleable to the newer platforms.
Wave to Demonstrate Capabilities for Data Protection and Trusted Platform Module Support for Next-Generation Intel vPro Technology at Intel Developer Forum
Wave highlights new Intel hardware technologies while enhancing Intel® Active Management Technology with Wave’s key management capabilities
Lee, MA and San Francisco, CA (Intel Developer Forum, Booth #415-20) –September 18, 2007 – Wave Systems Corp. (NASDAQ: WAVX; www.wave.com ), a leader in delivering trusted computing applications and services with advanced products, infrastructure and solutions across multiple trusted platforms, today announced it will demonstrate the capabilities of its EMBASSY® technology on a development Intel® vPro™ processor technology platform.
This 2008 platform incorporates a new, integrated chipset and Trusted Platform Module (TPM), along with a new data encryption technology codenamed "Danbury Technology." Wave will show how EMBASSY technology can be adapted for data-at-rest, strong authentication and key management. Wave offers the only interoperable solution based upon the Trusted Computing Group’s specifications for trusted platforms that include TPM secure storage solutions and secure infrastructures as defined by the TCG.
"Protecting stored data is critical for businesses today, and Intel vPro Danbury technology will make encrypting hard drive data more secure and manageable," said Tom Quillin, director of Intel's Digital Office Ecosystem Enabling. "Intel is pleased that Wave is rapidly embracing this secure platform initiative."
"As trusted computing solutions evolve, cross-platform interoperability could represent an important opportunity," said Steven Sprague, president and CEO of Wave Systems. "We believe that the addition of hardware security that provides data-at-rest, strong authentication and management capabilities, built into the hardware, is an important step forward in supporting the growing need for security in the PC. We are keenly aware of the requirements for applications to interoperate among multiple secure platforms and are providing proof of concepts today to show how our applications can be adapted to a new generation of platforms from Intel. We are proud to be the first company demonstrating our flexible, interoperable, secure applications on the industry’s leading trusted platforms."
Wave’s demonstrations will be located in the Intel vPro Zone Pavilion, Wave Booth #415-20 at the Moscone Center North. Customers may make appointments by contacting Brian Berger, Wave’s EVP Marketing & Sales, at bberger@wavesys.com.
Seminar | February 28 | 1-2 p.m. | Soda Hall, Wozniak Lounge
Speaker/Performer: Clifford Neuman, University of Southern California
Trusted computing provides methods for software components to establish confidence in the code with which they communicate. Such technologies are often used to support digital rights management and other mechanisms that protect service providers and owners of content. The same underlying mechanisms, however, can be used to protect the users from untrustworthy service providers. Providing strong security for future systems requires a clearer understanding of the protection boundaries to be enforced.
While trusted computing can help enforce such boundaries, little work has been done to help us understand the structure of those boundaries. This talk discusses ongoing work to develop trusted computing architectures that support multiple perspectives on trust.
For users, the most trusted components are their own systems; the software from service providers is less trusted. Information providers place greater confidence in vetted code that runs on designated trusted computing hardware. The trusted computing reference monitor mediates requirements and obligations for each software component providing mutual protection to all involved.