watching you watching us . .

Archive for January, 2013

Full Disk Encryption – Breaking Hard Disk Encryption

Good article and, more importantly, a great discussion in the comments! The article is centred on the topic of hard disk encryption, prompted by a less significant announcement of a “new..” ElcomSoft Forensic Disk Decryptor that can decrypt BitLocker, PGP, and TrueCrypt volumes.

“If the PC being investigated is turned off, the encryption keys can be retrieved from the hibernation file. The encrypted volume must be mounted before the computer went to sleep. If the volume is dismounted before hibernation, the encryption keys may not be derived from the hibernation file.”

“most (if not all) encryption software hashes your password immediately, yielding a hex based result which is still easily searched by looking for strings.”

“You are not missing anything. It’s a non-issue for most. Just don’t use sleep.”

“OpenBSD’s malloc fills junk bytes into allocated and freed chunks via the J option. By default OpenBSD encrypts the swap (where hibernation state is kept), and has done so for many years.”

“DMA is just one such way of manipulating the memory beneath the CPU level; there is also the Memory Management Unit and the I/O mechanisms that rule the roost via the interrupt mechanisms that run at what you might consider Ring -1. And these are what you might consider the upper layers of this gulf of insecurity. There are other tricks such as the actual CPU microcode or equivalent in all the other state machines.”

“Breaking Hard-Disk Encryption”, Bruce Schneier, 27 December 2012.
http://www.schneier.com/blog/archives/2012/12/breaking_hard-d.html (last accessed 24 January 2013) – Article

/cobramark3