[FDE] Scary......

Olivier Loones oloones at gmail.com
Fri Feb 22 10:23:37 MST 2008 

Maybe a ram cleaner ?

I just found this
http://www.zdnet.fr/telecharger/windows/fiche/0,39021313,39046500s,00.htmbut
soon new tools will coming or be implemented in FDE solution.


2008/2/22, Garrett M. Groff <groffg at gmgdesign.com>:
>
> Upon actually reading the paper, I answered my own question. The attack
> works regardless of BitLocker's mode if the computer is on or in standby,
> and works in "basic mode" (BitLocker+TPM in transparent operation mode)
> even
> if computer is off (since booting it up will cause the TPM to
> automatically
> release the key if no boot components have changed), but will not work if
> computer is in hibernation or in an off state and not in basic mode.
>
> Very interesting paper. The attack exploits hardware, so I suspect we'll
> need a hardware solution for this problem.
>
>
> - G
>
>
>
> ----- Original Message -----
> From: "Dave Jevans" <djevans at ironkey.com>
> To: <fde at www.xml-dev.com>
>
> Cc: "Garrett M. Groff" <groffg at gmgdesign.com>
> Sent: Friday, February 22, 2008 12:17 AM
> Subject: Re: [FDE] Scary......
>
>
> > This attack WOULD work, as it is preserving the AES keys in DRAM after
> the
> > authentication has been completed.
> >
> >
> > At 6:28 PM -0500 2/21/08, Garrett M. Groff wrote:
> >>Regarding the following statement:
> >>"It's a pretty exotic attack if you're using authentication (ie not
> >>Bitlocker in TPM mode, or some autoboot mode)."
> >>
> >>That is only an issue when using BitLocker's "transparent operation
> mode,"
> >>right? I.e., when using BitLocker+TPM and requiring that a PIN or USB
> key
> >>be
> >>entered/present, this hardware-based attack doesn't work. Correct?
> >>
> >>
> >>----- Original Message -----
> >>From: "SafeBoot Simon" <hunt.simon at gmail.com>
> >>To: <fde at www.xml-dev.com>
> >>Sent: Thursday, February 21, 2008 5:38 PM
> >>Subject: Re: [FDE] Scary......
> >>
> >>
> >>It's a pretty exotic attack if you're using authentication (ie not
> >>Bitlocker in TPM mode, or some autoboot mode).
> >>
> >>You'd have to attack a FDE protected machine that was on, or was on
> >>only a very short time ago (minutes). Most data exposure comes from
> >>people stealing drives or machines from cars etc which are long off.
> >>
> >>This is also not that new (though it seems to be creating a lot of
> >>panic today) - it's an attack considered for many years.
> >>
> >>And of course with FDE, the simple act of zeroing all copies of the
> >>key from memory on shutdown would resolve the "just off" scenario,
> >>though nothing except something like Danbury or Seagate FDE solves the
> >>"stolen while on" situation - but in that case, there are many good,
> >>but perhaps more exotic attacks, like the firewire memory download, or
> >>any potential network attack points.
> >>
> >>
> >>On Feb 21, 3:19 pm, "Ali, Saqib" <docbook.... at gmail.com> wrote:
> >>>  http://citp.princeton.edu/memory/
> >>>
> >>>  However, hardware based encrypted drives like Seagate FDE would
> easily
> >>>  deter these type of attacks.
> >>>  _______________________________________________
> >>>  FDE mailing list
> >>>  F... at www.xml-dev.comhttp://www.xml-dev.com/mailman/listinfo/fde
> >>
> >>_______________________________________________
> >>FDE mailing list
> >>FDE at www.xml-dev.com
> >>http://www.xml-dev.com/mailman/listinfo/fde
> >>
> >>_______________________________________________
> >>FDE mailing list
> >>FDE at www.xml-dev.com
> >>http://www.xml-dev.com/mailman/listinfo/fde
> >
> >
>
> _______________________________________________
> FDE mailing list
> FDE at www.xml-dev.com
> http://www.xml-dev.com/mailman/listinfo/fde
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.xml-dev.com/pipermail/fde/attachments/20080222/63779ab0/attachment.html

More information about the FDE mailing list