Security boffins unveil BitUnlocker

JohnK

Anyone had a read off this? Seems some researchers were able to pull encryption keys from RAM even after the machine had been turned off

http://www.theregister.co.uk/2008/02/22/eff_unbitlocker/
http://citp.princeton.edu/memory/

mick.fr

Official Microsoft response to this:

"The claims detailed in the Princeton paper are not vulnerabilities, per-se, but simply detail the fact that contents that remain in a computer’s memory can be accessed by a determined 3rd party if the system is running.

BitLocker is an effective solution to help safe guard personal and private data on mobile PCs and provides a number of protection options that meet different end-user needs.
Like all full volume encryption products BitLocker has a key-in memory when the system is running in order to encrypt/decrypt data, on the fly, for the drive/s in use.

If a system is in ‘Sleep mode’ it is, in effect, still running. We recognize users want advice with regards to BitLocker and have published best practice guidance in the Data Encryption Toolkit:

http://www.microsoft.com/technet/security/guidance/clientsecurity/dataencryption/analysis/4e6ce820-fcac-495a-9f23-73d65d846638.mspx

In it we discuss the balance of security and usability and detail that the most secure method to use BitLocker is hibernate mode and with multi-factor authentication.”

Capt'n Midnight

mick.fr wrote:

Official Microsoft response to this:

"The claims detailed in the Princeton paper are not vulnerabilities, per-se, but simply detail the fact that contents that remain in a computer’s memory can be accessed by a determined 3rd party if the system is running.

I could not find that official response on their site.

Found it here though - but they seem ignorant of what GCHQ was doing in the early 70's so I would not call them authoritive.
http://itspot.wordpress.com/2008/02/21/disk-encryption-can-you-trust-it/

If the feds didn’t know about these techniques already–remember, they were years ahead of everyone else in inventing public key cryptography–today will be a very good day for Homeland Security.

Capt'n Midnight

Do any OS's clear down RAM on a suspend to disk ?
Does this mean that the password is "availble" to be attacked in hiberfil.sys ?

you can put a resume passord in the BIOS, but it's bloody annoying and they could freeze and whip out the ram , maybe get a low spec laptop that has onboard RAM and don't add a dimm to it.

Sounds like you need this stuff
So BIOS passwords
Full POST check
No suspend or hibernate
Motherboard with non removable RAM

Anyone know what was setup on the New York laptop ?


http://citp.princeton.edu/memory/exp/ a test for the effect
but interesting that ECC ram is cleared - a simple solution to beat people who won't be taking the machine apart. Or setting the BIOS to do a full POST

and that thinkpad looks old

mick.fr

Capt'n Midnight wrote: »

Do any OS's clear down RAM on a suspend to disk ?
Does this mean that the password is "availble" to be attacked in hiberfil.sys ?

No this is encrypted too.

mick.fr

At least the best way to protect a laptop, is not to have any data on it.
More and more companies are doing so, users have no access to drives, only the desktop, no access to the command prompt etc. They only work remotely to access a web server and have a very limited access to files, as it almost does not exist as such in the company.