Your SlideShare is downloading. ×
Hackfest Cracking Crypto Rev 2
Upcoming SlideShare
Loading in...5

Thanks for flagging this SlideShare!

Oops! An error has occurred.

Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Hackfest Cracking Crypto Rev 2


Published on

Presentation abotu the effects of the Princeton Coldboot attack including vulnerabilities in TrueCrypt and Bitlocker

Presentation abotu the effects of the Princeton Coldboot attack including vulnerabilities in TrueCrypt and Bitlocker

  • Be the first to comment

  • Be the first to like this

No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

No notes for slide


  • 1. Bryan Glancey • Global Encryption Subject Mater Expert Cracking Crypto Trend Micro Confidential 11/04/11
  • 2. Agenda Trend Micro Confidential 11/04/11 Introduction Background Methodology Applicability Conclusion
  • 3. Agenda Trend Micro Confidential 11/04/11 Introduction Background Methodology Applicability Conclusion
  • 4. Agenda Trend Micro Confidential 11/04/11 Introduction Background Methodology Applicability Conclusion
  • 5. Agenda Trend Micro Confidential 11/04/11 Introduction Background Methodology Applicability Conclusion
  • 6. Agenda Trend Micro Confidential 11/04/11 Introduction Background Methodology Applicability Conclusion
    • Cracking Crypto
    Trend Micro Confidential 11/04/11
  • 8. Introduction
    • Throughout this presentation we will be following an exploit against Cryptographic Software – to give you background on why…
    • Bryan E. Glancey, Jr.
      • One of the original US based team to form Pointsec Mobile Technologies
      • Founded Mobile Armor in 2002 to pursue Enterprise class Data-at-Rest Cryptography
      • Mobile Armor was acquired by Trend in February of 2011
      • Co-Founder & Chief Technology Officer of Mobile Armor
    Trend Micro Confidential 11/04/11
    • Cracking Crypto
    Trend Micro Confidential 11/04/11
  • 10. A call in the middle of the night Trend Micro Confidential 11/04/11
  • 11. Oh Oh Trend Micro Confidential 11/04/11
  • 12. What is it?
    • Hit the News in February 2008 – without Source code
    • Every major Customer called within 24 Hours
    • We HAD to understand it, recreate it, and then make sure we defended against it
    Trend Micro Confidential 11/04/11
  • 13. What had to be done?
    • We needed to review the paper
    • We had to understand the attack
    • We had to recreate the attack
    • We had to analyze the results
    • We had to see if our product was affected and find out why or why not
    • We had to advise our customers
    • We had to do it in less then a week
    Trend Micro Confidential 11/04/11
    • Cracking Crypto
    Trend Micro Confidential 11/04/11
  • 15. Step 1 : Understand the attack
    • Two parts:
      • Retrieving a memory image
        • This is the actual getting the keys part. The original team was studying the rememence in DRAM of the formerly stored data.
        • One of the impressive things the team did was write software to compensate for the memory degradation over time
      • Analyzing the memory image
        • Once the memory image was obtained, we needed to analyze that image to find the Encryption Key
        • This was the key to the attack for us
    Trend Micro Confidential 11/04/11
  • 16. Step 1: Figure out what was important
    • There was a lot of time / effort expended on the acquisition of the memory image.
    • The majority of the reports, presentations, and reviews focus on the ‘aircan’ attack of cooling DRAM to make it more persistent and take the memory image
    • Due to image degradation, the majority of cases of the attack assumed some percentage of degradation
    • We decided to pursue the hardest case – Direct memory imaging with a 0% degradation
    Trend Micro Confidential 11/04/11
  • 17. Step 2: How do you do it?
    • Physical capture of memory was obtained through the use of the windows debugging tool. Setup of this tools is detailed on . Physical setup required two computers, a target computer (the computer being attacked) and a host computer (from which the attacker is attacking).
    • The target system must have a full disk encryption software installed and running, and the user must be authenticated. In our recreation we used Mobile Armor’s DataArmor product version 3.0 service pack 4.
    Trend Micro Confidential 11/04/11
  • 18. (Spoilers) New methods for imaging
    • Disk volume images can be created using third-party tools, such as Guidance EnCase, Free EASIS Drive Cloning, or DD . Physical memory images can be created using Passware FireWire Memory Imager or third-party tools, such as ManTech Physical Memory Dump Utility or win32dd. If the target computer with the BitLocker volume is powered off, encryption keys are not stored in its memory, but they could be possibly recovered from the hiberfil.sys file, which is automatically created when a system hibernates.
    Trend Micro Confidential 11/04/11
  • 19. A Needle (or a key) in a haystack
    • So now that we had the image, we had to find the key
    • We had to write a program to systematically search through memory and figure out what was a key and what wasn’t
    • (UPDATE) The Princeton team has since released their Software for this as well
    • (UPDATE) Both TrueCrypt and Bitlocker use static storage methods – so commercial tools now retrieve the keys instantly
    Trend Micro Confidential 11/04/11
  • 20. The Guts of searching for keys
    • The method of finding the AES key amidst all of the other extraneous data in memory is using one of the functional characteristics of AES itself, namely Key expansion. Key expansion is the mechanism through which you take the symmetric encryption key and expand it into a workable format for both encryption and decryption – as well as several iterations, or rounds. AES is not a Feistel Cipher, meaning that encryption and decryption are not equivalent functions, which necessitates the separate tables for encryption and decryption of data. Since this key is typically used constantly in the case of full disk encryption , the Key expansion is stored in memory and used to encrypt the data being written to the disk and decrypt the data being read off the disk. This was the mechanism of attack utilized by the Princeton researchers. In order to find the key expansion in memory (and subsequently in the memory dump file captured in the attack) the Keyfind program reads a specific length of data which corresponds to the key length of the algorithm. The Length of the data is 32 bits for 256-bit, 24 bits for 192-bit or 16 bits for 128 bit. This data from the memory dump is then assumed to be the encryption key, and Key Expansion is performed upon it. The resultant Key Expansion is then compared against the ‘nextchunk’ of data from the memory dump to see if it matches. The pattern matching of the key to the key expansion is what allows the decrease in time to finding the key stored in RAM. IT is, however, dependent upon the pattern found in memory matching the pre-computed Key expansion exactly.
    Trend Micro Confidential 11/04/11
  • 21. What caused the issue?
    • Vendors had either stored their encryption keys (Key expansions)
      • In the same place every time
      • As one predictable string
    • What could you do to prevent this?
      • Split keys into multiple parts
      • Randomize your location in memory
      • Store several Dummy keys (fakes) – Key Expansions
      • Camouflage Keys to make harder to detect
    Trend Micro Confidential 11/04/11
    • Cracking Crypto
    Trend Micro Confidential 11/04/11
  • 23. What is affected by this
    • Any software application that uses Cryptography is potentially vulnerable
    • Some popular programs:
    • Bitlocker
    • TrueCrypt
    • PGP
    • loopAES
    • Others?
    Trend Micro Confidential 11/04/11
  • 24. Potential Malware?
    • Malware could be designed to search for Key Expansion in a running system
    • Capture of the Key Expansion would result in compromise and recoverability of an encrypted system
    • Keyfind application is readily available
    • Perfect for creating a targeted attack against a known Disk Encryption user
    Trend Micro Confidential 11/04/11
    • Cracking Crypto
    Trend Micro Confidential 11/04/11
  • 26. Press Release of results
    • ST. LOUIS, Feb. 25 /PRNewswire/ -- In response to last week's Princeton University Report on full disk encryption security flaws, Mobile Armor, the leader in data protection solutions, today said its DataArmor(TM) product has long included safeguards to prevent the types of exploits detailed in the report. The Princeton Report found that through the use of simple tools thieves could capture the encryption keys from systems running disk encryption software from Microsoft, Apple, and TrueCrypt. "While the DataArmor product provides similar functionality to the studied products, our solution goes far beyond the basics and is engineered to protect against the vulnerabilities cited in the Princeton Report," said Bryan Glancey, chief technology officer of Mobile Armor.
    Trend Micro Confidential 11/04/11
  • 27. So, it’s been two years.. All fixed?
    • NO
    • Need ask questions from vendors (and open source developers) about what they are doing to protect Encryption keys
    • As always, when looking at any security tool, search for vulnerabilities prior to purchase
    Trend Micro Confidential 11/04/11
  • 28. Where have things gone from here
    • Commonly available keyfind source code
    • Several vendors have decided not to fix
    • Commercial and Open source software has included the Key find concepts
    Trend Micro Confidential 11/04/11
  • 29. Attack Technic is now commercially available
    • Example: Passware Forensic
    • Able to remove the key and decrypt
      • Bitlocker
      • TrueCrypt
    • Passware Hard disk Decryptor for TrueCrypt and Bitlocker
    Trend Micro Confidential 11/04/11
  • 30. What does this mean to me?
    • Cryptographic applications are subject to attacks on Key Expansion
    • Keys can be retrieved for Memory images, Disk images, or malware capture
    • Need to make sure Cryptographic keys are always protected
    Trend Micro Confidential 11/04/11
  • 31. THANK YOU! Trend Micro Confidential 11/04/11