Cool!

This article is very interesting for two reasons. The first is:

A group led by a Princeton University computer security researcher has developed a simple method to steal encrypted information stored on computer hard disks.

The technique, which could undermine security software protecting critical data on computers, is as easy as chilling a computer memory chip with a blast of frigid air from a can of dust remover. Encryption software is widely used by companies and government agencies, notably in portable computers that are especially susceptible to theft.

The development, which was described on the group’s Web site Thursday, could also have implications for the protection of encrypted personal data from prosecutors.

The move, which cannot be carried out remotely, exploits a little-known vulnerability of the dynamic random access, or DRAM, chip. Those chips temporarily hold data, including the keys to modern data-scrambling algorithms. When the computer’s electrical power is shut off, the data, including the keys, is supposed to disappear.

In a technical paper that was published Thursday on the Web site of Princeton’s Center for Information Technology Policy, the group demonstrated that standard memory chips actually retain their data for seconds or even minutes after power is cut off.

When the chips were chilled using an inexpensive can of air, the data was frozen in place, permitting the researchers to easily read the keys — long strings of ones and zeros — out of the chip’s memory.

“Cool the chips in liquid nitrogen (-196 °C) and they hold their state for hours at least, without any power,” Edward W. Felten, a Princeton computer scientist, wrote in a Web posting. “Just put the chips back into a machine and you can read out their contents.”

That’s cool enough, but this is just as cool:

The issue of protecting information with disk encryption technology became prominent recently in a criminal case involving a Canadian citizen who late in 2006 was stopped by United States customs agents who said they had found child pornography on his computer.

When the agents tried to examine the machine later, they discovered that the data was protected by encryption. The suspect has refused to divulge his password. A federal agent testified in court that the only way to determine the password otherwise would be with a password guessing program, which could take years.

A federal magistrate ruled recently that forcing the suspect to disclose the password would be unconstitutional.

Not that a child pornographer may be able to get away with his crime but that you can password protect your data and the government can’t force you to potentially incriminate yourself.

4 thoughts on “Cool!

  1. a Canadian citizen who late in 2006 was stopped by United States customs agents who said they had found child pornography on his computer.

    When the agents tried to examine the machine later, they discovered that the data was protected by encryption.

    so just exactly how did they “find” anything illicit on that disk in the first place, then?

  2. I’ve found it interesting the number of people arrested here on our Disney anti-terror laws who, although found not guilty of terrorism, just happen to have child porn on their computer.

    Funny that. It’s almost as if…. Nah!

  3. I see this argument is going to flame up all over again. Last time it was unallocating blocks of memory without zeroing out the contents — there is a price tag for security, and it’s usually performance, and therefore productivity.

    I have to ask: why store keys in memory? Why not just keep them encrypted in a file, and have a time window of minimum duration where they keys are unencrypted? Probably convenience. Who wants to sit there entering passphrases all the time? I suppose the user could have a card containing the passphrases, but with physical access, it’s probably easier to steal that.

    It seems like an incredibly involved way to grab the information. If the prying eyes want to see the data, and they have physical access to the machine, why not just spy on the user’s keystrokes? Or better yet, just beat the secrets out of him with the steel cylinder full of compressed air. Anyway, it presumes physical access, which is an important part of the security process.

Comments are closed.