Re: the cold-boot attack - a paper tiger?

[Jari Ruusu <jariruusu@xxxxxxxxxxxxxxxxxxxxx>]

Phil wrote:
> --- Richard Zidlicky <rz@xxxxxxxxxxxxxx> wrote:
> > .. perfectly feasible
> > with much of todays stock hardware. On multicore
> > systems all you need is
> > a nonpreemptible kernel thread holding part of the
> > key in its CPU registers.
> > That way you do not have the keys in main memory or
> > they can be in main memory
> > but encrypted. The thread would also do the disk
> > encryption so if designed
> > carefully there would never be sufficient
> > information in main memory
> > to recover any data.
> 
> Sounds like a solution. How hard would that be to
> implement in loop-aes (is Jari reading?)

I'm reading... but not convinced.

Another half-solution:
http://www.mail-archive.com/cryptography@xxxxxxxxxxxx/msg08939.html

IMO, it is best to not give adversary full access to computer that still has
encryption keys in non-tamper-proof DRAM.

> 1. Which kernels sanitize pipe buffers in the way Jari
> is saying?

Mainline kernels don't.

Here is a patch for 2.4 branch:
--- linux-2.4.36.4/fs/pipe.c	2003-08-25 20:48:23.000000000 +0300
+++ linux-2.4.36.4r1/fs/pipe.c	2008-05-13 21:11:45.000000000 +0300
@@ -304,6 +304,7 @@
 	if (!PIPE_READERS(*inode) && !PIPE_WRITERS(*inode)) {
 		struct pipe_inode_info *info = inode->i_pipe;
 		inode->i_pipe = NULL;
+		memset(info->base, 0, PAGE_SIZE); /* for better security */
 		free_page((unsigned long) info->base);
 		kfree(info);
 	} else {

-- 
Jari Ruusu  1024R/3A220F51 5B 4B F9 BB D3 3F 52 E9  DB 1D EB E3 24 0E A9 DD

-
Linux-crypto:  cryptography in and on the Linux system
Archive:       http://mail.nl.linux.org/linux-crypto/