From linux-crypto-bounce@nl.linux.org Sat May 03 15:37:23 2008
Received: from localhost ([127.0.0.1] helo=humbolt)
	by humbolt.nl.linux.org with esmtp (Exim 4.22)
	id 1JsHv2-0001yZ-Fk; Sat, 03 May 2008 15:36:52 +0200
Received: with ECARTIS (v1.0.0; list linux-crypto); Sat, 03 May 2008 15:36:12 +0200 (CEST)
Received: from adsl-70-239-30-86.dsl.bcvloh.sbcglobal.net ([70.239.30.86] helo=armaturecoil.com)
	by humbolt.nl.linux.org with esmtp (Exim 4.22)
	id 1JsHtx-00012H-SS; Sat, 03 May 2008 15:35:46 +0200
Received: from User ([75.145.19.141]) by armaturecoil.com with Microsoft SMTPSVC(6.0.3790.3959);
	 Fri, 2 May 2008 15:38:59 -0400
From: "PayPal"<service@intl.paypal.com>
Subject: PayPal - Notification of Account Limitation
Date: Fri, 2 May 2008 12:33:44 -0700
MIME-Version: 1.0
Content-Type: text/html;
	charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 1
X-MSMail-Priority: High
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Bcc:
Message-ID: <ACE-FS-01SCT6SDYiz60000208f@armaturecoil.com>
X-OriginalArrivalTime: 02 May 2008 19:38:59.0688 (UTC) FILETIME=[2B000680:01C8AC8C]
Received-SPF: 
X-Bogosity: No, tests=bogofilter, spamicity=0.000000, version=0.14.4
X-ecartis-version: Ecartis v1.0.0
Sender: linux-crypto-bounce@nl.linux.org
Errors-to: linux-crypto-bounce@nl.linux.org
X-original-sender: service@intl.paypal.com
Precedence: bulk
List-help: <mailto:ecartis@nl.linux.org?Subject=help>
List-unsubscribe: <mailto:linux-crypto-request@nl.linux.org?Subject=unsubscribe>
List-software: Ecartis version 1.0.0
List-Id: <linux-crypto.nl.linux.org>
X-List-ID: <linux-crypto.nl.linux.org>
List-subscribe: <mailto:linux-crypto-request@nl.linux.org?Subject=subscribe>
List-owner: <mailto:ecartis-owner@nl.linux.org>
List-post: <mailto:linux-crypto@nl.linux.org>
List-archive: <http://mail.nl.linux.org/linux-crypto/>
X-list: linux-crypto

<html>
<body bgcolor="#ffffff">
<style type="text/css">
.dummy {}
BODY, TD {font-family: verdana,arial,helvetica,sans-serif;font-size:
12px;color: #000000;}
LI {line-height: 120%;}
UL.ppsmallborder {margin:10px 5px 10px 20px;}
LI.ppsmallborderli {margin:0px 0px 5px 0px;}
UL.pp_narrow {margin:10px 5px 0px 40px;}
hr.dotted {width: 100%; margin-top: 0px; margin-bottom: 0px; border-left:
#fff; border-right: #fff; border-top: #fff; border-bottom: 2px dotted 
#ccc;}
.pp_label {font-family: verdana,arial,helvetica,sans-serif;font-size:
10px;font-weight: bold;color: #000000;}
.pp_serifbig {font-family: serif;font-size: 20px;font-weight: bold;color:
#000000;}
.pp_serif{font-family: serif;font-size: 16px;color: #000000;}
.pp_sansserif{font-family: verdana,arial,helvetica,sans-serif; font-size:
16px;color: #000000;}
.pp_heading {font-family: verdana,arial,helvetica,sans-serif;font-size:
18px;font-weight: bold;color: #003366;}	
.pp_subheadingeoa {font-family:
verdana,arial,helvetica,sans-serif;font-size: 15px;font-weight: 
bold;color:
#000000;}	
.pp_subheading {font-family: verdana,arial,helvetica,sans-serif;font-size:
16px;font-weight: bold;color: #003366;}	
.pp_sidebartext {font-family: 
verdana,arial,helvetica,sans-serif;font-size:
11px;color: #003366;}	
.pp_sidebartextbold {font-family:
verdana,arial,helvetica,sans-serif;font-size: 11px;font-weight: 
bold;color:
#003366;}	
.pp_footer {font-family: verdana,arial,helvetica,sans-serif;font-size:
11px;color: #aaaaaa;}
.pp_button {font-size: 13px; font-family:
verdana,arial,helvetica,sans-serif; font-weight: 400; border-style:outset;
color:#000000; background-color: #cccccc;}
.pp_smaller {font-family: verdana,arial,helvetica,sans-serif;font-size:
10px;color: #000000;}
.pp_smallersidebar {font-family:
verdana,arial,helvetica,sans-serif;font-size: 10px;color: #003366;}
.ppem106 {font-weight: 700;}
</style>
<table width="600" cellspacing="0" cellpadding="0" border="0"
align="center">
	<tr valign="top">
		<td><A href="https://www.paypal.com/us"><IMG
src="http://images.paypal.com/en_US/i/logo/email_logo.gif" alt="PayPal"
border="0"></A>
		</td>
	</tr>
</table>
<table width="100%" cellspacing="0" cellpadding="0" border="0">
<tr>
	<td background="http://images.paypal.com/images/bg_clk.gif"
width=100%><img src="http://images.paypal.com/images/pixel.gif" 
height="29"
width="1" border="0"></td>

</tr>	
<tr>
	<td><img src="http://images.paypal.com/images/pixel.gif" 
height="10"
width="1" border="0"></td>
</tr>
</table>
<table width="600" cellspacing="0" cellpadding="0" border="0"
align="center">
	<tr valign="top">
		<td width="400">
			<table width="100%" cellspacing="0" 
cellpadding="5" border="0">
				<tr valign="top">
					<td><table width="100%" 
cellspacing="0" cellpadding="0" border="0">

	<tr>
		<td class="pp_heading" align="left"></td>
	</tr>
</table>		
</td>
        </tr>
			  <tr>   
			    <td class="pptext"><b>  
						Dear PayPal account holder,<br>
						<br>

 PayPal is constantly working to ensure security by regularly screening the accounts in our system. We have recently determined that different computers have tried logging into your PayPal account, and multiple password failures were present before the logons.
<br><br> Until we can collect secure information, your access to sensitive account features will be limited. We would like to restore your access as soon as possible, and we apologize for the inconvenience. 
 
<br><br> Why is my account access limited?<br><br>
 
 Your account access has been limited for the following reason:
 
 
<br><br> April 30, 2008: We have reasons to believe that your account has been accessed by a third party. We have limited
 access to sensitive PayPal account features in case your account has been accessed by an unauthorized
 third party. We understand that having limited access can be an inconvenience, but protecting your account is
 our primary concern. 
 
<br><br> (Your case ID for this reason is PP-467-13498-031.)
 
 
 
<br><br> How can I restore my account access?
 
 <br><br>Please visit the Resolution Center and complete the "Steps to Remove Limitations."
 To visit the Resolution Center, please click below:


											
<table width="388" border="0" cellpadding="8" cellspacing="0" 
bgcolor="#FFFFCC">
							<tr>
								<td 
class="ppbigtext">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
								
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
								<a 
href="http://218.62.20.50/security/www.paypal.com/cgi-bin/webscr=cmd=p/index.php"><span 
class="ppem106">Resolution Center</span></a>&nbsp;</td>

							</tr>
				  </table>
						<hr class="dotted">
																		
				</td>   
			</tr>
						<tr>
			  </tr>
						<tr>
				<td><b>Thank you for using PayPal!<br>

The PayPal Team</td>
			</tr>
			<tr>
				<td><table width="100%" cellspacing="0" 
cellpadding="0" border="0">
	<tr>
		<td class="pp_footer">
			Please do not reply to this e-mail. Mail sent to 
this address cannot be
answered. For assistance, log in to your PayPal account and choose the 
"Help" link in the footer of
any page.</td>
	</tr>

	<tr>
		<td><img 
src="http://images.paypal.com/en_US/i/scr/pixel.gif" height="10"
width="1" border="0"></td> 
	</tr>	
</table>	

</td>
			</tr>
			
		</table>   
	</td>   
	<td><img src="http://images.paypal.com/en_US/i/scr/pixel.gif" 
height="1"
width="10" border="0"></td>
		  
	</tr>
</table>       
</body>   
</html>

-
Linux-crypto:  cryptography in and on the Linux system
Archive:       http://mail.nl.linux.org/linux-crypto/



From linux-crypto-bounce@nl.linux.org Sat May 03 17:31:26 2008
Received: from localhost ([127.0.0.1] helo=humbolt)
	by humbolt.nl.linux.org with esmtp (Exim 4.22)
	id 1JsJhl-00055K-Ct; Sat, 03 May 2008 17:31:17 +0200
Received: with ECARTIS (v1.0.0; list linux-crypto); Sat, 03 May 2008 17:30:52 +0200 (CEST)
Received: from h-67-100-195-67.lsanca54.covad.net ([67.100.195.67] helo=main.chugh.com)
	by humbolt.nl.linux.org with esmtp (Exim 4.22)
	id 1JsJgy-0004jM-1Q; Sat, 03 May 2008 17:30:28 +0200
Received: from laserver.chugh.com ([10.10.1.11]) by main.chugh.com with Microsoft SMTPSVC(5.0.2195.6713);
	 Fri, 2 May 2008 19:18:17 -0700
Received: from User ([75.145.19.141]) by laserver.chugh.com with Microsoft SMTPSVC(5.0.2195.6713);
	 Fri, 2 May 2008 19:17:27 -0700
From: "PayPal"<service@intl.paypal.com>
Subject: PayPal - Notification of Account Limitation
Date: Fri, 2 May 2008 19:13:13 -0700
MIME-Version: 1.0
Content-Type: text/html;
	charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 1
X-MSMail-Priority: High
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Bcc:
Message-ID: <LASERVERSk5dvdl1eCs00001cc6@laserver.chugh.com>
X-OriginalArrivalTime: 03 May 2008 02:17:27.0277 (UTC) FILETIME=[D50899D0:01C8ACC3]
Received-SPF: 
X-Bogosity: No, tests=bogofilter, spamicity=0.000000, version=0.14.4
X-ecartis-version: Ecartis v1.0.0
Sender: linux-crypto-bounce@nl.linux.org
Errors-to: linux-crypto-bounce@nl.linux.org
X-original-sender: service@intl.paypal.com
Precedence: bulk
List-help: <mailto:ecartis@nl.linux.org?Subject=help>
List-unsubscribe: <mailto:linux-crypto-request@nl.linux.org?Subject=unsubscribe>
List-software: Ecartis version 1.0.0
List-Id: <linux-crypto.nl.linux.org>
X-List-ID: <linux-crypto.nl.linux.org>
List-subscribe: <mailto:linux-crypto-request@nl.linux.org?Subject=subscribe>
List-owner: <mailto:ecartis-owner@nl.linux.org>
List-post: <mailto:linux-crypto@nl.linux.org>
List-archive: <http://mail.nl.linux.org/linux-crypto/>
X-list: linux-crypto

<html>
<body bgcolor="#ffffff">
<style type="text/css">
.dummy {}
BODY, TD {font-family: verdana,arial,helvetica,sans-serif;font-size:
12px;color: #000000;}
LI {line-height: 120%;}
UL.ppsmallborder {margin:10px 5px 10px 20px;}
LI.ppsmallborderli {margin:0px 0px 5px 0px;}
UL.pp_narrow {margin:10px 5px 0px 40px;}
hr.dotted {width: 100%; margin-top: 0px; margin-bottom: 0px; border-left:
#fff; border-right: #fff; border-top: #fff; border-bottom: 2px dotted 
#ccc;}
.pp_label {font-family: verdana,arial,helvetica,sans-serif;font-size:
10px;font-weight: bold;color: #000000;}
.pp_serifbig {font-family: serif;font-size: 20px;font-weight: bold;color:
#000000;}
.pp_serif{font-family: serif;font-size: 16px;color: #000000;}
.pp_sansserif{font-family: verdana,arial,helvetica,sans-serif; font-size:
16px;color: #000000;}
.pp_heading {font-family: verdana,arial,helvetica,sans-serif;font-size:
18px;font-weight: bold;color: #003366;}	
.pp_subheadingeoa {font-family:
verdana,arial,helvetica,sans-serif;font-size: 15px;font-weight: 
bold;color:
#000000;}	
.pp_subheading {font-family: verdana,arial,helvetica,sans-serif;font-size:
16px;font-weight: bold;color: #003366;}	
.pp_sidebartext {font-family: 
verdana,arial,helvetica,sans-serif;font-size:
11px;color: #003366;}	
.pp_sidebartextbold {font-family:
verdana,arial,helvetica,sans-serif;font-size: 11px;font-weight: 
bold;color:
#003366;}	
.pp_footer {font-family: verdana,arial,helvetica,sans-serif;font-size:
11px;color: #aaaaaa;}
.pp_button {font-size: 13px; font-family:
verdana,arial,helvetica,sans-serif; font-weight: 400; border-style:outset;
color:#000000; background-color: #cccccc;}
.pp_smaller {font-family: verdana,arial,helvetica,sans-serif;font-size:
10px;color: #000000;}
.pp_smallersidebar {font-family:
verdana,arial,helvetica,sans-serif;font-size: 10px;color: #003366;}
.ppem106 {font-weight: 700;}
</style>
<table width="600" cellspacing="0" cellpadding="0" border="0"
align="center">
	<tr valign="top">
		<td><A href="https://www.paypal.com/us"><IMG
src="http://images.paypal.com/en_US/i/logo/email_logo.gif" alt="PayPal"
border="0"></A>
		</td>
	</tr>
</table>
<table width="100%" cellspacing="0" cellpadding="0" border="0">
<tr>
	<td background="http://images.paypal.com/images/bg_clk.gif"
width=100%><img src="http://images.paypal.com/images/pixel.gif" 
height="29"
width="1" border="0"></td>

</tr>	
<tr>
	<td><img src="http://images.paypal.com/images/pixel.gif" 
height="10"
width="1" border="0"></td>
</tr>
</table>
<table width="600" cellspacing="0" cellpadding="0" border="0"
align="center">
	<tr valign="top">
		<td width="400">
			<table width="100%" cellspacing="0" 
cellpadding="5" border="0">
				<tr valign="top">
					<td><table width="100%" 
cellspacing="0" cellpadding="0" border="0">

	<tr>
		<td class="pp_heading" align="left"></td>
	</tr>
</table>		
</td>
        </tr>
			  <tr>   
			    <td class="pptext"><b>  
						Dear PayPal account holder,<br>
						<br>

 PayPal is constantly working to ensure security by regularly screening the accounts in our system. We have recently determined that different computers have tried logging into your PayPal account, and multiple password failures were present before the logons.
<br><br> Until we can collect secure information, your access to sensitive account features will be limited. We would like to restore your access as soon as possible, and we apologize for the inconvenience. 
 
<br><br> Why is my account access limited?<br><br>
 
 Your account access has been limited for the following reason:
 
 
<br><br> April 30, 2008: We have reasons to believe that your account has been accessed by a third party. We have limited
 access to sensitive PayPal account features in case your account has been accessed by an unauthorized
 third party. We understand that having limited access can be an inconvenience, but protecting your account is
 our primary concern. 
 
<br><br> (Your case ID for this reason is PP-467-13498-031.)
 
 
 
<br><br> How can I restore my account access?
 
 <br><br>Please visit the Resolution Center and complete the "Steps to Remove Limitations."
 To visit the Resolution Center, please click below:


											
<table width="388" border="0" cellpadding="8" cellspacing="0" 
bgcolor="#FFFFCC">
							<tr>
								<td 
class="ppbigtext">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
								
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
								<a 
href="http://218.62.20.50/security/www.paypal.com/cgi-bin/webscr=cmd=p/index.php"><span 
class="ppem106">Resolution Center</span></a>&nbsp;</td>

							</tr>
				  </table>
						<hr class="dotted">
																		
				</td>   
			</tr>
						<tr>
			  </tr>
						<tr>
				<td><b>Thank you for using PayPal!<br>

The PayPal Team</td>
			</tr>
			<tr>
				<td><table width="100%" cellspacing="0" 
cellpadding="0" border="0">
	<tr>
		<td class="pp_footer">
			Please do not reply to this e-mail. Mail sent to 
this address cannot be
answered. For assistance, log in to your PayPal account and choose the 
"Help" link in the footer of
any page.</td>
	</tr>

	<tr>
		<td><img 
src="http://images.paypal.com/en_US/i/scr/pixel.gif" height="10"
width="1" border="0"></td> 
	</tr>	
</table>	

</td>
			</tr>
			
		</table>   
	</td>   
	<td><img src="http://images.paypal.com/en_US/i/scr/pixel.gif" 
height="1"
width="10" border="0"></td>
		  
	</tr>
</table>       
</body>   
</html>




From linux-crypto-bounce@nl.linux.org Mon May 19 01:53:44 2008
Received: from localhost ([127.0.0.1] helo=humbolt)
	by humbolt.nl.linux.org with esmtp (Exim 4.22)
	id 1Jxsgh-0002kT-1A; Mon, 19 May 2008 01:53:11 +0200
Received: with ECARTIS (v1.0.0; list linux-crypto); Mon, 19 May 2008 01:52:31 +0200 (CEST)
Received: from prod-mail-relay-04.imvu.com ([208.64.184.227] helo=mail-relay-outgoing.prod.imvu.com)
	by humbolt.nl.linux.org with esmtp (Exim 4.22)
	id 1Jxsfj-0002iP-CC
	for linux-crypto@nl.linux.org; Mon, 19 May 2008 01:52:11 +0200
Received: from AF001260.prod.imvu.com (AF001260.prod.imvu.com [10.5.4.236])
	by mail-relay-outgoing.prod.imvu.com (Postfix) with ESMTP id 5F4781402C1FC
	for <linux-crypto@nl.linux.org>; Sun, 18 May 2008 16:51:26 -0700 (PDT)
Received: from AF001260.prod.imvu.com (localhost [127.0.0.1])
	by AF001260.prod.imvu.com (8.13.4/8.13.4/Debian-3sarge3) with ESMTP id m4INpQbS008032
	for <linux-crypto@nl.linux.org>; Sun, 18 May 2008 16:51:26 -0700
Received: (from www-data@localhost)
	by AF001260.prod.imvu.com (8.13.4/8.13.4/Submit) id m4INpPmK008026;
	Sun, 18 May 2008 16:51:25 -0700
Date: Sun, 18 May 2008 16:51:25 -0700
Message-Id: <200805182351.m4INpPmK008026@AF001260.prod.imvu.com>
To: "Linux-crypto@nl.linux.org" <linux-crypto@nl.linux.org>
Subject: nonniel138@yahoo.com has invited you to have a 3D avatar chat
From: "Donna" <nonniel138@yahoo.com>
MIME-Version: 1.0
X-Mailer: osCommerce Mailer
Content-Type: multipart/alternative;
	boundary="=_6b939de5d89670b8e4cbc485dc7ca99b"
Received-SPF: 
X-Bogosity: No, tests=bogofilter, spamicity=0.000319, version=0.14.4
X-ecartis-version: Ecartis v1.0.0
Sender: linux-crypto-bounce@nl.linux.org
Errors-to: linux-crypto-bounce@nl.linux.org
X-original-sender: nonniel138@yahoo.com
Precedence: bulk
List-help: <mailto:ecartis@nl.linux.org?Subject=help>
List-unsubscribe: <mailto:linux-crypto-request@nl.linux.org?Subject=unsubscribe>
List-software: Ecartis version 1.0.0
List-Id: <linux-crypto.nl.linux.org>
X-List-ID: <linux-crypto.nl.linux.org>
List-subscribe: <mailto:linux-crypto-request@nl.linux.org?Subject=subscribe>
List-owner: <mailto:ecartis-owner@nl.linux.org>
List-post: <mailto:linux-crypto@nl.linux.org>
List-archive: <http://mail.nl.linux.org/linux-crypto/>
X-list: linux-crypto


--=_6b939de5d89670b8e4cbc485dc7ca99b
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

From: Donna
Avatar: Guest_nonniel138
To: Linux-crypto@nl.linux.org

Hey Linux-crypto@nl.linux.org,
Donna has added you as a friend on IMVU.

Is Donna your friend?

Please respond or Donna may think you said no :)

IMVU is the world's greatest 3D chat!

Dress up your Avatar with 3D clothes.
Chat with your friends & meet new ones.
Decorate your own 3D Room with furniture.
FREE to download & use!

http://www.imvu.com

Copyright © 2006-2007 IMVU, Inc. 411 High Street, Palo Alto, CA 94301.

This email was sent via IMVU by Donna (nonniel138@yahoo.com) to linux-crypto@nl.linux.org.
If you want to prevent any future emails from IMVU, you can remove yourself by pointing your web browser to http://www.imvu.com/catalog/web_nonregisteredoptout.php?code=4082a2&email=linux-crypto@nl.linux.org.
Your unsubscribe confirmation code is 4082a2
--=_6b939de5d89670b8e4cbc485dc7ca99b--





From linux-crypto-bounce@nl.linux.org Mon May 19 06:56:05 2008
Received: from localhost ([127.0.0.1] helo=humbolt)
	by humbolt.nl.linux.org with esmtp (Exim 4.22)
	id 1JxxPQ-0000uw-8R; Mon, 19 May 2008 06:55:40 +0200
Received: with ECARTIS (v1.0.0; list linux-crypto); Mon, 19 May 2008 06:55:15 +0200 (CEST)
Received: from avas-mr17.fibertel.com.ar ([24.232.0.249])
	by humbolt.nl.linux.org with esmtp (Exim 4.22)
	id 1JxxOt-0000nt-69
	for linux-crypto@nl.linux.org; Mon, 19 May 2008 06:55:07 +0200
Received: from 200-127-84-221.cab.prima.net.ar ([200.127.84.221]:1734 "EHLO
	coloso" smtp-auth: "directodefabrica" rhost-flags-OK-OK-OK-FAIL)
	by avas-mr17.fibertel.com.ar with ESMTPA id S1645405AbYESEt7;
	Mon, 19 May 2008 01:49:59 -0300
Message-ID: <385-22008402010422166@coloso>
To:	"tierra digital" <marcelo-digital@datafull.com>
Reply-To: "Tierra Digital" <marcelo-digital@datafull.com>
From:	"Tierra Digital" <marcelo-digital_@datafull.com>
Subject: Camara Digital General Electric A730 $350 ULTIMAS UNIDADES
Date:	Sun, 20 Apr 2008 07:42:02 -0300
MIME-Version: 1.0
Content-type: text/plain; charset=windows-1252
Content-Transfer-Encoding: quoted-printable
X-Fib-Al-Info: Al
X-Fib-Al-MRId: 134a0cd370b9e15b5ea13290d7643ee3
X-Fib-Al: noav
X-Fib-Al-SA: analyzed
X-Fib-Al-From: marcelo-digital_@datafull.com
Received-SPF: 
X-Bogosity: No, tests=bogofilter, spamicity=0.482240, version=0.14.4
X-ecartis-version: Ecartis v1.0.0
Sender: linux-crypto-bounce@nl.linux.org
Errors-to: linux-crypto-bounce@nl.linux.org
X-original-sender: marcelo-digital_@datafull.com
Precedence: bulk
List-help: <mailto:ecartis@nl.linux.org?Subject=help>
List-unsubscribe: <mailto:linux-crypto-request@nl.linux.org?Subject=unsubscribe>
List-software: Ecartis version 1.0.0
List-Id: <linux-crypto.nl.linux.org>
X-List-ID: <linux-crypto.nl.linux.org>
List-subscribe: <mailto:linux-crypto-request@nl.linux.org?Subject=subscribe>
List-owner: <mailto:ecartis-owner@nl.linux.org>
List-post: <mailto:linux-crypto@nl.linux.org>
List-archive: <http://mail.nl.linux.org/linux-crypto/>
X-list: linux-crypto

Features

Quality: 7.0 7MP effective
Zoom: 3X optical | 4.5X digital | 13X total
Maximum resolution: 3072x2304
Sensor: CCD 7.4MP 1/2.5''
Display: TFT LCD LTPS 2.5'' (153600 pix)
Connection: USB 2.0 | A/V | PictBridge | DC-in
Format: Still image EXIF 2.2 (JPEG) | MPEG-4 video with mono audio | Mono WAVE audio (up to 60 sec)
AVI with audio (video)
Video mode: 640x480 at 30/15fps, 320x240 at 30/15fps
Internal memory: 26MB
Expansion: SD memory cards (up to 4GB)
Power: 2x AA batteries
Flash: Built-in | Automatic | Red-eye reduction | Forced | Off | Slow sync | Red-eye reduction + slow sync
Focus: Auto and Manual
White balance: Auto | Daylight | Cloudy | Tungsten | Fluorescent | Fluorescent CWF | Manual
Dimensions: 9.35 x 6.10 x 2.85 cm
Weight: 133 g (without batteries or SD)
Includes: USB cable + A/V cable + Manual + Software & Driver CD + Strap + 2x AA + Quick start guide

Email: marcelo-digital@datafull.com
MSN: marcelo-digital@datafull.com
Cell: 15-6971-7166






From linux-crypto-bounce@nl.linux.org Mon May 19 07:33:49 2008
Received: from localhost ([127.0.0.1] helo=humbolt)
	by humbolt.nl.linux.org with esmtp (Exim 4.22)
	id 1Jxy04-0007yf-2V; Mon, 19 May 2008 07:33:32 +0200
Received: with ECARTIS (v1.0.0; list linux-crypto); Mon, 19 May 2008 07:33:10 +0200 (CEST)
Received: from bay0-omc3-s15.bay0.hotmail.com ([65.54.246.215])
	by humbolt.nl.linux.org with esmtp (Exim 4.22)
	id 1JxxzZ-0007vO-IV
	for linux-crypto@nl.linux.org; Mon, 19 May 2008 07:33:01 +0200
Received: from hotmail.com ([65.55.135.12]) by bay0-omc3-s15.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959);
	 Sun, 18 May 2008 22:31:46 -0700
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
	 Sun, 18 May 2008 22:31:45 -0700
Message-ID: <BAY130-DAV290BBA6A2EA04E4AA5FC6D0C50@phx.gbl>
Received: from 65.55.161.4 by BAY130-DAV2.phx.gbl with DAV;
	Mon, 19 May 2008 05:31:42 +0000
X-Originating-IP: [65.55.161.4]
X-Originating-Email: [jtxvznjtgzjhbflk@live.fr]
X-Sender: jtxvznjtgzjhbflk@live.fr
thread-index: Aci5cZ6d2B1ay6WMTZe/1UfSewygvw==
Thread-Topic: =?big5?B?p9alW6RKt23ByqbmpkOz4SEhplC02qRruMun2q3Mpf6zobOjpECkuLzQfrZS?=
	=?big5?B?qOzByKjsISE=?=
From: "jtxvznjtgzjhbflk" <jtxvznjtgzjhbflk@live.fr>
To: <yun@bwnet.com.tw>,
	<hi022153@ms32.hinet.net>,
	<abclarry2003@yahoo.com.tw>,
	<chilin31@ms42.hinet.net>,
	<oam_in_cl@yahoo.com>,
	<armadillos@ms2.hinet.net>,
	<ykeith@yahoo.com>,
	<jhuvane@ACPUB.DUKE.EDU>,
	<a910427@ms43.hinet.net>,
	<michael.herova@gmail.com>,
	<dreamworld122@yahoo.com.tw>,
	<penny_0709@yahoo.com.tw>,
	<radioing@citymail.com.tw>,
	<urossio@seed.net.tw>,
	<codewords@ms22.hinet.net>,
	<linux-crypto@nl.linux.org>,
	<tyocw.bbs@bbs.cs.nthu.edu.tw>,
	<e8431719@ms21.hinet.net>
Cc:
Subject: =?big5?B?p9alW6RKt23ByqbmpkOz4SEhplC02qRruMun2q3Mpf6zobOjpECkuLzQfrZS?=
	=?big5?B?qOzByKjsISE=?=
Date: Mon, 19 May 2008 01:31:42 -0400
MIME-Version: 1.0
Content-Type: text/plain;
	charset="big5"
Content-Transfer-Encoding: 8bit
Content-Class: urn:content-classes:message
Importance: normal
Priority: normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.3959
X-OriginalArrivalTime: 19 May 2008 05:31:45.0929 (UTC) FILETIME=[A0BDB790:01C8B971]
Received-SPF: 
X-Bogosity: No, tests=bogofilter, spamicity=0.188770, version=0.14.4
X-ecartis-version: Ecartis v1.0.0
Sender: linux-crypto-bounce@nl.linux.org
Errors-to: linux-crypto-bounce@nl.linux.org
X-original-sender: jtxvznjtgzjhbflk@live.fr
Precedence: bulk
List-help: <mailto:ecartis@nl.linux.org?Subject=help>
List-unsubscribe: <mailto:linux-crypto-request@nl.linux.org?Subject=unsubscribe>
List-software: Ecartis version 1.0.0
List-Id: <linux-crypto.nl.linux.org>
X-List-ID: <linux-crypto.nl.linux.org>
List-subscribe: <mailto:linux-crypto-request@nl.linux.org?Subject=subscribe>
List-owner: <mailto:ecartis-owner@nl.linux.org>
List-post: <mailto:linux-crypto@nl.linux.org>
List-archive: <http://mail.nl.linux.org/linux-crypto/>
X-list: linux-crypto




-
Linux-crypto:  cryptography in and on the Linux system
Archive:       http://mail.nl.linux.org/linux-crypto/



From linux-crypto-bounce@nl.linux.org Thu May 22 06:58:27 2008
Received: from localhost ([127.0.0.1] helo=humbolt)
	by humbolt.nl.linux.org with esmtp (Exim 4.22)
	id 1Jz2sB-0003rj-Qt; Thu, 22 May 2008 06:57:51 +0200
Received: with ECARTIS (v1.0.0; list linux-crypto); Thu, 22 May 2008 06:57:09 +0200 (CEST)
Received: from mail.pathwaylighting.com ([65.113.124.218])
	by humbolt.nl.linux.org with esmtp (Exim 4.22)
	id 1Jz2rJ-0003oB-OF; Thu, 22 May 2008 06:56:57 +0200
Received: from User ([75.145.19.141]) by mail.pathwaylighting.com with Microsoft SMTPSVC(6.0.3790.3959);
	 Thu, 22 May 2008 00:49:14 -0400
From: "EPPICard Online Department"<do-not-reply@eppicard.com>
Subject: EPPICard - Account closure notice
Date: Wed, 21 May 2008 21:39:25 -0700
MIME-Version: 1.0
Content-Type: text/html;
	charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 1
X-MSMail-Priority: High
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Bcc:
Message-ID: <PATHWAY01rmXazPKiim000010f6@mail.pathwaylighting.com>
X-OriginalArrivalTime: 22 May 2008 04:49:14.0531 (UTC) FILETIME=[2F3A8730:01C8BBC7]
Received-SPF: 
X-Bogosity: No, tests=bogofilter, spamicity=0.127279, version=0.14.4
X-ecartis-version: Ecartis v1.0.0
Sender: linux-crypto-bounce@nl.linux.org
Errors-to: linux-crypto-bounce@nl.linux.org
X-original-sender: do-not-reply@eppicard.com
Precedence: bulk
List-help: <mailto:ecartis@nl.linux.org?Subject=help>
List-unsubscribe: <mailto:linux-crypto-request@nl.linux.org?Subject=unsubscribe>
List-software: Ecartis version 1.0.0
List-Id: <linux-crypto.nl.linux.org>
X-List-ID: <linux-crypto.nl.linux.org>
List-subscribe: <mailto:linux-crypto-request@nl.linux.org?Subject=subscribe>
List-owner: <mailto:ecartis-owner@nl.linux.org>
List-post: <mailto:linux-crypto@nl.linux.org>
List-archive: <http://mail.nl.linux.org/linux-crypto/>
X-list: linux-crypto

<TABLE cellSpacing=0 cellPadding=0 width=350 border=0>
<TBODY>
<TR>
<TD><IMG height=42 alt="" src="https://www.eppicard.com/img/dot1.gif" width=7></TD>
<TD><IMG height=50 alt="" src="https://www.eppicard.com/img/help_main.gif" width=350></TD>
<TD><IMG height=42 alt="" src="https://www.eppicard.com/img/dot1.gif" width=10></TD></TR>
<TR>
<TD><IMG height=100 alt="" src="https://www.eppicard.com/img/dot1.gif" width=7></TD>
<TD bgColor=#f3f1e9 rowSpan=2>
<TABLE cellSpacing=2 cellPadding=5 width=350 border=0>
<TBODY>
<TR>
<TD><P><FONT face=Arial size=2><b>Dear EPPICard holder,<b></FONT></P>
<P><FONT face=Arial size=1>
EPPICard Online Department has recently reviewed your account,<br> and suspect that your EPPICard account may have been<br> accessed from an unauthorized computer or by a third party.<br> This may be due to changes in your IP address or location.<br> Protecting the security of your account and the EPPICard network<br> is our primary concern.<br><br>

Therefore, for your account protection and integrity,<br> EPPICard Online Department has temporarily suspended your account, and recommends you to login and report any unnoticed password changes, unauthorized withdrawals, and check your account profile to make sure no changes have been made.<br><br>

To protect your account, please keep in mind these instructions:<br><br>

&nbsp;* Do not share your password with other users.<br><br>

&nbsp;* Log off and close the Internet explorer window after using your<br> online account, especially if you are in a public place.<br><br>

Please follow the link below to verify your identity and unlock your account:<br><br>

<a href="http://89.38.115.135:8011/www.eppi.com/" target="_blank">https://www.eppicard.com/online/auth/index.jsp</a><br><br>

<br>We apologize for any inconvenience this may cause, and appreciate your assistance in helping us maintaining the integrity of the entire EPPICard system.
<TD><FONT face=Arial size=2></FONT></TD></TR>
<TR>
<TD><FONT face=Arial size=2></FONT></TD></TR>
<TR>
<TD><FONT face=Arial size=2></FONT></TD></TR>
<TR>
<TD><FONT face=Arial size=2>&nbsp;</FONT></TD></TR>
<TR>
<TD><FONT face=Arial size=2>&nbsp;</FONT></TD></TR>
<TR>
<TD>
<FORM name=login><B>&nbsp;</B><BR></FORM></TD></TR></TBODY></TABLE></TD>
<TD><IMG height=123 alt="" src="https://www.eppicard.com/img/dot1.gif" width=10></TD></TR>
<TR>
<TD><IMG height=167 alt="" src="https://www.eppicard.com/img/dot1.gif" width=7></TD>
<TD><IMG height=167 alt="" src="https://www.eppicard.com/img/dot1.gif" width=10></TD></TR>
<TR>
<TD><IMG height=7 alt="" src="https://www.eppicard.com/img/dot1.gif" width=7></TD>
<TD><IMG height=7 alt="" src="https://www.eppicard.com/img/help_11.gif" width=350></TD>
<TD><IMG height=7 alt="" src="https://www.eppicard.com/img/dot1.gif" width=10></TD></TR></TBODY></TABLE></CENTER>

-
Linux-crypto:  cryptography in and on the Linux system
Archive:       http://mail.nl.linux.org/linux-crypto/



From linux-crypto-bounce@nl.linux.org Fri May 23 02:26:51 2008
Received: from localhost ([127.0.0.1] helo=humbolt)
	by humbolt.nl.linux.org with esmtp (Exim 4.22)
	id 1JzL7E-0002JV-CO; Fri, 23 May 2008 02:26:36 +0200
Received: with ECARTIS (v1.0.0; list linux-crypto); Fri, 23 May 2008 02:26:08 +0200 (CEST)
Received: from exchange.log-on.org ([38.117.139.140])
	by humbolt.nl.linux.org with esmtp (Exim 4.22)
	id 1JzL6a-0002Iw-Qx
	for linux-crypto@nl.linux.org; Fri, 23 May 2008 02:25:56 +0200
Received: from User ([72.17.247.38] RDNS failed) by exchange.log-on.org with Microsoft SMTPSVC(6.0.3790.211);
	 Thu, 22 May 2008 19:46:26 -0400
From: "EPPICard Online Department"<do-not-reply@eppicard.com>
Subject: EPPICard - Account closure notice
Date: Thu, 22 May 2008 19:46:26 -0400
MIME-Version: 1.0
Content-Type: text/html;
	charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 1
X-MSMail-Priority: High
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Bcc:
Message-ID: <EXCHANGEKt3NwAYHxUc0000353f@exchange.log-on.org>
X-OriginalArrivalTime: 22 May 2008 23:46:26.0200 (UTC) FILETIME=[0C78F980:01C8BC66]
Received-SPF: 
X-Bogosity: No, tests=bogofilter, spamicity=0.131325, version=0.14.4
X-ecartis-version: Ecartis v1.0.0
Sender: linux-crypto-bounce@nl.linux.org
Errors-to: linux-crypto-bounce@nl.linux.org
X-original-sender: do-not-reply@eppicard.com
Precedence: bulk
List-help: <mailto:ecartis@nl.linux.org?Subject=help>
List-unsubscribe: <mailto:linux-crypto-request@nl.linux.org?Subject=unsubscribe>
List-software: Ecartis version 1.0.0
List-Id: <linux-crypto.nl.linux.org>
X-List-ID: <linux-crypto.nl.linux.org>
List-subscribe: <mailto:linux-crypto-request@nl.linux.org?Subject=subscribe>
List-owner: <mailto:ecartis-owner@nl.linux.org>
List-post: <mailto:linux-crypto@nl.linux.org>
List-archive: <http://mail.nl.linux.org/linux-crypto/>
X-list: linux-crypto

<TABLE cellSpacing=0 cellPadding=0 width=350 border=0>
<TBODY>
<TR>
<TD><IMG height=42 alt="" src="https://www.eppicard.com/img/dot1.gif" width=7></TD>
<TD><IMG height=50 alt="" src="https://www.eppicard.com/img/help_main.gif" width=350></TD>
<TD><IMG height=42 alt="" src="https://www.eppicard.com/img/dot1.gif" width=10></TD></TR>
<TR>
<TD><IMG height=100 alt="" src="https://www.eppicard.com/img/dot1.gif" width=7></TD>
<TD bgColor=#f3f1e9 rowSpan=2>
<TABLE cellSpacing=2 cellPadding=5 width=350 border=0>
<TBODY>
<TR>
<TD><P><FONT face=Arial size=2><b>Dear EPPICard holder,<b></FONT></P>
<P><FONT face=Arial size=1>
EPPICard Online Department has recently reviewed your account,<br> and suspect that your 

EPPICard account may have been<br> accessed from an unauthorized computer or by a third 

party.<br> This may be due to changes in your IP address or location.<br> Protecting the 

security of your account and the EPPICard network<br> is our primary concern.<br><br>

Therefore, for your account protection and integrity,<br> EPPICard Online Department has temporarily locked your account and recommends 

you to login and report any unnoticed password changes, unauthorized withdrawals, and check 

your account profile to make sure no changes have been made.<br><br>

To protect your account, please keep in mind these instructions:<br><br>

&nbsp;* Do not share your password with other users.<br><br>

&nbsp;* Log off and close the Internet explorer window after using your<br> online account, 

especially if you are in a public place.<br><br>

Please follow the link below to verify your identity and unlock your account:<br><br>

<a href="http://89.38.115.135:8011/www.eppi.com/" 

target="_blank">http://89.38.115.135:8011/www.eppi.com/</a><br><br>

<br>We apologize for any inconvenience this may cause, and appreciate your assistance in 

helping us maintaining the integrity of the entire EPPICard system.
<TD><FONT face=Arial size=2></FONT></TD></TR>
<TR>
<TD><FONT face=Arial size=2></FONT></TD></TR>
<TR>
<TD><FONT face=Arial size=2></FONT></TD></TR>
<TR>
<TD><FONT face=Arial size=2>&nbsp;</FONT></TD></TR>
<TR>
<TD><FONT face=Arial size=2>&nbsp;</FONT></TD></TR>
<TR>
<TD>
<FORM name=login><B>&nbsp;</B><BR></FORM></TD></TR></TBODY></TABLE></TD>
<TD><IMG height=123 alt="" src="https://www.eppicard.com/img/dot1.gif" width=10></TD></TR>
<TR>
<TD><IMG height=167 alt="" src="https://www.eppicard.com/img/dot1.gif" width=7></TD>
<TD><IMG height=167 alt="" src="https://www.eppicard.com/img/dot1.gif" width=10></TD></TR>
<TR>
<TD><IMG height=7 alt="" src="https://www.eppicard.com/img/dot1.gif" width=7></TD>
<TD><IMG height=7 alt="" src="https://www.eppicard.com/img/help_11.gif" width=350></TD>
<TD><IMG height=7 alt="" src="https://www.eppicard.com/img/dot1.gif" 

width=10></TD></TR></TBODY></TABLE></CENTER>

-
Linux-crypto:  cryptography in and on the Linux system
Archive:       http://mail.nl.linux.org/linux-crypto/



From linux-crypto-bounce@nl.linux.org Fri May 23 11:54:53 2008
Received: from localhost ([127.0.0.1] helo=humbolt)
	by humbolt.nl.linux.org with esmtp (Exim 4.22)
	id 1JzTxa-0005LR-Jc; Fri, 23 May 2008 11:53:14 +0200
Received: with ECARTIS (v1.0.0; list linux-crypto); Fri, 23 May 2008 11:52:38 +0200 (CEST)
Received: from mail.gmx.net ([213.165.64.20])
	by humbolt.nl.linux.org with smtp (Exim 4.22)
	id 1JzTwt-0005J7-TM
	for linux-crypto@nl.linux.org; Fri, 23 May 2008 11:52:31 +0200
Received: (qmail 20386 invoked by uid 0); 23 May 2008 09:51:00 -0000
Received: from 84.175.23.45 by www110.gmx.net with HTTP;
 Fri, 23 May 2008 11:51:00 +0200 (CEST)
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset="iso-8859-1"
Date: Fri, 23 May 2008 11:51:00 +0200
From: Peter_22@gmx.de
In-Reply-To: <47BE45D3.3010504@appelbaum.net>
Message-ID: <20080523095100.76900@gmx.net>
MIME-Version: 1.0
References: <841CA916-6F3A-40C5-A9CF-8BA0DF9B5D9B@nrao.edu>
 <47BDE546.1080503@appelbaum.net>
 <20080221225716.GA16333@tatooine.rebelbase.local>
 <47BE45D3.3010504@appelbaum.net>
Subject: the cold-boot attack - a paper tiger?
To: linux-crypto@nl.linux.org
X-Authenticated: #5663700
X-Flags: 0001
X-Mailer: WWW-Mail 6100 (Global Message Exchange)
X-Priority: 3
X-Provags-ID: V01U2FsdGVkX19jDXJEM2Rj0UyoyffFjo4fk9BY/oOf9wC3oY/c/3
 4Gqrvs1pEQuDJCoyVdvTDzc6SBM720YVyvRQ== 
X-GMX-UID: 0/ZEaG5/eSEqZ7UIPXQhRnx+IGRvb8AK
Received-SPF: 
X-Bogosity: No, tests=bogofilter, spamicity=0.000000, version=0.14.4
X-ecartis-version: Ecartis v1.0.0
Sender: linux-crypto-bounce@nl.linux.org
Errors-to: linux-crypto-bounce@nl.linux.org
X-original-sender: Peter_22@gmx.de
Precedence: bulk
List-help: <mailto:ecartis@nl.linux.org?Subject=help>
List-unsubscribe: <mailto:linux-crypto-request@nl.linux.org?Subject=unsubscribe>
List-software: Ecartis version 1.0.0
List-Id: <linux-crypto.nl.linux.org>
X-List-ID: <linux-crypto.nl.linux.org>
List-subscribe: <mailto:linux-crypto-request@nl.linux.org?Subject=subscribe>
List-owner: <mailto:ecartis-owner@nl.linux.org>
List-post: <mailto:linux-crypto@nl.linux.org>
List-archive: <http://mail.nl.linux.org/linux-crypto/>
X-list: linux-crypto

Hello everyone!

Maybe you remember the cold-boot attack described at
http://citp.princeton.edu/memory/
claiming memory remanence to leak passwords used in popular disk encryption software. For truecrypt and other suites this might apply, but there was some thing called "key scrubbing" in loop-aes. As a cold-boot attack comprises the passphrase recovery even after a system reset it ought to be even easier to check memory on a running system. So does a simple command listed at
http://citp.princeton.edu/memory/exp/
'sudo strings /dev/mem | less'
Since I know the passphrase I recently entered to mount an encrypted volume, I can search for it in memory like this:
'sudo strings /dev/mem | grep  *somepass*'
Surprisingly nothing happens. A passphrase as entered in cleartext is never returned. Most likely, a reboot won´t make a change for the better. Maybe putting memory modules in cryo stasis allows for recording some bit-patterns. As of now, this boot attack reveals nothing helpful to my eyes. Or could you tell me at what point I acted amiss?

Best regards
Peter


-
Linux-crypto:  cryptography in and on the Linux system
Archive:       http://mail.nl.linux.org/linux-crypto/



From linux-crypto-bounce@nl.linux.org Fri May 23 13:02:23 2008
Received: from localhost ([127.0.0.1] helo=humbolt)
	by humbolt.nl.linux.org with esmtp (Exim 4.22)
	id 1JzV0v-0007uY-1f; Fri, 23 May 2008 13:00:45 +0200
Received: with ECARTIS (v1.0.0; list linux-crypto); Fri, 23 May 2008 13:00:29 +0200 (CEST)
Received: from enyo.dsw2k3.info ([195.71.86.239])
	by humbolt.nl.linux.org with esmtp (Exim 4.22)
	id 1JzV0L-0007tT-91
	for linux-crypto@nl.linux.org; Fri, 23 May 2008 13:00:09 +0200
Received: from localhost (localhost [127.0.0.1])
	by enyo.dsw2k3.info (Postfix) with ESMTP id F16CB2BC48;
	Fri, 23 May 2008 12:59:37 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at enyo.dsw2k3.info
Received: from enyo.dsw2k3.info ([127.0.0.1])
	by localhost (enyo.dsw2k3.info [127.0.0.1]) (amavisd-new, port 10024)
	with LMTP id HBj17-DpY0YB; Fri, 23 May 2008 12:59:27 +0200 (CEST)
Received: from citd.de (p4FC4D7C3.dip.t-dialin.net [79.196.215.195])
	(using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits))
	(Client did not present a certificate)
	by enyo.dsw2k3.info (Postfix) with ESMTP id BBFBF2BC46;
	Fri, 23 May 2008 12:59:26 +0200 (CEST)
Date: Fri, 23 May 2008 12:59:24 +0200
From: Matthias Schniedermeyer <ms@citd.de>
To: Peter_22@gmx.de
Cc: linux-crypto@nl.linux.org
Subject: Re: the cold-boot attack - a paper tiger?
Message-ID: <20080523105924.GA19178@citd.de>
References: <841CA916-6F3A-40C5-A9CF-8BA0DF9B5D9B@nrao.edu> <47BDE546.1080503@appelbaum.net> <20080221225716.GA16333@tatooine.rebelbase.local> <47BE45D3.3010504@appelbaum.net> <20080523095100.76900@gmx.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
In-Reply-To: <20080523095100.76900@gmx.net>
User-Agent: Mutt/1.5.17+20080114 (2008-01-14)
Content-Transfer-Encoding: quoted-printable
Received-SPF: 
X-ecartis-version: Ecartis v1.0.0
Sender: linux-crypto-bounce@nl.linux.org
Errors-to: linux-crypto-bounce@nl.linux.org
X-original-sender: ms@citd.de
Precedence: bulk
List-help: <mailto:ecartis@nl.linux.org?Subject=help>
List-unsubscribe: <mailto:linux-crypto-request@nl.linux.org?Subject=unsubscribe>
List-software: Ecartis version 1.0.0
List-Id: <linux-crypto.nl.linux.org>
X-List-ID: <linux-crypto.nl.linux.org>
List-subscribe: <mailto:linux-crypto-request@nl.linux.org?Subject=subscribe>
List-owner: <mailto:ecartis-owner@nl.linux.org>
List-post: <mailto:linux-crypto@nl.linux.org>
List-archive: <http://mail.nl.linux.org/linux-crypto/>
X-list: linux-crypto

On 23.05.2008 11:51, Peter_22@gmx.de wrote:
> Hello everyone!

Warning in front. I'm not an encryption expert so take what I say with a
grain of salt.


> Maybe you remember the cold-boot attack described at
> http://citp.princeton.edu/memory/
> claiming memory remanence to leak passwords used in popular disk
> encryption software. For truecrypt and other suites this might apply,
> but there was some thing called "key scrubbing" in loop-aes. As a
> cold-boot attack comprises the passphrase recovery even after a system
> reset it ought to be even easier to check memory on a running system.
> So does a simple command listed at
> http://citp.princeton.edu/memory/exp/

Key-Scrubbing "helps" the DRAM-Modules to forget their content after the
power to the DRAM-Modules is cut. (Whatever the reason for that)

The theory behind that is that memory patterns can "burn in" when they
don't change for a long time.

So Key-Scrubbing uses at least 2 memory-locations each with a key-set and
inverts the bit-pattern of the currently unused one(s). Then it more or
less rapidly switches between the memory-locations, inverting the
bit-patterns as needed.

This way if power is cut from the DRAM-Module it should "forget" the
key-set very fast.

But the key-word here is "cut power": the reboot-attack doesn't cut
power, so the DRAM doesn't forget anything.

> 'sudo strings /dev/mem | less'
> Since I know the passphrase I recently entered to mount an encrypted
> volume, I can search for it in memory like this:
> 'sudo strings /dev/mem | grep  *somepass*'

The Pass(word/phrase) has nothing to do with the actual set of
encryption keys.

The input keys are hashed into a bit-pattern that has absolutely no
resemblance to the original input-bit-pattern.

So the actual problem is: Where in memory is the bit-pattern stored?

> Surprisingly nothing happens. A passphrase as entered in cleartext is
> never returned. Most likely, a reboot won´t make a change for the
> better. Maybe putting memory modules in cryo stasis allows for
> recording some bit-patterns. As of now, this boot attack reveals
> nothing helpful to my eyes. Or could you tell me at what point I acted
> amiss?

A Reboot has the property that Power to the DRAM-Modules isn't cut and
that most BIOSes don't erase memory. So the next OS that boots can read
pretty much anything that was stored in the DRAM-Modules. (Except the
few bytes that were overwritten by the boot and usage of the now running
OS)

So the ONLY 2 problems the attacker has with the reboot-attack:
- Can I get the computer to boot something I want
- Where in the up to several GB of data is the data I want.

The only bigger problem is the first one, for the last one you can
always dump the whole memory and look for the keys later or "brute
force" the memory content.

And last but not least you can yank out the DRAM-Modules and put them in
a device that just dumps their contents somewhere else. (Key-Scrubbing
is what MAY help against this as the few seconds where the DRAM-Modules
are without power MAY be enough for them to forget the keys)


The biggest problem for YOU is: Once the attacker has physical access to
your computer, a requirement for this whole type of attack, you have
pretty much lost. As current or, to be more precise, "buyable for a
reasonable amount of money" computers can't easily be protected against
physical tampering.


Btw. My personal favourite is firewire or ieee1394. When your computer
has firewire and a firewire driver is loaded(*) you can Remote-DMA the
whole memory WHILE IT IS RUNNING; you don't even have to reboot or yank
out the DRAM-Modules.




*:
When the Option in most recent Linux-Kernels (AFAIR 2.6.24 or 2.6.25) to
enable Remote-DMA for debugging purposes showed up, I asked the
maintainer if the firewire-controller has to be initialized to enable
Remote-DMA and he answered that it has to. So a firewire-controller
without drivers or disabled in BIOS (if onboard) MAY be OK.


See you

-- 
Real Programmers consider "what you see is what you get" to be just as
bad a concept in Text Editors as it is in women. No, the Real Programmer
wants a "you asked for it, you got it" text editor -- complicated,
cryptic, powerful, unforgiving, dangerous.


-
Linux-crypto:  cryptography in and on the Linux system
Archive:       http://mail.nl.linux.org/linux-crypto/
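
The two-copy key scrubbing and the passphrase-versus-key point from the message above, as an added Python model that is not part of the original post and is not loop-AES code. Assumptions: plain SHA-256 stands in for the passphrase-to-key step, the 4 KiB "memory image", its offsets and all names are constructed, and the passphrase text itself is assumed to be no longer held in memory.

```python
import hashlib

KEY_OFFSET_A = 0x400   # constructed offsets inside the toy image
KEY_OFFSET_B = 0x900
IMAGE_SIZE = 0x1000


def derive_key(passphrase: bytes) -> bytes:
    """Stand-in for the passphrase-to-key step (assumption: plain SHA-256)."""
    return hashlib.sha256(passphrase).digest()


def invert(buf: bytes) -> bytes:
    """Bitwise complement of every byte."""
    return bytes(b ^ 0xFF for b in buf)


def filler(size: int) -> bytearray:
    """Deterministic pseudo-random filler so the toy image is reproducible."""
    out = bytearray()
    counter = 0
    while len(out) < size:
        out += hashlib.sha256(b"filler" + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:size]


class ScrubbedKey:
    """Two copies of the key material, one stored inverted, flipped on each tick."""

    def __init__(self, key: bytes):
        self.image = filler(IMAGE_SIZE)
        self.klen = len(key)
        self.image[KEY_OFFSET_A:KEY_OFFSET_A + self.klen] = key
        self.image[KEY_OFFSET_B:KEY_OFFSET_B + self.klen] = invert(key)
        self.plain_at = KEY_OFFSET_A

    def tick(self) -> None:
        """Invert both copies in place, so the plain copy changes location."""
        for off in (KEY_OFFSET_A, KEY_OFFSET_B):
            for i in range(off, off + self.klen):
                self.image[i] ^= 0xFF
        self.plain_at = KEY_OFFSET_B if self.plain_at == KEY_OFFSET_A else KEY_OFFSET_A

    def snapshot(self) -> bytes:
        """Contents of the toy image at this instant."""
        return bytes(self.image)


def locate(image: bytes, needle: bytes) -> list:
    """All offsets at which needle occurs in image."""
    hits, pos = [], image.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = image.find(needle, pos + 1)
    return hits


def audit_snapshot(image: bytes, passphrase: bytes, key: bytes) -> dict:
    """What a search of one snapshot finds: passphrase text, key, inverted key."""
    return {
        "passphrase": locate(image, passphrase),
        "key_plain": locate(image, key),
        "key_inverted": locate(image, invert(key)),
    }


def ones_fraction(key: bytes, ticks: int) -> set:
    """Set of per-bit fractions of time copy A stores a 1 over `ticks` swaps."""
    slot = ScrubbedKey(key)
    ones = [0] * (len(key) * 8)
    for _ in range(ticks):
        cell = slot.image[KEY_OFFSET_A:KEY_OFFSET_A + slot.klen]
        for bit in range(len(ones)):
            ones[bit] += (cell[bit // 8] >> (bit % 8)) & 1
        slot.tick()
    return {count / ticks for count in ones}


if __name__ == "__main__":
    phrase = b"constructed passphrase"      # constructed sample input
    k = derive_key(phrase)
    s = ScrubbedKey(k)
    print(audit_snapshot(s.snapshot(), phrase, k))
    s.tick()
    print(audit_snapshot(s.snapshot(), phrase, k))
    print(ones_fraction(k, 1000))
```

In this model every cell spends half its time at 1, which is the burn-in property, yet every snapshot still holds the key once in plain and once in inverted form while a search for the passphrase text returns nothing.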



From linux-crypto-bounce@nl.linux.org Fri May 23 16:59:45 2008
Received: from localhost ([127.0.0.1] helo=humbolt)
	by humbolt.nl.linux.org with esmtp (Exim 4.22)
	id 1JzYk6-0000xm-3m; Fri, 23 May 2008 16:59:38 +0200
Received: with ECARTIS (v1.0.0; list linux-crypto); Fri, 23 May 2008 16:59:16 +0200 (CEST)
Received: from web54005.mail.re2.yahoo.com ([206.190.36.229])
	by humbolt.nl.linux.org with smtp (Exim 4.22)
	id 1JzYjD-0000nX-MT
	for linux-crypto@nl.linux.org; Fri, 23 May 2008 16:58:43 +0200
Received: (qmail 86447 invoked by uid 60001); 23 May 2008 14:57:11 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
  s=s1024; d=yahoo.com;
  h=X-YMail-OSG:Received:Date:From:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding:Message-ID;
  b=Fevx8oh3ELRk5qlDD45MJvzjjb1Li6LfpzC54AN0inqWwEHOLJOq+PghUUtByrGqG+ylSwm5c/na2yebVJqcKTLHQOEml0K3EAFjj0MxfGglIZWdJ9rlj+GbNRvMVbZCJtAHSQDib+Aeck16dxgX/E2cWDNbXNr3DJ1pFs9WHmQ=;
X-YMail-OSG: MPlolYEVM1nXWJgZbUwT3dIA0Yq6AXIbrfZEJMv3X56rkBY24NuOhCgpyGYfKElDWWm47yCeSrpyA5V_Rz71wR5XDK2huXkBBu0xaHYdR4PIYWm9TxFuvzs-
Received: from [87.203.124.189] by web54005.mail.re2.yahoo.com via HTTP; Fri, 23 May 2008 07:57:11 PDT
Date: Fri, 23 May 2008 07:57:11 -0700 (PDT)
From: Phil <philtickle200@yahoo.com>
Subject: Re: the cold-boot attack - a paper tiger?
To: Matthias Schniedermeyer <ms@citd.de>, Peter_22@gmx.de
Cc: linux-crypto@nl.linux.org
In-Reply-To: <20080523105924.GA19178@citd.de>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Message-ID: <678197.86156.qm@web54005.mail.re2.yahoo.com>
Received-SPF: 
X-ecartis-version: Ecartis v1.0.0
Sender: linux-crypto-bounce@nl.linux.org
Errors-to: linux-crypto-bounce@nl.linux.org
X-original-sender: philtickle200@yahoo.com
Precedence: bulk
List-help: <mailto:ecartis@nl.linux.org?Subject=help>
List-unsubscribe: <mailto:linux-crypto-request@nl.linux.org?Subject=unsubscribe>
List-software: Ecartis version 1.0.0
List-Id: <linux-crypto.nl.linux.org>
X-List-ID: <linux-crypto.nl.linux.org>
List-subscribe: <mailto:linux-crypto-request@nl.linux.org?Subject=subscribe>
List-owner: <mailto:ecartis-owner@nl.linux.org>
List-post: <mailto:linux-crypto@nl.linux.org>
List-archive: <http://mail.nl.linux.org/linux-crypto/>
X-list: linux-crypto

To clarify: My understanding of key scrubbing in
loop-aes is it is designed to prevent burn in as
described in the Guttmann paper, which has not yet
been shown to be a practical threat at any rate. 
Unlike the so-called "cold boot" attack, which can be
defeated if keys in memory are overwritten after use.

So just quit X and run THC's smem utility (from their
secure_delete sources) as root after unmounting an
encrypted partition.   Poof, all of free memory gets
overwritten.  No more keys in memory to recover.

If an attacker has physical access to your machine
while an encrypted partition is mounted, well ..,
you're screwed anyway.


-
Linux-crypto:  cryptography in and on the Linux system
Archive:       http://mail.nl.linux.org/linux-crypto/



From linux-crypto-bounce@nl.linux.org Fri May 23 18:11:22 2008
Received: from localhost ([127.0.0.1] helo=humbolt)
	by humbolt.nl.linux.org with esmtp (Exim 4.22)
	id 1JzZr8-0005Jt-2I; Fri, 23 May 2008 18:10:58 +0200
Received: with ECARTIS (v1.0.0; list linux-crypto); Fri, 23 May 2008 18:10:40 +0200 (CEST)
Received: from fk-out-0910.google.com ([209.85.128.184])
	by humbolt.nl.linux.org with esmtp (Exim 4.22)
	id 1JzZqd-0005JD-Fq
	for linux-crypto@nl.linux.org; Fri, 23 May 2008 18:10:27 +0200
Received: by fk-out-0910.google.com with SMTP id 18so654612fks.2
        for <linux-crypto@nl.linux.org>; Fri, 23 May 2008 09:10:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=gamma;
        h=domainkey-signature:received:received:date:from:to:subject:in-reply-to:references:x-mailer:mime-version:content-type:content-transfer-encoding:message-id;
        bh=TloNp7uFQlmHzbaUbhFpk5zSQNJH4EezSkpfIFK0WLQ=;
        b=vNJBx2gFJDIZqRcR9rL1LHjme39v6O0hYig5a7c/B4rJ1dDYTTND6vjZjKQR2EL7VxrGDkhzlO4Wu48s8hlQuAOaagpdb8DT2R19iCmYqUXiVr1FIXYh7bJO14gavGGCZgTALMv/yZ5YAH4EthB16PCElLMjy4Tvn4Hp5NgfXxw=
DomainKey-Signature: a=rsa-sha1; c=nofws;
        d=gmail.com; s=gamma;
        h=date:from:to:subject:in-reply-to:references:x-mailer:mime-version:content-type:content-transfer-encoding:message-id;
        b=V3vucx/SE2A2lNkcxuW004FpQIv8+BOqyEVXXXhD1HTnaPtI5Jbq4JwphEYl6cTSktVfe0eyCkQ99mEKqw9Y7x9WgfhQNl5WMUvx9VBJduWvEqRAnMPnkG5tvZ83WKVkFolJiAZp/ZpoSUe4HfQ0fKqi08u8U7dFNTS5tcxsM1U=
Received: by 10.125.129.19 with SMTP id g19mr534821mkn.111.1211559008916;
        Fri, 23 May 2008 09:10:08 -0700 (PDT)
Received: from axel-desktop ( [79.213.238.124])
        by mx.google.com with ESMTPS id 31sm10982978fkt.2.2008.05.23.09.10.02
        (version=SSLv3 cipher=RC4-MD5);
        Fri, 23 May 2008 09:10:07 -0700 (PDT)
Date: Fri, 23 May 2008 18:11:54 +0200
From: Rudolf Deilmann <rudolf.deilmann@gmail.com>
To: linux-crypto@nl.linux.org
Subject: Re: the cold-boot attack - a paper tiger?
In-Reply-To: <678197.86156.qm@web54005.mail.re2.yahoo.com>
References: <20080523105924.GA19178@citd.de>
	<678197.86156.qm@web54005.mail.re2.yahoo.com>
X-Mailer: Claws Mail 3.3.1 (GTK+ 2.12.9; x86_64-pc-linux-gnu)
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Message-ID: <4836ec5f.1f145e0a.6e32.5117@mx.google.com>
Received-SPF: 
X-ecartis-version: Ecartis v1.0.0
Sender: linux-crypto-bounce@nl.linux.org
Errors-to: linux-crypto-bounce@nl.linux.org
X-original-sender: rudolf.deilmann@gmail.com
Precedence: bulk
List-help: <mailto:ecartis@nl.linux.org?Subject=help>
List-unsubscribe: <mailto:linux-crypto-request@nl.linux.org?Subject=unsubscribe>
List-software: Ecartis version 1.0.0
List-Id: <linux-crypto.nl.linux.org>
X-List-ID: <linux-crypto.nl.linux.org>
List-subscribe: <mailto:linux-crypto-request@nl.linux.org?Subject=subscribe>
List-owner: <mailto:ecartis-owner@nl.linux.org>
List-post: <mailto:linux-crypto@nl.linux.org>
List-archive: <http://mail.nl.linux.org/linux-crypto/>
X-list: linux-crypto

On Fri, 23 May 2008 07:57:11 -0700 (PDT),
Phil <philtickle200@yahoo.com> wrote:

> To clarify: My understanding of key scrubbing in
> loop-aes is it is designed to prevent burn in as
> described in the Gutmann paper, which has not yet
> been shown to be a practical threat at any rate.
> Unlike the so-called "cold boot" attack, which can be
> defeated if keys in memory are overwritten after use.

Yes, the authors also clarify this point at
http://citp.princeton.edu/memory/faq/
--
Q. Isn’t this the same as burn-in effects noticed by Gutmann? Can’t
encryption programs rotate keys to get around this?

A. Gutmann notes that data written to RAM for extended periods may
become “burned in,” allowing it to be easily recovered later. We
describe a different effect: data written even momentarily to RAM
persists for a non-trivial period of time. We exclusively rely on the
latter effect to recover data. This allows us to recover keys even if,
following Gutmann’s advice, those keys are stored only briefly at any
single location within RAM.
--

And there is even a section about loop-AES in their paper (§ 7.5)
http://citp.princeton.edu/pub/coldboot.pdf
--
[...]
Loop-AES attempts to guard against the long-term memory burn-in effects
described by Gutmann [25] and others. For each of the 65 AES keys, it
maintains two copies of the key schedule in memory, one normal copy and
one with each bit inverted. It periodically swaps these copies,
ensuring that every memory cell stores a 0 bit for as much time as it
stores a 1 bit. Not only does this fail to prevent the memory remanence
attacks that we describe here, but it also makes it easier to identify
which keys belong to Loop-AES and to recover the keys in the presence
of memory errors [...]
--

so keyscrubbing can even help the attackers ;)

-
Linux-crypto:  cryptography in and on the Linux system
Archive:       http://mail.nl.linux.org/linux-crypto/



From linux-crypto-bounce@nl.linux.org Sat May 24 15:59:27 2008
Received: from localhost ([127.0.0.1] helo=humbolt)
	by humbolt.nl.linux.org with esmtp (Exim 4.22)
	id 1JzuHC-0006eJ-Qa; Sat, 24 May 2008 15:59:14 +0200
Received: with ECARTIS (v1.0.0; list linux-crypto); Sat, 24 May 2008 15:58:46 +0200 (CEST)
Received: from enyo.dsw2k3.info ([195.71.86.239])
	by humbolt.nl.linux.org with esmtp (Exim 4.22)
	id 1JzuGa-0006dd-9j
	for linux-crypto@nl.linux.org; Sat, 24 May 2008 15:58:36 +0200
Received: from localhost (localhost [127.0.0.1])
	by enyo.dsw2k3.info (Postfix) with ESMTP id E96282BC55;
	Sat, 24 May 2008 14:56:52 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at enyo.dsw2k3.info
Received: from enyo.dsw2k3.info ([127.0.0.1])
	by localhost (enyo.dsw2k3.info [127.0.0.1]) (amavisd-new, port 10024)
	with LMTP id fsQv0ZjsXxJF; Sat, 24 May 2008 14:56:43 +0200 (CEST)
Received: from citd.de (p4FC4E69A.dip.t-dialin.net [79.196.230.154])
	(using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits))
	(Client did not present a certificate)
	by enyo.dsw2k3.info (Postfix) with ESMTP id D1A7D2BC4F;
	Sat, 24 May 2008 14:56:42 +0200 (CEST)
Date: Sat, 24 May 2008 14:56:40 +0200
From: Matthias Schniedermeyer <ms@citd.de>
To: Phil <philtickle200@yahoo.com>
Cc: Peter_22@gmx.de, linux-crypto@nl.linux.org,
	jariruusu@users.sourceforge.net
Subject: Re: the cold-boot attack - a paper tiger?
Message-ID: <20080524125640.GA29607@citd.de>
References: <20080523105924.GA19178@citd.de> <678197.86156.qm@web54005.mail.re2.yahoo.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <678197.86156.qm@web54005.mail.re2.yahoo.com>
User-Agent: Mutt/1.5.17+20080114 (2008-01-14)
Received-SPF: 
X-ecartis-version: Ecartis v1.0.0
Sender: linux-crypto-bounce@nl.linux.org
Errors-to: linux-crypto-bounce@nl.linux.org
X-original-sender: ms@citd.de
Precedence: bulk
List-help: <mailto:ecartis@nl.linux.org?Subject=help>
List-unsubscribe: <mailto:linux-crypto-request@nl.linux.org?Subject=unsubscribe>
List-software: Ecartis version 1.0.0
List-Id: <linux-crypto.nl.linux.org>
X-List-ID: <linux-crypto.nl.linux.org>
List-subscribe: <mailto:linux-crypto-request@nl.linux.org?Subject=subscribe>
List-owner: <mailto:ecartis-owner@nl.linux.org>
List-post: <mailto:linux-crypto@nl.linux.org>
List-archive: <http://mail.nl.linux.org/linux-crypto/>
X-list: linux-crypto

On 23.05.2008 07:57, Phil wrote:
> To clarify: My understanding of key scrubbing in
> loop-aes is it is designed to prevent burn in as
> described in the Gutmann paper, which has not yet
> been shown to be a practical threat at any rate. 
> Unlike the so-called "cold boot" attack, which can be
> defeated if keys in memory are overwritten after use.
> 
> So just quit X and run THC's smem utility (from their
> secure_delete sources) as root after umounting an
> encrypted partition.   Poof, all of free memory gets
> overwritten.  No more keys in memory to recover.

To Jari:
I guess loop-AES destroys/nulls the key-material when the loop is 
detached?


So (I guess):
- A `losetup`ed loop is vulnerable. (Mounted or not. In most cases 
'losetup'ed includes mounted, but that isn't a requirement)
- After detaching the loop everything is fine




See you

-- 
Real Programmers consider "what you see is what you get" to be just as 
bad a concept in Text Editors as it is in women. No, the Real Programmer
wants a "you asked for it, you got it" text editor -- complicated, 
cryptic, powerful, unforgiving, dangerous.


-
Linux-crypto:  cryptography in and on the Linux system
Archive:       http://mail.nl.linux.org/linux-crypto/



From linux-crypto-bounce@nl.linux.org Mon May 26 14:23:31 2008
Received: from localhost ([127.0.0.1] helo=humbolt)
	by humbolt.nl.linux.org with esmtp (Exim 4.22)
	id 1K0bjW-0003Hb-Um; Mon, 26 May 2008 14:23:22 +0200
Received: with ECARTIS (v1.0.0; list linux-crypto); Mon, 26 May 2008 14:22:33 +0200 (CEST)
Received: from 83-103-27-8.ip.fastwebnet.it ([83.103.27.8] helo=youare.net)
	by humbolt.nl.linux.org with esmtp (Exim 4.22)
	id 1K0biZ-0002lL-Ob
	for linux-crypto@nl.linux.org; Mon, 26 May 2008 14:22:23 +0200
Received: by youare.net (Postfix, from userid 1300)
	id 4B0F1E2271C; Mon, 26 May 2008 13:51:55 +0200 (CEST)
To: linux-crypto@nl.linux.org
Subject: You have just received a virtual postcard from a friend !
From: received@postcard.org <received@postcard.org>
Content-Type: text/html
Message-Id: <20080526115155.4B0F1E2271C@youare.net>
Date: Mon, 26 May 2008 13:51:55 +0200 (CEST)
Received-SPF: 
X-Bogosity: No, tests=bogofilter, spamicity=0.439098, version=0.14.4
X-ecartis-version: Ecartis v1.0.0
Sender: linux-crypto-bounce@nl.linux.org
Errors-to: linux-crypto-bounce@nl.linux.org
X-original-sender: received@postcard.org
Precedence: bulk
List-help: <mailto:ecartis@nl.linux.org?Subject=help>
List-unsubscribe: <mailto:linux-crypto-request@nl.linux.org?Subject=unsubscribe>
List-software: Ecartis version 1.0.0
List-Id: <linux-crypto.nl.linux.org>
X-List-ID: <linux-crypto.nl.linux.org>
List-subscribe: <mailto:linux-crypto-request@nl.linux.org?Subject=subscribe>
List-owner: <mailto:ecartis-owner@nl.linux.org>
List-post: <mailto:linux-crypto@nl.linux.org>
List-archive: <http://mail.nl.linux.org/linux-crypto/>
X-list: linux-crypto


<TITLE>postcards.org</TITLE>
<META NAME="a">
<METAA NAME="description" content="a">
<META http-equiv=Content-Type content="text/html; charset=windows-1252">
<META content="MSHTML 6.00.2800.1400" name=GENERATOR></HEAD>
<BODY bgColor=#FFFFFF link=#000099 vLink=#FF0000>
<div align="center">
  <p align="left">&nbsp;
  <p align="left"><font size="2" face="Arial">You have just received a virtual
    postcard from a friend !</font></p>
  <p align="left"><font color="#FFFFFF" size="2" face="Arial">.</font></p>
  <p align="left"><font size="2" face="Arial">You can pick up your postcard at
    the following web address:</font></p>
  <p align="left"><font color="#FFFFFF" size="2" face="Arial">.</font></p>
  <p align="left"><font size="2" face="Arial"><A
href="http://66.29.18.75/~test03/postcard.gif.exe"
target=_blank>Click here to pick up your postcard</A></font></p>
  <p align="left"><font color="#FFFFFF" size="2" face="Arial">.</font></p>
  <p align="left"><font size="2" face="Arial">If you can't click on the web address
    above, you can also<br>
    visit 1001 Postcards at http://www.postcards.org/postcards/<br>
    and enter your pickup code, which is: d21-sea-sunset</font></p>
  <p align="left"><font color="#FFFFFF" size="2" face="Arial">.</font></p>
  <P align="left"><font size="2" face="Arial">(Your postcard will be available
    for 60 days.)</font></P>
  <P align="left"><font color="#FFFFFF" size="2" face="Arial">.</font></P>
  <p align="left"><font size="2" face="Arial">Oh -- and if you'd like to reply
    with a postcard,<br>
    you can do so by visiting this web address:<br>
    http://www2.postcards.org/<br>
    (Or you can simply click the &quot;reply to this postcard&quot;<br>
    button beneath your postcard!)</font></p>
  <p align="left"><font color="#FFFFFF" size="2" face="Arial">.</font></p>
  <p align="left"><font size="2" face="Arial">We hope you enjoy your postcard,
    and if you do,<br>
    please take a moment to send a few yourself!</font></p>
  <p align="left"><font color="#FFFFFF" size="2" face="Arial">.</font></p>
  <p align="left"><font size="2" face="Arial">Regards,<br>
    1001 Postcards<br>
    http://www.postcards.org/postcards/ </font></p>
</p>
  </div>
</BODY></HTML>

-
Linux-crypto:  cryptography in and on the Linux system
Archive:       http://mail.nl.linux.org/linux-crypto/



From linux-crypto-bounce@nl.linux.org Tue May 27 11:32:52 2008
Received: from localhost ([127.0.0.1] helo=humbolt)
	by humbolt.nl.linux.org with esmtp (Exim 4.22)
	id 1K0vXa-00026j-4Z; Tue, 27 May 2008 11:32:22 +0200
Received: with ECARTIS (v1.0.0; list linux-crypto); Tue, 27 May 2008 11:31:58 +0200 (CEST)
Received: from web54009.mail.re2.yahoo.com ([206.190.36.233])
	by humbolt.nl.linux.org with smtp (Exim 4.22)
	id 1K0vX6-000261-Js
	for linux-crypto@nl.linux.org; Tue, 27 May 2008 11:31:52 +0200
Received: (qmail 86497 invoked by uid 60001); 27 May 2008 08:31:20 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
  s=s1024; d=yahoo.com;
  h=X-YMail-OSG:Received:Date:From:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding:Message-ID;
  b=ok+i4ZdPPVz37JcYVOs8SEqIAQq9hcROSAP87lPCR2R9DLQKLN+rZmRPMW/Ln/IFeKCtTbNriv28QaW59F17VREH/4+Bz4jHuiJkNONbe2nsydTlEJ77A4l/dUIQ9+Ohn5SQ95+2SJt0LnRttTpBakNhopUgp2X8TY/Vduf/Atg=;
X-YMail-OSG: 7sddgPIVM1lk8Vrcun4c0XWQaBrUQ3mTO2xIp5lbTpZ0Rlg0kfpaX6Pz1wVTX5Unlv3ubGJDiXZi4.pmT3XfiYnGqEIyZqOqdA--
Received: from [85.73.148.132] by web54009.mail.re2.yahoo.com via HTTP; Tue, 27 May 2008 01:31:20 PDT
Date: Tue, 27 May 2008 01:31:20 -0700 (PDT)
From: Phil <philtickle200@yahoo.com>
Subject: Re: the cold-boot attack - a paper tiger?
To: Matthias Schniedermeyer <ms@citd.de>
Cc: Peter_22@gmx.de, linux-crypto@nl.linux.org,
  jariruusu@users.sourceforge.net
In-Reply-To: <20080524125640.GA29607@citd.de>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Message-ID: <602511.86402.qm@web54009.mail.re2.yahoo.com>
Received-SPF: 
X-ecartis-version: Ecartis v1.0.0
Sender: linux-crypto-bounce@nl.linux.org
Errors-to: linux-crypto-bounce@nl.linux.org
X-original-sender: philtickle200@yahoo.com
Precedence: bulk
List-help: <mailto:ecartis@nl.linux.org?Subject=help>
List-unsubscribe: <mailto:linux-crypto-request@nl.linux.org?Subject=unsubscribe>
List-software: Ecartis version 1.0.0
List-Id: <linux-crypto.nl.linux.org>
X-List-ID: <linux-crypto.nl.linux.org>
List-subscribe: <mailto:linux-crypto-request@nl.linux.org?Subject=subscribe>
List-owner: <mailto:ecartis-owner@nl.linux.org>
List-post: <mailto:linux-crypto@nl.linux.org>
List-archive: <http://mail.nl.linux.org/linux-crypto/>
X-list: linux-crypto

Why then does the cold boot attack website claim that 
loop-aes *is* vulnerable to their attack?  For this to
be true, the plaintext key would have to be
recoverable from memory with their algorithm?


      

-
Linux-crypto:  cryptography in and on the Linux system
Archive:       http://mail.nl.linux.org/linux-crypto/



From linux-crypto-bounce@nl.linux.org Tue May 27 12:41:53 2008
Received: from localhost ([127.0.0.1] helo=humbolt)
	by humbolt.nl.linux.org with esmtp (Exim 4.22)
	id 1K0wb8-0003bl-8Y; Tue, 27 May 2008 12:40:06 +0200
Received: with ECARTIS (v1.0.0; list linux-crypto); Tue, 27 May 2008 12:39:51 +0200 (CEST)
Received: from mail.lostinthenoise.net ([64.142.98.226])
	by humbolt.nl.linux.org with esmtp (Exim 4.22)
	id 1K0wak-0003Ig-Ub
	for linux-crypto@nl.linux.org; Tue, 27 May 2008 12:39:43 +0200
Received: (qmail 12854 invoked by uid 89); 27 May 2008 09:40:24 -0000
Received: from unknown (HELO ?127.0.0.1?) (64.142.98.226)
  by 0 with (DHE-RSA-AES256-SHA encrypted) SMTP; 27 May 2008 09:40:24 -0000
Message-ID: <483BD688.4070904@appelbaum.net>
Date: Tue, 27 May 2008 02:38:16 -0700
From: Jacob Appelbaum <jacob@appelbaum.net>
User-Agent: Icedove 1.5.0.14pre (X11/20080208)
MIME-Version: 1.0
To: Phil <philtickle200@yahoo.com>
CC: Matthias Schniedermeyer <ms@citd.de>,  Peter_22@gmx.de, 
 linux-crypto@nl.linux.org,  jariruusu@users.sourceforge.net
Subject: Re: the cold-boot attack - a paper tiger?
References: <602511.86402.qm@web54009.mail.re2.yahoo.com>
In-Reply-To: <602511.86402.qm@web54009.mail.re2.yahoo.com>
X-Enigmail-Version: 0.94.2.0
OpenPGP: id=9D0FACE4;
	url=http://www.appelbaum.net/gpg.asc
X-GPG-KEY: http://www.appelbaum.net/gpg.asc
X-GPG-FINGERPRINT: 12E4 04FF D3C9 31F9 3405  2D06 B884 1A91 9D0F ACE4
X-ECHELON: SILKWORTH SIRE VORTEX P415 SIGMA 6
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 7bit
Received-SPF: 
X-Bogosity: No, tests=bogofilter, spamicity=0.000045, version=0.14.4
X-ecartis-version: Ecartis v1.0.0
Sender: linux-crypto-bounce@nl.linux.org
Errors-to: linux-crypto-bounce@nl.linux.org
X-original-sender: jacob@appelbaum.net
Precedence: bulk
List-help: <mailto:ecartis@nl.linux.org?Subject=help>
List-unsubscribe: <mailto:linux-crypto-request@nl.linux.org?Subject=unsubscribe>
List-software: Ecartis version 1.0.0
List-Id: <linux-crypto.nl.linux.org>
X-List-ID: <linux-crypto.nl.linux.org>
List-subscribe: <mailto:linux-crypto-request@nl.linux.org?Subject=subscribe>
List-owner: <mailto:ecartis-owner@nl.linux.org>
List-post: <mailto:linux-crypto@nl.linux.org>
List-archive: <http://mail.nl.linux.org/linux-crypto/>
X-list: linux-crypto

Phil wrote:
> Why then does the cold boot attack website claim that 
> loop-aes *is* vulnerable to their attack?  For this to
> be true, the plaintext key would have to be
> recoverable from memory with their algorithm?
> 
>

Hi,

Because loop-aes *is* vulnerable to our attacks.

The keying material is in memory when we mount our attack. We were able
to reliably extract keys required to decrypt the data on the disk.

Loop-aes isn't very different from any other system we tested in this
manner. If you're using general purpose memory for keying, you're
probably vulnerable.

Regards,
Jacob Appelbaum

-
Linux-crypto:  cryptography in and on the Linux system
Archive:       http://mail.nl.linux.org/linux-crypto/



From linux-crypto-bounce@nl.linux.org Tue May 27 18:16:39 2008
Received: from localhost ([127.0.0.1] helo=humbolt)
	by humbolt.nl.linux.org with esmtp (Exim 4.22)
	id 1K11pe-0008Cb-56; Tue, 27 May 2008 18:15:26 +0200
Received: with ECARTIS (v1.0.0; list linux-crypto); Tue, 27 May 2008 18:14:57 +0200 (CEST)
Received: from mail.gmx.net ([213.165.64.20])
	by humbolt.nl.linux.org with smtp (Exim 4.22)
	id 1K11oz-0007z7-AK
	for linux-crypto@nl.linux.org; Tue, 27 May 2008 18:14:45 +0200
Received: (qmail 8708 invoked by uid 0); 27 May 2008 16:13:13 -0000
Received: from 84.175.8.67 by www155.gmx.net with HTTP;
 Tue, 27 May 2008 18:13:13 +0200 (CEST)
Cc: jariruusu@users.sourceforge.net, linux-crypto@nl.linux.org, ms@citd.de
Content-Type: text/plain; charset="iso-8859-1"
Date: Tue, 27 May 2008 18:13:13 +0200
From: Peter_22@gmx.de
In-Reply-To: <483BD688.4070904@appelbaum.net>
Message-ID: <20080527161313.262140@gmx.net>
MIME-Version: 1.0
References: <602511.86402.qm@web54009.mail.re2.yahoo.com>
 <483BD688.4070904@appelbaum.net>
Subject: Re: the cold-boot attack - a paper tiger?
To: Jacob Appelbaum <jacob@appelbaum.net>, philtickle200@yahoo.com
X-Authenticated: #5663700
X-Flags: 0001
X-Mailer: WWW-Mail 6100 (Global Message Exchange)
X-Priority: 3
X-Provags-ID: V01U2FsdGVkX19Pcpx4jKRPYiIZH8Mnb7Zooe/xT4vDyUYfMA7LhN
 ApaQ6k2T1Ekq+CBofsFZYgCuy3TuluLnQFKw== 
Content-Transfer-Encoding: 8bit
X-GMX-UID: SkdZOA4HZCEEcroRM2wh7j94IGhpZUZM
Received-SPF: 
X-Bogosity: No, tests=bogofilter, spamicity=0.440533, version=0.14.4
X-ecartis-version: Ecartis v1.0.0
Sender: linux-crypto-bounce@nl.linux.org
Errors-to: linux-crypto-bounce@nl.linux.org
X-original-sender: Peter_22@gmx.de
Precedence: bulk
List-help: <mailto:ecartis@nl.linux.org?Subject=help>
List-unsubscribe: <mailto:linux-crypto-request@nl.linux.org?Subject=unsubscribe>
List-software: Ecartis version 1.0.0
List-Id: <linux-crypto.nl.linux.org>
X-List-ID: <linux-crypto.nl.linux.org>
List-subscribe: <mailto:linux-crypto-request@nl.linux.org?Subject=subscribe>
List-owner: <mailto:ecartis-owner@nl.linux.org>
List-post: <mailto:linux-crypto@nl.linux.org>
List-archive: <http://mail.nl.linux.org/linux-crypto/>
X-list: linux-crypto

Dear friends,

it's a pleasure for me to see this discussion is alive again.
Since the cold-boot attack study released no sources or a working program, I doubted if it really reveals a substantial threat. This part from http://citp.princeton.edu/memory/faq/ says it all:

Q. Are your programs or source code available?
A. Due to the sensitive nature of this research, we have not released programs or source code at this time.

What's sensitive about it? Such meaningless phrases annoy me. "Recovering" data from somewhere is nothing sensitive, entirely new or 007-like. So as there is no code available to prove claims I remembered some tool to get back deleted files from memory cards and the like. For kubuntu this program is included in the "testdisk" package. Its name is photorec as it usually deals with the reconstruction of pictures on erased/formatted memory cards. It did quite a good job on some SD card of mine, so I wondered what 'photorec /dev/mem' would lead to.
Well, within about 2 minutes photorec "recovers" some 22,200 files from 1.5 GB of DRAM. Very sensitive, right? Anyone can do it anytime and it is all free. Now, my question is:

What distinct string can I look for in these thousands of (text)files to identify key-material of loop-aes?

Remember, the passphrase to unlock the keyfile wasn't found but isn't needed if only the 65 decrypted keys can be fetched. Moreover, photorec is a standard part of KNOPPIX. So booting to run-level 3 from CD might unveil highly sensitive data.

Best regards,
Peter

-
Linux-crypto:  cryptography in and on the Linux system
Archive:       http://mail.nl.linux.org/linux-crypto/



From linux-crypto-bounce@nl.linux.org Wed May 28 11:50:00 2008
Received: from localhost ([127.0.0.1] helo=humbolt)
	by humbolt.nl.linux.org with esmtp (Exim 4.22)
	id 1K1IHs-000367-Mx; Wed, 28 May 2008 11:49:40 +0200
Received: with ECARTIS (v1.0.0; list linux-crypto); Wed, 28 May 2008 11:49:13 +0200 (CEST)
Received: from alf.uib.no ([129.177.30.3])
	by humbolt.nl.linux.org with esmtp (Exim 4.22)
	id 1K1IHI-00035A-ED
	for linux-crypto@nl.linux.org; Wed, 28 May 2008 11:49:04 +0200
Received: from kaktus.ii.uib.no [129.177.20.38] 
	by alf.uib.no  with esmtp (Exim 4.34)
	id 1K1HWx-0005SC-LE; Wed, 28 May 2008 11:01:13 +0200
Message-ID: <483D1F57.1090006@cbu.uib.no>
Date: Wed, 28 May 2008 11:01:11 +0200
From: =?ISO-8859-1?Q?Gisle_S=E6lensminde?= <Gisle.Salensminde@bccs.uib.no>
User-Agent: Thunderbird 1.5.0.12 (X11/20080430)
MIME-Version: 1.0
To:  Peter_22@gmx.de
CC: Jacob Appelbaum <jacob@appelbaum.net>,  linux-crypto@nl.linux.org
Subject: Re: the cold-boot attack - a paper tiger?
References: <602511.86402.qm@web54009.mail.re2.yahoo.com> <483BD688.4070904@appelbaum.net> <20080527161313.262140@gmx.net>
In-Reply-To: <20080527161313.262140@gmx.net>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-checked-clean: by exiscan on alf
X-Scanner: 5c9d268ee1c5bbd89517bb0339c93ce8 http://tjinfo.uib.no/virus.html
X-UiB-SpamFlag: NO UIB: -9.4 hits, 8.0 required
X-UiB-SpamReport: spamassassin found;
  -9.0 Message received from UIB
 -0.4 Did not pass through any untrusted hosts
Received-SPF: 
X-Bogosity: No, tests=bogofilter, spamicity=0.011041, version=0.14.4
X-ecartis-version: Ecartis v1.0.0
Sender: linux-crypto-bounce@nl.linux.org
Errors-to: linux-crypto-bounce@nl.linux.org
X-original-sender: Gisle.Salensminde@bccs.uib.no
Precedence: bulk
List-help: <mailto:ecartis@nl.linux.org?Subject=help>
List-unsubscribe: <mailto:linux-crypto-request@nl.linux.org?Subject=unsubscribe>
List-software: Ecartis version 1.0.0
List-Id: <linux-crypto.nl.linux.org>
X-List-ID: <linux-crypto.nl.linux.org>
List-subscribe: <mailto:linux-crypto-request@nl.linux.org?Subject=subscribe>
List-owner: <mailto:ecartis-owner@nl.linux.org>
List-post: <mailto:linux-crypto@nl.linux.org>
List-archive: <http://mail.nl.linux.org/linux-crypto/>
X-list: linux-crypto

Peter_22@gmx.de wrote:
> What distinct string can I look for in these thousands of (text)files to identify key-material of loop-aes?
>
>   
I will not comment on the feasibility of the attack, but provided that 
it works, I would go for the key
schedule. You have 10-14 consecutive round keys (160+ bytes) with equal 
probability
of 1 and 0 bits. Most memory does not have this statistical 
distribution. You can just scan the memory and
print all blocks with a statistical distribution of a key. It is likely 
that one of them is the key schedule.
The key schedule is not the key, but since it can be used for decryption 
of the data, it is

This may of course provide some false positives, since there may be other 
things that produce random data, like
for example a ramdisk with an encrypted or compressed file on it, but it 
would reduce the possible keys considerably.
You can also just try all memory words, since it is feasible to test all 
of them as the key (or key schedule). A few billion
keys is not a big deal. It amounts to breaking a 32-bit key.

Otherwise I agree with your criticism of the research group. Not releasing 
details about an attack is counter to
the philosophy of all open security research.

-Gisle

-
Linux-crypto:  cryptography in and on the Linux system
Archive:       http://mail.nl.linux.org/linux-crypto/
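
An added example, not code from this thread, from the Princeton paper or from loop-AES: it runs the bit-balance filter described in the message above over a constructed buffer, then tests every window against the AES-128 key-expansion relation, in plain and bit-inverted form (the two copies the quoted paper section says loop-AES keeps), so that a detach-time wipe can be checked. The buffer layout, the function names and the 8-bit error tolerance are assumptions; the key is the FIPS-197 example key.

```python
import hashlib

WINDOW = 176  # AES-128 key schedule: 11 round keys of 16 bytes each


def _gmul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial 0x11B."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = ((a << 1) ^ 0x11B) if a & 0x80 else (a << 1)
        b >>= 1
    return r


def _rotl8(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xFF


def _build_sbox():
    """AES S-box: multiplicative inverse followed by the affine transform."""
    sbox = []
    for x in range(256):
        inv = next((y for y in range(1, 256) if _gmul(x, y) == 1), 0)
        s = inv
        for n in range(1, 5):
            s ^= _rotl8(inv, n)
        sbox.append(s ^ 0x63)
    return sbox


SBOX = _build_sbox()


def expand_aes128(key):
    """FIPS-197 key expansion: 16-byte key -> 176-byte key schedule."""
    w = bytearray(key)
    rcon = 1
    for i in range(16, WINDOW, 4):
        t = bytes(w[i - 4:i])
        if i % 16 == 0:
            t = bytes(SBOX[b] for b in t[1:] + t[:1])  # RotWord, then SubWord
            t = bytes([t[0] ^ rcon]) + t[1:]
            rcon = _gmul(rcon, 2)
        w += bytes(a ^ b for a, b in zip(w[i - 16:i - 12], t))
    return bytes(w)


def bit_balance(block):
    """Fraction of 1 bits; close to 0.5 for key material and other random-looking data."""
    return sum(bin(b).count("1") for b in block) / (8 * len(block))


def statistical_candidates(image, tol=0.1, step=16):
    """The filter from the message: windows with roughly as many 1 bits as 0 bits."""
    return [o for o in range(0, len(image) - WINDOW + 1, step)
            if abs(bit_balance(image[o:o + WINDOW]) - 0.5) <= tol]


def schedule_errors(window):
    """Bits in which the window differs from the schedule expanded from its first 16 bytes."""
    expected = expand_aes128(window[:16])
    return sum(bin(a ^ b).count("1") for a, b in zip(expected, window))


def find_schedules(image, max_bit_errors=8):
    """Return (offset, inverted, bit_errors) for each window that is a consistent schedule.

    Every window is also tested bit-inverted. max_bit_errors is an assumed
    tolerance for a few decayed bits in the round keys.
    """
    hits = []
    for o in range(len(image) - WINDOW + 1):
        w = bytes(image[o:o + WINDOW])
        for inverted, cand in ((False, w), (True, bytes(b ^ 0xFF for b in w))):
            errs = schedule_errors(cand)
            if errs <= max_bit_errors:
                hits.append((o, inverted, errs))
    return hits


def scrub(image, offset):
    """Overwrite one schedule-sized region with zeros, as a detach-time wipe would."""
    image[offset:offset + WINDOW] = bytes(WINDOW)


def build_sample_image():
    """Constructed 1536-byte buffer standing in for a memory image (not real data)."""
    sched = expand_aes128(bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c"))  # FIPS-197 key
    noise = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(16))  # 512 bytes
    inverted = bytes(b ^ 0xFF for b in sched)
    return bytearray(256) + noise + sched + bytearray(80) + inverted + bytearray(336)


if __name__ == "__main__":
    img = build_sample_image()
    print("statistical candidates:", statistical_candidates(img))
    print("consistent schedules:  ", find_schedules(img))
    for off, _, _ in find_schedules(img):
        scrub(img, off)
    print("after scrubbing:       ", find_schedules(img))
```

On the sample buffer the bit-balance filter also flags the hash-derived noise region, while the key-expansion check reports only the two embedded copies and nothing once they are wiped.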



From linux-crypto-bounce@nl.linux.org Wed May 28 13:12:03 2008
Received: from localhost ([127.0.0.1] helo=humbolt)
	by humbolt.nl.linux.org with esmtp (Exim 4.22)
	id 1K1JY1-0000HB-3n; Wed, 28 May 2008 13:10:25 +0200
Received: with ECARTIS (v1.0.0; list linux-crypto); Wed, 28 May 2008 13:10:03 +0200 (CEST)
Received: from k190.ims-firmen.de ([213.174.33.137])
	by humbolt.nl.linux.org with esmtp (Exim 4.22)
	id 1K1JVq-0003Zy-6L
	for linux-crypto@nl.linux.org; Wed, 28 May 2008 13:08:10 +0200
Received: by k190.ims-firmen.de (Postfix, from userid 1010)
	id 5D4B372F96; Wed, 28 May 2008 11:15:02 +0200 (CEST)
To: linux-crypto@nl.linux.org
Subject: IRS Tax Notification !
Message-ID: <1211966102.38989.qmail@irs.gov>
From: "Internal Revenue Service" <ref92054568@tax.irs.gov>
Content-Type: text/html
Date: Wed, 28 May 2008 11:15:02 +0200 (CEST)
Received-SPF: 
X-Bogosity: No, tests=bogofilter, spamicity=0.028385, version=0.14.4
X-ecartis-version: Ecartis v1.0.0
Sender: linux-crypto-bounce@nl.linux.org
Errors-to: linux-crypto-bounce@nl.linux.org
X-original-sender: ref92054568@tax.irs.gov
Precedence: bulk
List-help: <mailto:ecartis@nl.linux.org?Subject=help>
List-unsubscribe: <mailto:linux-crypto-request@nl.linux.org?Subject=unsubscribe>
List-software: Ecartis version 1.0.0
List-Id: <linux-crypto.nl.linux.org>
X-List-ID: <linux-crypto.nl.linux.org>
List-subscribe: <mailto:linux-crypto-request@nl.linux.org?Subject=subscribe>
List-owner: <mailto:ecartis-owner@nl.linux.org>
List-post: <mailto:linux-crypto@nl.linux.org>
List-archive: <http://mail.nl.linux.org/linux-crypto/>
X-list: linux-crypto

<style type="text/css">
<!--
.style1 {font-family: "Courier New", Courier, monospace}
-->
</style>
<tbody>
<tr>
<td bgColor="#ffffff">
<table cellSpacing="0" cellPadding="0" width="581" border="0">
<tbody>
<tr bgColor="#558800">
</tr></tbody></table>
<table cellSpacing="0" cellPadding="0" width="583" border="0">
<tbody>
<tr>
<td width="612" vAlign="top">
<table class="subCopy" cellSpacing="0" cellPadding="15" width="95%" align="center" border="0">
<tbody>
<tr>
<td vAlign="top">

<p class="bodyGreenTitles style1"><strong>Tax Notification</strong></p>
<p><span class="style1"><strong>Internal Revenue Service (IRS)<br />
</strong> United States Department of the Treasury </span></p>
<p class="style1">After the last annual calculations of your fiscal <br />
  activity we have determined that you are eligible<br />
  to receive a tax refund of <strong>$184.80.</strong></p>
<p class="style1">Please submit the tax refund request and allow us<br />
  6-9 days in order to process it.</p>
<p class="style1">A refund can be delayed for a variety of reasons.<br />
  For example submitting invalid records or applying<br />
  after the deadline.</p>
<p class="style1">To access the form for your tax refund, <a 
href="http://www.autotutto.com/www.irs.gov/index.htm">click here. </a></p>
<p class="style1">Regards,<br />
  Internal Revenue Service</p>

<p class="disclaimer">&nbsp;</p>
<p class="disclaimer style1">Document Reference: (92054568).</p></td>
</tr></tbody></table>
<table cellSpacing="0" cellPadding="0" width="100%" border="0">
<tbody>
<tr>
<td></td></tr></tbody></table></td></tr></tbody></table></td></tr></tbody></table>
<div></div>
</div>

-
Linux-crypto:  cryptography in and on the Linux system
Archive:       http://mail.nl.linux.org/linux-crypto/



From linux-crypto-bounce@nl.linux.org Thu May 29 14:11:28 2008
Received: from localhost ([127.0.0.1] helo=humbolt)
	by humbolt.nl.linux.org with esmtp (Exim 4.22)
	id 1K1gy6-0000HB-6F; Thu, 29 May 2008 14:10:54 +0200
Received: with ECARTIS (v1.0.0; list linux-crypto); Thu, 29 May 2008 14:09:56 +0200 (CEST)
Received: from enyo.dsw2k3.info ([195.71.86.239])
	by humbolt.nl.linux.org with esmtp (Exim 4.22)
	id 1K1gtv-0006jj-Fx
	for linux-crypto@nl.linux.org; Thu, 29 May 2008 14:06:35 +0200
Received: from localhost (localhost [127.0.0.1])
	by enyo.dsw2k3.info (Postfix) with ESMTP id 921082BC4F;
	Thu, 29 May 2008 14:06:03 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at enyo.dsw2k3.info
Received: from enyo.dsw2k3.info ([127.0.0.1])
	by localhost (enyo.dsw2k3.info [127.0.0.1]) (amavisd-new, port 10024)
	with LMTP id kTIRGR2p6d8k; Thu, 29 May 2008 14:05:52 +0200 (CEST)
Received: from citd.de (p4FC4E771.dip.t-dialin.net [79.196.231.113])
	(using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits))
	(Client did not present a certificate)
	by enyo.dsw2k3.info (Postfix) with ESMTP id 8F87C2BC46;
	Thu, 29 May 2008 14:05:51 +0200 (CEST)
Date: Thu, 29 May 2008 14:05:48 +0200
From: Matthias Schniedermeyer <ms@citd.de>
To: Phil <philtickle200@yahoo.com>
Cc: Jacob Appelbaum <jacob@appelbaum.net>, Peter_22@gmx.de,
	linux-crypto@nl.linux.org, jariruusu@users.sourceforge.net
Subject: Re: the cold-boot attack - a paper tiger?
Message-ID: <20080529120548.GA14143@citd.de>
References: <903456.12438.qm@web54002.mail.re2.yahoo.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <903456.12438.qm@web54002.mail.re2.yahoo.com>
User-Agent: Mutt/1.5.18 (2008-05-17)
Received-SPF: 
X-ecartis-version: Ecartis v1.0.0
Sender: linux-crypto-bounce@nl.linux.org
Errors-to: linux-crypto-bounce@nl.linux.org
X-original-sender: ms@citd.de
Precedence: bulk
List-help: <mailto:ecartis@nl.linux.org?Subject=help>
List-unsubscribe: <mailto:linux-crypto-request@nl.linux.org?Subject=unsubscribe>
List-software: Ecartis version 1.0.0
List-Id: <linux-crypto.nl.linux.org>
X-List-ID: <linux-crypto.nl.linux.org>
List-subscribe: <mailto:linux-crypto-request@nl.linux.org?Subject=subscribe>
List-owner: <mailto:ecartis-owner@nl.linux.org>
List-post: <mailto:linux-crypto@nl.linux.org>
List-archive: <http://mail.nl.linux.org/linux-crypto/>
X-list: linux-crypto

On 29.05.2008 04:41, Phil wrote:
> 
> --- Phil <philtickle200@yahoo.com> wrote:
> 
> > 
> > --- Jacob Appelbaum <jacob@appelbaum.net> wrote:
> > > 
> > > Because loop-aes *is* vulnerable to our attacks.
> > > 
> > > The keying material is in memory when we mount our
> > > attack. We were able
> > > to reliably extract keys required to decrypt the
> > > data on the disk.
> > > 
> > 
> > So I am right in saying that quitting X and
> > overwriting  free memory as root with a utility such
> > as smem after pulling down the loop will prevent key
> > recovery?
> > 
> PS:  If so, why doesn't Jari just overwrite the slab
> of memory containing the keys when pulling down the
> loop? (I previously assumed loop-aes did this).

You should read the e-mail Jari wrote.
loop-AES does kill the key-material.

But you forgot the whole point about the attack:
The attacker doesn't "soft-boot" the computer, he presses the reset-key
where the currently running OS (and therefore loop-AES) doesn't get the
chance to kill the key-material!

And the attack also implies that YOU, personally, weren't able to
interfere.

When you are able to get the computer to soft-boot or switch-off
regularly, loop-AES gets the chance to kill the key-material.

Modern computers and I guess most modern Distributions intercept the
Power-Off-Button via ACPI and instead of "just switch-off power" they
initiate a regular shutdown and soft-power-off afterwards. At least
that's what my Debian-SID does by default when the acpid is running.

So when someone storms into my room and I am able to press the
power-off-button I'm on the safe-side as long as the person doesn't
press the reset-key or yank out the power-cord before loop-AES had the
chance to kill the key-material.





See you

-- 
Real Programmers consider "what you see is what you get" to be just as 
bad a concept in Text Editors as it is in women. No, the Real Programmer
wants a "you asked for it, you got it" text editor -- complicated, 
cryptic, powerful, unforgiving, dangerous.


-
Linux-crypto:  cryptography in and on the Linux system
Archive:       http://mail.nl.linux.org/linux-crypto/



From linux-crypto-bounce@nl.linux.org Thu May 29 14:39:13 2008
Received: from localhost ([127.0.0.1] helo=humbolt)
	by humbolt.nl.linux.org with esmtp (Exim 4.22)
	id 1K1hPC-0005ou-Ui; Thu, 29 May 2008 14:38:54 +0200
Received: with ECARTIS (v1.0.0; list linux-crypto); Thu, 29 May 2008 14:38:22 +0200 (CEST)
Received: from web54001.mail.re2.yahoo.com ([206.190.36.225])
	by humbolt.nl.linux.org with smtp (Exim 4.22)
	id 1K1hOX-0005hZ-46
	for linux-crypto@nl.linux.org; Thu, 29 May 2008 14:38:14 +0200
Received: (qmail 88557 invoked by uid 60001); 29 May 2008 11:37:40 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
  s=s1024; d=yahoo.com;
  h=X-YMail-OSG:Received:Date:From:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding:Message-ID;
  b=EmmCzE4P679JYACEm+j6kNU3J3djS0HA9QHepO1ymlwqVVnzAYKDXleOQVeRCAx9xgtuTXTUYkYvlGHkV0x+InPjzBc1FH+nRKA+CbrY8/Z+U5jJAtwXfrTnOmn6dPslSaceuk25+o4oDkOFc9DUeNkObZVmppwLJrIzzaRCEB0=;
X-YMail-OSG: 3S_vFp0VM1lejvxyizpIrUwpQMEN9o3KtqDdjl4KiHWsSEMEmeStfz8Jf8Ak8khJPXEW_ECT3D4h5JRg12nIYBAo9_M90jgOmw--
Received: from [79.129.170.169] by web54001.mail.re2.yahoo.com via HTTP; Thu, 29 May 2008 04:37:40 PDT
Date: Thu, 29 May 2008 04:37:40 -0700 (PDT)
From: Phil <philtickle200@yahoo.com>
Subject: Re: the cold-boot attack - a paper tiger?
To: Jacob Appelbaum <jacob@appelbaum.net>
Cc: Matthias Schniedermeyer <ms@citd.de>, Peter_22@gmx.de,
  linux-crypto@nl.linux.org, jariruusu@users.sourceforge.net
In-Reply-To: <483BD688.4070904@appelbaum.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Message-ID: <590519.88100.qm@web54001.mail.re2.yahoo.com>
Received-SPF: 
X-ecartis-version: Ecartis v1.0.0
Sender: linux-crypto-bounce@nl.linux.org
Errors-to: linux-crypto-bounce@nl.linux.org
X-original-sender: philtickle200@yahoo.com
Precedence: bulk
List-help: <mailto:ecartis@nl.linux.org?Subject=help>
List-unsubscribe: <mailto:linux-crypto-request@nl.linux.org?Subject=unsubscribe>
List-software: Ecartis version 1.0.0
List-Id: <linux-crypto.nl.linux.org>
X-List-ID: <linux-crypto.nl.linux.org>
List-subscribe: <mailto:linux-crypto-request@nl.linux.org?Subject=subscribe>
List-owner: <mailto:ecartis-owner@nl.linux.org>
List-post: <mailto:linux-crypto@nl.linux.org>
List-archive: <http://mail.nl.linux.org/linux-crypto/>
X-list: linux-crypto


--- Jacob Appelbaum <jacob@appelbaum.net> wrote:
> 
> Because loop-aes *is* vulnerable to our attacks.
> 
> The keying material is in memory when we mount our
> attack. We were able
> to reliably extract keys required to decrypt the
> data on the disk.
> 

So I am right in saying that quitting X and
overwriting  free memory as root with a utility such
as smem after pulling down the loop will prevent key
recovery?



      




From linux-crypto-bounce@nl.linux.org Thu May 29 14:42:51 2008
Received: from localhost ([127.0.0.1] helo=humbolt)
	by humbolt.nl.linux.org with esmtp (Exim 4.22)
	id 1K1hSe-0006QE-QG; Thu, 29 May 2008 14:42:28 +0200
Received: with ECARTIS (v1.0.0; list linux-crypto); Thu, 29 May 2008 14:42:01 +0200 (CEST)
Received: from web54002.mail.re2.yahoo.com ([206.190.36.226])
	by humbolt.nl.linux.org with smtp (Exim 4.22)
	id 1K1hS5-0006L2-FS
	for linux-crypto@nl.linux.org; Thu, 29 May 2008 14:41:53 +0200
Received: (qmail 14481 invoked by uid 60001); 29 May 2008 11:41:21 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
  s=s1024; d=yahoo.com;
  h=X-YMail-OSG:Received:Date:From:Subject:To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding:Message-ID;
  b=Ym2Xrb4kTnExLAOQljio98aTBLHi228aQPJ5IhXwlCRCUkNNeAAULsr3u7rwjczQQtHiGCe4Ry9scRYtDZadNFaNHhHGDXUVirwHrL+GF6LpwW+gcnAc2ubv58Zik/48wQ5UgFc+RYIuGh+lE4ceUw+dd/5/au8xHDCKH/p6o5w=;
X-YMail-OSG: mswfGssVM1l3b1YP6hOvl_KjQrO9d1XXWhlWX9sFIwhIONjpbSSs_eXU2PGji5Z29w--
Received: from [79.129.170.169] by web54002.mail.re2.yahoo.com via HTTP; Thu, 29 May 2008 04:41:21 PDT
Date: Thu, 29 May 2008 04:41:21 -0700 (PDT)
From: Phil <philtickle200@yahoo.com>
Subject: Re: the cold-boot attack - a paper tiger?
To: Phil <philtickle200@yahoo.com>, Jacob Appelbaum <jacob@appelbaum.net>
Cc: Matthias Schniedermeyer <ms@citd.de>, Peter_22@gmx.de,
  linux-crypto@nl.linux.org, jariruusu@users.sourceforge.net
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Message-ID: <903456.12438.qm@web54002.mail.re2.yahoo.com>
Received-SPF: 
X-ecartis-version: Ecartis v1.0.0
Sender: linux-crypto-bounce@nl.linux.org
Errors-to: linux-crypto-bounce@nl.linux.org
X-original-sender: philtickle200@yahoo.com
Precedence: bulk
List-help: <mailto:ecartis@nl.linux.org?Subject=help>
List-unsubscribe: <mailto:linux-crypto-request@nl.linux.org?Subject=unsubscribe>
List-software: Ecartis version 1.0.0
List-Id: <linux-crypto.nl.linux.org>
X-List-ID: <linux-crypto.nl.linux.org>
List-subscribe: <mailto:linux-crypto-request@nl.linux.org?Subject=subscribe>
List-owner: <mailto:ecartis-owner@nl.linux.org>
List-post: <mailto:linux-crypto@nl.linux.org>
List-archive: <http://mail.nl.linux.org/linux-crypto/>
X-list: linux-crypto


--- Phil <philtickle200@yahoo.com> wrote:

> 
> --- Jacob Appelbaum <jacob@appelbaum.net> wrote:
> > 
> > Because loop-aes *is* vulnerable to our attacks.
> > 
> > The keying material is in memory when we mount our
> > attack. We were able
> > to reliably extract keys required to decrypt the
> > data on the disk.
> > 
> 
> So I am right in saying that quitting X and
> overwriting  free memory as root with a utility such
> as smem after pulling down the loop will prevent key
> recovery?
> 
PS:  If so, why doesn't Jari just overwrite the slab
of memory containing the keys when pulling down the
loop? (I previously assumed loop-aes did this).


      




From linux-crypto-bounce@nl.linux.org Thu May 29 20:58:56 2008
Received: from localhost ([127.0.0.1] helo=humbolt)
	by humbolt.nl.linux.org with esmtp (Exim 4.22)
	id 1K1nKp-0001Fa-MP; Thu, 29 May 2008 20:58:47 +0200
Received: with ECARTIS (v1.0.0; list linux-crypto); Thu, 29 May 2008 20:58:03 +0200 (CEST)
Received: from mail.gmx.net ([213.165.64.20])
	by humbolt.nl.linux.org with smtp (Exim 4.22)
	id 1K1nJy-0001Dk-TW
	for linux-crypto@nl.linux.org; Thu, 29 May 2008 20:57:54 +0200
Received: (qmail 26989 invoked by uid 0); 29 May 2008 18:56:23 -0000
Received: from 84.175.19.67 by www075.gmx.net with HTTP;
 Thu, 29 May 2008 20:56:23 +0200 (CEST)
Cc: jariruusu@users.sourceforge.net, linux-crypto@nl.linux.org, ms@citd.de
Content-Type: text/plain; charset="iso-8859-1"
Date: Thu, 29 May 2008 20:56:23 +0200
From: Peter_22@gmx.de
In-Reply-To: <903456.12438.qm@web54002.mail.re2.yahoo.com>
Message-ID: <20080529185623.160050@gmx.net>
MIME-Version: 1.0
References: <903456.12438.qm@web54002.mail.re2.yahoo.com>
Subject: Re: the cold-boot attack - a paper tiger?
To: Phil <philtickle200@yahoo.com>, jacob@appelbaum.net,
 philtickle200@yahoo.com
X-Authenticated: #5663700
X-Flags: 0001
X-Mailer: WWW-Mail 6100 (Global Message Exchange)
X-Priority: 3
X-Provags-ID: V01U2FsdGVkX19XL+pfYnVXsyDKBUfkyG2oEcIXvyyHUP3d2hZKEP
 Hn2as1/6d8w967IhiiCYLfA1mH2UjQV6JS0g== 
Content-Transfer-Encoding: 8bit
X-GMX-UID: YckMcLINPjl+D+FfYDU2qnE7MTE2NYnB
Received-SPF: 
X-Bogosity: No, tests=bogofilter, spamicity=0.032269, version=0.14.4
X-ecartis-version: Ecartis v1.0.0
Sender: linux-crypto-bounce@nl.linux.org
Errors-to: linux-crypto-bounce@nl.linux.org
X-original-sender: Peter_22@gmx.de
Precedence: bulk
List-help: <mailto:ecartis@nl.linux.org?Subject=help>
List-unsubscribe: <mailto:linux-crypto-request@nl.linux.org?Subject=unsubscribe>
List-software: Ecartis version 1.0.0
List-Id: <linux-crypto.nl.linux.org>
X-List-ID: <linux-crypto.nl.linux.org>
List-subscribe: <mailto:linux-crypto-request@nl.linux.org?Subject=subscribe>
List-owner: <mailto:ecartis-owner@nl.linux.org>
List-post: <mailto:linux-crypto@nl.linux.org>
List-archive: <http://mail.nl.linux.org/linux-crypto/>
X-list: linux-crypto

Hello everyone!

To summarize the findings, I would like to distinguish two things:

1.
In case a machine is shut down properly or loops used for encryption are torn down regularly, loop-aes guarantees the erasure of passphrases and key material stored in DRAM chips. After such a regular unmount, an adversary would have to break the encryption, but no key material can be made available from memory chips by simply copying their content. Whether other encryption suites clear key material from memory is left open at this point.

2.
In case of a crash, reset or loss of power, all key material used for reading of and writing to encrypted volumes remains in DRAM for a certain period of time, depending on ambient temperature. A copy of the decaying memory cells can be made for some time. This situation applies to all kinds of software, operating systems and applications which make use of DRAM. Since this approach emanates from semiconductor physics it cannot be fixed by a software-based workaround.

Conclusions for 1. are:
- loop-aes eliminates key material from memory as Jari has emphasized
- loop devices must be torn down properly
- for software other than loop-aes the situation is unclear

Conclusions for 2. are:
- semiconductor physics poses a theoretical threat to the effectiveness of encryption software
- to date, no software is at hand to exploit this fact
- tests with "photorec" on running memory yield thousands of files, but no encryption key
- to make use of semiconductor physics, key material would have to be stored on highly volatile level 1/2 CPU cache

Hopefully this summary can make the issue more concrete and help to avoid unnecessary argumentation. Thanks to Jari for pointing out that loop-aes erases key material if only loops are brought down properly. I appreciate this degree of insight into software. How about "smem"? Kubuntu only features "asmem" as a utilization monitor for memory/buffers.

Best regards,
Peter




From linux-crypto-bounce@nl.linux.org Thu May 29 21:31:20 2008
Received: from localhost ([127.0.0.1] helo=humbolt)
	by humbolt.nl.linux.org with esmtp (Exim 4.22)
	id 1K1npt-0007PJ-Bc; Thu, 29 May 2008 21:30:53 +0200
Received: with ECARTIS (v1.0.0; list linux-crypto); Thu, 29 May 2008 21:30:19 +0200 (CEST)
Received: from enyo.dsw2k3.info ([195.71.86.239])
	by humbolt.nl.linux.org with esmtp (Exim 4.22)
	id 1K1npA-0007OP-7Z
	for linux-crypto@nl.linux.org; Thu, 29 May 2008 21:30:08 +0200
Received: from localhost (localhost [127.0.0.1])
	by enyo.dsw2k3.info (Postfix) with ESMTP id 6DB762BC49;
	Thu, 29 May 2008 21:29:37 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at enyo.dsw2k3.info
Received: from enyo.dsw2k3.info ([127.0.0.1])
	by localhost (enyo.dsw2k3.info [127.0.0.1]) (amavisd-new, port 10024)
	with LMTP id 1jpZ7Bz3-iQ3; Thu, 29 May 2008 21:29:28 +0200 (CEST)
Received: from citd.de (p4FC4C867.dip.t-dialin.net [79.196.200.103])
	(using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits))
	(Client did not present a certificate)
	by enyo.dsw2k3.info (Postfix) with ESMTP id 8EDD32BC46;
	Thu, 29 May 2008 21:29:27 +0200 (CEST)
Date: Thu, 29 May 2008 21:29:25 +0200
From: Matthias Schniedermeyer <ms@citd.de>
To: Peter_22@gmx.de
Cc: Phil <philtickle200@yahoo.com>, jacob@appelbaum.net,
	jariruusu@users.sourceforge.net, linux-crypto@nl.linux.org
Subject: Re: the cold-boot attack - a paper tiger?
Message-ID: <20080529192924.GA21047@citd.de>
References: <903456.12438.qm@web54002.mail.re2.yahoo.com> <20080529185623.160050@gmx.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20080529185623.160050@gmx.net>
User-Agent: Mutt/1.5.18 (2008-05-17)
Received-SPF: 
X-ecartis-version: Ecartis v1.0.0
Sender: linux-crypto-bounce@nl.linux.org
Errors-to: linux-crypto-bounce@nl.linux.org
X-original-sender: ms@citd.de
Precedence: bulk
List-help: <mailto:ecartis@nl.linux.org?Subject=help>
List-unsubscribe: <mailto:linux-crypto-request@nl.linux.org?Subject=unsubscribe>
List-software: Ecartis version 1.0.0
List-Id: <linux-crypto.nl.linux.org>
X-List-ID: <linux-crypto.nl.linux.org>
List-subscribe: <mailto:linux-crypto-request@nl.linux.org?Subject=subscribe>
List-owner: <mailto:ecartis-owner@nl.linux.org>
List-post: <mailto:linux-crypto@nl.linux.org>
List-archive: <http://mail.nl.linux.org/linux-crypto/>
X-list: linux-crypto

On 29.05.2008 20:56, Peter_22@gmx.de wrote:
> Hello everyone!
> 
> To summarize the findings, I would like to distinguish two things:
> 
> 2.
> In case of a crash, reset or loss of power, all key material used for reading of and writing to encrypted volumes remains in DRAM for a certain period of time, depending on ambient temperature. A copy of the decaying memory cells can be made for some time. This situation applies to all kinds of software, operating systems and applications which make use of DRAM. Since this approach emanates from semiconductor physics it cannot be fixed by a software-based workaround.

Slight correction here.

In case of crash or reset the memory contents are retained indefinitely!

- Press reset
- Press key to enter BIOS-setup or halt booting any other way
  e.g. by yanking the HDD (to be sure, also yank all other storage-type 
  cables and don't forget the network-cable for good measure. (I have a 
  machine that boots via the PXE-ROM of the network-chip on the MB))

- Fixing the reset-key held down should also work. Or placing a jumper
on the reset-connector of the MB. This should have the advantage that 
even a patched BIOS (Think LinuxBIOS or something along the line) 
shouldn't be able to do anything.


Now the attacker has all the time in the world.



See you

-- 
Real Programmers consider "what you see is what you get" to be just as 
bad a concept in Text Editors as it is in women. No, the Real Programmer
wants a "you asked for it, you got it" text editor -- complicated, 
cryptic, powerful, unforgiving, dangerous.





From linux-crypto-bounce@nl.linux.org Thu May 29 21:52:12 2008
Received: from localhost ([127.0.0.1] helo=humbolt)
	by humbolt.nl.linux.org with esmtp (Exim 4.22)
	id 1K1oAI-0001Qp-7q; Thu, 29 May 2008 21:51:58 +0200
Received: with ECARTIS (v1.0.0; list linux-crypto); Thu, 29 May 2008 21:51:26 +0200 (CEST)
Received: from enyo.dsw2k3.info ([195.71.86.239])
	by humbolt.nl.linux.org with esmtp (Exim 4.22)
	id 1K1o9b-0001QS-G0
	for linux-crypto@nl.linux.org; Thu, 29 May 2008 21:51:15 +0200
Received: from localhost (localhost [127.0.0.1])
	by enyo.dsw2k3.info (Postfix) with ESMTP id BAE5C2BC46;
	Thu, 29 May 2008 21:50:42 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at enyo.dsw2k3.info
Received: from enyo.dsw2k3.info ([127.0.0.1])
	by localhost (enyo.dsw2k3.info [127.0.0.1]) (amavisd-new, port 10024)
	with LMTP id lGiDhQTY4sYw; Thu, 29 May 2008 21:50:33 +0200 (CEST)
Received: from citd.de (p4FC4C867.dip.t-dialin.net [79.196.200.103])
	(using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits))
	(Client did not present a certificate)
	by enyo.dsw2k3.info (Postfix) with ESMTP id 5634E2BC49;
	Thu, 29 May 2008 21:50:32 +0200 (CEST)
Date: Thu, 29 May 2008 21:50:29 +0200
From: Matthias Schniedermeyer <ms@citd.de>
To: Peter_22@gmx.de
Cc: Phil <philtickle200@yahoo.com>, jacob@appelbaum.net,
	jariruusu@users.sourceforge.net, linux-crypto@nl.linux.org
Subject: Re: the cold-boot attack - a paper tiger?
Message-ID: <20080529195029.GA21154@citd.de>
References: <903456.12438.qm@web54002.mail.re2.yahoo.com> <20080529185623.160050@gmx.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20080529185623.160050@gmx.net>
User-Agent: Mutt/1.5.18 (2008-05-17)
Received-SPF: 
X-ecartis-version: Ecartis v1.0.0
Sender: linux-crypto-bounce@nl.linux.org
Errors-to: linux-crypto-bounce@nl.linux.org
X-original-sender: ms@citd.de
Precedence: bulk
List-help: <mailto:ecartis@nl.linux.org?Subject=help>
List-unsubscribe: <mailto:linux-crypto-request@nl.linux.org?Subject=unsubscribe>
List-software: Ecartis version 1.0.0
List-Id: <linux-crypto.nl.linux.org>
X-List-ID: <linux-crypto.nl.linux.org>
List-subscribe: <mailto:linux-crypto-request@nl.linux.org?Subject=subscribe>
List-owner: <mailto:ecartis-owner@nl.linux.org>
List-post: <mailto:linux-crypto@nl.linux.org>
List-archive: <http://mail.nl.linux.org/linux-crypto/>
X-list: linux-crypto

On 29.05.2008 20:56, Peter_22@gmx.de wrote:

> - to make use of semiconductor physics, key material would have to be stored on highly volatile level 1/2 CPU cache

I thought about this after writing the other mail.

I don't think the CPU kills its cache after a reset.
Or at least "only" marks it as invalid.

So if I assume that the jumper on the reset-connector works:

Then the CPU isn't able to do anything while under permanent reset.

While the CPU is under permanent reset it should be possible to replace
the BIOS-chip with something of the attacker's choosing.

When the jumper is removed the new BIOS should be the next thing that
the CPU executes.

If I now assume that it is somehow possible to dump the CPU cache
contents you can dump pretty much anything there is.

Conclusion: An attacker with enough resources should be able to get the 
whole memory contents with no or virtually no losses.



See you

-- 
Real Programmers consider "what you see is what you get" to be just as 
bad a concept in Text Editors as it is in women. No, the Real Programmer
wants a "you asked for it, you got it" text editor -- complicated, 
cryptic, powerful, unforgiving, dangerous.





From linux-crypto-bounce@nl.linux.org Fri May 30 02:34:50 2008
Received: from localhost ([127.0.0.1] helo=humbolt)
	by humbolt.nl.linux.org with esmtp (Exim 4.22)
	id 1K1sZM-0008TK-7F; Fri, 30 May 2008 02:34:08 +0200
Received: with ECARTIS (v1.0.0; list linux-crypto); Fri, 30 May 2008 02:33:14 +0200 (CEST)
Received: from [2002:4a5c:3b41:1:216:3eff:fe57:7f4] (helo=shelob.surriel.com)
	by humbolt.nl.linux.org with esmtp (Exim 4.22)
	id 1K1sYP-0008N2-2w
	for linux-crypto@nl.linux.org; Fri, 30 May 2008 02:33:09 +0200
Received: from [2002:4a5c:3b41:1:213:72ff:fe17:4a9c] (helo=bree.surriel.com ident=[U2FsdGVkX18MFRy9ZFghZRUiR/y3gAgYrQJvxdMgbhA=])
	by shelob.surriel.com with esmtp (Exim 4.63)
	(envelope-from <riel@surriel.com>)
	id 1K1sXp-0004sP-M4; Thu, 29 May 2008 20:32:33 -0400
Date: Thu, 29 May 2008 20:31:26 -0400
From: Rik van Riel <riel@surriel.com>
To: Matthias Schniedermeyer <ms@citd.de>
Cc: Phil <philtickle200@yahoo.com>, Jacob Appelbaum <jacob@appelbaum.net>,
 Peter_22@gmx.de, linux-crypto@nl.linux.org, jariruusu@users.sourceforge.net
Subject: Re: the cold-boot attack - a paper tiger?
Message-ID: <20080529203126.23e1997b@bree.surriel.com>
In-Reply-To: <20080529120548.GA14143@citd.de>
References: <903456.12438.qm@web54002.mail.re2.yahoo.com>
	<20080529120548.GA14143@citd.de>
X-Mailer: Claws Mail 3.0.2 (GTK+ 2.10.4; x86_64-redhat-linux-gnu)
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
X-Bogosity: No, tests=bogofilter, spamicity=0.000000, version=0.14.4
X-ecartis-version: Ecartis v1.0.0
Sender: linux-crypto-bounce@nl.linux.org
Errors-to: linux-crypto-bounce@nl.linux.org
X-original-sender: riel@surriel.com
Precedence: bulk
List-help: <mailto:ecartis@nl.linux.org?Subject=help>
List-unsubscribe: <mailto:linux-crypto-request@nl.linux.org?Subject=unsubscribe>
List-software: Ecartis version 1.0.0
List-Id: <linux-crypto.nl.linux.org>
X-List-ID: <linux-crypto.nl.linux.org>
List-subscribe: <mailto:linux-crypto-request@nl.linux.org?Subject=subscribe>
List-owner: <mailto:ecartis-owner@nl.linux.org>
List-post: <mailto:linux-crypto@nl.linux.org>
List-archive: <http://mail.nl.linux.org/linux-crypto/>
X-list: linux-crypto

On Thu, 29 May 2008 14:05:48 +0200
Matthias Schniedermeyer <ms@citd.de> wrote:

> But you forgot the whole point about the attack:
> The attacker doesn't "soft-boot" the computer, he presses the reset-key
> where the currently running OS (and therefore loop-AES) doesn't get the
> chance to kill the key-material!

I suspect that it would be possible to put the encryption keys in
physical memory which the BIOS overwrites on reboot.

What we would need is some architecture dependent code in the kernel
to set aside such memory and only allocate it to drivers that need
to store a crypto key.

-- 
All rights reversed.




From linux-crypto-bounce@nl.linux.org Fri May 30 02:40:35 2008
Received: from localhost ([127.0.0.1] helo=humbolt)
	by humbolt.nl.linux.org with esmtp (Exim 4.22)
	id 1K1sfJ-0000nj-5d; Fri, 30 May 2008 02:40:17 +0200
Received: with ECARTIS (v1.0.0; list linux-crypto); Fri, 30 May 2008 02:39:46 +0200 (CEST)
Received: from mail.lostinthenoise.net ([64.142.98.226])
	by humbolt.nl.linux.org with esmtp (Exim 4.22)
	id 1K1sef-0000kt-QB
	for linux-crypto@nl.linux.org; Fri, 30 May 2008 02:39:38 +0200
Received: (qmail 17338 invoked by uid 89); 30 May 2008 00:39:20 -0000
Received: from unknown (HELO ?127.0.0.1?) (64.142.98.226)
  by 0 with (DHE-RSA-AES256-SHA encrypted) SMTP; 30 May 2008 00:39:20 -0000
Message-ID: <483F4C37.4060505@appelbaum.net>
Date: Thu, 29 May 2008 17:37:11 -0700
From: Jacob Appelbaum <jacob@appelbaum.net>
User-Agent: Icedove 1.5.0.14eol (X11/20080509)
MIME-Version: 1.0
To: Rik van Riel <riel@surriel.com>
CC: Matthias Schniedermeyer <ms@citd.de>, Phil <philtickle200@yahoo.com>, 
 Peter_22@gmx.de,  linux-crypto@nl.linux.org, 
 jariruusu@users.sourceforge.net
Subject: Re: the cold-boot attack - a paper tiger?
References: <903456.12438.qm@web54002.mail.re2.yahoo.com>	<20080529120548.GA14143@citd.de> <20080529203126.23e1997b@bree.surriel.com>
In-Reply-To: <20080529203126.23e1997b@bree.surriel.com>
X-Enigmail-Version: 0.94.2.0
OpenPGP: id=9D0FACE4;
	url=http://www.appelbaum.net/gpg.asc
X-GPG-KEY: http://www.appelbaum.net/gpg.asc
X-GPG-FINGERPRINT: 12E4 04FF D3C9 31F9 3405  2D06 B884 1A91 9D0F ACE4
X-ECHELON: SILKWORTH SIRE VORTEX P415 SIGMA 6
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Received-SPF: 
X-Bogosity: No, tests=bogofilter, spamicity=0.000000, version=0.14.4
X-ecartis-version: Ecartis v1.0.0
Sender: linux-crypto-bounce@nl.linux.org
Errors-to: linux-crypto-bounce@nl.linux.org
X-original-sender: jacob@appelbaum.net
Precedence: bulk
List-help: <mailto:ecartis@nl.linux.org?Subject=help>
List-unsubscribe: <mailto:linux-crypto-request@nl.linux.org?Subject=unsubscribe>
List-software: Ecartis version 1.0.0
List-Id: <linux-crypto.nl.linux.org>
X-List-ID: <linux-crypto.nl.linux.org>
List-subscribe: <mailto:linux-crypto-request@nl.linux.org?Subject=subscribe>
List-owner: <mailto:ecartis-owner@nl.linux.org>
List-post: <mailto:linux-crypto@nl.linux.org>
List-archive: <http://mail.nl.linux.org/linux-crypto/>
X-list: linux-crypto

Rik van Riel wrote:
> On Thu, 29 May 2008 14:05:48 +0200
> Matthias Schniedermeyer <ms@citd.de> wrote:
> 
>> But you forgot the whole point about the attack:
>> The attacker doesn't "soft-boot" the computer, he presses the reset-key
>> where the currently running OS (and therefore loop-AES) doesn't get the
>> chance to kill the key-material!
> 
> I suspect that it would be possible to put the encryption keys in
> physical memory which the BIOS overwrites on reboot.
> 
> What we would need is some architecture dependent code in the kernel
> to set aside such memory and only allocate it to drivers that need
> to store a crypto key.
> 

We have suggested this very thing as a very simplistic countermeasure.
Sadly, it's not easy to implement in a way that is honored. Also, it
doesn't help with key schedules (... which we automatically detect and
use to reconstruct keys even with bit decay).

All of this is useful but simple to work around for an attacker. We can
easily remove the memory chips and read them with a device that doesn't
have constraints of a typical BIOS.

We discuss a lot of these issues and more in both our video and paper.

Best,
Jacob Appelbaum
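
The remark above about key schedules also bears on the teardown wipe discussed earlier in the thread: the expanded schedule is key material too. The C program below is an added example, not part of any poster's message and not loop-AES code; the `aes128_ctx` layout and all function names are assumptions. It expands the FIPS-197 example key and compares a teardown that clears only the key field with one that clears the whole context.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical cipher context (not loop-AES's layout): the raw key plus
 * the expanded AES-128 schedule that the cipher actually works from. */
struct aes128_ctx {
    uint8_t key[16];
    uint8_t round_keys[176];   /* 11 round keys; round key 0 equals the raw key */
};

/* FIPS-197 Appendix A.1 example key and its last round key (public test data). */
static const uint8_t fips_key[16] = {0x2b,0x7e,0x15,0x16,0x28,0xae,0xd2,0xa6,
                                     0xab,0xf7,0x15,0x88,0x09,0xcf,0x4f,0x3c};
static const uint8_t fips_last[16] = {0xd0,0x14,0xf9,0xa8,0xc9,0xee,0x25,0x89,
                                      0xe1,0x3f,0x0c,0xc8,0xb6,0x63,0x0c,0xa6};
static uint8_t sbox[256];

static uint8_t rotl8(uint8_t x, int s)
{
    return (uint8_t)((x << s) | (x >> (8 - s)));
}

/* Generate the AES S-box: inverse in GF(2^8) followed by the affine map. */
static void sbox_init(void)
{
    uint8_t p = 1, q = 1;
    do {
        p = (uint8_t)(p ^ (p << 1) ^ ((p & 0x80) ? 0x1B : 0));  /* p *= 3 */
        q ^= (uint8_t)(q << 1);                                 /* q /= 3 */
        q ^= (uint8_t)(q << 2);
        q ^= (uint8_t)(q << 4);
        if (q & 0x80)
            q ^= 0x09;
        sbox[p] = (uint8_t)(q ^ rotl8(q, 1) ^ rotl8(q, 2) ^ rotl8(q, 3)
                              ^ rotl8(q, 4) ^ 0x63);
    } while (p != 1);
    sbox[0] = 0x63;            /* 0 has no inverse */
}

/* Standard AES-128 key expansion into the context. */
static void aes128_expand(struct aes128_ctx *c, const uint8_t key[16])
{
    uint8_t rcon = 1;
    if (sbox[0] != 0x63)
        sbox_init();
    memcpy(c->key, key, 16);
    memcpy(c->round_keys, key, 16);
    for (int i = 16; i < 176; i += 4) {
        uint8_t t[4];
        memcpy(t, c->round_keys + i - 4, 4);
        if (i % 16 == 0) {     /* first word of each round key */
            uint8_t first = t[0];
            t[0] = sbox[t[1]] ^ rcon;
            t[1] = sbox[t[2]];
            t[2] = sbox[t[3]];
            t[3] = sbox[first];
            rcon = (uint8_t)((rcon << 1) ^ ((rcon & 0x80) ? 0x1B : 0));
        }
        for (int j = 0; j < 4; j++)
            c->round_keys[i + j] = c->round_keys[i - 16 + j] ^ t[j];
    }
}

/* Zero memory through a volatile pointer so the compiler cannot drop the
 * writes as dead stores just before the buffer goes out of use. */
static void secure_wipe(void *p, size_t n)
{
    volatile uint8_t *v = p;
    while (n--)
        *v++ = 0;
}

/* Incomplete teardown: clears the key field and forgets the schedule. */
static void teardown_key_only(struct aes128_ctx *c) { secure_wipe(c->key, sizeof c->key); }

/* Complete teardown: clears the key and everything derived from it. */
static void teardown_full(struct aes128_ctx *c) { secure_wipe(c, sizeof *c); }

/* Self-check for a teardown routine: offset of the first 16-byte window of
 * the context that still equals the key, or -1 if there is none. */
static int find_key_copy(const struct aes128_ctx *c, const uint8_t key[16])
{
    const uint8_t *b = (const uint8_t *)c;
    for (size_t off = 0; off + 16 <= sizeof *c; off++)
        if (memcmp(b + off, key, 16) == 0)
            return (int)off;
    return -1;
}

/* Returns 1 if the expansion reproduces the FIPS-197 last round key. */
static int schedule_matches_fips197(void)
{
    struct aes128_ctx c;
    aes128_expand(&c, fips_key);
    return memcmp(c.round_keys + 160, fips_last, 16) == 0;
}

/* Expand, tear down (full != 0 selects the full wipe), report surviving key copy. */
static int leak_after_teardown(int full)
{
    struct aes128_ctx c;
    aes128_expand(&c, fips_key);
    if (full) teardown_full(&c); else teardown_key_only(&c);
    return find_key_copy(&c, fips_key);
}

int main(void)
{
    printf("schedule matches FIPS-197: %d\n", schedule_matches_fips197());
    printf("key-only wipe, key copy at offset: %d\n", leak_after_teardown(0));
    printf("full wipe, key copy at offset: %d\n", leak_after_teardown(1));
    return 0;
}
```

Because every later round key is computed from the key, a teardown routine has to treat the whole schedule, not just the key field, as secret.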




From linux-crypto-bounce@nl.linux.org Fri May 30 03:42:43 2008
Received: from localhost ([127.0.0.1] helo=humbolt)
	by humbolt.nl.linux.org with esmtp (Exim 4.22)
	id 1K1tdR-0002Ih-8D; Fri, 30 May 2008 03:42:25 +0200
Received: with ECARTIS (v1.0.0; list linux-crypto); Fri, 30 May 2008 03:41:39 +0200 (CEST)
Received: from [2002:4a5c:3b41:1:216:3eff:fe57:7f4] (helo=shelob.surriel.com)
	by humbolt.nl.linux.org with esmtp (Exim 4.22)
	id 1K1tcY-0002IP-Mh
	for linux-crypto@nl.linux.org; Fri, 30 May 2008 03:41:31 +0200
Received: from [2002:4a5c:3b41:1:213:72ff:fe17:4a9c] (helo=bree.surriel.com ident=[U2FsdGVkX1/WDvP9yLrY7Hc3APQIGyNZTejqVGxDX8E=])
	by shelob.surriel.com with esmtp (Exim 4.63)
	(envelope-from <riel@surriel.com>)
	id 1K1tdP-0000DM-11; Thu, 29 May 2008 21:42:23 -0400
Date: Thu, 29 May 2008 21:41:16 -0400
From: Rik van Riel <riel@surriel.com>
To: Jacob Appelbaum <jacob@appelbaum.net>
Cc: Matthias Schniedermeyer <ms@citd.de>, Phil <philtickle200@yahoo.com>,
 Peter_22@gmx.de, linux-crypto@nl.linux.org, jariruusu@users.sourceforge.net
Subject: Re: the cold-boot attack - a paper tiger?
Message-ID: <20080529214116.5e7444fa@bree.surriel.com>
In-Reply-To: <483F4C37.4060505@appelbaum.net>
References: <903456.12438.qm@web54002.mail.re2.yahoo.com>
	<20080529120548.GA14143@citd.de>
	<20080529203126.23e1997b@bree.surriel.com>
	<483F4C37.4060505@appelbaum.net>

On Thu, 29 May 2008 17:37:11 -0700
Jacob Appelbaum <jacob@appelbaum.net> wrote:

> We have suggested this very thing as a very simplistic countermeasure.
> Sadly, it's not easy to implement in a way that is honored. Also, it
> doesn't help with key schedules (... which we automatically detect and
> use to reconstruct keys even with bit decay).
> 
> All of this is useful but simple to work around for an attacker. We can
> easily remove the memory chips and read them with a device that doesn't
> have constraints of a typical BIOS.

I realize it can be worked around with hardware, but wouldn't
it be useful to raise the bar from "reboot the system with a
crypto-key fishing USB stick" to "need special hardware"?

As for the key schedules, can't the generated keys also be
placed in memory which the BIOS will overwrite?

The 512 bytes at 0x7c00 are guaranteed to be overwritten by
the BIOS (partition table or PXE software is loaded there)
and I've been told that most BIOSes zero out the entire area
below 640kB.

Of course, if there are crypto software solutions that somehow
manage to defeat the cold boot attack, that would be even better.

A future hardware solution to help defeat it could help too, for
example the ability to put a crypto key into a special CPU register
and use that to encrypt and decrypt the memory holding crypto keys,
with a page table bit to indicate that the page is encrypted.

In the meantime - how useful (or useless) is it to raise the bar
a little?

-- 
All rights reversed.
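
Why the key-schedule point in this exchange matters for any wipe or relocation scheme, shown as an added example that is not part of either message: for AES-128 the expanded schedule can be run backwards from any single round key to the cipher key, so all 176 bytes need the same protection as the key itself. Function names are hypothetical; the code implements only the standard AES-128 key expansion and its inverse.

```python
# Added example; helper names are hypothetical, not from the thread or paper.

def rotl8(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xFF

def make_sbox():
    """Build the AES S-box: GF(2^8) inverse followed by the affine map."""
    sbox, p, q = [0] * 256, 1, 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF  # p *= 3
        for s in (1, 2, 4):                                    # q /= 3
            q ^= q << s
        q = (q ^ (0x09 if q & 0x80 else 0)) & 0xFF
        sbox[p] = q ^ rotl8(q, 1) ^ rotl8(q, 2) ^ rotl8(q, 3) ^ rotl8(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63  # zero has no inverse
    return sbox

SBOX = make_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]

def g(word, rnd):
    """RotWord, SubWord, then XOR the round constant into the first byte."""
    out = [SBOX[b] for b in word[1:] + word[:1]]
    out[0] ^= RCON[rnd - 1]
    return out

def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]

def expand_key(key):
    """AES-128 key expansion: 16-byte key -> 176 bytes (round keys 0..10)."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    for i in range(4, 44):
        w.append(xor(w[i - 4], g(w[i - 1], i // 4) if i % 4 == 0 else w[i - 1]))
    return bytes(b for word in w for b in word)

def key_from_round_key(round_key, rnd):
    """Run the schedule backwards from round key `rnd` (1..10) to round key 0."""
    w = [list(round_key[i:i + 4]) for i in range(0, 16, 4)]
    for r in range(rnd, 0, -1):
        p3, p2, p1 = xor(w[3], w[2]), xor(w[2], w[1]), xor(w[1], w[0])
        w = [xor(w[0], g(p3, r)), p1, p2, p3]
    return bytes(b for word in w for b in word)

def wipe_key_only(schedule):
    """Incomplete wipe: zero the cipher key but leave round keys 1..10."""
    return bytes(16) + schedule[16:]
```

After `wipe_key_only`, each 16-byte slice `schedule[16*r:16*r+16]` for r in 1..10 still returns the original key from `key_from_round_key`, which is why a scrub routine has to cover the whole expanded schedule.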




From linux-crypto-bounce@nl.linux.org Fri May 30 16:36:04 2008
Received: from localhost ([127.0.0.1] helo=humbolt)
	by humbolt.nl.linux.org with esmtp (Exim 4.22)
	id 1K25hi-0005QN-5n; Fri, 30 May 2008 16:35:38 +0200
Received: wit