Re: [gentoo-user] Can RAM render useless the encryption of the / and swap partitions?
On 10/9/07, Alex Schuster [EMAIL PROTECTED] wrote: according to the speaker, most of the RAM may even survive for as long as 30 seconds after powering off! At least on a ThinkPad T30 notebook (stated [..] Another thing is Firewire, or hot-pluggable PCI cards (and everything else which accesses RAM via DMA). This allows to read the RAM of the running system by simply plugging in a firewire device. So, resetting the system and booting another one, or plugging in a firewire device, allows to get a memory dump. Scary, huh? On the scary note, I've recently stumbled on this paper by Peter Gutmann, from the IBM T.J.Watson Research Center, published in 2001 at a Usenix conference: Data Remanence in Semiconductor Devices [1]. Not much reassuring either ~_-. [1] http://www.usenix.org/events/sec01/gutmann.html Liviu -- [EMAIL PROTECTED] mailing list
Re: [gentoo-user] Can RAM render useless the encryption of the / and swap partitions?
Liviu Andronic writes: So, my eternal question, is it realistic for the lost RAM data to be recovered? That is, after system shutdown, does the data still physically reside on the RAM and can someone with a decent technology and know-how recover it? In other words, is this a serious breach in any encrypted system? I am pretty sure there was a posting here a while ago by someone who did not like LUKS encryption, and he argued with a link to a speech at the CCC camp, a hacker convention. But I cannot find it any more. I found a blog entry about it, but it is in German only [1]. In short, it states that even after a reset RAM is quite intact, because it is not being initialized at system start any more in these days. And, according to the speaker, most of the RAM may even survive for as long as 30 seconds after powering off! At least on a ThinkPad T30 notebook (stated in the presentation, the second attached file in [2]). Quite surprising to me. Another thing is Firewire, or hot-pluggable PCI cards (and everything else which accesses RAM via DMA). This allows to read the RAM of the running system by simply plugging in a firewire device. So, resetting the system and booting another one, or plugging in a firewire device, allows to get a memory dump. Scary, huh? [1] http://stefan.ploing.de/2007-08-10-ccc-camp-2-tag [2] https://events.ccc.de/camp/2007/Fahrplan/events/2002.en.html Alex -- [EMAIL PROTECTED] mailing list
Re: [gentoo-user] Can RAM render useless the encryption of the / and swap partitions?
Liviu Andronic wrote: On 10/5/07, Daniel Pielmeier [EMAIL PROTECTED] wrote: There is an option in baselayout's rc file to erase the swap at shutdown. Take a look at /etc/conf.d/rc under RC_SWAP_ERASE. As far as I understand, this is far from secure. You want at least some degree of security, you need cryptography. See: http://gentoo-wiki.com/SWAP_ERASE_on_halt . I don't use it myself, just thought it may be helpful. I have checked newer baselayout versions for this option before and I wondered why it wasn't there, so now I know the reason. Thanks! -- [EMAIL PROTECTED] mailing list
Re: [gentoo-user] Can RAM render useless the encryption of the / and swap partitions?
Hi, On Thu, 4 Oct 2007 20:33:40 +0200 Liviu Andronic [EMAIL PROTECTED] wrote: On 10/4/07, Alan McKinnon [EMAIL PROTECTED] wrote: On Thursday 04 October 2007, Hans-Werner Hilse wrote: However, it makes sense to clean up memory after having critical data in it -- e.g. a reboot doesn't necessarily clean up RAM. Yes, this is very true BUT On 10/4/07, Alan McKinnon [EMAIL PROTECTED] wrote: Pray tell, how does RAM manage to retain data when the power is off? ...and... On 10/4/07, Volker Armin Hemmann [EMAIL PROTECTED] wrote: In practice, after power is cut, everything in ram is lost. So, my eternal question, is it realistic for the lost RAM data to be recovered? That is, after system shutdown, does the data still physically reside on the RAM and can someone with a decent technology and know-how recover it? In other words, is this a serious breach in any encrypted system? No, it isn't. Well, I didn't have the full circuit design of today's DRAMs in mind, and yes, since there's the resistor, the capacitor will lose its load (very) soon (/me scratches his head, wasn't there something asymptotically in that graph? But in any way, it would be a difference of very few electrons on the sides of the capacitor) -- that's not a security breach. But: We are talking about _powering_ _off_ the DRAM. You are talking about shutting down. That might be two different things and completely depend on hardware design. Make sure that RAM's gonna get powered off and you're safe. So pulling the plug should give you a warm good feeling in that regard. Doing a sudo halt, however, _might_ have other consequences and we cannot make a general assumption on that. Even pulling the plug might have problems: There's such thing as battery-buffered RAM (although I think they've used it mainly in the pre-Flash era). The thing is: You never can guarantee security, that's absolutely impossible (well, of course you can, but you would automatically be wrong). You can do all your best, but that's about it. 
Having security is a thing you can falsify, but never verify, since theories can't be verified without dogmas (and there are no accepted dogmas that would help here). -hwh -- [EMAIL PROTECTED] mailing list
Re: [gentoo-user] Can RAM render useless the encryption of the / and swap partitions?
Hans-Werner Hilse wrote: The thing is: You never can guarantee security, that's absolutely impossible (well, of course you can, but you would automatically be wrong). Well, you can put your machine in a closet and never turn it on, ever :) Then physical theft is the only possibility, but who's going to miss a machine that's never used? ;) -- Randy Barlow http://electronsweatshop.com -- [EMAIL PROTECTED] mailing list
Re: [gentoo-user] Can RAM render useless the encryption of the / and swap partitions?
On 10/5/07, Hans-Werner Hilse [EMAIL PROTECTED] wrote: So, my eternal question, is it realistic for the lost RAM data to be recovered? That is, after system shutdown, does the data still physically reside on the RAM and can someone with a decent technology and know-how recover it? In other words, is this a serious breach in any encrypted system? No, it isn't. Well, I didn't have the full circuit design of today's DRAMs in mind, and yes, since there's the resistor, the capacitor will lose its load (very) soon (/me scratches his head, wasn't there something asymptotically in that graph? But in any way, it would be a difference of very few electrons on the sides of the capacitor) -- that's not a security breach. But: We are talking about _powering_ _off_ the DRAM. You are talking about shutting down. That might be two different things and completely depend on hardware design. Make sure that RAM's gonna get powered off and you're safe. So pulling the plug should give you a warm good feeling in that regard. Doing a sudo halt, however, _might_ have other consequences and we cannot make a general assumption on that. Even pulling the plug might have problems: There's such thing as battery-buffered RAM (although I think they've used it mainly in the pre-Flash era). The thing is: You never can guarantee security, that's absolutely impossible (well, of course you can, but you would automatically be wrong). You can do all your best, but that's about it. Having security is a thing you can falsify, but never verify, since theories can't be verified without dogmas (and there are no accepted dogmas that would help here). Thank you for your answer, Hans. This is more or less the information that I was looking for. So, on a laptop, after halt-ing the system, one should make sure to remove the battery and also pull the plug from the outlet. As far as I understand, this should more or less take care of the data stored in the RAM, _or_ give you the feeling that you did your best. 
If one enjoys being paranoid, one may also run smem on system shutdown. All this, of course, needs to be in combination with _at least_ an encrypted swap and tmpfs mounted on /tmp. One last reserve that I have towards this scheme is the information in the man page of smem (part of the secure-delete package, suite of utilities written by van Hauser from THC [ http://freeworld.thc.org/releases.php ]): smem is designed to delete data which may lie still in your memory (RAM) in a secure manner which can not be recovered by thiefs, law enforcement or other threats. Note that with the new SDRAMs, data will not wither away but will be kept static - it is easy to extract the necessary information! The wipe algorythm is based on the paper Secure Deletion of Data from Magnetic and Solid-State Memory presented at the 6th Usenix Security Symposium by Peter Gutmann, one of the leading civilian cryptographers. This is either a very efficient advertising campaign for his utility, or he actually knows what he is talking about. For one part, the paper [ http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html ] dedicates two chapters to the data kept in the RAM. However, considering that the paper is dated 1996, and the secure-delete man page was last updated in 2003, there is also the possibility that this information is outdated. Again, thanks all for their input. Regards, Liviu -- [EMAIL PROTECTED] mailing list
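As an added illustration (not part of the original thread, and not code from any poster or project): a Python check for the two storage-side measures named in the message above, encrypted swap and tmpfs mounted on /tmp. It parses the text of /proc/swaps, /proc/mounts and `dmsetup table`; the sample inputs, device names and function names are constructed for the example.

```python
# Added example: audit encrypted swap and tmpfs-on-/tmp from kernel/dmsetup text.
# All sample inputs below are constructed, not captured from a real host.

SAMPLE_PROC_SWAPS = """\
Filename                          Type       Size     Used  Priority
/dev/mapper/crypt-swap            partition  2097148  0     -1
/dev/sda3                         partition  1048572  512   -2
"""

# Format of `dmsetup table`: "<name>: <start> <length> <target> <args...>"
SAMPLE_DMSETUP_TABLE = """\
crypt-swap: 0 4194296 crypt blowfish-cbc-plain 00000000000000000000000000000000 0 8:2 0
vg-home: 0 41943040 linear 8:5 2048
"""

SAMPLE_PROC_MOUNTS = """\
/dev/mapper/root / ext3 rw,noatime 0 0
/dev/sda1 /tmp ext3 rw 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
"""


def crypt_targets(dmsetup_table):
    """Return names of device-mapper devices whose target type is 'crypt'."""
    names = set()
    for line in dmsetup_table.splitlines():
        name, sep, rest = line.partition(": ")
        fields = rest.split()
        if sep and len(fields) >= 3 and fields[2] == "crypt":
            names.add(name)
    return names


def swap_report(proc_swaps, dmsetup_table):
    """Map each active swap area to True if it sits directly on a dm-crypt device."""
    crypt = crypt_targets(dmsetup_table)
    prefix = "/dev/mapper/"
    report = {}
    for line in proc_swaps.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if not fields:
            continue
        dev = fields[0]
        # Only /dev/mapper/<name> paths are matched; /dev/dm-N nodes and swap
        # files are reported as unverified (False) rather than guessed at.
        report[dev] = dev.startswith(prefix) and dev[len(prefix):] in crypt
    return report


def tmp_is_tmpfs(proc_mounts):
    """True if the topmost mount on /tmp is tmpfs (the last entry wins)."""
    fstype = None
    for line in proc_mounts.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[1] == "/tmp":
            fstype = fields[2]
    return fstype == "tmpfs"


if __name__ == "__main__":
    for dev, ok in swap_report(SAMPLE_PROC_SWAPS, SAMPLE_DMSETUP_TABLE).items():
        print(f"{dev}: {'dm-crypt' if ok else 'NOT verified as encrypted'}")
    print("/tmp on tmpfs:", tmp_is_tmpfs(SAMPLE_PROC_MOUNTS))
```

In the constructed sample, /dev/sda3 is an active plaintext swap area with a non-zero Used column, which is the case the thread's advice about encrypted swap is meant to rule out.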
Re: [gentoo-user] Can RAM render useless the encryption of the / and swap partitions?
Volker Armin Hemmann wrote: In practice, after power is cut, everything in ram is lost. But not the stuff in swap I don't know if this was mentioned already but it is probably useful. There is an option in baselayout's rc file to erase the swap at shutdown. Take a look at /etc/conf.d/rc under RC_SWAP_ERASE. Regards, Daniel -- [EMAIL PROTECTED] mailing list
Re: [gentoo-user] Can RAM render useless the encryption of the / and swap partitions?
Hello, On 10/5/07, Daniel Pielmeier [EMAIL PROTECTED] wrote: There is an option in baselayout's rc file to erase the swap at shutdown. Take a look at /etc/conf.d/rc under RC_SWAP_ERASE. As far as I understand, this is far from secure. You want at least some degree of security, you need cryptography. See: http://gentoo-wiki.com/SWAP_ERASE_on_halt . Regards, Liviu -- [EMAIL PROTECTED] mailing list
Re: [gentoo-user] Can RAM render useless the encryption of the / and swap partitions?
On Thursday 04 October 2007, Liviu Andronic wrote: And later on: Now one problem is left. Even with normal RAM a well funded organisation can get the contents after the system is powered off. With the modern SDRAM it's even worse, where the data stays on the RAM permanently until new data is written. Pray tell, how does RAM manage to retain data when the power is off? It's either six transistors or one transistor and a cap per cell = not persistent. I don't know of any magic persistent RAM that's fast enough for use as main RAM. Flash disks are of course another story but you do appear to be talking about system RAM alan -- Optimists say the glass is half full, Pessimists say the glass is half empty, Developers say wtf is the glass twice as big as it needs to be? Alan McKinnon alan at linuxholdings dot co dot za +27 82, double three seven, one nine three five -- [EMAIL PROTECTED] mailing list
Re: [gentoo-user] Can RAM render useless the encryption of the / and swap partitions?
Hi, On Thu, 4 Oct 2007 15:47:53 +0200 Alan McKinnon [EMAIL PROTECTED] wrote: On Thursday 04 October 2007, Liviu Andronic wrote: And later on: Now one problem is left. Even with normal RAM a well funded organisation can get the contents after the system is powered off. With the modern SDRAM it's even worse, where the data stays on the RAM permanently until new data is written. Pray tell, how does RAM manage to retain data when the power is off? It's either six transistors or one transistor and a cap per cell = not persistent. In theory, for the one transistor and one cap case, you have a loaded cap that will take forever losing its load, won't it? But in practice, I think, that's not realistic. I don't know of any magic persistent RAM that's fast enough for use as main RAM. Flash disks are of course another story but you do appear to be talking about system RAM There actually are new RAM types being made for solid-state storage. But this is in a proof-of-concept stage, I think. Maybe Liviu's professor had those magnetic drum memory units in mind when saying that? Anyway, cleaning memory on a power-off shut down doesn't make much sense. However, it makes sense to clean up memory after having critical data in it -- e.g. a reboot doesn't necessarily clean up RAM. And I'm not sure if some mainboards even keep the RAM powered in certain situations -- at least, they can as long as the power is not really switched off (e.g. machine only in ATX soft-off mode). -hwh -- [EMAIL PROTECTED] mailing list
Re: [gentoo-user] Can RAM render useless the encryption of the / and swap partitions?
On Thursday, 4 October 2007, Hans-Werner Hilse wrote: Hi, On Thu, 4 Oct 2007 15:47:53 +0200 Alan McKinnon [EMAIL PROTECTED] wrote: On Thursday 04 October 2007, Liviu Andronic wrote: And later on: Now one problem is left. Even with normal RAM a well funded organisation can get the contents after the system is powered off. With the modern SDRAM it's even worse, where the data stays on the RAM permanently until new data is written. Pray tell, how does RAM manage to retain data when the power is off? It's either six transistors or one transistor and a cap per cell = not persistent. In theory, for the one transistor and one cap case, you have a loaded cap that will take forever losing its load, won't it? But in practice, I think, that's not realistic. in practice, the ram has to be refreshed every few cycles (one reason why it is slow) because it is losing its load so fast. In practice, after power is cut, everything in ram is lost. But not the stuff in swap -- [EMAIL PROTECTED] mailing list
Re: [gentoo-user] Can RAM render useless the encryption of the / and swap partitions?
On 10/4/07, Volker Armin Hemmann [EMAIL PROTECTED] wrote: in practice, the ram has to be refreshed every few cycles (one reason why it is slow) because it is losing its load so fast. In practice, after power is cut, everything in ram is lost. But not the stuff in swap Considering that swap is encrypted, is it realistic for this lost RAM data to be recovered? Again, take the case of a well funded organization. -- [EMAIL PROTECTED] mailing list
Re: [gentoo-user] Can RAM render useless the encryption of the / and swap partitions?
On Thursday 04 October 2007, Hans-Werner Hilse wrote: Hi, On Thu, 4 Oct 2007 15:47:53 +0200 Alan McKinnon [EMAIL PROTECTED] wrote: On Thursday 04 October 2007, Liviu Andronic wrote: And later on: Now one problem is left. Even with normal RAM a well funded organisation can get the contents after the system is powered off. With the modern SDRAM it's even worse, where the data stays on the RAM permanently until new data is written. Pray tell, how does RAM manage to retain data when the power is off? It's either six transistors or one transistor and a cap per cell = not persistent. In theory, for the one transistor and one cap case, you have a loaded cap that will take forever losing its load, won't it? But in practice, I think, that's not realistic. Definitely not realistic - the cap is on the order of a fraction of a pF and needs to be refreshed every 50-100mS or so. Once the power is off, the cap sees a (relatively) low impedance sink and discharges rather quickly I don't know of any magic persistent RAM that's fast enough for use as main RAM. Flash disks are of course another story but you do appear to be talking about system RAM There actually are new RAM types being made for solid-state storage. But this is in a proof-of-concept stage, I think. side note I for one anxiously await the arrival of solid-state disks. I have customers who simply *cannot* do backups as the backup takes longer than the available window! Disk speed is a very limiting factor Maybe Liviu's professor had those magnetic drum memory units in mind when saying that? In all honesty, I've heard some very very strange things from the mouths of professors over the years. We don't really know what this person said or intended Anyway, cleaning memory on a power-off shut down doesn't make much sense. However, it makes sense to clean up memory after having critical data in it -- e.g. a reboot doesn't necessarily clean up RAM. 
And I'm not sure if some mainboards even keep the RAM powered in certain situations -- at least, they can as long as the power is not really switched off (e.g. machine only in ATX soft-off mode). Yes, this is very true alan -- Optimists say the glass is half full, Pessimists say the glass is half empty, Developers say wtf is the glass twice as big as it needs to be? Alan McKinnon alan at linuxholdings dot co dot za +27 82, double three seven, one nine three five -- [EMAIL PROTECTED] mailing list
Re: [gentoo-user] Can RAM render useless the encryption of the / and swap partitions?
On Thursday, 4 October 2007, Liviu Andronic wrote: On 10/4/07, Volker Armin Hemmann [EMAIL PROTECTED] wrote: in practice, the ram has to be refreshed every few cycles (one reason why it is slow) because it is losing its load so fast. In practice, after power is cut, everything in ram is lost. But not the stuff in swap Considering that swap is encrypted, is it realistic for this lost RAM data to be recovered? Again, take the case of a well funded organization. that depends on the encryption. Some algorithms are easy to break. Some are not, some will be broken as soon as we get quantum-computers ;) -- [EMAIL PROTECTED] mailing list
Re: [gentoo-user] Can RAM render useless the encryption of the / and swap partitions?
On 10/4/07, Volker Armin Hemmann [EMAIL PROTECTED] wrote: Considering that swap is encrypted, is it realistic for this lost RAM data to be recovered? Again, take the case of a well funded organization. that depends on the encryption. Some algorithms are easy to break. Some are not, some will be broken as soon as we get quantum-computers ;) I'm basing myself mainly on: http://gentoo-wiki.com/SECURITY_System_Encryption_DM-Crypt_with_LUKS#Encrypting_swap_for_installation and http://en.wikipedia.org/wiki/AES_process#Rounds_one_and_two for the cipher's choice, and for the method used on: http://www.gentoo.org/proj/en/hardened/disk-cryptography.xml I have settled down to the following: -c blowfish -h sha256 for swap and -c serpent -h sha256 for the sensitive data partitions (/home, etc.). in combination with a strong password. How encrypted does this sound? For today, at least.. -- [EMAIL PROTECTED] mailing list
Re: [gentoo-user] Can RAM render useless the encryption of the / and swap partitions?
On 10/4/07, Alan McKinnon [EMAIL PROTECTED] wrote: On Thursday 04 October 2007, Hans-Werner Hilse wrote: [..] However, it makes sense to clean up memory after having critical data in it -- e.g. a reboot doesn't necessarily clean up RAM. [..] Yes, this is very true BUT On 10/4/07, Alan McKinnon [EMAIL PROTECTED] wrote: Pray tell, how does RAM manage to retain data when the power is off? ...and... On 10/4/07, Volker Armin Hemmann [EMAIL PROTECTED] wrote: In practice, after power is cut, everything in ram is lost. So, my eternal question, is it realistic for the lost RAM data to be recovered? That is, after system shutdown, does the data still physically reside on the RAM and can someone with a decent technology and know-how recover it? In other words, is this a serious breach in any encrypted system? -- [EMAIL PROTECTED] mailing list
Re: [gentoo-user] Can RAM render useless the encryption of the / and swap partitions?
Hans-Werner Hilse wrote: In theory, for the one transistor and one cap case, you have a loaded cap that will take forever losing its load, won't it? But in practice, I think, that's not realistic. It's actually not theory vs. practice. Even in theory, it's not just a cap, it's a cap and a resistor. So you have a time constant, tau = R*C. Since the capacitance is very small (picofarads) and we're not talking large resistance either, you end up with a very small time constant and that cap leaks its charge very quickly (which is why the RAM needs to be refreshed and powered). -- R -- [EMAIL PROTECTED] mailing list
Re: [gentoo-user] Can RAM render useless the encryption of the / and swap partitions?
On Thursday 04 October 2007, Volker Armin Hemmann wrote: On Thursday, 4 October 2007, Liviu Andronic wrote: On 10/4/07, Volker Armin Hemmann [EMAIL PROTECTED] wrote: in practice, the ram has to be refreshed every few cycles (one reason why it is slow) because it is losing its load so fast. In practice, after power is cut, everything in ram is lost. But not the stuff in swap Considering that swap is encrypted, is it realistic for this lost RAM data to be recovered? Again, take the case of a well funded organization. that depends on the encryption. Some algorithms are easy to break. Some are not, some will be broken as soon as we get quantum-computers ;) Are we missing the obvious? The easiest thing to 'break' is the weakest link in the chain. In such a *hypothetical* case that would be the person who is in possession of the passphrase. I would expect that such a person would be invariably labeled a hacker and condemned to eternity . . . Cracking the encryption algorithm by computation would only be necessary if the said person was not able to disclose the key due to absence, or due to an inability to recover from the vegetative (or worse) state that the questioning methods may have inadvertently induced. :P -- Regards, Mick