Cold Boot Attacks Research Articles

New partial key exposure attacks on RSA with additive exponent blinding

Partial key exposure attacks present a significant threat to RSA-type cryptosystems. These attacks factorize the RSA modulus by utilizing partial knowledge of the decryption exponent, which is typically revealed by side-channel attacks, cold boot attacks, etc. In practice, the RSA implementations typically employ countermeasures to resist physical attacks, such as additive exponent blinding d′=d+rφ(N)\\documentclass[12pt]{minimal} \\usepackage{amsmath} \\usepackage{wasysym} \\usepackage{amsfonts} \\usepackage{amssymb} \\usepackage{amsbsy} \\usepackage{mathrsfs} \\usepackage{upgreek} \\setlength{\\oddsidemargin}{-69pt} \\begin{document}$$d' = d + r \\varphi (N)$$\\end{document} with unknown random blinding factor r. Although there are a couple of partial key exposure attacks on blinding RSA, these attacks require a considerable amount of leakage and fail to work when e is up to full size. In this paper, we propose new partial key exposure attacks on RSA with additive exponent blinding, focusing on leakage scenarios where the Most Significant Bits (MSBs) or Least Significant Bits (LSBs) of d′\\documentclass[12pt]{minimal} \\usepackage{amsmath} \\usepackage{wasysym} \\usepackage{amsfonts} \\usepackage{amssymb} \\usepackage{amsbsy} \\usepackage{mathrsfs} \\usepackage{upgreek} \\setlength{\\oddsidemargin}{-69pt} \\begin{document}$$d'$$\\end{document} are revealed. For the case where e is small, we first recover partial information of p by solving the quadratic congruence equation, and then find the small roots of the integer equation to recover entire private key. Our method relaxes the attack requirements, for instance, we reduce the amount of MSBs for a successful attack from 75 to 25% when e≈N0.25\\documentclass[12pt]{minimal} \\usepackage{amsmath} \\usepackage{wasysym} \\usepackage{amsfonts} \\usepackage{amssymb} \\usepackage{amsbsy} \\usepackage{mathrsfs} \\usepackage{upgreek} \\setlength{\\oddsidemargin}{-69pt} \\begin{document}$$e \\approx N^{0.25}$$\\end{document} and r≈N0\\documentclass[12pt]{minimal} \\usepackage{amsmath} \\usepackage{wasysym} \\usepackage{amsfonts} \\usepackage{amssymb} \\usepackage{amsbsy} \\usepackage{mathrsfs} \\usepackage{upgreek} \\setlength{\\oddsidemargin}{-69pt} \\begin{document}$$r\\approx N^{0}$$\\end{document}. Furthermore, we propose new attacks using the unique algebraic relationship in blinding RSA, which extend the attack to the case where e is of full size.

RegKey: A Register-based Implementation of ECC Signature Algorithms Against One-shot Memory Disclosure

To ensure the security of cryptographic algorithm implementations, several cryptographic key protection schemes have been proposed to prevent various memory disclosure attacks. Among them, the register-based solutions do not rely on special hardware features and offer better applicability. However, due to the size limitation of register resources, the performance of register-based solutions is much worse than conventional cryptosystem implementations without security enhancements. This paper presents RegKey, an efficient register-based implementation of ECC (elliptic curve cryptography) signature algorithms. Different from other schemes that protect the whole cryptographic operations, RegKey only uses CPU registers to execute simple but critical operations, significantly reducing the usage of register resources and performance overheads. To achieve this goal, RegKey splits the ECC signing into two parts, (1) complex elliptic curve group operations on non-sensitive data in main memory as normal implementations, and (2) simple prime field operations on sensitive data inside CPU registers. RegKey guarantees the plaintext private key and random number used for signing only appear in registers to effectively resist one-shot memory disclosure attacks such as cold-boot attacks and warm-boot attacks, which are usually launched by physically accessing the victim machine to acquire partial or even entire memory data but only once. Compared with existing cryptographic key protection schemes, the performance of RegKey is greatly improved. Regkey is applicable to different platforms because it does not rely on special CPU hardware features. Since RegKey focuses on one-shot memory disclosure instead of persistent software-based attacks, it works as a choice suitable for embedded devices or offline machines where physical attacks are the main threat.

On recovering block cipher secret keys in the cold boot attack setting

AbstractThis paper presents a general strategy to recover a block cipher secret key in the cold boot attack setting. More precisely, we propose a key-recovery method that combines key enumeration algorithms and Grover’s quantum algorithm to recover a block cipher secret key after an attacker has procured a noisy version of it via a cold boot attack. We also show how to implement the quantum component of our algorithm for several block ciphers such as AES, PRESENT and GIFT, and LowMC. Additionally, since evaluating the third-round post-quantum candidates of the National Institute of Standards and Technology (NIST) post-quantum standardization process against different attack vectors is of great importance for their overall assessment, we show the feasibility of performing our hybrid attack on Picnic, a post-quantum signature algorithm being an alternate candidate in the NIST post-quantum standardization competition. According to our results, our method may recover the Picnic private key for all Picnic parameter sets, tolerating up to 40% of noise for some of the parameter sets. Furthermore, we provide a detailed analysis of our method by giving the cost of its resources, its running time, and its success rate for various enumerations.

Cold Boot Attack on Encrypted Containers for Forensic Investigations

Cold Boot Attack on Encrypted Containers for Forensic Investigations

SuperVAULT: Superparamagnetic Volatile Auxiliary Tamper-Proof Storage

Memory security has recently come into the spotlight as attackers have stepped up their efforts to gain illicit access to sensitive data or cause denial-of-memory-service via a variety of avenues like cold boot attacks, bus snooping, and physical probing or tampering. In this paper, we propose SuperVAULT, a novel secure storage solution for protecting secret data/keys by exploiting the superparamagnetic regime of nanomagnets. Through materials and dimensional engineering of the magnetic tunnel junction (MTJ) free layer, the energy barrier of spintransfer torque magnetoresistive random access memory (STTMRAM) cells can be designed to lie in the range of the thermal energy (kBT ). Such superparamagnetic MTJ (s-MTJ) cells, with an O(10 ns) retention time, need to be refreshed frequently. In the absence of data refresh (under attack conditions), the data they hold is thermally corrupted to a random state after an arbitrary but short amount of time. We leverage this property to devise a secure memory primitive and showcase its potential against cold boot and Boolean satisfiability (SAT) attacks. Further, the overheads for s-MTJ-based STT-MRAMs is shown to be promising for on-chip implementations.

Ultra-fast data sanitization of SRAM by back-biasing to resist a cold boot attack

Although SRAM is a well-established type of volatile memory, data remanence has been observed at low temperature even for a power-off state, and thus it is vulnerable to a physical cold boot attack. To address this, an ultra-fast data sanitization method within 5 ns is demonstrated with physics-based simulations for avoidance of the cold boot attack to SRAM. Back-bias, which can control device parameters of CMOS, such as threshold voltage and leakage current, was utilized for the ultra-fast data sanitization. It is applicable to temporary erasing with data recoverability against a low-level attack as well as permanent erasing with data irrecoverability against a high-level attack.

Data Sanitization of SRAM by Thermal Distortion

Thermal distortion of a memory state is demonstrated for data sanitization of static random access memory (SRAM). Data stored in SRAM are believed to be deleted when power is turned off. However, it has been reported that the data can remain for a certain time even in powered- OFF SRAM, especially in a low-temperature environment. When a cold boot attack is attempted at low temperature, the stored data in SRAM are secured by thermal distortion at induced high temperature. For an experimental demonstration of data sanitization, heat is intentionally applied to a commercial SRAM chip, which is connected with a Raspberry pi board to write and read data. Supportive circuit and thermal simulations are performed to analyze electrical and thermal characteristics during heat treatment.

Mimosa: Protecting Private Keys Against Memory Disclosure Attacks Using Hardware Transactional Memory

Cryptography is essential for computer and network security. When cryptosystems are deployed in computing or communication systems, it is extremely critical to protect the cryptographic keys. In practice, keys are loaded into the memory as plaintext during cryptographic computations. Therefore, the keys are subject to memory disclosure attacks that read unauthorized data from RAM. Such attacks could be performed through software exploitations, such as OpenSSL Heartbleed, even when the integrity of the victim system's binaries is maintained. They could also be done through physical methods, such as cold-boot attacks, even if the system is free of software vulnerabilities. This paper presents Mimosa, to protect RSA private keys against both software-based and physical memory disclosure attacks. Mimosa uses hardware transactional memory (HTM) to ensure that (a) whenever a malicious thread other than Mimosa attempts to read the plaintext private key, the transaction aborts and all sensitive data are automatically cleared with hardware, due to the strong atomicity guarantee of HTM; and (b) all sensitive data, including private keys and intermediate states, appear as plaintext only within CPU-bound caches, and are never loaded to RAM chips. To the best of our knowledge, Mimosa is the first solution to use transactional memory to protect sensitive data against memory attacks. However, the fragility of TSX transactions introduces extra cache-clogging denial-of-service (DoS) threats, and attackers could sharply degrade the performance by concurrent memory-intensive tasks. To mitigate the DoS threats, we further partition an RSA private-key computation into multiple transactional parts by analyzing the distribution of aborts, while (sensitive) intermediate results are still protected across transactional parts. Through extensive experiments, we show that Mimosa effectively protects cryptographic keys against attacks that attempt to read sensitive data in memory, and introduces only a small performance overhead, even with concurrent cache-clogging workloads.

Amnesiac DRAM: A Proactive Defense Mechanism Against Cold Boot Attacks

DRAMs in modern computers or hand-held devices store private or often security-sensitive data. Unfortunately, one known attack vector, called a cold boot attack, remains threatening and easy-to-exploit, especially when attackers have physical access to the device. It exploits the fundamental property of current DRAMs: remanence effects that retain the stored contents for a certain period of time even after powering off. To magnify the remanence effect, cold boot attacks typically freeze the victim DRAM, thereby providing a chance to detach, move, and reattach it to an attacker's computer. Once power is on, attackers can steal all the security-critical information from the victim's DRAM, such as a master decryption key for an encrypted disk storage. Two types of defenses were proposed in the past: 1) CPU-bound cryptography, where keys are stored in CPU registers and caches instead of in DRAMs, and 2) full or partial memory encryption, where sensitive data are stored encrypted. However, both methods impose non-negligible performance or energy overheads to the running systems, and worse, significantly increase the hardware and software manufacturing costs. We found that these proposed solutions attempted to address the cold boot attacks passively: either by avoiding or by indirectly addressing the root cause of the problem, the remanence effect. In this article, we propose and evaluate a proactive defense mechanism, Amnesiac DRAM, that comprehensively prevents the cold boot attacks. The key idea is to discard the contents in the DRAM when attackers attempt to retrieve (i.e., power on) them from the stolen DRAM. When Amnesiac DRAM senses a physical separation, it locks itself and deletes all the remaining contents, making it amnesiac. The Amnesiac DRAM causes neither performance nor energy overhead in ordinary operations (e.g., load and store) and can be easily implemented with negligible area overhead in commodity DRAM architectures.

One key to rule them all: Recovering the master key from RAM to break Android's file-based encryption

As known for a decade, cold boot attacks can break software-based disk encryption when an attacker has physical access to a powered-on device, including Android smartphones. Raw memory images can be obtained by resetting a device and rebooting it with a malicious boot loader, or—on systems where this is not possible due to secure boot or restrictive BIOS settings—by a physical transplantation of RAM modules into a system under the control of the attacker. Based on the memory images of a device, different key recovery algorithms have been proposed in the past to break Full Disk Encryption (FDE), including BitLocker, dm-crypt, and also Android's FDE. With Google's switch from FDE to File-based Encryption (FBE) as the standard encryption method for recent Android devices, however, existing tools have been rendered ineffective. To close this gap, and to re-enable the forensic analysis of encrypted Android disks, given a raw memory image, we present a new key recovery method tailored for FBE. Furthermore, we extend The Sleuth Kit (TSK) to automatically decrypt file names and file contents when working on FBE-enabled EXT4 images, as well as the Plaso framework to extract events from encrypted EXT4 partitions. Last but not least, we argue that the recovery of master keys from FBE partitions was particularly easy due to a flaw in the key derivation method by Google.

Continuous leakage-resilient certificate-based signcryption scheme and application in cloud computing

Leakage of private information, e.g. the secret keys, has become a serious threat to the security of computing systems. It has become a common requirement that real-world security applications should withstand various leakage attacks, such as side-channel attacks, cold-boot attacks, etc. For example, the above leakage attacks are very common in cloud computing nowadays. Hence, we need a novel method to protect the security of data storage and authorization even if a certain amount of leakage information with respect to the secret state can be obtained by any adversary. In order to achieve the above goal, in this paper, we introduce a continuous leakage-resilient certificate-based signcryption (CBS) scheme, and we prove that our proposed scheme achieves the chosen-ciphertext attacks (CCA) security based on the discrete logarithm assumption and the decisional Diffie-Hellman assumption. Our proposed scheme not only has the ability to resist the continuous leakage attacks, but also enjoys very low computational overheads. Moreover, two concrete continuous leakage-resilient data storage and authorization protocols are generated from the above continuous leakage-resilient CBS scheme: one has a single key generation center and the other generates the keys in a distributed form. Therefore, our protocols with continuous leakage resilience are particularly suitable for data storage and authorization in cloud computing system.

Cold Boot Attacks on the Supersingular Isogeny Key Encapsulation (SIKE) Mechanism

This research paper evaluates the feasibility of cold boot attacks on the Supersingular Isogeny Key Encapsulation (SIKE) mechanism. This key encapsulation mechanism has been included in the list of alternate candidates of the third round of the National Institute of Standards and Technology (NIST) Post-Quantum Cryptography Standardization Process. To the best of our knowledge, this is the first time this scheme is assessed in the cold boot attacks setting. In particular, our evaluation is focused on the reference implementation of this scheme. Furthermore, we present a dedicated key-recovery algorithm for SIKE in this setting and show that the key recovery algorithm works for all the parameter sets recommended for this scheme. Moreover, we compute the success rates of our key recovery algorithm through simulations and show the key recovery algorithm may reconstruct the SIKE secret key for any SIKE parameters for a fixed and small α=0.001 (the probability of a 0 to 1 bit-flipping) and varying values for β (the probability of a 1 to 0 bit-flipping) in the set {0.001,0.01,…,0.1}. Additionally, we show how to integrate a quantum key enumeration algorithm with our key-recovery algorithm to improve its overall performance.

Cold Boot Attacks on LUOV

This research article assesses the feasibility of cold boot attacks on the lifted unbalanced oil and Vinegar (LUOV) scheme, a variant of the UOV signature scheme. This scheme is a member of the family of asymmetric cryptographic primitives based on multivariable polynomials over a finite field K and has been submitted as candidate to the ongoing National Institute of Standards and Technology (NIST) standardisation process of post-quantum signature schemes. To the best of our knowledge, this is the first time that this scheme is evaluated in this setting. To perform our assessment of the scheme in this setting, we review two implementations of this scheme, the reference implementation and the libpqcrypto implementation, to learn the most common in-memory private key formats and next develop a key recovery algorithm exploiting the structure of this scheme. Since the LUOV’s key generation algorithm generates its private components and public components from a 256-bit seed, the key recovery algorithm works for all the parameter sets recommended for this scheme. Additionally, we tested the effectiveness and performance of the key recovery algorithm through simulations and found the key recovery algorithm may retrieve the private seed when α = 0.001 (probability that a 0 bit of the original secret key will flip to a 1 bit) and β (probability that a 1 bit of the original private key will flip to a 0 bit) in the range { 0.001 , 0.01 , 0.02 , … , 0.15 } by enumerating approximately 2 40 candidates.

A Comprehensive Study of the Key Enumeration Problem

In this paper, we will study the key enumeration problem, which is connected to the key recovery problem posed in the cold boot attack setting. In this setting, an attacker with physical access to a computer may obtain noisy data of a cryptographic secret key of a cryptographic scheme from main memory via this data remanence attack. Therefore, the attacker would need a key-recovery algorithm to reconstruct the secret key from its noisy version. We will first describe this attack setting and then pose the problem of key recovery in a general way and establish a connection between the key recovery problem and the key enumeration problem. The latter problem has already been studied in the side-channel attack literature, where, for example, the attacker might procure scoring information for each byte of an Advanced Encryption Standard (AES) key from a side-channel attack and then want to efficiently enumerate and test a large number of complete 16-byte candidates until the correct key is found. After establishing such a connection between the key recovery problem and the key enumeration problem, we will present a comprehensive review of the most outstanding key enumeration algorithms to tackle the latter problem, for example, an optimal key enumeration algorithm (OKEA) and several nonoptimal key enumeration algorithms. Also, we will propose variants to some of them and make a comparison of them, highlighting their strengths and weaknesses.

Continuous Leakage-Resilient Identity-Based Encryption with Tight Security

Abstract In the actual applications, an adversary can break the security of cryptography scheme through various leakage attacks (e.g. side-channel attacks, cold-boot attacks, etc.), even the continuous leakage attacks. That is, a practical cryptography scheme must maintain its claimed security in the continuous leakage setting. However, the previous constructions on the leakage-resilient identity-based encryption (IBE) scheme could tolerate a leakage that is bounded, and cannot resist the continuous leakage attacks. In order to further achieve the better security, a novel method to build the continuous leakage-resilient IBE scheme with tight security is presented in this paper, and the scheme’s security is proved, in the standard model, based on a stronger security assumption that depends on the number of queries made by the adversary. In addition, our proposal has several advantages over previous such constructions, e.g. shorter public parameters, higher communication efficiency, tight security, etc.

Building a Trustworthy Execution Environment to Defeat Exploits from both Cyber Space and Physical Space for ARM

The rapid evolution of Internet-of-Things (IoT) technologies has led to an emerging need to make them smarter. However, the smartness comes at the cost of multi-vector security exploits. From cyber space, a compromised operating system could access all the data in a cloud-aware IoT device. From physical space, cold-boot attacks and DMA attacks impose a great threat to the unattended devices. In this paper, we propose TrustShadow that provides a comprehensively protected execution environment for unmodified application running on ARM-based IoT devices. To defeat cyber attacks, TrustShadow takes advantage of ARM TrustZone technology and partitions resources into the secure and normal worlds. In the secure world, TrustShadow constructs a trusted execution environment for security-critical applications. This trusted environment is maintained by a lightweight runtime system. The runtime system does not provide system services itself. Rather, it forwards them to the untrusted normal-world OS, and verifies the returns. The runtime system further employs a page based encryption mechanism to ensure that all the data segments of a security-critical application appear in ciphertext in DRAM chip. When an encrypted data page is accessed, it is transparently decrypted to a page in the internal RAM, which is immune to physical exploits.

Copker: A Cryptographic Engine Against Cold-Boot Attacks

Cryptosystems are essential for computer and communication security, e.g., RSA or ECDSA in PGP Email clients and AES in full disk encryption. In practice, the cryptographic keys are loaded and stored in RAM as plain-text, and therefore vulnerable to cold-boot attacks exploiting the remanence effect of RAM chips to directly read memory data. To tackle this problem, we propose Copker , a cryptographic engine that implements asymmetric cryptosystems entirely within the CPU, without storing any plain-text sensitive data in RAM. Copker supports the popular asymmetric cryptosystems (i.e., RSA and ECDSA), and deterministic random bit generators (DRBGs) used in ECDSA signing. In its active mode, Copker stores kilobytes of sensitive data, including the private key, the DRBG seed and intermediate states, only in on-chip CPU caches (and registers). Decryption/signing operations are performed without storing any sensitive information in RAM. In the suspend mode, Copker stores symmetrically-encrypted private keys and DRBG seeds in memory, while employs existing solutions to keep the key-encryption key securely in CPU registers. Hence, Copker releases the system resources in the suspend mode. We implement Copker with the support of multiple private keys. With security analyses and intensive experiments, we demonstrate that Copker provides cryptographic services that are secure against cold-boot attacks and introduce reasonable overhead.

Cold Boot Attacks on Ring and Module LWE Keys Under the NTT

In this work, we consider the ring- and module- variants of the LWE problem and investigate cold boot attacks on cryptographic schemes based on these problems, wherein an attacker is faced with the problem of recovering a scheme’s secret key from a noisy version of that key. The leakage resilience of cryptography based on the learning with errors (LWE) problem has been studied before, but there are only limited results considering the parameters observed in cold boot attack scenarios. There are two main encodings for storing ring- and module-LWE keys, and, as we show, the performance of cold boot attacks can be highly sensitive to the exact encoding used. The first encoding stores polynomial coefficients directly in memory. The second encoding performs a number theoretic transform (NTT) before storing the key, a commonly used method leading to more efficient implementations. We first give estimates for a cold boot attack complexity on the first encoding method based on standard algorithms; this analysis confirms that this encoding method is vulnerable to cold boot attacks only at very low bit-flip rates. We then show that, for the second encoding method, the structure introduced by using an NTT is exploitable in the cold boot setting: we develop a bespoke attack strategy that is much cheaper than our estimates for the first encoding when considering module-LWE keys. For example, at a 1% bit-flip rate (which corresponds roughly to what can be achieved in practice for cold boot attacks when applying cooling), a cold boot attack on Kyber KEM parameters has a cost of 243 operations when the second, NTT-based encoding is used for key storage, compared to 270 operations with the first encoding. On the other hand, in the case of the ring-LWE-based KEM, New Hope, the cold boot attack complexities are similar for both encoding methods.

Leakage-resilient CCA2-secure certificateless public-key encryption scheme without bilinear pairing

In practical applications, an encryption scheme should withstand various leakage attacks (e.g., side-channel attacks, cold-boot attacks, etc.). Thus, in this paper, a new leakage-resilient certificateless public-key encryption (LR-CL-PKE) scheme is presented, and whose security is based on the classic decisional Diffie–Hellman (DDH) assumption. Considering the computational costs, because without bilinear pairing, our construction is more efficient than traditional LR-CL-PKE schemes. Based on the hardness of the DDH assumption, the security of our proposal is proved. Furthermore, in the leakage setting, our construction can keep its claimed security even if the adversary can learn a certain amount of additional information on the secret key through various leakage attacks.

Efficient Branch and Bound on FPGAs Using Work Stealing and Instance-Specific Designs

Branch and bound (B8B) algorithms structure the search space as a tree and eliminate infeasible solutions early by pruning subtrees that cannot lead to a valid or optimal solution. Custom hardware designs significantly accelerate the execution of these algorithms. In this article, we demonstrate a high-performance B8B implementation on FPGAs. First, we identify general elements of B8B algorithms and describe their implementation as a finite state machine. Then, we introduce workers that autonomously cooperate using work stealing to allow parallel execution and full utilization of the target FPGA. Finally, we explore advantages of instance-specific designs that target a specific problem instance to improve performance. We evaluate our concepts by applying them to a branch and bound problem, the reconstruction of corrupted AES keys obtained from cold-boot attacks. The evaluation shows that our work stealing approach is scalable with the available resources and provides speedups proportional to the number of workers. Instance-specific designs allow us to achieve an overall speedup of 47 × compared to the fastest implementation of AES key reconstruction so far. Finally, we demonstrate how instance-specific designs can be generated just-in-time such that the provided speedups outweigh the additional time required for design synthesis.