Experts find way around secured data

A simple method to steal encrypted information by freezing computer hard disks has been developed by a group of U.S. computer researchers.

The technique could be used to undermine security software protecting critical data on computers, The New York Times says. And, it's as easy as chilling a computer memory chip with an inexpensive blast of frigid air from a can.

The move, described on the Princeton University group's Web site Thursday, exploits a little-known vulnerability of the dynamic random access memory - DRAM - chip. Those chips temporarily hold data, which are supposed to disappear when the computer's electrical power is turned off.

But, the researchers discovered the chips retain memory for seconds or even minutes after power is cut, giving them ample time to freeze the chips with a blast of canned air so they can be read, the Times said.

Now let's put this into perspective:

DRAM memory chips lose their memory when power is removed. If you shut off the computer, the RAM is cleared (due to its design, it requires power to keep data in RAM). This was previously assumed to be immediate, but it turns out it is rather gradual. Why? I do not know. Maybe one of our readers can enlighten the rest of us. Apparently, the warmer the DRAM chip, the faster the decay. Under normal circumstances, it's a few seconds. Cooling the DRAM with air will make it decay a little more slowly - maybe a few minutes before the data is too corrupted to read. If you "flash freeze" it in liquid nitrogen, it'll take hours before the memory decays to an unreadable state.

This, in and of itself, has nothing to do with being able to read encrypted files or encrypted hard drives. However, it does expose a loophole: if the encryption key is in RAM, someone with physical access to the computer may be able to read that RAM, acquire the key, and then be able to decrypt files on disk.

The solution? Never leave a powered up computer that uses encryption. Shut it off before you leave. Suspend to RAM is no good - you have to shut it off.

The only 100% sure fix for this is to ensure that the key is never in RAM. There are only two ways to do this: first, never use encryption; or second, store the key in a register in the CPU (which requires development of new hardware); or, though I can only hazard a solution here as I am no engineer, maybe having the key on a secure dongle.

This is, however, the normal progress of security technology. Somebody develops a technology, and then somebody finds a flaw. The flaw is fixed, and then somebody finds another flaw. Rinse and repeat. There is no such thing as "bug-free" software. If someone claims they have bug- or flaw-free software, the flaws just haven't been found yet. Nothing is "foolproof", or better to say, nothing will withstand someone who has time and money at hand to try and crack the defenses.

In other words:

How long will it take, in reality, for the RAM to have shut off properly and the data to be GONE? Theoretically, the way I see it, a couple of minutes after you have shut down the PC, i.e. turned it off and cut the power to it too. Unless someone bursts in during that process, gets to the PC, opens it up, sprays Freon onto the chips, etc., in which case it may happen, but... reality says that this is HIGHLY unlikely, and the time it would take to actually get to the chips – physically – should already have rendered the attempt null and void.

All this is is a scenario showing that it could be done if the chip is immediately accessible, etc. Instead of worrying about this, however, we should rather worry about those, dare I say, idiots who keep the passwords to their encryption keys and such in the wrong places, or have them as simple as their wife's maiden name or what-have-you. Or those who carry dongles with passwords, encryption keys and such, where the dongles themselves are not password protected, let alone encrypted. Flash drives such as the "Cruzer Enterprise" from SanDisk, or those from "Ironkey" or those from Kingston Data, might provide the answer there. The weakest link is not technology, in most instances, but, as so often in other situations too, the human element.

© Michael Smith (Veshengro), February 2008