Tag: computer security

Ars Technica: A new way to think about data encryption: two-level keys

Current encryption methods are far from perfect—a fact highlighted by the numerous data security breaches that have occurred over the past few years. Technological limitations in the “trusted server” model for encryption and psychological barriers hinder the robust protection of data. A trio of computer science researchers has set out to simplify encryption systems. Their research, which began in 2005, has led to a novel encryption system that they term “functional encryption” greatly simplifies the problem of key complexity.

In a functional encryption system, keys are personalized and only one is needed for a person to gain access to all the data that should be available to them. In addition to simplifying the key process, this idea allows users—with proper access rights—to search encrypted volumes for specific information.

For the mathematically inclined the published research paper.

BBC News: Home Office CD in auction laptop

A highly confidential Home Office disk was found hidden in a laptop computer sold on eBay.

The CD was found between the keyboard and circuit board of the laptop by computer repair technicians in Westhoughton, near Bolton.

This is an odd story because it is a mystery how it would end up being hidden inside the laptop. However it’s not all bad news because unlike other recent security lapses in this case the repair technicians discovered that the data on the CD had been encrypted.

Ed Felten and his colleagues have released an amazing research result which leads to an attack on hard disk encryption systems such as TrueCrypt, BitLocker and FileVault. Through the process of rapidly reducing the temperature of the memory chips in a computer they can extract the data contained within which would include the encryption key neccessary to decrypt the computer’s hard drive. [via]

Contrary to popular assumption, DRAMs used in most modern computers retain their contents for seconds to minutes after power is lost, even at operating temperatures and even if removed from a motherboard. Although DRAMs become less reliable when they are not refreshed, they are not immediately erased, and their contents persist sufficiently for malicious (or forensic) acquisition of usable full-system memory images. We show that this phenomenon limits the ability of an operating system to protect cryptographic key material from an attacker with physical access. We use cold reboots to mount attacks on popular disk encryption systems — BitLocker, FileVault, dm-crypt, and TrueCrypt — using no special devices or materials.

This is a very interesting piece of research but I don’t believe that it actually yields a practicable attack on hard disk encryption as long as the user maintains control of their computer in the thirty seconds or less following shutdown.

Just make sure that you don’t leave your laptop laying around whilst in sleep mode or locked by a screensaver password, but a user with enough security sense to have hard disk encryption on there computer is unlikely to do that anyway.

Declan McCullagh gives his analysis of the research in this article Disk encryption may not be secure enough, new research finds.

BBC News: M&S staff details left on laptop

Marks and Spencer has been found in breach of data protection rules after the theft of a laptop containing the personal details of 26,000 employees.

The Information Commissioner’s Office (ICO) said the data on the laptop, which was stolen from the home of an M&S contractor, was unencrypted.

The ICO has ordered M&S to make sure all laptop hard drives are fully encrypted by April 2008.