
By Jack Ganssle

Securing Keys

Published 6/01/2009

In one of the more interesting articles in the Communications of the ACM in recent years, Halderman and a cast of thousands write in the May, 2009, issue that they have found a way to get encryption keys from any PC using, of all things, Freeze-Mist.

At room temperature they found that a 1999-era Dell PC's DRAM gives a 41% bit error rate after 60 seconds without power, rising to only 50% after 5 minutes. But at -50°C there were no errors after a minute, and only a 0.000095% bit error rate after 300 seconds! I was astounded by those numbers, which go against everything I believed about DRAM.

Things get worse (or better, for those trying to keep stuff encrypted) with more modern DRAM. But not enough better to thwart determined attackers. A 2006 IBM ThinkPad had a bit error rate of 0.025% after 40 seconds, and only 0.18% after twice that time.

The implications are stunning. First, everything PC folks believe about security is wrong. The authors were able to freeze memory, remove power, pull the chips, and then reconstruct keys. They went much further, and created software that very effectively searches DRAM for all sorts of keys (DES, AES, and RSA), extracts them, fixes bit errors in the keys, and then decodes files stored on the systems' hard disks. I had to check to make sure this wasn't an April 1 article.

Second, do you ever depend on DRAM forgetting? For creating, say, a seed for a random number generator, to hide data, to see if power failed, or for other reasons? If so, your assumptions may be wrong.

(Note: We've long known that memory at power-on isn't particularly random, so it's poor practice to use it as a random number seed. But a lot of code looks to see if stored values are corrupt to detect a power-cycle, and that scheme doesn't seem valid anymore.)
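The power-cycle check mentioned in the note above, run against the bit error rates quoted in this article. This is an added example, not code from the article or from the cited paper; the signature value, the function names and the independent-bit-flip decay model are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define WARM_MAGIC 0xA5C33C5Au /* constructed signature value, not from the article */

/* The scheme in question: a signature still intact in RAM is read as
   "power never dropped, so skip the cold-start path". */
static int looks_like_warm_boot(uint32_t stored) { return stored == WARM_MAGIC; }

/* Simplified decay model (assumption): each bit flips independently with
   probability ber, the bit error rate measured after the power-off interval. */
static uint32_t decay(uint32_t word, double ber) {
    for (int bit = 0; bit < 32; bit++)
        if ((double)rand() / ((double)RAND_MAX + 1.0) < ber)
            word ^= (uint32_t)1 << bit;
    return word;
}

/* Fraction of simulated power losses that the check misreads as a warm boot. */
double missed_power_loss_rate(double ber, int trials, unsigned seed) {
    int missed = 0;
    srand(seed);
    for (int i = 0; i < trials; i++)
        missed += looks_like_warm_boot(decay(WARM_MAGIC, ber));
    return (double)missed / trials;
}

/* Closed form for a signature of any width: (1 - ber)^bits. */
double survival_probability(double ber, int bits) {
    double p = 1.0;
    while (bits-- > 0)
        p *= 1.0 - ber;
    return p;
}

int main(void) {
    /* Bit error rates quoted in the article, as fractions. */
    const struct { const char *label; double ber; } cases[] = {
        {"1999 Dell, room temp, 60 s", 0.41},
        {"2006 ThinkPad, 40 s", 0.00025},
        {"2006 ThinkPad, 80 s", 0.0018},
        {"-50 C, 300 s", 0.00000095},
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-28s simulated %.4f  exact %.4f\n", cases[i].label,
               missed_power_loss_rate(cases[i].ber, 100000, 1u),
               survival_probability(cases[i].ber, 32));
    return 0;
}
```

Under this model a 32-bit signature reliably fails the check only at the 41% error rate; at the 0.18% rate it survives about 94% of power losses, so the check reports a warm boot after power was actually removed.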

The authors cite a study that suggests SRAM has similar retention issues.

I highly recommend reading the piece. Alas, it's available only to ACM members. It's one of the few articles I've read in a long time that just flabbergasted me.