TC cold ram attack question

Hello everyone,

I have been a long time lurker and this board has helped me a great deal in lots of questions.
But now I have one taht even the search function could not answer completely.

I read about the possibility of a cold Ram attack when TC volumes are not dismounted correctly.
My question now is, how long is this attack possible?
Let's say the computer keeps running, does that mean the attack is possible as long as the computer is running?
When I shut down the computer and unplug the power cable, how long would the Master key be still retrievable from RAM, e.g. how long does it reside in RAM afetr power is cut completely?

Thanks in advance for any help!

Pecker

 

When you properly dismount a TrueCrypt volume its key is wiped immediately, so this is by far the best approach. You can set up a simple hotkey to do this with a single click or a keystroke combination.

If you yank the plug or otherwise shut down your system without dismounting then you have to wait for your system's memory to decay before the key becomes irretrievable. The time interval varies considerably for different computers, but it appears to be a matter of seconds or possibly up to several minutes. I suggest you read this if you haven't already:

http://citp.princeton.edu/memory/

 

Great, thanks a lot for the link and info.

So basically, if I dismount the volumes normally there is no way of accessing the key, right?

And even if they are not dismounted, the Ram will be cleared after a few minutes and has to be accessed physically in order to read the contents, right?

Pecker

 

Essentially yes, although there are a few exceptions. For example, if you hibernate your computer while a TrueCrypt volume is mounted then the key, which is normally held only in RAM, will be written to disk in the hiberfil.sys file. Thus, it's best to disable hibernation when TrueCrypt volumes are mounted. (I'm referring to the use of standalone TrueCrypt volumes, not the new System Encryption feature, which handles this differently.)

Right. Keep in mind, of course, that if somebody wants to break into your computer and they have physical access then there are other methods they could use that would work even better, e.g. placing a keylogger or a hidden camera in order to capture your passphrase, or possibly performing a surprise visit at a moment when you've stepped away from the computer and can't dismount the volume.

 

This is an issue with all encryption software including PGP, but is pointed towards whole disk encryption, if an attacker gets to your machine before the ram clears itself, and keeps it cold, he can keep the data on the ram for up to 10 hours, giving him more than enough time to retrieve your pass/keys so Ive read, I may be wrong?

I think it may be different for Encrypted Containers, as in one can disable the option to cache the password/keyfiles in the ram, this feature is used to mount multiple containers that use the same pass/keys, and is not needed unless you plan to do so!

So if disabled, the key should be automatically cleared once the container is mounted? am I right?

If so, why don't the creators of the encryption software make it so the password/keys are cleared after the whole encrypted disk is mounted, why does it have to remain in memory after the disk has been mounted?

If the keys can be cleared for open encrypted containers, why cant they be cleared for open whole disk encrypted partitions?

 

Where did you read this "up to 10 hours"? Browsing the princeton details on this attack, I remember the time for the attack was around 10 minutes, if the ram got cooled immediately.

 

I think it was the time for attack was up to 10 minutes, but once the Ram was froze/cold, the information could remain for up to 10 hours being that the ram remained in the cold state!

I could be wrong, I think the link is somewhere on this forum though!

 

The encryption key has to remain in RAM for the entire time that the container remains mounted, otherwise there would be no way to encrypt/decrypt the data. The key is quickly and securely wiped from RAM as soon as the container is dismounted. Thus, if cold boot attacks are on your threat list, the best strategy would be to dismount any open containers as soon as you don't need them, and have a hotkey ready so you can perform an instant dismount if necessary.

System encryption works similarly, but it is more vulnerable to a memory attack because the key must remain in RAM for the entire time that the encrypted system is in use. Also, the key is not immediately wiped during a shutdown, otherwise the various shutdown processes, some of which can take quite awhile, would be unable to finish. In an emergency situation it would probably be best to pull the plug so that the RAM can start to decay immediately rather than waiting for Windows to complete a normal shutdown.

If you use system encryption and fear cold-boot attacks, the best approach is to combine system encryption with container encryption, and dismount your containers anytime they aren't needed.

 

Why is their an option in Truecrypt "To" Cache the passwords and keyfiles in memmory "Or Not" and an option to wipe the password/Keyfile cache?

Wouldn't this option be obsolete, if the passwords and keyfiles are stored (Kept in) in the memory anyways?

I think their is also a way for an attacker to read your memory from his machine (wile online) if he gained access to your machine thru the use of a Trojan ect to gain control?

___________________________________________________________________________________________

 

Imho there is another problem, something that is able to reside over tc encrypted harddisks as a hidden layer or hidden layered file system, it looks like a stealth communication bot.
This is much more unreal then a usual worst case scenario of a pc/laptop theft attack.

 

The password/keyfile data is used to generate the encryption key, which is stored in RAM. The encryption key (also known as the "master key") is necessary before you can mount an encrypted volume, and it remains in RAM until you dismount the volume. However, once the encryption key has been generated you no longer need the password/keyfile data, and this can be disposed of. The option to cache it in memory (stored in plaintext the last time I checked) is merely a convenience feature. If you do cache it then you can mount multiple containers using the same password/keyfile data, while only having to enter the password and point to the keyfile(s) once. If desired you can also wipe the password cache to increase your security, or just never cache it in the first place. It all depends upon your threat model. However, you can't wipe the encryption key until the volume has been dismounted, so if someone is reading your memory then you're in serious trouble.

Yes, if an attacker could read your memory then you would be royally screwed, and your encryption keys would be among the many prizes. Any mounted containers would also be wide open, by the way. The whole point of online security is to prevent this sort of thing from happening. The only way TrueCrypt could defend you against that threat would be if you never typed in your passwords and never mounted your containers.

 

Thanks for the reply, that was interesting! I wasn't to sure on how that part worked!

so the password/keyfile generates the master key, and is only needed to generate the master key which then sits in Ram until you decide to dismount your volume, and shut down your machine for the time needed to erase the information stored in your ram! Now I understand it!