Upon actually reading the paper, I answered my own question. The attack works regardless of BitLocker's mode if the computer is on or in standby, and works in "basic mode" (BitLocker+TPM in transparent operation mode) even if the computer is off (since booting it up will cause the TPM to automatically release the key if no boot components have changed), but will not work if the computer is in hibernation or in an off state and not in basic mode.
Very interesting paper. The attack exploits hardware, so I suspect we'll need a hardware solution for this problem.

- G

----- Original Message -----
From: "Dave Jevans" <[EMAIL PROTECTED]>
To: <[email protected]>
Cc: "Garrett M. Groff" <[EMAIL PROTECTED]>
Sent: Friday, February 22, 2008 12:17 AM
Subject: Re: [FDE] Scary......

> This attack WOULD work, as it is preserving the AES keys in DRAM after the
> authentication has been completed.
>
>
> At 6:28 PM -0500 2/21/08, Garrett M. Groff wrote:
>>Regarding the following statement:
>>"It's a pretty exotic attack if you're using authentication (ie not
>>Bitlocker in TPM mode, or some autoboot mode)."
>>
>>That is only an issue when using BitLocker's "transparent operation mode,"
>>right? I.e., when using BitLocker+TPM and requiring that a PIN or USB key be
>>entered/present, this hardware-based attack doesn't work. Correct?
>>
>>
>>----- Original Message -----
>>From: "SafeBoot Simon" <[EMAIL PROTECTED]>
>>To: <[email protected]>
>>Sent: Thursday, February 21, 2008 5:38 PM
>>Subject: Re: [FDE] Scary......
>>
>>
>>It's a pretty exotic attack if you're using authentication (ie not
>>Bitlocker in TPM mode, or some autoboot mode).
>>
>>You'd have to attack a FDE protected machine that was on, or was on
>>only a very short time ago (minutes). Most data exposure comes from
>>people stealing drives or machines from cars etc which are long off.
>>
>>This is also not that new (though it seems to be creating a lot of
>>panic today) - it's an attack considered for many years.
>>
>>And of course with FDE, the simple act of zeroing all copies of the
>>key from memory on shutdown would resolve the "just off" scenario,
>>though nothing except something like Danbury or Seagate FDE solves the
>>"stolen while on" situation - but in that case, there are many good,
>>but perhaps more exotic attacks, like the firewire memory download, or
>>any potential network attack points.
>>
>>
>>On Feb 21, 3:19 pm, "Ali, Saqib" <[EMAIL PROTECTED]> wrote:
>>> http://citp.princeton.edu/memory/
>>>
>>> However, hardware based encrypted drives like Seagate FDE would easily
>>> deter these types of attacks.
>>> _______________________________________________
>>> FDE mailing list
>>> [EMAIL PROTECTED]
>>> http://www.xml-dev.com/mailman/listinfo/fde
