Re: Protection for quasi-offline memory nabbing

2008-03-26 Thread Alex Alten
At 10:38 AM 3/21/2008 -0700, Jon Callas wrote:
> Despite that my hypotheses are only that, and I have no experimental data, I think that using a large block cipher mode like EME to induce a pseudo-random, maximally-fragile bit region is an excellent mitigation strategy.

Isn't EME patented?

Re: Protection for quasi-offline memory nabbing

2008-03-21 Thread Steven M. Bellovin
I've been thinking about similar issues. It seems to me that just destroying the key schedule is a big help -- enough bits will change in the key that data recovery using just the damaged key is hard, per comments in the paper itself.

Re: Protection for quasi-offline memory nabbing

2008-03-21 Thread Jack Lloyd
On Tue, Mar 18, 2008 at 09:46:45AM -0700, Jon Callas wrote:
> What operates like a block cipher on a large chunk? Tweakable modes like EME.

Or as a non-patented alternative one could use the Bear/Lion constructions [1], which can encrypt arbitrary size blocks at reasonably good speeds (depending

Re: Protection for quasi-offline memory nabbing

2008-03-21 Thread Jon Callas
On Mar 19, 2008, at 6:56 PM, Steven M. Bellovin wrote:
> I've been thinking about similar issues. It seems to me that just destroying the key schedule is a big help -- enough bits will change in the key that data recovery using just the damaged key is hard, per comments in the paper itself.

Protection for quasi-offline memory nabbing

2008-03-19 Thread Jon Callas
Such as Cold Boot, etc. There have been a number of conversations among my colleagues on how to ameliorate this, particularly with an eye to making suspend mode safer. In the Cold Boot paper, the authors suggested XORing a piece of random memory onto the dangerous bits, so as to fuzz