Archive for the ‘Cryptography’ Category

Bypassing whole disk encryption using the coldboot technique

Monday, July 20th, 2009

The cold boot technique, pioneered at Princeton a few months back, can be used to recover, among many other things, the keys used for whole disk encryption. The team at Princeton has a good video explaining how the technique works here: http://citp.princeton.edu/memory/.

The technique is actually pretty straightforward: rapidly terminate a running (or hibernating) machine and get it to boot your USB thumbstick as soon as possible (this can also be done over the network via PXE). Once the thumbstick boots up with their tiny piece of software, the software simply dumps all memory to a file on the USB stick. Once that completes, you are free to go to any other machine with your thumbstick and analyze the dump file with any of your favorite forensic tools. Many treasures can be unearthed by analyzing this dump, but to make it easier to find AES and RSA encryption keys in the memory dump, the team also provides 2 tools for the job. The whole disk encryption key is only one of the many things an attacker will have access to after obtaining a memory dump. All running programs, lmhash passwords, files in memory, etc. will be recoverable using common disk forensic tools.

Last but not least, and perhaps the most interesting aspect of their research, they found that they were able to make the contents of RAM persist for up to 10 minutes at a time by cooling down the DRAM chips in the computer before abruptly terminating it. In their demo they were able to use common dust spray cans to cool down the memory sufficiently. Their numbers for warm DRAM chips were more in the seconds-to-minutes range, depending on many factors. It may be a good idea to test your machines to see how much data you can recover from memory after a cold boot so you can determine how vulnerable they are to this technique.

To mitigate this risk you should layer encryption of very sensitive documents by using file or virtual disk encryption within your encrypted drive. Remember that whole disk encryption should only be one of multiple layers; reduce the risk of this physical threat by combining whole disk encryption with physical security measures. Shutting down the machine completely when possible may also be a good idea.

Storing sensitive information using public key encryption in PHP

Friday, July 17th, 2009

To encrypt your sensitive information using public key encryption (also known as asymmetric encryption), you will first need to install OpenSSL and generate a key pair in PEM format. I will not cover how to install OpenSSL; details on installing it can be found at: http://www.openssl.org/

Once you have installed OpenSSL you will want to use it to generate both a private and public key.

To generate your private key use the following command:

openssl genrsa -aes256 -out private.pem 2048

This will generate a private key named “private.pem”. Make sure to keep this key in a secure location, ideally not on the web, application or database server. Keeping the private key on a couple of USB drives would be a good idea, so you can simply use it off the USB drive when needed to decrypt data and have a few extra USB keys as backups. If you lose the private key, you will not be able to retrieve the encrypted information. While generating your private key, make sure to use a strong pass-phrase, as it will be the last line of defence in protecting your private key. Your private key is the key to the kingdom: once someone has access to it, they will be able to decrypt any information that was encrypted using your public key.

Next generate a public key using the following command:

openssl rsa -in private.pem -out public.pem -outform PEM -pubout

This will generate the public key in a file named public.pem. This public key will be used to encrypt your sensitive information. This public key is not sensitive information and can be shared with anyone and put on your web server. Only the corresponding private key will be able to decrypt information that was encrypted with this public key. Once you have generated the public key you will want to put it on your web server so you can encrypt your sensitive information with it.

To encrypt information in PHP using your newly generated public key you will want to use the openssl_pkey_get_public() and openssl_public_encrypt() functions. Simply put, the first function loads the PEM file containing your public key and the second function encrypts your data into a variable using your public key. Here is an example of how to do so:


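<?php
$string = "data to encrypt";

// public.pem needs to point to a valid path or URL where your public key is located
$publickey = openssl_pkey_get_public(file_get_contents("public.pem"));
if ($publickey === false) {
    die("Unable to load public key: " . openssl_error_string());
}

// this encrypts input $string into $crypt_output using $publickey;
// it returns false on failure, for example when $string is too long for the key
if (!openssl_public_encrypt($string, $crypt_output, $publickey)) {
    die("Encryption failed: " . openssl_error_string());
}

// this outputs the encrypted data in binary format
echo $crypt_output;
?>
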
$crypt_output is in a binary format; if you plan on storing it in a database text field such as char or varchar, you will want to base64 encode the data first using base64_encode(). For optimal performance, you should load the public key once and use it across requests, but this code snippet is simplified for demonstration purposes.

Finally, to decrypt your data (here we are assuming the data is in a file named “cipher”), you would issue the following command to decrypt it using your private key:

openssl rsautl -decrypt -inkey private.pem -in cipher

If you decided to base64 encode your data, make sure to base64 decode it before feeding it to openssl. Ideally you would decrypt that data somewhere outside your web server or database server for further processing using openssl, but if you would also like to do it in PHP (web or CLI), it’s also possible to use openssl_pkey_get_private() and openssl_private_decrypt() from within PHP (pretty much just like the public key encryption example) to decrypt information.
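
The round trip described above (encrypt, base64 encode for storage, base64 decode, decrypt with the pass-phrase protected private key), as an added example that is not part of the original post. It assumes a throwaway key pair generated inside the script as a constructed stand-in for private.pem and public.pem; the function names encrypt_for_storage() and decrypt_from_storage() are hypothetical, and the length check covers the case where the input is too long for RSA with the default padding.

```php
<?php
// Added example: the throwaway key pair and pass-phrase below are constructed
// stand-ins for the page's private.pem / public.pem so the script runs offline.
$passphrase = "example pass-phrase only";
$pair = openssl_pkey_new(["private_key_bits" => 2048, "private_key_type" => OPENSSL_KEYTYPE_RSA]);
if ($pair === false) {
    exit("key generation failed: " . openssl_error_string() . "\n");
}
openssl_pkey_export($pair, $privatePem, $passphrase);   // pass-phrase protected PEM
$publicPem = openssl_pkey_get_details($pair)["key"];    // what the web server holds

// Web server side: encrypt with the public key, return text safe for a varchar column.
function encrypt_for_storage(string $plain, string $publicPem): string
{
    $key = openssl_pkey_get_public($publicPem);
    if ($key === false) {
        throw new RuntimeException("cannot load public key");
    }
    // RSA with PHP's default PKCS#1 v1.5 padding takes at most (key bytes - 11) bytes.
    $max = intdiv(openssl_pkey_get_details($key)["bits"], 8) - 11;
    if (strlen($plain) > $max) {
        throw new LengthException("plaintext exceeds $max bytes for this key");
    }
    if (!openssl_public_encrypt($plain, $cipher, $key)) {
        throw new RuntimeException("encryption failed: " . openssl_error_string());
    }
    return base64_encode($cipher);
}

// Offline side: base64 decode first, then decrypt with the pass-phrase protected key.
function decrypt_from_storage(string $stored, string $privatePem, string $passphrase): string
{
    $key = openssl_pkey_get_private($privatePem, $passphrase);
    $cipher = base64_decode($stored, true);
    if ($key === false || $cipher === false) {
        throw new RuntimeException("bad private key, pass-phrase or base64 data");
    }
    if (!openssl_private_decrypt($cipher, $plain, $key)) {
        throw new RuntimeException("decryption failed: " . openssl_error_string());
    }
    return $plain;
}

$stored = encrypt_for_storage("data to encrypt", $publicPem);
echo decrypt_from_storage($stored, $privatePem, $passphrase), "\n";
try {
    encrypt_for_storage(str_repeat("A", 300), $publicPem);
} catch (LengthException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```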

This is the general idea of how public key encryption can be used in PHP to securely store data on your servers and later decrypt it at another location using the private key. Even if your server gets compromised and the public key and encrypted data are available to attackers, they would not be able to decrypt the information using today’s technology if they do not have access to your private key.