
MASARYK UNIVERSITY FACULTY OF INFORMATICS

Attacks & Analysis of OpenSSL AES crypto material from memory dumps

MASTER'S THESIS

Surya Prakash Mishra

Delhi, Spring 2017

Declaration

Hereby I declare that this paper is my original authorial work, which I have worked out on my own. All sources, references, and literature used or excerpted during elaboration of this work are properly cited and listed in complete reference to the due source.

Surya Prakash Mishra

Advisors: Chester Reibero, Petr Svenda

Acknowledgement

I would like to express my sincere thanks and gratitude to my thesis supervisor Prof. Chester Reibero for his valuable guidance, support and feedback. I owe my sincere thanks to RNDr. Petr Svenda, Ph.D., for his motivation and insight, without which I could not have explored the details. My thanks and gratitude to prof. RNDr. Vaclav Matyas, MSc, Ph.D., who has remained a source of inspiration for carrying out this work.

Abstract

In recent years, side-channel attacks[1] have seen significant progress. Among the different types of side-channel attacks, the cold boot attack[2] is considered a very powerful attack and has created considerable interest among researchers. The attack was discovered by a group of researchers from Princeton University[2] in 2008 and exploits the memory remanence property of random access memory. It can be used to defeat the hard disk encryption systems that protect sensitive information in IT products. Success of the attack depends on the detection and correction of the sensitive information in the distorted data obtained during execution of the attack. In this thesis, an attempt has been made to improve the recovery methods so that the attack remains feasible even when more errors have been introduced during its execution. Experiments have also been carried out to study and improve the efficacy of these techniques for mounting the attack on realistic hard disk encryption systems like Truecrypt/VeraCrypt[3].

Keywords: clock glitching, cold boot attack, DIMM, EM attack, fault attack, lightweight OS, memory remanence, power attack, side channel attack, SIMM, voltage glitching.

Contents

1 Introduction
2 Side Channel Attacks
3 Different types of memories and data remanence
4 Usage of different types of RAMs
5 OpenSSL[15] and AES[16]
  5.1 OpenSSL[15]
  5.2 AES[16]
    5.2.1 Substitute Byte
    5.2.2 Shift Row Transformation
    5.2.3 Mix Column Transformation
    5.2.4 Add Round Key Transformation
    5.2.5 Round Key Generation
6 Truecrypt/Veracrypt[3] and its detailed description
  6.1 Using Veracrypt[3] for creation of volume or container
  6.2 Technical details of creation of encrypted volume
  6.3 XTS Mode of Operation
  6.4 Veracrypt[3] Volume Format
  6.5 Header Key Derivation
    6.5.1 Random Number Generator
7 Steps required to mount cold boot attack
8 Experiments carried out and results obtained
  8.1 Imaging Tool
    8.1.1 Experiments of memory remanence
    8.1.2 Study of statistical patterns
    8.1.3 AES key detection
    8.1.4 AES key detection results
    8.1.5 Reconstruction of correct keys
    8.1.6 Experiments with Veracrypt/Truecrypt[3]
9 Conclusion
Bibliography

List of Tables

5.1 AES Round Transformation
5.2 AES S-Box[16]
5.3 AES Inverse S-Box[16]
6.1 Veracrypt[3] Volume Format
8.1 Statistics of distortion pattern after 2 seconds
8.2 Statistics of distortion pattern after 5 seconds
8.3 Statistics of distortion with respect to time
8.4 Byte-wise Hamming distances of the distorted key from the original round keys
8.5 Round key byte determination during key correction for a 128-bit key
8.6 Success rate for 128-bit AES
8.7 Round key byte determination during key correction for a 256-bit key
8.8 Success rate for 256-bit AES

List of Figures

3.1 SRAM and DRAM Cell[14]
5.1 AES Block Diagram[16]
5.2 AES Round Transformation[16]
5.3 AES Column Transformation and Round Key Generation[16]

1 Introduction

The remanence effect of different types of memory has been known for a long time. In the case of non-volatile memory like a magnetic disk, it was considered a security threat, and countermeasures like secure erasure were already in practice. In the case of volatile memory like SRAM and DRAM, memory remanence was not taken seriously. In 2008, researchers from Princeton University[2] demonstrated the memory remanence of RAM as a practical security threat and named the technique the cold boot attack. Their research established that the volatility of computer memory should not be taken for granted, because it can be exploited to obtain sensitive information from the system. They observed that the content of RAM remains intact for up to a few minutes at normal temperature after power has been removed, and that this duration can be extended by cooling the modules. In the attack, an attacker with physical access to the memory tries to retrieve secret parameters like keys, passwords and other sensitive information about the system.

To mount the attack, the system needs to be cold booted. In cold booting, the system is reset or powered off in a way that does not give it the opportunity to shut down cleanly. The system is then rebooted immediately using a lightweight operating system, which is also used to dump the content of RAM to disk. Other ways of mounting the attack are removing the memory module and placing it in a compatible system, or cooling the memory module and reading it out at some later point in time. Among these three approaches, the first seems to be the most practical and least cumbersome. Although the attack itself is simple to carry out, the memory is decaying while it is being acquired, so the acquisition results in a corrupted memory image. In this approach, the correction of the distorted data and its impact on the feasibility of mounting the attack is an interesting problem.
In this thesis, an attempt has been made to study the distortion pattern of the data with respect to time. Analysis of the distortion pattern and its use for correction of keys from the dumped content of RAM is also attempted. To carry out this study, the OpenSSL implementation of AES as well as other implementations available over the internet have been used. Extensive experimentation has been carried out to see the applicability of the improved key correction technique for recovering the two 256-bit keys used in the hard disk encryption system Truecrypt/Veracrypt.

2 Side Channel Attacks

Side channel attacks are attacks in which the analyst does not focus on the theoretical aspects of the crypto algorithm but instead tries to exploit information gained from its physical implementation. Side channel attacks which have been used effectively for the analysis of different cryptosystems are the timing attack[4], power attack[5], electromagnetic attack[6], acoustic attack[7], fault attack[8] and memory remanence attack[2].

A timing attack exploits timing variations during the execution of a cryptographic algorithm. These variations may be due to branching operations, cache memory or other micro-architectural features of the processor. Such attacks have proved effective against public-key as well as private-key cryptosystems.

In a power attack, the correlation between the power consumed by the device and the data being manipulated is used to extract secret parameters (like the key). Simple power analysis, differential power analysis[5], correlation power analysis[9] and template attacks[10] are variations of this type of attack, which is most effective against embedded systems. The philosophy of the electromagnetic attack is the same as that of the power attack, except that the side channel exploited is the electromagnetic emanation of the device. Being non-invasive, this type of attack is easier to mount, but it quite often requires extra post-processing of the signals before the attack itself.

In a fault attack, an attempt is made to introduce a fault during execution of the algorithm and, using the correct and faulty ciphertexts, to find the key. Initially this attack was published for RSA[8], but later it was extended to block ciphers like DES[11] and AES[12]. To introduce the fault during execution of the algorithm, clock glitching[13], voltage glitching or a focused ion beam can be used.

A memory remanence attack uses the remanence effect of volatile and non-volatile memory. The cold boot attack is a memory remanence attack, and it can be used to extract the key of public-key as well as private-key cryptosystems.

3 Different types of memories and data remanence

Data remanence is a property of a storage medium by which it retains a residue of data even after the data has been erased in some way. This property of magnetic storage was known as early as the 1960s. In theory, there is always some possibility of recovering data using techniques like magnetic force microscopy, particularly if the data has been sparsely overwritten. Data encryption, overwriting, degaussing and destruction of the original media were the commonly used methods to safeguard against accidental disclosure of data from such devices. Semiconductor memories also exhibit memory remanence[14]. In practice, two types of semiconductor memory are used, Random Access Memory (RAM) and Read Only Memory (ROM), and RAM is further divided into Static RAM (SRAM) and Dynamic RAM (DRAM). To store information in SRAM, a bistable flip-flop is set to a particular state, which it keeps as long as power is applied and no new data is written. In DRAM, information is stored by charging a capacitor, which must be refreshed periodically because the charge dissipates over time. Normally these DRAM cells are electrically refreshed every few milliseconds, and all memory modules are refreshed in the same way, although the specific timing and rate of refresh may depend on the needs of a given set of modules. The refresh timings are set by the computer's BIOS but can also be modified by the operator of the computer. The circuitry of an SRAM cell is more complex than that of a DRAM cell, so actual realisations of DRAM are more compact (about 25% of the area) than SRAM; on the other hand, because of their faster access times and low-power operation, SRAMs are preferred over DRAMs where speed matters. The cells are arranged in a matrix and each cell is individually addressable. To write data into an SRAM cell, the cell is selected and the value presented on the Data/Data-bar lines is stored in the cross-coupled flip-flop.

DRAM cells[14] are built from a capacitor and a transistor, the transistor being used to store or access the charge on the capacitor. Early designs used three-transistor (3T) cells; newer ones use a one-transistor cell, as shown in Figure 3.1. Data is stored in the cell by setting the data line to a high or low voltage level while the select line is activated. The DRAM cell circuit is simpler than the six-transistor SRAM cell. Reading data from a DRAM cell is tricky, and designing the cell to maximize the stored charge in the minimum storage capacitor is a challenge. To read the data, sense amplifiers are used: extremely sensitive comparators that compare the value stored in the DRAM cell with that of a reference cell, a dummy cell storing a voltage halfway between the two voltage levels used in the memory cell. Cell storage typically consists of the underlying semiconductor serving as one plate, separated from the other, polysilicon, plate by a thin oxide film. Earlier memory blocks ranging in size from 16 Kb to 1 Mb used this fairly straightforward two-dimensional planar cell capacitor, placed next to the transistor and occupying about a third of the total cell area. The capacitor plates are separated by the oxide thickness; reducing this thickness increases the capacitance and also reduces the cell area. Designers of newer cells moved from the 2D plate capacitor to 3D structures such as trench and stacked capacitors to produce memory blocks of higher capacity. The time during which the cell contents can be recovered without access to specialized equipment is defined as the storage time; typically it lies between 2 and 4 seconds for normal memory cells. It depends on the storage capacitance and therefore on the physical dimensions of the capacitor[5]. DRAM designers have introduced various ingenious tricks to reduce the dimensions of the cell while keeping the storage capacitance constant.

The surface area of the dielectric and conducting material determines how much electric charge a capacitor can hold; the two are proportional to each other. To increase the density of standard computer memory, these capacitors need to be shrunk. As memory density increases, the surface area of each individual capacitor decreases, so it stores less charge for each bit of information. The effect of this smaller stored charge is that it reduces the time required for the capacitor to discharge sufficiently to return to its ground state. This discharge, or leakage of electrical energy, is the major cause of DRAM-based memory decay.


The decay time of a capacitor is measured in terms of a half-life period, which is difficult to determine. The process of computer memory decay is stochastic and can be modeled using a statistical multivariate covariance model; such modeling is considered a difficult problem and can only be done when certain key factors can be estimated. The rate of decay depends on several factors like the size of the capacitor, the temperature of the memory and residual capacitance. There are many other, unidentified, factors which may also influence the decay, like impurities in the semiconductor material, cosmic rays and electromagnetic interference. Among all these factors, temperature is the only one that is easy to control, by cooling the memory module. The cold boot attack is based on the fact that simply turning off a computer does not necessarily erase all of its memory contents. In this attack the content of the memory is captured by removing the power and rebooting the system with an alternate operating system having a small footprint. To increase the retention time of the memory chips, the modules can be flash-frozen and then, at an appropriate time, placed in another system where their content is captured. Flash-freezing can be carried out by inverting a can of dust-removal spray so that it propels the liquid inside; the liquid coming out of the can easily reaches temperatures of -40 °C.


Figure 3.1: SRAM and DRAM Cell[14]. (The figure itself is not reproduced here; it shows a six-transistor SRAM cell with load devices on +V, complementary Data/Data-bar lines and a Select line, beside a one-transistor DRAM cell with a single storage capacitor, a Data line and a Select line.)

4 Usage of different types of RAMs

As far as the usage of the different types of RAM is concerned, SRAM is generally restricted to hardware components where very high data transfer rates are required, such as CPU caches and hardware buffers (e.g. hard disk and optical drive buffers). Asynchronous DRAM was typical of older computer memory modules, common in systems like the 386, 486 and older Pentium models, and is no longer in use; it has been superseded by SDRAM, which includes the DDR1, DDR2 and DDR3 technologies, each a newer form of SDRAM with a significantly higher data transfer rate. Different types of DRAM-based memory modules have different bus interfaces, such as SIMM or DIMM. A SIMM uses a single set of metal contacts on one side of the module to connect to the system bus, whereas a DIMM uses two sets of contacts, one on each side of the module. SIMMs are generally limited to 72 or fewer single-sided contacts (sometimes called pins), while DIMMs have 72 or more dual-sided contacts. Modern computer systems are commonly equipped with 1 to 4 GB of RAM, and it is very likely that the memory is spread across multiple memory slots. These systems may support 32-bit or 64-bit architectures, and most of them support both. In terms of addressability, 32-bit systems are generally limited to a maximum of 4 GB of memory, whereas 64-bit systems can support much larger amounts. Most modern operating systems like Windows and the Linux distributions support both 32- and 64-bit computing.

5 OpenSSL[15] and AES[16]

5.1 OpenSSL[15]

When communicating over computer networks, various security requirements need to be addressed: communication over the network must be protected against eavesdroppers, and the identity of the parties involved in the communication must be established. OpenSSL[15] is a very popular open-source library used for implementing secure protocols like SSL/TLS over the internet that meet these requirements, and it is used by the majority of web servers. The library implements the cryptographic primitives required for these functions and is written in C; it can be used from other languages through wrappers. Versions of the library are available for operating systems like Unix, Linux, Windows and macOS. The 1.1.0 series of OpenSSL[15] was released in August 2016; at the time of writing the latest release is 1.1.0e. OpenSSL[15] supports the following algorithms. Symmetric ciphers for confidentiality: AES, SEED, CAST-128, DES, IDEA, RC2, RC4, RC5, Triple DES, GOST and others. Cryptographic hash functions for integrity: MD5, MD4, MD2, SHA-1, SHA-2, RIPEMD-160, MDC-2, GOST R, BLAKE2. Public-key algorithms (key distribution and authentication): RSA, DSA, Diffie-Hellman, elliptic curve, GOST R.

5.2 AES[16]

The National Institute of Standards and Technology (NIST) in 2001 defined a new standard known as the Advanced Encryption Standard (AES)[16], as a specification for the encryption of electronic data for non-classified purposes. NIST selected three members of the Rijndael family, each with a block size of 128 bits but with three different key lengths: 128, 192 and 256 bits. It is a symmetric-key algorithm: the same key is used for both encrypting and decrypting the data. It differs from DES[17] in that it is not a Feistel structure; the basic design principle used in this algorithm is the substitution-permutation network, which is fast in both software and hardware. The overall structure of AES is described by figure 5.1. The input is a single 128-bit block, both for encryption and for decryption. The 128-bit input is organized as 16 bytes represented as a 4x4 matrix called the state matrix; the ordering of bytes within the matrix is by column. The state matrix is modified at each stage of the algorithm and the final output is taken as the ciphertext (see figure 5.1). A 128-bit key is likewise represented as a 4x4 matrix of bytes. The key is expanded by the key expansion routine into an array of words, and these expanded round keys are used in the round transformations during encryption and decryption. The algorithm begins with an add round key stage, followed by n-1 rounds consisting of four stages each and a final round consisting of three stages. The value of n is 10 for a 128-bit key, 12 for a 192-bit key and 14 for a 256-bit key. This applies to both encryption and decryption, with each stage of a decryption round being the inverse of its counterpart in the encryption algorithm. The stages of each of the n-1 full rounds are listed in table 5.1; the final round does not contain the mix columns operation.

Table 5.1: AES Round Transformation

Encryption         Decryption
Substitute Bytes   Inverse Substitute Bytes
Shift Rows         Inverse Shift Rows
Mix Columns        Inverse Mix Columns
Add Round Key      Add Round Key (its own inverse)

Figure 5.1 depicts the complete encryption and decryption process of AES. From the original 128-bit or 256-bit key, the round keys are generated using the key expansion function; each round key consists of 128 bits. Depending on the key size, the number of round keys is either 11 (128-bit key) or 15 (256-bit key). The additional round key is used for key whitening, which is done before the first round.

Figure 5.1: AES Block Diagram[16]. (The figure itself is not reproduced here; it shows the 128-, 192- or 256-bit key entering key expansion, the 128-bit plaintext passing through key whitening, N-1 round transformations of 4 operations each and an N-th round transformation of 3 operations, producing the 128-bit ciphertext. Key size 128: 10 rounds; 192: 12 rounds; 256: 14 rounds.)

Figure 5.2: AES Round Transformation[16]. (The figure itself is not reproduced here; it shows the encryption rounds of substitute bytes, shift rows, mix columns and add round key, beside the decryption rounds with the corresponding inverse operations.)

5.2.1 Substitute Byte

In this stage a simple table lookup is done. The table consists of 256 entries, and each entry is a byte obtained from an algebraic expression (the multiplicative inverse in GF(2^8) followed by an affine transformation). The 128 bits obtained from the previous operation are divided into 16 bytes, and each byte is replaced by the corresponding table entry, giving another 128-bit value. For decryption the inverse S-box is used. The two boxes are given below.

Table 5.2: AES S-Box[16]

      00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
00    63 7c 77 7b f2 6b 6f c5 30 01 67 2b fe d7 ab 76
10    ca 82 c9 7d fa 59 47 f0 ad d4 a2 af 9c a4 72 c0
20    b7 fd 93 26 36 3f f7 cc 34 a5 e5 f1 71 d8 31 15
30    04 c7 23 c3 18 96 05 9a 07 12 80 e2 eb 27 b2 75
40    09 83 2c 1a 1b 6e 5a a0 52 3b d6 b3 29 e3 2f 84
50    53 d1 00 ed 20 fc b1 5b 6a cb be 39 4a 4c 58 cf
60    d0 ef aa fb 43 4d 33 85 45 f9 02 7f 50 3c 9f a8
70    51 a3 40 8f 92 9d 38 f5 bc b6 da 21 10 ff f3 d2
80    cd 0c 13 ec 5f 97 44 17 c4 a7 7e 3d 64 5d 19 73
90    60 81 4f dc 22 2a 90 88 46 ee b8 14 de 5e 0b db
a0    e0 32 3a 0a 49 06 24 5c c2 d3 ac 62 91 95 e4 79
b0    e7 c8 37 6d 8d d5 4e a9 6c 56 f4 ea 65 7a ae 08
c0    ba 78 25 2e 1c a6 b4 c6 e8 dd 74 1f 4b bd 8b 8a
d0    70 3e b5 66 48 03 f6 0e 61 35 57 b9 86 c1 1d 9e
e0    e1 f8 98 11 69 d9 8e 94 9b 1e 87 e9 ce 55 28 df
f0    8c a1 89 0d bf e6 42 68 41 99 2d 0f b0 54 bb 16

Table 5.3: AES Inverse S-Box[16]

      00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
00    52 09 6a d5 30 36 a5 38 bf 40 a3 9e 81 f3 d7 fb
10    7c e3 39 82 9b 2f ff 87 34 8e 43 44 c4 de e9 cb
20    54 7b 94 32 a6 c2 23 3d ee 4c 95 0b 42 fa c3 4e
30    08 2e a1 66 28 d9 24 b2 76 5b a2 49 6d 8b d1 25
40    72 f8 f6 64 86 68 98 16 d4 a4 5c cc 5d 65 b6 92
50    6c 70 48 50 fd ed b9 da 5e 15 46 57 a7 8d 9d 84
60    90 d8 ab 00 8c bc d3 0a f7 e4 58 05 b8 b3 45 06
70    d0 2c 1e 8f ca 3f 0f 02 c1 af bd 03 01 13 8a 6b
80    3a 91 11 41 4f 67 dc ea 97 f2 cf ce f0 b4 e6 73
90    96 ac 74 22 e7 ad 35 85 e2 f9 37 e8 1c 75 df 6e
a0    47 f1 1a 71 1d 29 c5 89 6f b7 62 0e aa 18 be 1b
b0    fc 56 3e 4b c6 d2 79 20 9a db c0 fe 78 cd 5a f4
c0    1f dd a8 33 88 07 c7 31 b1 12 10 59 27 80 ec 5f
d0    60 51 7f a9 19 b5 4a 0d 2d e5 7a 9f 93 c9 9c ef
e0    a0 e0 3b 4d ae 2a f5 b0 c8 eb bb 3c 83 53 99 61
f0    17 2b 04 7e ba 77 d6 26 e1 69 14 63 55 21 0c 7d

5.2.2 Shift Row Transformation

As already explained, the 16 bytes of the block are represented as a state consisting of 4 rows and 4 columns. For encryption the shift rows transformation is used and for decryption the inverse shift rows transformation. In this operation each row of the state is given a byte-wise left circular shift by a fixed amount: the first row is not shifted, the second row is circularly shifted by one byte, the third by two and the fourth by three. The inverse shift rows operation applies the same amounts of shift in the opposite direction.


5.2.3 Mix Column Transformation

In this transformation the state matrix is pre-multiplied by a fixed 4x4 matrix using GF(2^8) arithmetic. In decryption the inverse mix columns transformation is used, i.e. the matrix used is the inverse of the matrix used in encryption. The transformations carried out for encryption and decryption are shown in figure 5.3. In this multiplication each byte is treated as an element of GF(2^8), i.e. a polynomial of degree less than 8 with coefficients in GF(2), reduced modulo the AES polynomial x^8 + x^4 + x^3 + x + 1; multiplication and addition are carried out in that field and yield another element of the same field, consisting of 8 bits.

5.2.4 Add Round Key Transformation

In the add round key transformation the 128 bits of the state are XORed bitwise with the 128 bits of the round key. The operation is carried out column-wise, i.e. the 4 bytes of each column are XORed with one word of the round key. The simplicity of the operation helps in achieving efficiency, and every bit of the state is affected by round key bits which are not known to the attacker.

5.2.5 Round Key Generation

This operation is very crucial from the cold boot attack point of view. AES requires 11 round keys for a 128-bit key and 15 round keys for a 256-bit key; together they are called the expanded key. Each round key consists of 128 bits, i.e. four 32-bit words. The first Nk words of the expanded key are the original key itself, where Nk is the key length in words (4, 6 or 8 for 128-, 192- and 256-bit keys), so for a 128-bit key the first round key is the same as the original key. The remainder of the expanded key is generated one word at a time. Each word w[i] is calculated from the immediately preceding word w[i-1] and the word Nk positions back, w[i-Nk]. Whenever i is not a multiple of Nk the calculation is a simple XOR of these two words; otherwise the preceding word is first transformed in the following way (for 256-bit keys, words with i mod 8 = 4 additionally pass through the SubWord step alone before the XOR).

1. RotWord (word rotation): a one-byte circular left shift of the word. An input word consisting of the bytes b1 b2 b3 b4 is transformed to b2 b3 b4 b1.

The column mixing transformation[16], applied to each column c = 0, ..., 3 of the state:

$$\begin{pmatrix} s'_{0,c} \\ s'_{1,c} \\ s'_{2,c} \\ s'_{3,c} \end{pmatrix} =
\begin{pmatrix} 02 & 03 & 01 & 01 \\ 01 & 02 & 03 & 01 \\ 01 & 01 & 02 & 03 \\ 03 & 01 & 01 & 02 \end{pmatrix}
\begin{pmatrix} s_{0,c} \\ s_{1,c} \\ s_{2,c} \\ s_{3,c} \end{pmatrix}$$

The inverse column mixing transformation[16]:

$$\begin{pmatrix} s_{0,c} \\ s_{1,c} \\ s_{2,c} \\ s_{3,c} \end{pmatrix} =
\begin{pmatrix} 0e & 0b & 0d & 09 \\ 09 & 0e & 0b & 0d \\ 0d & 09 & 0e & 0b \\ 0b & 0d & 09 & 0e \end{pmatrix}
\begin{pmatrix} s'_{0,c} \\ s'_{1,c} \\ s'_{2,c} \\ s'_{3,c} \end{pmatrix}$$

Round key generation[16]: the 16 key bytes $k_0, \dots, k_{15}$ fill the 4x4 key matrix by column and form the words $w_0 = (k_0, k_1, k_2, k_3)$, $w_1 = (k_4, \dots, k_7)$, $w_2 = (k_8, \dots, k_{11})$, $w_3 = (k_{12}, \dots, k_{15})$; the next round key is $w_4 = w_0 \oplus g(w_3)$, $w_5 = w_4 \oplus w_1$, $w_6 = w_5 \oplus w_2$, $w_7 = w_6 \oplus w_3$, where $g$ is the RotWord/SubWord/Rcon transformation described in this section.

Figure 5.3: AES Column Transformation and Round Key Generation[16].

2. SubWord: byte substitution using the S-box on each byte of the input word.

3. Round constant addition: the round constant Rcon[j] is XORed with the output of SubWord.

The round constant is a 32-bit word in which the three rightmost bytes are always 0, so the effect of XORing a word with Rcon is to XOR only the leftmost byte of the word. The round constant is different for each round and is defined as Rcon[j] = (RC[j], 0, 0, 0) with RC[1] = 1 and RC[j] = 2 · RC[j-1], the multiplication being carried out in the field GF(2^8); this gives RC = 01, 02, 04, 08, 10, 20, 40, 80, 1b, 36 for the ten rounds of a 128-bit key.
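The key schedule just described, and the XTS mode of section 6.3 in which VeraCrypt applies the recovered keys, are the two pieces an analyst has to implement to work with an AES key found in a memory dump. The following is an added example written for this edition, not code from the thesis, from OpenSSL or from VeraCrypt: it builds the S-box from its algebraic definition, expands 128-, 192- and 256-bit keys exactly as described above (RotWord, SubWord, Rcon, plus the extra SubWord step at i mod 8 = 4 for 256-bit keys), implements the block cipher and XTS on top of the schedule, and then uses the schedule relations in the opposite direction: `schedule_distance` scores any 176/208/240-byte region of an image by how many bits it deviates from a valid expansion, predicting each word from the region's own preceding words, so a key whose round keys have partly decayed still scores far below random data. The sample image in `decayed_image`, the offset 1000, the 12 cleared bits and the 48-bit threshold are constructed assumptions for the demonstration, not data from the thesis.

```python
import random

def _gf_mul(a, b):                        # product in GF(2^8), AES polynomial 0x11b
    r = 0
    while b:
        if b & 1: r ^= a
        a = (a << 1) ^ (0x11b if a & 0x80 else 0)
        b >>= 1
    return r

def _sbox_entry(x):                       # affine map of x^254 = x^-1 (0 -> 0x63)
    inv = 1
    for _ in range(254):
        inv = _gf_mul(inv, x)
    s = inv ^ 0x63
    for k in range(1, 5):
        s ^= ((inv << k) | (inv >> (8 - k))) & 0xff
    return s

SBOX = [_sbox_entry(x) for x in range(256)]
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1b, 0x36]

def _next_word(prev, back, i, nk):
    """w[i] = w[i-nk] ^ g(w[i-1]); g = RotWord+SubWord+Rcon when nk divides i, SubWord alone at i % 8 == 4 for 256-bit keys."""
    t = list(prev)
    if i % nk == 0:
        t = [SBOX[b] for b in t[1:] + t[:1]]
        t[0] ^= RCON[i // nk - 1]
    elif nk == 8 and i % nk == 4:
        t = [SBOX[b] for b in t]
    return bytes(a ^ b for a, b in zip(back, t))

def expand_key(key):                      # 16/24/32-byte key -> 11/13/15 round keys
    nk = len(key) // 4
    w = [key[4 * i:4 * i + 4] for i in range(nk)]
    for i in range(nk, 4 * (nk + 7)):
        w.append(_next_word(w[i - 1], w[i - nk], i, nk))
    return b"".join(w)

def aes_encrypt_block(rk, block):         # rk = expand_key(key); state is column-major
    nr = len(rk) // 16 - 1
    s = [b ^ k for b, k in zip(block, rk[:16])]
    for r in range(1, nr + 1):
        s = [SBOX[b] for b in s]                                        # SubBytes
        s = [s[4 * ((i // 4 + i % 4) % 4) + i % 4] for i in range(16)]  # ShiftRows
        if r != nr:                                                     # MixColumns
            t = []
            for c in range(4):
                a = s[4 * c:4 * c + 4]
                x = [((v << 1) ^ 0x1b) & 0xff if v & 0x80 else v << 1 for v in a]
                h = a[0] ^ a[1] ^ a[2] ^ a[3]
                t += [a[j] ^ h ^ x[j] ^ x[(j + 1) % 4] for j in range(4)]
            s = t
        s = [b ^ k for b, k in zip(s, rk[16 * r:16 * r + 16])]         # AddRoundKey
    return bytes(s)

def _mul_alpha(t):                        # tweak * alpha in GF(2^128), little-endian bytes
    v = int.from_bytes(t, "little") << 1
    if v >> 128:                          # x^128 = x^7 + x^2 + x + 1: fold 0x87 into byte 0
        v ^= (1 << 128) | 0x87
    return v.to_bytes(16, "little")

def xts_encrypt(k1, k2, n, data):
    """IEEE 1619 XTS: C_i = E_K1(P_i ^ T_i) ^ T_i with T_i = E_K2(n) * alpha^i,
    n = data unit (sector) index, i = block index inside the unit."""
    rk1, rk2 = expand_key(k1), expand_key(k2)
    t, out = aes_encrypt_block(rk2, n.to_bytes(16, "little")), bytearray()
    for i in range(0, len(data), 16):
        x = bytes(a ^ b for a, b in zip(data[i:i + 16], t))
        out += bytes(a ^ b for a, b in zip(aes_encrypt_block(rk1, x), t))
        t = _mul_alpha(t)
    return bytes(out)

def schedule_distance(region, nk):
    """Bits by which `region` deviates from a valid schedule; each word is predicted from
    the region's *own* preceding words, so one decayed bit disturbs only a few relations."""
    w = [region[4 * i:4 * i + 4] for i in range(4 * (nk + 7))]
    d = 0
    for i in range(nk, len(w)):
        pred = _next_word(w[i - 1], w[i - nk], i, nk)
        d += bin(int.from_bytes(pred, "big") ^ int.from_bytes(w[i], "big")).count("1")
    return d

def find_aes_keys(image, nk, max_bits=48):    # (offset, distance) of plausible schedules
    size = 16 * (nk + 7)
    return [(off, d) for off in range(len(image) - size + 1)
            if (d := schedule_distance(image[off:off + size], nk)) <= max_bits]

def decayed_image(key, offset, flips, seed=7):
    """Constructed sample dump (assumption, not real data): random filler with the expanded key at `offset`, then `flips` schedule bits cleared, like DRAM cells decayed to 0."""
    rnd = random.Random(seed)
    img = bytearray(rnd.getrandbits(8) for _ in range(2048))
    sched = bytearray(expand_key(key))
    for _ in range(flips):
        pos = rnd.randrange(len(sched) * 8)
        sched[pos // 8] &= ~(1 << (pos % 8)) & 0xff
    img[offset:offset + len(sched)] = sched
    return bytes(img)
```

`find_aes_keys(decayed_image(key, 1000, 12), 4)` returns a single hit `(1000, d)`, where d is the number of schedule relations (in bits) that the decayed region violates. A clean expansion scores 0; each decayed bit costs a few bits of distance (one for the word itself, one for the word Nk positions later, and a whole byte of the next word when the bit feeds a SubWord step), while random filler scores around half of all compared bits and a region shifted by one round key, whose Rcon sequence no longer lines up, stays well above the threshold. The words where prediction and image disagree are also where the key correction of chapter 8 starts, since they localise the decayed bytes. `xts_encrypt` with n set to the sector index is the operation VeraCrypt performs on every sector with the primary and secondary master keys.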

6 Truecrypt/Veracrypt[3] and its detailed description

Truecrypt[3] is free open-source disk encryption software available for almost all popular platforms like Linux, Windows and Mac. Its developers never disclosed their identity and abandoned the project after some time. At present it is available as Veracrypt[3] from www.idrix.in with certain additional features. As far as the cold boot attack is concerned, most technical aspects of Truecrypt[3] and Veracrypt[3] are the same, so henceforth all descriptions refer to Veracrypt[3]. Veracrypt[3] provides on-the-fly encryption: data is automatically encrypted right before it is saved and decrypted right after it is loaded, without any user intervention. Encrypted data can only be read (i.e. decrypted) when the user supplies the correct password, keyfile(s) or encryption key. It encrypts the entire file system, including folder names, free space and metadata. Files can be copied to and from a mounted volume just as they are copied from a normal disk. Veracrypt[3] never saves any decrypted data to disk; it only holds it temporarily in RAM. Even while the volume is mounted, the data stored in the volume remains encrypted on disk. When the operating system hosting the software is restarted, the volume is dismounted and the files stored in it become inaccessible, in the sense that they exist only in encrypted form; this also holds when the system has not been shut down properly. To make them accessible again, the volume needs to be mounted with the correct password/keyfile. The necessary technical details of its usage, storage format and cryptographic functionality are described below.

6.1 Using Veracrypt[3] for creation of volume or container

Veracrypt[3] can be obtained from www.idrix.in and installed on a PC. The software is available for Windows, Linux and Mac. Although it can be used to encrypt the whole hard disk including the native operating system, most of the experiments have been carried out by creating a container. The following steps create an encrypted container (volume).

1. STEP 1: Run the Veracrypt[3] software. A GUI appears with the option of creating a volume; select it and click Next.

2. STEP 2: A new dialog offers three options: create an encrypted file container, encrypt a non-system partition/drive, or encrypt the system partition or entire system drive. Select the first option, for creating an encrypted file container, and click Next.

3. STEP 3: The next dialog offers two options, a standard Veracrypt[3] volume and a hidden Veracrypt[3] volume. Select the first one to create a standard volume.

4. STEP 4: Select the path name of the container file in the next dialog and click Next.

5. STEP 5: The next dialog asks for the encryption algorithm and the hash algorithm and offers several alternatives for each. For the cold boot attack experiments, AES has been selected.

6. STEP 6: Select a volume size appropriate for storing the required information and click Next.

7. STEP 7: The next dialog asks for the user password, from which the header key protecting the randomly generated AES master keys is derived, and asks for its confirmation. After entering the password click Next.

8. STEP 8: The next dialog asks for the file system used for formatting. Select any file system, preferably FAT32; any other file system will also work for the experiments. Click Next, and the encrypted volume is created.

9. STEP 9: To use the created volume, the same program is used, but instead of creating a volume, the created volume is mounted with its password.


6.2 Technical details of creation of encrypted volume

The first 512 bytes of any volume created with Veracrypt[3] hold the information related to the keys. Of these 512 bytes, the first 64 bytes are the salt, stored in plain. Veracrypt[3] attempts to decrypt the volume header using the key derived from the user's password and the salt. All data used and generated in the course of this decryption is kept in RAM. Several parameters are not known in advance and are determined by trial and error, trying all possible combinations of the following:

1. The pseudo-random function used by the key derivation function, which follows PKCS #5 v2.0[18]. The key derivation function (described later) accepts the password entered by the user, a PIM value, the hash function selected by the user and the salt, and produces a sequence of bytes from which the header encryption key and the secondary header key are formed. These keys are used to decrypt the volume header in XTS mode.

2. The encryption algorithm: 256-bit AES, AES-Serpent, AES-Twofish, Serpent and the other supported ciphers and cascades.

3. The key size, which varies with the choice of algorithm.

Using the derived keys, decryption is carried out and it is checked whether the decrypted data begins with the ASCII string "VERA" ("TRUE" for Truecrypt[3]) and whether the CRC-32 checksum of the last 256 bytes of the decrypted data matches the value located at byte #8 of the decrypted data. Since these values are stored encrypted, they are not known to the attacker. If the two conditions are not met, the process continues with the next combination; if no combination satisfies them, the process terminates and the volume is not mounted. In this way the correct password, encryption algorithm, hash algorithm, key size and header key derivation algorithm are determined. The determined encryption algorithm is then used in XTS mode with the primary master key and the secondary master key, which are retrieved from the decrypted volume header. These master keys are used to decrypt every sector of the volume except the volume header; the header itself is the only part encrypted with the header keys.


6.3 XTS Mode of Operation

XTS mode[19] is an extension of XEX mode, which was designed by Phillip Rogaway in 2003. XTS mode[19] uses two independent keys, whereas XEX mode uses a single key. XTS mode was approved by NIST in 2010 for protecting the confidentiality of data on storage devices, and had been approved by the IEEE for cryptographic protection of data on block-oriented storage devices (IEEE 1619) in 2007. In this mode the ciphertext is computed as

$$
C_i = E_{K_1}\bigl(P_i \oplus (E_{K_2}(n) \otimes \alpha^i)\bigr) \oplus \bigl(E_{K_2}(n) \otimes \alpha^i\bigr)
$$

where

1. $i$ is the cipher block index within the data unit, counting from 0.

2. $n$ is the data unit index, counting from 0.

3. $K_1$ is the primary encryption key and $K_2$ the secondary encryption key. Each key is 256 bits long, so for AES the total key material is 512 bits; with a cascade of ciphers the total key size grows accordingly.

4. $\otimes$ denotes multiplication of two polynomials over the binary field $GF(2^{128})$ modulo the irreducible polynomial $x^{128} + x^7 + x^2 + x + 1$ of degree 128.

5. $\alpha$ is the primitive element of the above-mentioned field, i.e. an element that generates all elements of the multiplicative group of the field.

6.4 Veracrypt[3] Volume Format

Veracrypt[3] provides two types of volumes: file hosted and partition/device hosted. Neither carries any signature or ID that identifies it as a Veracrypt[3] volume; the content appears entirely random until it has been decrypted with the right key. Free space on each Veracrypt[3] volume is filled with random data when the volume is created. To generate this data, Veracrypt[3] draws temporary encryption keys (primary and secondary) from its random number generator and initialises the cipher with them. The initialised cipher is then used to encrypt plaintext blocks consisting of random bytes from the random number generator, and the resulting ciphertext fills the free space of the volume. These temporary keys live in RAM and are erased once formatting has finished. The first 64 bytes of the volume are not encrypted and store the random salt; the remaining header data is stored encrypted. The fields at offset 0 (the salt) and at offset 256 (the master keys) are generated by the random number generator. The maximum possible size of a Veracrypt[3] volume is 2^63 bytes, but for security reasons the maximum allowed size is 1 petabyte. The detailed data format is given in Table 6.1.


Table 6.1: Veracrypt[3] Volume Format

Offset (bytes)        Size (bytes)   Data
0 to 63               64             Salt (unencrypted)
64 to 67              4              ASCII string "VERA" ("TRUE" for a TrueCrypt volume)
68 to 69              2              Header format version
70 to 71              2              Minimum program version required to open the volume
72 to 75              4              CRC-32 checksum of the (decrypted) bytes 256 to 511
76 to 91              16             Reserved (contains zeros)
92 to 99              8              Size of hidden volume (zero for a normal volume)
100 to 107            8              Size of volume
108 to 115            8              Byte offset of the start of the master key scope
116 to 123            8              Size of the encrypted area within the master key scope
124 to 127            4              Flag bits (bit 0: system encryption; bit 1: non-system in-place encryption; remaining bits reserved)
128 to 131            4              Sector size (in bytes)
132 to 251            120            Reserved (contains zeros)
252 to 255            4              CRC-32 checksum of the (decrypted) bytes 64 to 251
256 to 511            variable       Concatenated primary and secondary master keys (XTS mode)
512 to 65535          65024          Reserved (omitted for system encryption)
65536 to 131071       65536          Hidden volume header (random data if there is no hidden volume; omitted for system encryption)
131072 onwards        variable       Data area (master key scope)
last 131072 bytes     65536          Backup header (omitted for system encryption)
last 65536 bytes      65536          Backup header for hidden volume (omitted for system encryption)

Everything from offset 64 onwards is encrypted with the header key; the salt is the only part of the header stored in the clear.
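The check that Veracrypt[3] performs on every decryption attempt (section 6.2) can be followed on the layout of Table 6.1. The following Python example is added here; it is not VeraCrypt code and not part of the original thesis. It assembles a header in the Table 6.1 layout with valid checksums, as the encrypted header would look after a successful decryption, and then applies the magic-string and double CRC-32 test before extracting the two 256-bit AES master keys. The big-endian field encoding follows the VeraCrypt sources; the header version, minimum program version, sizes, salt and key bytes in the sample are constructed values, and the XTS decryption step itself is assumed to have happened already.

```python
"""Layout and verification of a (decrypted) VeraCrypt volume header, Table 6.1.
Added example with constructed values; not VeraCrypt code."""
import os
import struct
import zlib

MAGIC = b"VERA"                      # b"TRUE" for a TrueCrypt-format volume
# Fields at offsets 64..131, big-endian as in the VeraCrypt sources: magic,
# header version, minimum program version, CRC-32 of bytes 256..511, 16 reserved
# bytes, hidden volume size, volume size, key scope offset, encrypted area size,
# flags, sector size.
FIELDS = struct.Struct(">4sHHI16sQQQQII")
CRC_HEADER = 252                     # CRC-32 of bytes 64..251 lives here
KEYS = 256                           # concatenated primary and secondary keys

def build_header(primary, secondary, volume_size, salt=None,
                 header_version=5, min_version=0x010B, sector_size=512):
    """Assemble what the encrypted header would decrypt to, with valid CRCs.
    The version numbers are constructed placeholders, not normative values."""
    salt = salt if salt is not None else os.urandom(64)
    hdr = bytearray(512)
    hdr[0:64] = salt
    hdr[KEYS:KEYS + 64] = primary + secondary            # bytes 256..319
    crc_keys = zlib.crc32(hdr[KEYS:512])                 # covers the whole key area
    FIELDS.pack_into(hdr, 64, MAGIC, header_version, min_version, crc_keys,
                     bytes(16), 0, volume_size, 131072, volume_size, 0, sector_size)
    struct.pack_into(">I", hdr, CRC_HEADER, zlib.crc32(hdr[64:CRC_HEADER]))
    return bytes(hdr)

def parse_header(hdr):
    """The test applied to every (password, PRF, cipher) guess: the magic must
    match and both CRC-32 fields must verify. Returns the fields and the two
    256-bit AES master keys, or None when the candidate decryption is wrong."""
    if len(hdr) != 512 or hdr[64:68] != MAGIC:
        return None
    (_, hver, minver, crc_keys, _res, hidden, size,
     scope_off, enc_size, flags, sector) = FIELDS.unpack_from(hdr, 64)
    if zlib.crc32(hdr[KEYS:512]) != crc_keys:
        return None
    if zlib.crc32(hdr[64:CRC_HEADER]) != struct.unpack_from(">I", hdr, CRC_HEADER)[0]:
        return None
    return {
        "header_version": hver, "min_version": minver,
        "hidden_volume_size": hidden, "volume_size": size,
        "key_scope_offset": scope_off, "encrypted_area_size": enc_size,
        "flags": flags, "sector_size": sector,
        "primary_key": hdr[KEYS:KEYS + 32], "secondary_key": hdr[KEYS + 32:KEYS + 64],
    }

# Constructed sample: fixed keys and an all-zero salt so the result is reproducible.
SAMPLE_PRIMARY = bytes(range(32))
SAMPLE_SECONDARY = bytes(range(32, 64))
SAMPLE_HEADER = build_header(SAMPLE_PRIMARY, SAMPLE_SECONDARY,
                             volume_size=64 * 1024 * 1024, salt=bytes(64))

if __name__ == "__main__":
    fields = parse_header(SAMPLE_HEADER)
    print(fields["volume_size"], fields["primary_key"].hex())
    damaged = bytearray(SAMPLE_HEADER)
    damaged[300] ^= 0x01                                 # one flipped key bit
    print(parse_header(bytes(damaged)))                  # None: key-area CRC fails
```

A single flipped bit anywhere in bytes 64 to 511 makes one of the two checks fail, which is exactly why a wrong password, PRF or cipher choice is rejected without any further information leaking about which of the three was wrong.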


6.5 Header Key Derivation

The Veracrypt[3] volume header, which holds the master keys and the other fields of Table 6.1, is encrypted with a header key derived according to PKCS #5 v2.0. A 512-bit (64-byte) salt enters the derivation, so for each password 2^512 different keys can exist; this huge variation defeats rainbow-table and precomputed dictionary attacks. The salt is generated by the Veracrypt[3] random number generator during volume creation.

The header key derivation function is PBKDF2 built on the HMAC of the hash function selected by the user: HMAC-SHA-512, HMAC-SHA-256, HMAC-RIPEMD-160 or HMAC-Whirlpool. The amount of key material derived does not depend on the hash function: in XTS mode two 256-bit keys are needed, so 512 bits are generated whatever hash was chosen.

A large number of iterations is performed to derive the header key, which slows down exhaustive search of passwords. For a system partition (boot encryption) 200000 iterations are used with HMAC-SHA-256 and 327661 iterations with HMAC-RIPEMD-160. For standard containers and non-system partitions 655331 iterations are used with HMAC-RIPEMD-160 and 500000 iterations with HMAC-SHA-512, HMAC-SHA-256 and HMAC-Whirlpool. Newer versions provide a Personal Iterations Multiplier (PIM), giving users control over the number of iterations used by the key derivation function. When no PIM is specified the defaults above apply. When a PIM is specified, the iteration count depends on whether a system partition or a standard container is being opened: for a system partition it is PIM x 2048, otherwise 15000 + (PIM x 1000).

When a cascade of ciphers is used, the keys of the different ciphers are mutually independent even though they are derived from a single password. For example, for the cascade AES-Twofish-Serpent the header key derivation function generates 768 bits of primary key material and 768 bits of secondary key material from the password and salt. The first 768 bits are split into three 256-bit primary keys and the second 768 bits into three 256-bit secondary keys.


These keys are generated in such a way that even an adversary who obtains one of them cannot derive the other keys or the password by any feasible method. The only remaining options are brute force or dictionary attacks, which succeed only against weak passwords.
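The derivation described in this section, written out as an added Python example (not VeraCrypt code and not part of the thesis): PBKDF2-HMAC over the 64-byte salt with the iteration count chosen by volume type and PIM, and the output cut into one (primary, secondary) XTS key pair per cipher of the cascade. The cascade table, the password and the volume prefix used as input are constructed for the example; hashlib's PBKDF2 is used as the PKCS #5 v2.0 implementation.

```python
"""Header key derivation as section 6.5 describes it. Added example; not VeraCrypt code."""
import hashlib

# Default iteration counts from section 6.5, keyed by (system volume?, PRF name).
DEFAULT_ITERATIONS = {
    (True, "sha256"): 200000, (True, "ripemd160"): 327661,
    (False, "sha512"): 500000, (False, "sha256"): 500000,
    (False, "whirlpool"): 500000, (False, "ripemd160"): 655331,
}
# Number of 256-bit key pairs each cipher choice needs (constructed table).
CASCADE_CIPHERS = {"aes": 1, "serpent": 1, "twofish": 1, "aes-twofish": 2,
                   "serpent-aes": 2, "twofish-serpent": 2,
                   "aes-twofish-serpent": 3, "serpent-twofish-aes": 3}

def iteration_count(prf, system_volume=False, pim=0):
    """PIM rule of section 6.5: PIM x 2048 for system encryption, otherwise
    15000 + PIM x 1000; a PIM of 0 means 'use the default for this PRF'."""
    if pim == 0:
        return DEFAULT_ITERATIONS[(system_volume, prf)]
    return pim * 2048 if system_volume else 15000 + pim * 1000

def derive_header_keys(password, salt, prf="sha512", cipher="aes",
                       system_volume=False, pim=0):
    """Return [(primary_key, secondary_key), ...], one 256-bit pair per cipher.
    For aes-twofish-serpent that is 768 + 768 bits of PBKDF2 output: the first
    768 bits cut into three primary keys, the second 768 into three secondary."""
    if len(salt) != 64:
        raise ValueError("the salt is the first 64 bytes of the volume")
    n = CASCADE_CIPHERS[cipher]
    material = hashlib.pbkdf2_hmac(prf, password, salt,
                                   iteration_count(prf, system_volume, pim), 64 * n)
    primaries, secondaries = material[:32 * n], material[32 * n:]
    return [(primaries[32 * i:32 * i + 32], secondaries[32 * i:32 * i + 32])
            for i in range(n)]

def read_salt(volume_bytes):
    """The only plaintext in the header: bytes 0..63 (Table 6.1)."""
    return bytes(volume_bytes[:64])

if __name__ == "__main__":
    # Constructed volume prefix: 64 salt bytes followed by what would be ciphertext.
    fake_volume = bytes(range(64)) + b"\x00" * 448
    salt = read_salt(fake_volume)
    print(iteration_count("sha512"), iteration_count("sha256", True, 3))
    for k1, k2 in derive_header_keys(b"correct horse", salt, pim=1):   # 16000 iterations
        print(k1.hex(), k2.hex())
```

With the default PIM of 0 the call runs the full 500000 HMAC-SHA-512 iterations, which is the cost an attacker pays per password guess per (PRF, cipher) combination in the trial-and-error loop of section 6.2; the PIM of 1 in the demonstration only keeps the run short.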

6.5.1 Random Number Generator

The random number generator used in Veracrypt[3] is based on the designs of Peter Gutmann (software generation of practically strong random numbers) and Carl Ellison (cryptographic random numbers). It is used to generate the master encryption key, the secondary key, the salt and keyfiles. It maintains a pool of random values in RAM. The pool is 320 bytes long and is filled from the following sources:

1. Mouse movements.

2. Keystrokes.

3. On Linux and Mac OS, values generated by the built-in RNG, i.e. /dev/urandom and /dev/random. On MS Windows, random numbers are collected regularly from CryptoAPI, network interface statistics, various Win32 handles, time variables and counters, at 500-ms intervals.

The data obtained from these sources is split into individual bytes before it is written into the pool: each byte is added, modulo 2^8, to the byte already at the position of the pool cursor, after which the cursor advances by one byte. When the cursor reaches the end of the pool it is reset to the beginning. After every 16th written byte the pool mixing function is automatically applied to the entire pool. The purpose of the mixing function is diffusion: it spreads the influence of each raw input bit over as much of the pool state as possible, hiding any statistical relationships. The pool mixing function works as follows.

1. Let R be the randomness pool.

2. Let H be the hash function selected by the user.

3. Let l be the byte size of the output of H, z = 320 the byte size of the randomness pool, and q = z / l.

4. Compute the hash of the randomness pool, M = H(R). Divide R into q blocks of l bytes, XOR each block with M, and take the result as the new state of the pool.

The content of this pool is never exported directly. Thus for an attacker it will be infeasible to determine or predict the content even when he knows the value at any point of time.
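The pool update and mixing described above, as an added Python example modelled on this description (it is not VeraCrypt's RNG code and not part of the thesis). The "entropy" fed in is constructed; the output method, which hands out a hash of the pool and mixes afterwards rather than exporting the pool itself, is an assumed simplification of how the real generator releases bytes.

```python
"""Randomness pool of section 6.5.1: entropy bytes are added modulo 2^8 at a
moving cursor, and after every 16th byte the 320-byte pool is mixed by XORing
its own hash into each of the q = 320 / l blocks. Added example; not VeraCrypt code."""
import hashlib

POOL_SIZE = 320                       # z in the notation of section 6.5.1

class RandomPool:
    def __init__(self, hash_name="sha512"):
        self.hash_name = hash_name
        self.block = hashlib.new(hash_name).digest_size       # l
        if POOL_SIZE % self.block:
            raise ValueError("pool size must be a multiple of the hash length")
        self.pool = bytearray(POOL_SIZE)                        # R
        self.cursor = 0
        self.written = 0
        self.mixes = 0

    def add_entropy(self, data):
        """Write raw bytes (mouse deltas, keystroke timings, OS RNG output, ...)
        into the pool exactly as described: add modulo 256, advance, wrap."""
        for b in data:
            self.pool[self.cursor] = (self.pool[self.cursor] + b) & 0xFF
            self.cursor = (self.cursor + 1) % POOL_SIZE
            self.written += 1
            if self.written % 16 == 0:
                self.mix()

    def mix(self):
        """Pool mixing function: M = H(R); every l-byte block of R ^= M."""
        m = hashlib.new(self.hash_name, bytes(self.pool)).digest()
        for off in range(0, POOL_SIZE, self.block):
            for i in range(self.block):
                self.pool[off + i] ^= m[i]
        self.mixes += 1

    def state(self):
        return bytes(self.pool)

    def output(self, n):
        """Never hand out the pool itself: return a hash of it and mix afterwards,
        so exported bytes do not reveal the pool state (assumed simplification)."""
        out = hashlib.new(self.hash_name, bytes(self.pool)).digest()[:n]
        self.mix()
        return out

def reference_mix(pool_bytes, hash_name):
    """Straight-line restatement of steps 1 to 4 above, used to cross-check the
    incremental implementation: XOR M into each block of the pool."""
    m = hashlib.new(hash_name, pool_bytes).digest()
    return bytes(b ^ m[i % len(m)] for i, b in enumerate(pool_bytes))

if __name__ == "__main__":
    pool = RandomPool("sha256")             # l = 32, so q = 10 blocks
    pool.add_entropy(bytes(range(16)))      # constructed "entropy", triggers one mix
    print(pool.mixes, pool.output(32).hex())
```

The 320-byte pool size is what makes q whole for every hash the generator offers (64-byte SHA-512 and Whirlpool, 32-byte SHA-256, 20-byte RIPEMD-160); a digest length that does not divide 320 is rejected by the constructor.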

7 Steps required to mount cold boot attack

A cold boot attack requires imaging residual memory after the system has been cold rebooted. When the system is rebooted, the memory controller refreshes the DRAM by reading and writing each cell; from that moment decay halts and the values are fixed, and a program must run on the system that reads the data lying in memory using ordinary memory access instructions. The challenge is that the system itself overwrites memory while booting: loading a full operating system would be very destructive. A tiny special-purpose program is therefore needed that copies memory to some medium accurately. Such a program should require a trivial amount of RAM and should be loaded at an offset where it does not disturb the data of interest.

Once the memory dump has been taken, the sensitive information, such as the key of the algorithm in use, has to be located. This can be done using some signature of the software that uses the cryptographic algorithm, or some property of the algorithm itself, and the search has to work on corrupted data too. Decay can also be slowed by cooling the memory modules. Most modern cryptosystems are designed so that the smallest distortion of the key corrupts the plaintext completely, and trying all possible distortions of the key would require a huge amount of computation, making the attack infeasible. Some alternative and more intelligent way to locate and correct the key therefore has to be found.

8 Experiments carried out and results obtained

8.1 Imaging Tool

The Princeton University[2] researchers also provide a tool for dumping RAM, but other open-source tools are easier to configure. In this thesis the msramdmp tool from McGrew Security[20] was used to carry out the experiments. The tool was configured as follows.

1. msramdmp.tar.gz was downloaded from McGrew Security[20] and syslinux-3.61.tar.gz from the Syslinux project site.

2. The disk used for dumping has to be partitioned appropriately; fdisk was used for this. Two partitions were created. The first partition was of type FAT16 (fdisk type 6) and 1 megabyte in size. The second partition was of type Venix 80286 (fdisk type 40) and 4 GB in size, equal to the size of the system's RAM. Further partitions of this type were created so that several experiments could be run in one go.

3. The first partition was made bootable (the a command of fdisk toggles the bootable flag).

4. An msdos file system was created on the first partition with mkfs.msdos (mkfs.msdos /dev/sd<>1).

5. syslinux-3.61.tar.gz was untarred. Its mbr subdirectory contains the 512-byte master boot record file mbr.bin, which was written to the dumping drive with dd if=mbr.bin of=/dev/sd<>.

6. The tree contains another subdirectory from which syslinux was installed into the first partition with ./syslinux /dev/sd<>1.


7. The first partition was mounted and the files from the untarred msramdmp archive were copied into the mounted partition.

Using the above procedure any external disk can be configured for taking a dump of RAM. A disk was configured in this way and a memory dump of a PC was taken. Dumping 1 GB of RAM took approximately 25 minutes. To reduce the dumping time for the experiments, hard disks with SATA interfaces were used instead, which brought the dumping time down to about 30 seconds. After each dump the tool changes the partition type to 41, and it has to be set back to 40 before the next dump. Before each experiment the dumping partition was overwritten with zeros from /dev/zero.

8.1.1 Experiments of memory remanence

To observe the effect of memory remanence, the RAM was filled with the repeated string "lasteffortforcoldboot" and a memory dump was taken using a hard disk configured as described above. In the BIOS the external disk was set as the primary boot device and the dump was taken. The system was cold-rebooted after an interruption of 2 seconds and of 5 seconds. Experiments were carried out on two laptops and three workstations. Both laptops are equipped with DDR3 RAM; of the three workstations, two are equipped with DDR3 RAM and one with DDR2 RAM. About five cold boot attempts were made on each system. Of all these systems only the one with DDR2 RAM showed a memory remanence effect, so all results reported below were obtained on this system.

A sample of the dumped content follows (address, then the 16 bytes at that address as characters, as printed by the hex dump tool).

Output after 2 seconds:

Address   Content
03ec280:  tlastmfoortfozc.
03ec290:  ldboo.l.steff.r.
03ec2a0:  forco.d.ootla.t
03ec2b0:  ffortfozcoldb.ot
03ec2c0:  lasteff.rtforgo.
03ec2d0:  dboot.a.teffo.t
03ec2e0:  orcol.b.otlas.e.
03ec2f0:  fortfor.oldboot.
03ec300:

Output after 5 seconds:

Address   Content
03ec280:  tlastf.grtfo.c.
03ec290:  ldboo.l.steff.r.
03ec2a0:  forco.d.ootla.t.
03ec2b0:  fforto.coldb.o.
03ec2c0:  laSteff.rtforwo.
03ec2d0:  dboot.a.teffo.t.
03ec2e0:  orcol.b.otl's.e.
03ec2f0:  fortf.p.gldbo.t.
03ec300:  astefoo

8.1.2 Study of Statistical patterns

After the initial study confirming the memory remanence effect, a statistical study of the distortion pattern is necessary so that it can be exploited for cryptanalytic purposes; it also guides the design of an algorithm for detecting and correcting sensitive data. The Princeton University[2] work had already reported that distortions from 0 to 1 and from 1 to 0 occur at different rates. Experiments were carried out to estimate the distortion pattern in a statistical sense only, initially as a function of time. To draw conclusions about the distortion pattern, the sample size was increased from a small number of bits until the observed values of the statistical parameters stopped changing. Repeated experiments gave nearly consistent results. Detailed results are shown in Table 8.1 and Table 8.2.


Table 8.1: Statistics of distortion pattern after 2 seconds

Total no. of bits          1680   3360   5040   6720   8400
No. of changed bits         118    234    352    462    576
Zero to one                 116    230    346    455    568
One to zero                   2      4      6      7      8
% zero to one change       6.90   6.84   6.86   6.77   6.76
% one to zero change       0.11   0.12   0.12   0.10   0.09
% of total change          7.02   6.96   6.98   6.87   6.85

Table 8.2: Statistics of distortion pattern after 5 seconds

Total no. of bits           800   1600   2400   3200   4000   4800
No. of changed bits         114    368    679    948   1241   1518
Zero to one                 106    283    488    672    870   1059
One to zero                   8     85    191    276    371    459
% zero to one             13.29  17.70  20.35  21.02  21.76  22.07
% one to zero              1.06   5.30   7.94   8.59   9.28   9.56
% of changed bits         14.35  23.04  28.29  29.62  31.04  31.63

These experiments were also carried out for other timings. The average observed statistics are shown in Table 8.3.

Table 8.3: Statistics of distortion with respect to time

Time (seconds)   % distortion
1                 5
2                10
5                30
10               48


8.1.3 AES Key Detection

Once the content of RAM has been dumped, a probable AES key has to be found in it. Almost all implementations of AES, including OpenSSL, precompute the round keys and then use them during encryption, and the round key bytes are normally stored in consecutive memory locations. The number of bytes in the round keys depends on the key size. For the two popular variants of AES, with 128-bit and 256-bit keys, 128-bit AES requires eleven 128-bit round keys, 16 x 11 = 176 bytes in total, and 256-bit AES requires fifteen, 16 x 15 = 240 bytes. The key expansion function is designed so that the expanded key has maximum entropy, i.e. its byte distribution is close to uniform. This can be used as a first-level filter: computing the byte frequencies and requiring that no byte occurs more than 10 times works in practice. Detailed experiments showed that this threshold works satisfactorily in 90% of cases; in the remaining cases it has to be raised to 20.

The strategy above cannot work on its own. As described in the explanation of the key expansion function, the round key data is generated in a systematic way, and this too can be exploited to detect a possible AES key. For example, starting from the four 32-bit words of the key, the 5th word is generated by XORing the first word with a transformed fourth word, the transformation consisting of a byte rotation, application of the S-box and addition of a round constant. Hence XORing the first word, the transformed fourth word and the fifth word gives a word consisting of all zeros. Since some bits are distorted, this value will contain a few ones as well. Distortion of a single bit in the fourth word may cause several discrepancies, because it passes through the S-box; this happens whenever the word index is a multiple of 4, whereas in the other cases distortion propagates linearly. For 128-bit AES, 40 such word equations are checked, and for 256-bit AES 52 (the 60-word schedule less the 8 words of the key), of which every fourth is nonlinear. At a distortion rate of 20%, roughly 256 of the 40 x 32 = 1280 equation bits can be expected to be distorted for 128-bit AES and roughly 330 of the 52 x 32 = 1664 bits for 256-bit AES. In practice a threshold of 200 works satisfactorily for 128-bit AES and 300 for 256-bit AES. The following algorithm combines the two approaches and works satisfactorily in practice (it was in fact suggested by the Princeton University researchers).


1. Starting from the first byte of the dump, take a window of 176 bytes for 128-bit AES (240 bytes for 256-bit AES).

2. Compute the byte-wise frequencies in the window and find the maximum frequency.

3. If the maximum frequency is greater than 10, go to step 5.

4. Compute the number of 1s in the 40 word equations for 128-bit AES (52 for 256-bit AES). If the number of 1s is less than 200 for 128-bit AES (less than 250 for 256-bit AES), report the window as a probable round key schedule. Go to step 5.

5. Stop if the end of the file has been reached; otherwise advance the window by one byte, take the next 176 bytes (240 bytes for 256-bit AES) and go to step 2.

8.1.4 AES key detection results

To carry out the experiments the AES implementation of OpenSSL 1.1.0e was downloaded; the directory openssl-1.1.0e/crypto/aes of the source tree contains the AES code. Using this library, an infinite loop was created that encrypts the same message with the same key again and again. While it was running the system was rebooted and a dump taken, and the key detection program was run on the dumped content. Sample results follow.

Sample 1: 128-bit AES key "venunallafromhyd". The key locating program found the following probable (distorted) round keys, one 16-byte round key per line:

7665 687d 6e63 6cf4 6166 726f 6d68 7970
32d3 ed49 5cb2 4161 3dd4 334e 50ac 4aa2
5505 9c0a 09b7 5d3f 3463 6e75 64df 245b
cf33 6549 c684 7864 f2e7 1617 9629 3248
c110 74c9 0684 0fae f473 11bc 624b 2bf4
63e1 d863 6575 c7dc 9106 d670 f36d f5f4
a007 906e c562 50a2 5474 d6d2 a711 7b52
f226 3632 3755 7690 6320 f842 c411 8394
a6ca d02e 919e aab6 e2be 52fc 36af 51e8
e1f4 552b 706a ed94 82d4 b669 b473 6e81
186b eba6 2801 a633 aad5 195a 1eae 77da

The actual 11 round keys for this key are:

7665 6e75 6e61 6c6c 6166 726f 6d68 7964
32d3 2d49 5cb2 4125 3dd4 334a 50bc 4a2e
5505 1c1a 09b7 5d3f 3463 6e75 64df 245b
cf33 2559 c684 7866 f2e7 1613 9638 3248
c010 77c9 0694 0faf f473 19bc 624b 2bf4
63e1 c863 6575 c7cc 9106 de70 f34d f584
a007 976e c572 50a2 5474 8ed2 a739 7b56
f226 2632 3754 7690 6320 f842 c419 8314
a6ca dc2e 919e aabe f2be 52fc 36a7 d1e8
e1f4 472b 706a ed95 82d4 bf69 b473 6e81
586b 4ba6 2801 a633 aad5 195a 1ea6 77db

Sample 2: 128-bit AES key "numbertheoretica". Probable (distorted) round keys:

6e75 6d62 6573 746a 656f 7265 747b 6365
968e 82f0 f3fe f698 9693 84fd e2fa e79c
b91a 5c68 4ae7 aaff dc75 2e0d 3eef c9d9
cec7 ddda 84ff 772b 5854 5927 66ff 90f7
7fa7 93e9 fbc6 e4d7 a3d2 bde4 c5cb 2d56
6e7f 934f 95f9 778c 362b ca68 f322 e73a
ddeb 1342 48df 64cf 7e39 aea6 8dff 49fe
32d0 cd1f 7adb a9fb 04fb 0777 89fa 4eef
53ff 24b8 293d 8d69 2dc6 8a1e a426 c4f5
bfe3 c2f1 96fe 4f98 bb18 c586 1f3e 01fb
3b9f 4d31 ad63 02bf 1659 c72f 096f c6fc

The actual round keys are:

6e75 6d62 6572 7468 656f 7265 7469 6361
968e 82f0 f3fc f698 9693 84fd e2fa e79c
b91a 5c68 4ae6 aaf0 dc75 2e0d 3e8f c991
cec7 ddda 8421 772a 5854 5997 66db 90b6
7fa7 93e9 fb86 e4c3 a3d2 bde4 c509 2d52
6e7f 934f 95f9 778c 362b ca68 f322 e73a
ddeb 1342 4812 64ce 7e39 aea6 8d1b 499c
32d0 cd1f 7ac2 a9d1 04fb 0777 89e0 4eeb
53ff 24b8 293d 8d69 2dc6 8a1e a426 c4f5
bfe3 c2f1 96de 4f98 bb18 c586 1f3e 0173
3b94 4d31 ad4a 02a9 1652 c72f 096c c65c

8.1.5 Reconstruction of Correct Keys

The experiments show that probable keys can be located with the approach above, but these probable keys are useless for actual decryption until the errors introduced by the cold boot process have been corrected. Halderman et al.[2] proposed an algorithm for this. It was applied to the round keys recovered from the dumps, but in almost all cases the errors could not be corrected, whereas the algorithm works well on the data supplied with it, which contains only unidirectional errors (1 to 0). To find a more efficient error correction mechanism, further statistics were computed on the byte-wise, word-wise, row-wise and column-wise distortion pattern. Sample statistics are given below.


Table 8.4: Byte-wise Hamming distances of the distorted key from the original round keys (each cell is the number of bit errors in one byte; the last column gives the row total as a percentage of the 128 bits of the round key)

Row   Col 1   2   3   4   5   6   7   8   9  10  11  12  13  14  15  16   Sum (%)
 1        0   0   0   0   0   1   0   1   0   0   0   0   0   2   0   1     3.90
 2        0   0   0   0   0   1   0   0   0   0   0   0   0   0   0   0     0.78
 3        0   0   0   0   0   1   0   4   0   0   0   0   0   2   0   2     7.03
 4        0   0   0   0   0   6   0   1   0   0   0   0   0   2   0   2     8.59
 5        0   0   0   0   0   1   0   2   0   0   0   0   0   3   0   1     5.47
 6        0   0   0   0   0   0   0   0   0   0   0   0   0   0   0   0     0.00
 7        0   0   0   0   0   5   0   1   0   0   0   0   0   4   0   3    10.16
 8        0   0   0   0   0   3   0   3   0   0   0   0   0   3   0   1     7.81
 9        0   0   0   0   0   0   0   0   0   0   0   0   0   0   0   0     0.00
10        0   0   0   0   0   1   0   0   0   0   0   0   0   0   0   2     2.34
11        0   3   0   0   0   3   0   3   0   3   0   0   0   2   0   2    12.50
Sum       0   3   0   0   0  22   0  15   0   3   0   0   0  18   0  14    (75 bits in total)

From the above data the following observations can be made.

1. Byte-wise minimum Hamming distance = 0.

2. Byte-wise maximum Hamming distance = 6.

3. Total Hamming distance over all rounds = 75 bits of 1408 (5.33%).

4. Many columns contain no distortion at all.

5. Byte-level distortion ranges from 0% to 75%.

6. Word-level distortion ranges from 0% to 30%.

7. Column-level distortion (88 bits per column) ranges from 0% to 25%.

8. Row-level distortion (128 bits per row) ranges from 0% to 12.5%.

Similar experiments were carried out with various other keys; the other observations follow nearly the same distribution with minor variations. Given this information, the simplest way of finding the correct key is brute force, trying all keys up to a certain Hamming distance from the recovered one. Even for 10% error one would need to try all keys up to Hamming distance 13, which requires roughly 2^40 trials. A literature survey[21] indicated that the method proposed by Alex Tsow[22] is more promising, because in repeated experiments the statistics showed many columns with zero error, and Tsow's approach is column based. The algorithm was implemented; its details and the results obtained are as follows.

1. As described in the round key generation algorithm, the round keys of a 128-bit key consist of 11 x 16 = 176 bytes. The probable key detection step of the previous section finds the distorted round keys in the dumped content; these are the input of step 2.

2. For all 256 x 256 possibilities of the 1st and 17th byte of the round keys, compute the 14th byte from these two guessed bytes using the AES round key transformation (the 17th byte is the XOR of the 1st byte, the S-box output of the 14th byte and the round constant).

3. Compute the Hamming distance of these three bytes from the corresponding distorted bytes and select the combination with minimum Hamming distance as the correct bytes of the round keys.

4. For all 256 possibilities of the 33rd byte, compute the 30th byte using the previously corrected 17th byte. The choice with minimum Hamming distance is selected as the correct value of the 30th and 33rd bytes. These two values also lead to the correct value of the 26th byte of the round keys.

5. Repeat this process for the 49th byte, which leads to the 46th, 42nd and 38th bytes, and continue until all elements of a particular row of the round keys have been determined.


6. Using all elements of any fully determined row, compute the original key.

The order in which round key bytes are determined during correction is shown in Table 8.5 (128-bit key) and Table 8.7 (256-bit key).


Table 8.5: Round key byte determination during key correction for a 128-bit key (each letter marks the step at which the byte in that position is determined, a dash a byte not determined by the column-1 chain; for rows 4 to 11 the step letters are listed in column order without the intervening dashes)

Col no.  1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
Row 1:   A - - - - - - - - - - - - A - -
Row 2:   A - - - - - - - - B - - - B - -
Row 3:   B - - - - C - - - C - - - C - -
Row 4:   C D D D D E
Row 5:   D E E E F E F
Row 6:   E F F G F G F G
Row 7:   F G H G H G H G H I
Row 8:   G H I H I H I J H I J
Row 9:   H I J I J K O I J K N I J K
Row 10:  I J K I O J K L N J K L M J K L
Row 11:  J K L M K L M K L M K L M

To test the effectiveness of this approach two experiments were carried out. In the first, a fixed percentage of errors was introduced at random positions in the round keys, with equal probability of flipping 0 to 1 and 1 to 0. In the second, actual round keys obtained from a cold boot dump were used. In both cases the errors could not be corrected. Tsow's[22] algorithm works well only when the first column contains few errors, and it proceeds with a single solution, which may not be correct and loses any chance of being corrected at a later stage. Taking these two facts into account a new algorithm is proposed, described as follows.

Definitions:

MaxIndex: the index (between 1 and 176 for a 128-bit key, 1 and 240 for a 256-bit key) such that an assumed value of the round key byte at this index, together with the previously corrected key bytes, determines the maximum number of further round key bytes.


MaxWeight: the maximum number of bytes that can be inferred from MaxIndex.

FirstIndex, SecondIndex, ThirdIndex: in the round key generation process, two known bytes of the round keys determine a third byte. The indexes of these three bytes are called FirstIndex, SecondIndex and ThirdIndex.

In the earlier approach the bytes were guessed along the first column, whereas in this approach an index is first determined that leads to the computation of the maximum number of bytes, so the process can start from any column. Another improvement is that, rather than keeping only the one solution with minimum Hamming distance, several solutions with small Hamming distances are kept, and the solution with minimum Hamming distance is selected only at a later stage. The steps of this approach are as follows.

1. For each column i from 1 to 16, repeat steps 2 to 6.

2. For all 256 x 256 possibilities of the ith and (i + 16)th byte of the round keys, compute the third byte of the round key relation that links them (the 14th byte for column 1) from these two guessed bytes using the AES round key transformation.

3. Compute the Hamming distance of these three bytes from the distorted dumped bytes and keep a limited number of combinations with the smallest Hamming distances as possible correct bytes of the round keys.

4. Find MaxIndex using the previously determined bytes.

5. For all 256 choices of the byte at MaxIndex, take MaxIndex as FirstIndex and the index of a previously determined byte as SecondIndex (if it can be used in the round transformation), compute the possible values of the byte at ThirdIndex, compute the Hamming distance from the dumped data and keep a limited number of solutions for the next step.

6. Repeat steps 4 and 5 until a complete row has been determined. Finally, select the solution with minimum distance.

7. Select the solution with minimum distance among the 16 solutions (one per starting column) as the required round keys.
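The detection procedure of section 8.1.3 and the MaxIndex beam search of this section share the same building block, the byte-level relations of the AES-128 key schedule, so both are shown in one added Python example. This is not the thesis's program: it generates the S-box and the key schedule from FIPS-197, scans a constructed memory image (seeded random filler, one real schedule, 20 bits flipped at fixed positions) with the byte-frequency and equation-count thresholds of section 8.1.3, and repairs the hit by repeatedly guessing the byte that fixes the most other bytes, keeping a beam of the partial assignments nearest to the dump. The beam width of 64, the FIPS-197 sample key and the flip positions are choices made for the example; the thesis kept 128 to 512 solutions and ran all 16 starting columns.

```python
"""AES-128 schedule search in a noisy memory image and repair of the hit
(sections 8.1.3 and 8.1.5). Added example, not the thesis's programs."""
import random
from collections import Counter

def _gen_sbox():
    """Rijndael S-box from GF(2^8) arithmetic rather than a 256-entry table."""
    sbox, p, q = [0] * 256, 1, 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF       # p *= 3
        q ^= (q << 1) & 0xFF; q ^= (q << 2) & 0xFF; q ^= (q << 4) & 0xFF
        q ^= 0x09 if q & 0x80 else 0                                # q /= 3
        x = q ^ (q << 1) ^ (q << 2) ^ (q << 3) ^ (q << 4)           # affine map
        sbox[p] = ((x ^ (x >> 8)) & 0xFF) ^ 0x63
        if p == 1:
            sbox[0] = 0x63
            return sbox

SBOX = _gen_sbox()
INV_SBOX = [SBOX.index(v) for v in range(256)]
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]
POP = [bin(v).count("1") for v in range(256)]

def _relation(a):
    """rk[a] = rk[b] ^ f(rk[c]) ^ r: S-box and round constant in a round's first word, identity elsewhere."""
    if a % 16 < 4:
        return a - 16, (a - 7 if a % 4 == 3 else a - 3), True, (RCON[a // 16 - 1] if a % 4 == 0 else 0)
    return a - 16, a - 4, False, 0
RELS = [(a,) + _relation(a) for a in range(16, 176)]      # (a, b, c, nonlinear, r)

def expand_key(key):
    """FIPS-197 key expansion: 16 key bytes -> 176 schedule bytes."""
    rk = list(key)
    for a, b, c, nl, r in RELS:
        rk.append(rk[b] ^ (SBOX[rk[c]] if nl else rk[c]) ^ r)
    return bytes(rk)

def schedule_distance(win):
    """Bits by which a 176-byte window violates the 40 word equations of 8.1.3."""
    return sum(POP[win[a] ^ win[b] ^ (SBOX[win[c]] if nl else win[c]) ^ r] for a, b, c, nl, r in RELS)

def find_schedules(dump, max_freq=10, threshold=200):
    """Sliding-window scan with the 8.1.3 thresholds; hits sorted by distance,
    because windows shifted by whole rounds also score low (true offset first)."""
    hits = []
    for off in range(len(dump) - 175):
        win = dump[off:off + 176]
        if Counter(win).most_common(1)[0][1] > max_freq:
            continue
        d = schedule_distance(win)
        if d < threshold:
            hits.append((d, off))
    return [(off, d) for d, off in sorted(hits)]

def _closure(known):
    """Value-independent propagation: bytes fixed by relations with two known
    bytes, in derivation order (the MaxIndex measure of 8.1.5 is its size)."""
    known, plan, changed = set(known), [], True
    while changed:
        changed = False
        for rel in RELS:
            missing = [x for x in rel[:3] if x not in known]
            if len(missing) == 1:
                known.add(missing[0]); plan.append((missing[0], rel)); changed = True
    return known, plan

def _solve(v, t, a, b, c, nl, r):
    """The unknown byte t of relation (a, b, c) from the other two."""
    if t == c:
        x = v[a] ^ v[b] ^ r
        return INV_SBOX[x] if nl else x
    return v[b if t == a else a] ^ (SBOX[v[c]] if nl else v[c]) ^ r

def correct_schedule(dump, beam=64):
    """Beam search in the spirit of the modified 8.1.5 algorithm: guess the byte
    fixing the most others (MaxIndex), keep the `beam` partial assignments nearest
    the dump, stop when the 16 key bytes are fixed, return the nearest full schedule's key."""
    known, cands = set(), [(0, bytearray(176))]
    while not set(range(16)) <= known:
        u = max((i for i in range(176) if i not in known), key=lambda i: len(_closure(known | {i})[0]))
        known, plan = _closure(known | {u})
        nxt = []
        for score, vals in cands:
            for val in range(256):
                w = bytearray(vals); w[u] = val; s = score + POP[val ^ dump[u]]
                for t, (a, b, c, nl, r) in plan:
                    w[t] = _solve(w, t, a, b, c, nl, r); s += POP[w[t] ^ dump[t]]
                nxt.append((s, w))
        nxt.sort(key=lambda x: x[0])
        cands = nxt[:beam]
    return min((bytes(w[:16]) for _, w in cands),
               key=lambda k: sum(POP[x ^ y] for x, y in zip(expand_key(k), dump)))

# Constructed image: the FIPS-197 sample key's schedule inside seeded random filler,
# with 20 bits flipped at fixed (byte, bit) positions in both directions.
KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
FLIPS = [(3, 0), (9, 5), (14, 2), (22, 7), (31, 1), (40, 4), (47, 6), (58, 3), (66, 0), (75, 5),
         (83, 2), (97, 7), (104, 1), (113, 4), (120, 6), (131, 3), (142, 0), (150, 5), (161, 2), (172, 7)]
def build_dump(key=KEY, offset=700, flips=FLIPS, size=2048, seed=1):
    rng = random.Random(seed)
    img = bytearray(rng.getrandbits(8) for _ in range(size))
    img[offset:offset + 176] = expand_key(key)
    for i, bit in flips:
        img[offset + i] ^= 1 << bit
    return bytes(img)
```

Calling build_dump(), then find_schedules() on the image and correct_schedule() on the 176-byte window it reports, recovers the sample key: the 20 flips cost at most a few bits per violated equation, so the true window scores far below the threshold of 200 while random windows score near 640, and the true partial assignment never drops out of a beam of 64 because every wrong extension adds roughly four bits of distance per derived byte. Raising the noise towards the 10% to 20% of Tables 8.1 and 8.2 requires the wider beams the thesis reports.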


The improvements above were implemented for 128-bit AES. The method was able to handle 10% errors in all cases when 512 solutions were maintained. With 15% error it is less accurate and corrects only 80% of the cases. A strategy that considers all 16 columns of the AES round key schedule one by one is time consuming, but the results show a higher success rate than that of the single column. Correcting more errors requires more time and a larger number of retained solutions. Table 8.6 summarises the success rate for 128-bit AES and Table 8.8 for 256-bit AES. These tables show that the modified method is better and can consistently handle errors up to 10%.


Table 8.6: Success rate for 128-bit AES

                 Considering 1 column                    Considering 16 columns
% error    1 sol.   128 sol.  256 sol.  512 sol.     1 sol.   128 sol.  256 sol.  512 sol.
1%          90%      100%      100%      100%         90%      100%      100%      100%
5%          50%      100%      100%      100%         55%      100%      100%      100%
10%         10%      100%      100%      100%         20%      100%      100%      100%
15%          2%       50%       60%       70%         20%       60%       60%       80%
20%          0%       30%       30%       30%          0%       30%       30%       30%

Time utilised (cells in printed order): < 1 sec, 14 sec, 37 sec, 1.40 min, 3.50 min, 8.26 min, 5 sec, 5 sec

8.1.6 Experiments with Veracrypt/Truecrypt[3]

To see the efficacy of the method with a real-life application, experiments were carried out with Truecrypt/Veracrypt[3]. Veracrypt uses two keys of 256 bits each. In the case of a 256-bit key the algorithm requires slight modification[3]: to determine the actual key one has to find two consecutive rows of round keys of 128 bits each[3]. The results obtained for AES-256 are better than those for AES-128; in this case up to 20% of errors could be corrected with 512 solutions. Since in this case the actual key was not known[3], the attack was mounted using a cold boot dump as well as a live dump taken while the created partition was in the mounted state[3]. Live dumping can be done when the attacker has direct access to the operating system, and there is then no distortion. Experiments were carried out by creating 10 volumes with ten different passwords; in more than 70% of cases the two 256-bit keys obtained using both attacks were the same. As explained earlier, Veracrypt first decrypts the volume header using a key derived from the user password and the 64-byte salt stored at the beginning of the volume. Since the password of the volume is not known, this cannot be done. To circumvent it, a temporary volume was created using a known password, and the first 512 bytes of the volume to be decrypted were replaced with the first 512 bytes of the volume created with the known password. Using a modified Truecrypt in which decryption is done using two 256-bit keys read from a known file, the encrypted volume was decrypted. The corrected key is kept at a place from where the modified Truecrypt decrypts the requisite volume. The detailed correction process and success rate are described in Table 8.7 and Table 8.8.
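The property that both the single-column and the 16-column correction strategies above rely on, and that the 256-bit Veracrypt case uses when it takes two consecutive 128-bit rows as the key, is that the whole round-key schedule is a deterministic expansion of the key. The following is an added illustration, not code from the thesis: it expands an AES-128 or AES-256 key per FIPS-197 and measures, bit by bit, how far a candidate key's schedule is from a decayed schedule image. The image is constructed by simulated bit flips with a fixed seed (an assumption for reproducibility), not taken from a real dump.

```python
import random
def _make_sbox():
    """AES S-box from GF(2^8) inverses (p * q == 1) followed by the affine map."""
    sbox = [0] * 256
    p = q = 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF  # p *= 3 in GF(2^8)
        q ^= (q << 1) & 0xFF                                    # q /= 3 in GF(2^8)
        q ^= (q << 2) & 0xFF
        q ^= (q << 4) & 0xFF
        if q & 0x80:
            q ^= 0x09
        rot = lambda v, k: ((v << k) | (v >> (8 - k))) & 0xFF
        sbox[p] = q ^ rot(q, 1) ^ rot(q, 2) ^ rot(q, 3) ^ rot(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox
SBOX = _make_sbox()

def expand_key(key: bytes) -> bytes:
    """FIPS-197 key expansion for AES-128/256: the 176- or 240-byte round-key schedule."""
    nk = len(key) // 4
    assert nk in (4, 8), "AES-128 or AES-256 key expected"
    w = [list(key[4 * i:4 * i + 4]) for i in range(nk)]  # first nk words are the key itself
    rcon = 1
    for i in range(nk, 4 * (nk + 7)):
        t = list(w[i - 1])
        if i % nk == 0:                    # RotWord, SubWord, Rcon
            t = [SBOX[t[1]] ^ rcon, SBOX[t[2]], SBOX[t[3]], SBOX[t[0]]]
            rcon = (rcon << 1) ^ (0x11B if rcon & 0x80 else 0)
        elif nk == 8 and i % nk == 4:      # extra SubWord in AES-256
            t = [SBOX[b] for b in t]
        w.append([a ^ b for a, b in zip(w[i - nk], t)])
    return bytes(b for word in w for b in word)

def decay(image: bytes, error_rate: float, seed: int = 7) -> bytes:
    """Constructed stand-in for a cold-boot dump: flip each bit with probability error_rate."""
    rng = random.Random(seed)                  # fixed seed is an assumption, for reproducibility
    out = bytearray(image)
    for i in range(len(out)):
        for bit in range(8):
            if rng.random() < error_rate:
                out[i] ^= 1 << bit
    return bytes(out)

def schedule_distance(candidate: bytes, image: bytes) -> int:
    """Bits on which the candidate's expanded schedule disagrees with the decayed image."""
    return sum(bin(a ^ b).count("1") for a, b in zip(expand_key(candidate), image))
```

For the true key the distance stays near the number of decayed bits (about 10% of 1408 bits for AES-128), while any other key disagrees on roughly half of the schedule, which is why a corrected candidate can be confirmed against the dump even at the error rates in Tables 8.6 and 8.8.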


Table 8.7: Round Key byte determination during Key Correction for 256-bit key

[Table body not recoverable from extraction: a grid of rows 1 to 15 against columns 1 to 14 showing which round-key byte pairs (labelled A1/A2 through N1/N2) are determined at each step of the correction.]


Table 8.8: Success Rate for 256-bit AES

                    Considering 1 Column                       Considering 16 Columns
% Error    1 sol.   256 sol.   512 sol.   1024 sol.    1 sol.   256 sol.   512 sol.
1%         90%      100%       100%       100%         100%     100%       100%
5%         70%      100%       100%       100%         100%     100%       100%
10%        20%      100%       100%       100%         80%      100%       100%
15%        0%       70%        80%        85%          0%       100%       100%
20%        0%       45%        50%        50%          0%       100%       100%
25%        0%       0%         0%         20%          0%       20%        30%
Time utilized (values as printed; their assignment to columns is not recoverable): < 1 sec, 31 sec, 3.53 min, 45 sec, 16.50 min, 43 min, 1.20 min

9 Conclusion

In this thesis, detailed experiments have been carried out with the cold boot attack. The experiments indicated that the attack is very effective against DDR-2 RAM with popular implementations of AES. With newer models of RAM like DDR-3 and DDR-4, memory remanence could not be observed. Detailed experiments to study distortion with respect to time were carried out. The key correction algorithm proposed in the literature was applied to get the actual key from a dump obtained using the cold boot attack. Using the proposed modification, an improvement in key correction has been observed: the proposed method is able to correct errors up to 10% in a 128-bit key and 15% errors for a 256-bit key. Experimentation with Truecrypt/Veracrypt[3] indicates that the attack can be mounted effectively in the cases where memory remanence can be observed. Various countermeasures have been proposed in the literature to avoid this attack. The effectiveness and efficiency of the proposed countermeasures, and the possibility of mounting the attack on DDR-3 and DDR-4, will be explored in the future. Giving a rigorous proof of optimality and of the existence of an algorithm for a given error rate, and finding the maximum error which can be corrected, is an interesting theoretical research problem.

Bibliography

1. JOY PERSIAL, G; PRABHU, M; SHANMUGALAKSHMI, R. Side channel Attack-Survey. Int J Adva Sci Res Rev. 2011, vol. 1, no. 4, pp. 54-57.
2. HALDERMAN, J. Alex; SCHOEN, Seth D.; HENINGER, Nadia; CLARKSON, William; PAUL, William; CALANDRINO, Joseph A.; FELDMAN, Ariel J.; APPELBAUM, Jacob; FELTEN, Edward W. Commun. ACM. 2009, vol. 52, no. 5, pp. 91-98. ISSN 0001-0782. Available from DOI: 10.1145/1506409.1506429.
3. TEAM, TrueCrypt. TrueCrypt-Free open-source disk encryption software for /XP, Mac OS X, and Linux, Sept 2012. URL http://www. . org/. [accessed 18 Sept-2012].
4. KOCHER, Paul. Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In: Advances in Cryptology—CRYPTO'96. 1996, pp. 104-113.
5. KOCHER, Paul; JAFFE, Joshua; JUN, Benjamin. Differential . In: Advances in cryptology—CRYPTO'99. 1999, pp. 789-789.
6. KASPER, Timo; OSWALD, David; PAAR, Christof. EM side-channel attacks on commercial contactless smartcards using low-cost equipment. In: Information Security Applications. Springer, 2009, pp. 79-93.
7. GENKIN, Daniel; SHAMIR, Adi; TROMER, Eran. RSA key extraction via low-bandwidth acoustic . In: International Cryptology Conference. 2014, pp. 444-461.
8. BONEH, Dan; DEMILLO, Richard A; LIPTON, Richard J. On the importance of checking cryptographic protocols for faults. In: International Conference on the Theory and Applications of Cryptographic Techniques. 1997, pp. 37-51.
9. BRIER, Eric; CLAVIER, Christophe; OLIVIER, Francis. Correlation power analysis with a leakage model. In: International Workshop on Cryptographic Hardware and Embedded Systems. 2004, pp. 16-29.


10. CHARI, Suresh; RAO, Josyula R; ROHATGI, Pankaj. Template attacks. In: International Workshop on Cryptographic Hardware and Embedded Systems. 2002, pp. 13-28.
11. BIHAM, Eli; SHAMIR, Adi. Differential fault analysis of secret key cryptosystems. Advances in Cryptology—CRYPTO'97. 1997, pp. 513-525.
12. YU, Han; XUECHENG, Zou; ZHENGLIN, Liu; YICHENG, Chen. Efficient DPA attacks on AES hardware implementations. International Journal of Communications, Network and System Sciences. 2008, vol. 1, no. 01, pp. 68.
13. WANG, A.; CHEN, M.; WANG, Z.; WANG, X. Fault Rate Analysis: Breaking Masked AES Hardware Implementations Efficiently. IEEE Transactions on Circuits and Systems II: Express Briefs. 2013, vol. 60, no. 8, pp. 517-521. ISSN 1549-7747. Available from DOI: 10.1109/TCSII.2013.2268379.
14. GUTMANN, Peter. Data remanence in semiconductor devices. In: Proceedings of the 10th conference on USENIX Security Symposium-Volume 10. 2001, p. 4.
15. DAVIES, Joshua. Implementing SSL/TLS using cryptography and PKI. John Wiley and Sons, 2011.
16. MILLER, Frederic P; VANDOME, Agnes F; MCBREWSTER, John. Advanced Encryption Standard. 2009.
17. STANDARD, Data Encryption. FIPS PUB 46-2. National Bureau of Standards. 1993.
18. KALISKI, Burt. PKCS# 5: Password-based cryptography specification version 2.0. 2000.
19. NIST. SP 800-38E, Recommendation for Modes of Operation: The XTS-AES Mode for Confidentiality on Storage Devices. NIST Special Publication.
20. MCGREW, W. msramdmp: McGrew Security RAM dumper. McGrew Security. 2008.
21. ALBRECHT, Martin; CID, Carlos. Cold boot key recovery by solving polynomial systems with noise. In: International Conference on Applied Cryptography and Network Security. 2011, pp. 57-72.


22. TSOW, Alex. An improved recovery algorithm for decayed AES key schedule images. In: International Workshop on Selected Areas in Cryptography. 2009, pp. 215-230.
