Re: the cold-boot attack | |
| [Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] | |
Richard Zidlicky wrote: > Hi, > >> As a reaction to this "attack" I wonder if it might be possible to >> use level 2 cache of the processor to store keys in highly volatile >> memory space. 2 or more megabytes on the CPU die might be a last >> resort. As gpg prevents leaking keys from kernel ram to swap >> partitions, newer disk encryption might prevent keys to be stored >> in DRAM cells. Of course, elderly processors might not do this >> stunt due to lack of level 1/2/3 cache but newer architectures >> offer ever increasing megabytes. Is that a worthwhile option? > > there is aonether option that is well doable with todays technology. > On a multi-CPU machine run a dedicated noninterruptible kernel > thread on one of the cores which keeps essential parts of the key in > CPU registers at all times. > I'm curious how you would account for the key schedule information and other sensitive information. > Using some of the coprocessors would be another interesting idea but > much less portable. Yes, it is less portable but it is tamper resistant and specifically designed to thwart many types of attacks. Regards, Jacob Appelbaum - Linux-crypto: cryptography in and on the Linux system Archive: http://mail.nl.linux.org/linux-crypto/
[Home] [Kernel] [Linux Crypto] [Gnu Crypto] [Gnu Classpath] [Netfilter] [Bugtraq] [Network Security Reading]