[Discuss] Cold Boot Attacks on Encryption Keys
Kent Borg
kentborg at borg.org
Sun Nov 10 11:20:43 EST 2013
On 11/10/2013 10:59 AM, Richard Pieri wrote:
> The only reliable defense against these is to maintain good physical
> security.
>
Correct.
But as I think about it, I don't think putting your machines in a co-lo
means you are completely doomed.
For example, say you are renting some physical space over which you have
some significant control. Be it a cage or maybe just a cabinet, you
should be able to have some intrusion detection (booby traps) and use
that to shut things down--including deleting keys.
One catch is that if you want high availability you had better have
redundancy across multiple co-los and your software design had better be
designed to handle such outages.
Your co-lo agreement had better not give them routine access or you will
always be down.
Another catch is that if your booby traps are triggered or your systems
are otherwise shut down and can't monitor themselves, you can't just come
back and enter your keys and restart things: not if you are
significantly paranoid. Who knows what snooping alterations have been
performed on your equipment? A big audit, inspection, and reinstallation
of key components is in order. I would suggest a healthy collection of
seals, both high quality standardized seals and custom seals.
I think it would be fun to design such a system. Not that the men with
the black bags from the TLA couldn't defeat it, just that they would
have to put significant effort into doing so and couldn't be certain
they could do so without detection.
Put another way, even at a co-lo I think good enough physical security
could be devised to force the TLAs to look at other avenues. Cyber
attacks, social engineering attacks, etc.
-kb