
I understand that the longer a computer is off, the more resistant it is to a cold boot attack. I also understand that an AES key can be reconstructed from a redundant round key schedule even after a large percentage of the bits in memory have decayed, and RSA private keys can be obtained in a similar fashion. According to this paper, there is a period of slow bit decay, followed by a period of rapid decay, followed by a period of slow decay. How long would it take for the redundant information from which the key is recovered to degenerate to the point where it cannot be recovered? Would it be a matter of hours? Days? Or would it take several weeks for the bits to decay sufficiently? The paper gives an indication that the key can be recovered if the computer is turned off, but it gives no indication of how long.

davidb
Zen Hacker

1 Answer

There are some factors that are crucial for this kind of attack. The RAM of a PC is not flushed immediately after the PC is powered off, but in normal cases it is flushed in under a minute. When this attack was migrated first by scientists, they said the memory needed between 10 and 30 seconds until the content wasn't usable anymore.

This period of time can be increased by using ice spray, like it's done in the cold boot attack. They said this will increase the lifetime of the data in the memory to 10+ minutes after the PC was powered off.

There are also some practical issues that can prevent such an attack. When you reboot a PC there are two stages of memory testing in which the BIOS writes to the memory. In the first stage, which is not optional, the first 64k are tested. In the second stage, which is optional, the whole memory is tested. This test writes to the memory, and if this happens the cold boot attack will not work anymore because all the content you needed has been overwritten. So you have to skip the test.

Also, boot passwords are likely to obstruct your attempt to boot a live system. This is of course needed to dump or at least analyse the memory of the PC. This might prevent the attack altogether, because even a weak security measure that can be overcome in half an hour might cost you so much time that the data in the memory is gone.

I heard of some cases where the police tried to prevent their suspects from turning off their PCs because they wanted to carry out a cold boot attack. One of these cases took place in Germany (where I come from). The suspect was an arms dealer on the darknet, and he was so paranoid that he only ran his laptop with an electric wire and a detached battery. In the raid the suspect pulled out the electric wire, and the police then weren't able to recover the cryptographic key. You can find the whole article here.

davidb
  • So if a PC is powered off for several hours, without the memory being frozen, would the memory be completely flushed? Or would it still be possible to recover the key? I'm kind of confused by this, because part of the literature on cold boot attacks says that they can be carried out on PCs that are powered off, but other parts suggest that memory decays too quickly to do this after more than a few seconds. – Zen Hacker Jan 06 '16 at 16:06
  • @ZenHacker After several hours, the memory would _absolutely_ be gone. – forest May 19 '18 at 23:29