TRESOR implements AES encryption without storing keys in RAM

Tuesday, September 13th, 2011 | Jim Cheetham | Comments Off on TRESOR implements AES encryption without storing keys in RAM

TRESOR is a kernel patch for Linux 2.6.36 that offers interesting protection against attacks on encryption keys that are stored in RAM.

Many DRAM chips hold their state for a relatively long time after power-off — long enough for an attacker to boot their own OS and dump a complete copy of your running RAM image. Sometimes even long enough to remove the chips and re-insert them into a separate machine for copying!

If an attacker has a copy of your RAM, he also has a copy of any encryption keys that you are currently using, i.e. for disk encryption products.

The TRESOR patch has found an effective way to keep your AES private keys out of RAM, stashing them into the debug registers of your CPU (preferably an Intel Core i5 or Core i7 with the AES-NI extensions) and performing encryption/decryption directly in the CPU. This protects your AES key from anyone reading RAM, because it simply isn’t in there! If you further restrict your kernel to remove the ability to insert modules and to provide /dev/kmem, there is no known way to extract your key from the machine at all, but it can still be used efficiently.

The current downsides to the project are of course the limited kernel version support and problems with the user interface for providing the key at initial boot and when returning from suspend. But it provides a level of protection that even the Trusted Platform Module hardware solution cannot match.

Do you do Java

Thursday, September 8th, 2011 | Mark Bedford | Comments Off on Do you do Java

Oracle have released Java 7 which includes some security updates along with several new features. It can coexist with existing versions and has installers for 32 and 64 bit systems. The installer does not remove any previous versions of Java, which seems to be an intended feature. However from an application security perspective, why would you leave a susceptible application installed. Java is one of the most targeted applications in use today, so if you want to run only the latest version remember to uninstall Java 6.