Monday, October 26, 2009

Attack on Drive Encryption

Recently Joanna Rutkowska posted about a simple yet affective attack she preform on TrueCrypt, (a popular data encryption utility). Although the attack, (dubbed Evil Maid) was carried out on a TrueCrypt encrypted volume the attack was shown to be affective on other forms of drive encryption like PGP.
The scenario of the attacks work like this:
  • The attacker gains access to your system and boots from a external volume.
  • Then installs the Evil Maid sniffer on the victim computer.
  • After a restart the sniffer will capture and record the paraphrase the next time the user enters it in to the system.
Computers that have a Trusted Platform Module (TMP) can defend against these type of attacks.
A TPM is a microchip designed to provide basic security-related functions, primarily involving encryption keys. The TPM is usually installed on the motherboard of a computer or laptop, and communicates with the rest of the system using a hardware bus.
Computers that incorporate a TPM have the ability to create cryptographic keys and encrypt them so that they can be decrypted only by the TPM.Because the TPM uses its own internal firmware and logic circuits for processing instructions, it does not rely upon the operating system and is not exposed to external software vulnerabilities.

This type of attack helps reinforce a philosophy of computer security that if a attacker has physical access to your system there is little you can do to protect it.

Read more about Evil Maid on Joanna Rutkowska's blog http://theinvisiblethings.blogspot.com/2009/10/evil-maid-goes-after-truecrypt.html

No comments:

Post a Comment