One of the adages of computing is that no hardware is safe when a hacker has physical access to the machine. In an age of booming laptop sales, people haven't found that reassuring and have frequently turned to disk encryption in an effort to protect their personal data. A new paper (PDF) by a group of Princeton computer scientists suggests that disk encryption is vulnerable to a hack that will be hard to correct for: data about the encryption can be extracted from the machine's RAM.

Most people know that the contents of RAM are lost when a machine powers down. The paper notes, however, that this process isn't instantaneous. In their tests, the authors found that various forms of RAM take anywhere from 2.5 to 35 seconds to reach a null state (newer RAM got there faster). That process is temperature-dependent; dropping the RAM to -50°C cut the rate at which memory was lost to 0.1 percent per minute. If that temperature seems hard to reach, it's not. The researchers achieved it by turning a canned air dispenser upside-down and spraying it on the RAM chip. Dropping the chip in liquid nitrogen kept the error rate at a similar level for up to an hour.

That's more than long enough to move the chip to a new machine for analysis. But the researchers also developed ways to hack the RAM while in place. A quick reboot will also preserve the contents of memory but, in most cases, large portions of that memory are quickly overwritten by the operating system during the boot sequence. To avoid this problem, the researchers devised tiny kernels that took up very little memory while dumping the remaining contents onto disk for further analysis. These included versions that booted from USB drives or operated over a netboot infrastructure.

With the memory contents in hand, the next step was to crack the encryption and compensate for the sporadic memory errors. Here, the researchers relied on the fact that most decryption systems store information derived from the encryption keys in memory to speed calculations. These key schedules have some known features that make finding them largely a matter of scanning for patterns in the memory. Once near matches are identified, they can be set aside for more detailed analysis (including corrections for memory errors), eliminating most brute force aspects of the cracking.

The authors also noted that memory in the RAM chips they examined decayed in a stereotypical pattern across their tests, allowing for the possibility of sophisticated error correction based on the identification of these patterns. That level of sophistication, however, wasn't needed for their current implementations.
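The key-schedule scan described above can be used by a forensic examiner or developer to check whether a memory image still holds an expanded AES key. The sketch below is an added example, not the paper's code. It assumes AES-128 only, assumes the 16 key bytes themselves are undamaged, and uses a constructed sample image and an arbitrary threshold of 16 bit errors.

```python
def _build_sbox():
    """AES S-box: inverse in GF(2^8) followed by the affine transform."""
    sbox, p, q = [0] * 256, 1, 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF  # p *= 3
        for s in (1, 2, 4):                                    # q /= 3
            q ^= q << s
        q &= 0xFF
        if q & 0x80:
            q ^= 0x09
        x = q
        for r in range(1, 5):                                  # affine transform
            x ^= ((q << r) | (q >> (8 - r))) & 0xFF
        sbox[p] = x ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63  # 0 has no inverse
    return sbox

SBOX = _build_sbox()

def expand_key_128(key):
    """Return the 176-byte AES-128 key schedule (the key plus 10 round keys)."""
    w, rcon = bytearray(key), 1
    for i in range(16, 176, 4):
        t = w[i - 4:i]
        if i % 16 == 0:  # first word of each round key: RotWord, SubWord, Rcon
            t = bytes([SBOX[t[1]] ^ rcon, SBOX[t[2]], SBOX[t[3]], SBOX[t[0]]])
            rcon = (rcon << 1) ^ (0x11B if rcon & 0x80 else 0)
        w += bytes(a ^ b for a, b in zip(w[i - 16:i - 12], t))
    return bytes(w)

def find_key_schedules(image, max_bit_errors=16):
    """Return (offset, key_hex, bit_errors) for each near match in the image."""
    hits = []
    for off in range(len(image) - 175):
        window = image[off:off + 176]
        # Treat the first 16 bytes as a key and compare its schedule to what follows.
        expected = expand_key_128(window[:16])
        errs = sum(bin(a ^ b).count("1") for a, b in zip(expected[16:], window[16:]))
        if errs <= max_bit_errors:
            hits.append((off, window[:16].hex(), errs))
    return hits

def make_sample_image():
    """Constructed input: filler, the FIPS-197 example schedule with 4 flipped bits, filler."""
    sched = bytearray(expand_key_128(bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")))
    for pos, bit in ((20, 0x01), (75, 0x10), (130, 0x80), (170, 0x04)):
        sched[pos] ^= bit  # simulated decay in the round keys only
    filler = bytes((i * 37 + 11) & 0xFF for i in range(64))
    return filler + bytes(sched) + filler

if __name__ == "__main__":
    print(find_key_schedules(make_sample_image()))
```

A hit in an image taken after a volume is unmounted or a process has exited means the key material was not wiped from memory.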

The paper describes algorithms for recognizing and extracting AES, DES, RSA, and tweak key information from memory. The authors have also turned these on most of the common encryption methods, including TrueCrypt and dm-crypt, as well as Mac OS X's FileVault and Vista's BitLocker. Using an external USB drive, the authors were able to identify and extract the key and mount a BitLocker-encrypted volume in about 25 minutes. While wandering around the memory of an Intel Mac, they not only cracked the FileVault encryption but also stumbled onto multiple copies of the login password.

The paper includes a number of suggestions for improving security in the face of this kind of attack, but most of them would involve either changes in the hardware architecture or a radical overhaul of the encryption process itself. In most cases, the changes would simply make the attack harder, rather than impossible. Overall, it seems that disk encryption may help prevent casual data loss, but it is no match for a well-prepared attacker.
