DM-Crypt Archive on lore.kernel.org
From: Arno Wagner <arno@wagner.name>
To: dm-crypt@saout.de
Subject: Re: [dm-crypt] Retrieve the Passphrase from RAM Memory
Date: Tue, 27 Sep 2011 12:17:51 +0200
Message-ID: <20110927101751.GA18567@tansi.org>
In-Reply-To: <CACFtf0c_ZU7eLsct1g7Cdyijb0-UG9L8JzJLH0CR90RdQU8WDA@mail.gmail.com>

On Mon, Sep 26, 2011 at 11:34:05PM -0300, Eduardo Schultze wrote:
> Hello,
> 
> I'm a Security Information student at Unisinos College, Brazil. As a paper
> during this semester it was me and my colleagues' choice to write a paper
> about LUKS on Ubuntu 10.4.
> 
> My question is -  Is it possible to retrieve the passphrase from RAM memory
> after a successful authentication and shutdown? In this case we would turn
> the system on, authenticate, turn off, and then check if the passphrase
> would still be in the RAM memory even with the turned off computer.

No. The passphrase is not stored and the PBKDF2 iterations
prevent reconstructing it.

However, you can get the master key. DRAM keeps state only for 
seconds after turn-off. You can freeze the RAM (I believe some people
around Ross Anderson have done that with some success) to extend that 
time.
 
> If not, would it be possible to dump the RAM memory and retrieve the
> passphrase (now with the system turned on)?
> 
> I looked for these answers at the FAQ section but couldn't find it.

They are not there, because they have low relevance in practice. 
If somebody gets access to the physical machine while
the container is unlocked, you should assume they can get access
to the data. They would still not get the passphrase.

For the memory-dump, you can extrapolate the techniques used
in FAQ item 

   "How do I recover the master key from a mapped LUKS container?"

Or you can just try every 256 bit word from the memory dump. 
As you do not need iterations if you have the master key, that 
should be doable pretty fast. Incidentally, that is one of the
ways DeCSS (break of DVD encryption) got the key from a software
player.

As to your paper, good choice! I also suggest you put in
a section about LUKS usability (of paramount importance
with security software, but often forgotten) and the typical
problems people have. The mailing-list archive should 
provide plenty of examples.

Is the paper going to be in English? If so, I would like
to get a copy once it is finished. Might be instructive to
get an outside view.
 
Arno
-- 
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@wagner.name 
GnuPG:  ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C  0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier 
