According to the article \"Lest We Remember: Cold Boot Attacks on Encryption Key

Question

According to the article "Lest We Remember: Cold Boot Attacks on Encryption Keys" there is a quick and dirty entropy test that can help to find possible AES Key Schedules in memory dumps. Although there are references to this algorithm in blogs of other famouse cryptographers (for example, this post), I haven't been able to find any explanation why it works and why this algorithm is correct. Is there anybody who can provide me with a proof of correctness of this entropy test or can just explain me why it actually works?

Explanation / Answer

The way you worded the question is misleading, as the entropy test is performed AFTER they have extracted an AES key from memory. The test is used to confirm whether it is a likely encryption key or an AES key used for benchmarking or algorithm verification.

The actual procedure involves cycling through the entire memory space, and examining each block of memory that could be the size of a computed key schedule, which may look daunting, but is actually quite fast, due to the simplicity of the key schedule. They cycle through the memory space in word increments and compute the first iteration of the key schedule. If it matches the next words in memory, the entire key schedule is performed and compared. This is about 134 million iterations in total on a 4GB memory space, which only takes a few minutes; it is especially if the testing system has AESNI instructions on multiple cores, the search may only take seconds. The full key schedule is 10 iterations for a 128-bit key.

Related Questions

Navigate

• Browse (All)
• Browse A
• Subjects

Integrity-first tutoring: explanations and feedback only — we do not complete graded work. Learn more.