Jacob Appelbaum

Lest we remember: cold-boot attacks on encryption keys

Contrary to widespread assumption, dynamic RAM (DRAM), the main memory in most modern computers, retains its contents for several seconds after power is lost, even at room temperature and even if removed from a motherboard. Although DRAM becomes less reliable when it is not refreshed, it is not immediately erased, and its contents persist sufficiently for malicious (or forensic) acquisition of usable full-system memory images. We show that this phenomenon limits the ability of an operating system to protect cryptographic key material from an attacker with physical access to a machine. It poses a particular threat to laptop users who rely on disk encryption: we demonstrate that it could be used to compromise several popular disk encryption products without the need for any special devices or materials. We experimentally characterize the extent and predictability of memory retention and report that remanence times can be increased dramatically with simple cooling techniques. We offer new algorithms for finding cryptographic keys in memory images and for correcting errors caused by bit decay. Though we discuss several strategies for mitigating these risks, we know of no simple remedy that would eliminate them.

Short Chosen-Prefix Collisions for MD5 and the Creation of a Rogue CA Certificate

We present a refined chosen-prefix collision construction for MD5 that allowed creation of a rogue Certification Authority (CA) certificate, based on a collision with a regular end-user website certificate provided by a commercial CA. Compared to the previous construction from Eurocrypt 2007, this paper describes a more flexible family of differential paths and a new variable birthdaying search space. Combined with a time-memory trade-off, these improvements lead to just three pairs of near-collision blocks to generate the collision, enabling construction of RSA moduli that are sufficiently short to be accepted by current CAs. The entire construction is fast enough to allow for adequate prediction of certificate serial number and validity period: it can be made to require about 249 MD5 compression function calls. Finally, we improve the complexity of identical-prefix collisions for MD5 to about 216 MD5 compression function calls and use it to derive a practical single-block chosen-prefix collision construction of which an example is given.

High stakes: designing a privacy preserving registry

This paper details our experience designing a privacy preserving medical marijuana registry. In this paper, we make four key contributions. First, through direct and indirect interaction with multiple stakeholders like the ACLU of Washington, law enforcement, the Cannabis Defense Coalition, state legislators, lawyers, and many others, we describe a number of intersting technical and socially-imposed challenges for building medical registries. Second, we identify a new class of registries called unidirectional, non-identifying (UDNI) registries. Third, we use the UDNI concept to propose holistic design for a medical marijuana registry that leverages elements of a central database, but physically distributes proof-of-enrollment capability to persons enrolled in the registry. This design meets all of our goals and stands up in the face of a tough threat model. Finally, we detail our experience in transforming a technical design into an actual legislative bill.