Abstract
A cold boot attack is a kind of side-channel attack that exploits a property of dynamic random-access memory. Using a cold boot attack, attackers can extract decayed key material from a running computer’s memory, which is a serious threat to computers using disk encryption software. Previously, an algorithm was presented that recovers a secret key from a decayed Advanced Encryption Standard key schedule. However, this method cannot recover a secret key if reverse bit flipping occurs, even in only one position, because this algorithm assumes a perfect asymmetric decay model. To remedy this limitation, we propose an algorithm based on the maximum likelihood approach, which can recover a secret key in an imperfect asymmetric decay model, i.e., where bit flipping occurs in both directions. We also give the theoretical bound of our algorithm and verify the validity thereof.
Notes
1. A similar analysis on RSA is shown in [7].
References
Albrecht, M., Cid, C.: Cold boot key recovery by solving polynomial systems with noise. In: Lopez, J., Tsudik, G. (eds.) ACNS 2011. LNCS, vol. 6715, pp. 57–72. Springer, Heidelberg (2011)
Alex Halderman, J., Schoen, S.D., Heninger, N., Clarkson, W., Paul, W., Calandrino, J.A., Feldman, A.J., Appelbaum, J., Felten, E.W.: Lest we remember: cold boot attacks on encryption keys. In: Proceedings of the 17th USENIX Security Symposium, 28 July–1 August, San Jose, CA, USA, pp. 45–60 (2008)
Henecka, W., May, A., Meurer, A.: Correcting errors in RSA private keys. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 351–369. Springer, Heidelberg (2010)
Heninger, N., Shacham, H.: Reconstructing RSA private keys from random key bits. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 1–17. Springer, Heidelberg (2009)
Huang, Z., Lin, D.: A new method for solving polynomial systems with noise over \(\mathbb{F}_2\) and its applications in cold boot key recovery. In: Knudsen, L.R., Wu, H. (eds.) SAC 2012. LNCS, vol. 7707, pp. 16–33. Springer, Heidelberg (2013)
Kamal, A.A., Youssef, A.M.: Applications of SAT solvers to AES key recovery from decayed key schedule images. IACR Cryptology ePrint Arch. 324 (2010)
Kunihiro, N.: An improved attack for recovering noisy RSA secret keys and its countermeasure (2015, to appear in ProvSec 2015)
Kunihiro, N., Honda, J.: RSA meets DPA: recovering RSA secret keys from noisy analog data. In: Batina, L., Robshaw, M. (eds.) CHES 2014. LNCS, vol. 8731, pp. 261–278. Springer, Heidelberg (2014)
Liao, X., Zhang, H., Koshimura, M., Fujita, H., Hasegawa, R.: Using maxsat to correct errors in AES key schedule images. In: IEEE 25th International Conference on Tools with Artificial Intelligence, 4–6 November 2013, Herndon, VA, USA, pp. 284–291 (2013)
Paterson, K.G., Polychroniadou, A., Sibborn, D.L.: A coding-theoretic approach to recovering noisy RSA keys. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 386–403. Springer, Heidelberg (2012)
Tsow, A.: An improved recovery algorithm for decayed AES key schedule images. In: Jacobson Jr., M.J., Rijmen, V., Safavi-Naini, R. (eds.) SAC 2009. LNCS, vol. 5867, pp. 215–230. Springer, Heidelberg (2009)
Acknowledgement
We would like to thank Junya Honda for helpful advice. This research was supported by CREST, JST and supported by JSPS KAKENHI Grant Number 25280001.
Appendices
A Proof of Theorem 1
In this appendix, we sketch the proof of Theorem 1, following the approach of Kunihiro and Honda [8]. First, we introduce some notation for the proof.
We denote by \(\mathbf{1}[\cdot ]\) the indicator function and by E[X] the expectation of a random variable X. Instead of \(\log \mathrm{Pr}[D|C]\), we use the score function \(R(x;y) = \log \frac{dF_x}{dG}(y),\ x, y \in \{0,1\}\), where \(F_x\) is the distribution of the imperfect asymmetric decay model, G is the mixture distribution \((F_0 + F_1)/2\) and \(dF_x/dG\) is the Radon-Nikodym derivative. Then, \(R(C_{i,j}; D_j)\) is \(\sum ^{i}_{r=1} \sum ^{m_r}_{k=1} R(C_{i,j}[r][k];D_i[r][k])\), where \(C_{i,j}[r][k]\) is the k-th computed byte with depth r and \(R(C_{i,j}[r][k];D_i[r][k])\) is the sum of the bit scores over the bits of \(C_{i,j}[r][k]\). Note that scoring with R(x; y) is equivalent to scoring with \(\log \mathrm{Pr}[D|C]\), so the performance of our algorithm does not change.
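As an added illustration (not code from the paper), the score function above in Python: \(F_x\) is the imperfect asymmetric decay channel with hypothetical flip probabilities delta0 (1 decays to 0) and delta1 (reverse flip 0 to 1), G is the mixture \((F_0+F_1)/2\), and the perfect asymmetric model is the special case delta1 = 0, where a single reverse flip sends the score of the correct candidate to minus infinity, which is the limitation the abstract describes. It also checks that E[R(X;Y)] equals the mutual information I(X;Y) used in the proof.

```python
import math

def decay_channel(delta0, delta1):
    """F_x(y): probability of observing bit y given original bit x.
    delta0 = Pr[1 -> 0] (decay toward the ground state),
    delta1 = Pr[0 -> 1] (reverse flip; 0 in the perfect asymmetric model).
    Parameter names are this example's, not the paper's."""
    return {(1, 0): delta0, (1, 1): 1 - delta0,
            (0, 1): delta1, (0, 0): 1 - delta1}

def score(F, x, y):
    """R(x; y) = log dF_x/dG (y) with G = (F_0 + F_1)/2.
    A zero-probability observation gives -inf: the candidate is impossible."""
    g = (F[(0, y)] + F[(1, y)]) / 2
    if F[(x, y)] == 0:
        return -math.inf
    return math.log(F[(x, y)] / g)

def byte_score(F, candidate, observed):
    """Score of one computed key-schedule byte against its decayed image,
    i.e. the sum of the bit scores of the eight bit positions."""
    return sum(score(F, (candidate >> k) & 1, (observed >> k) & 1)
               for k in range(8))

def mutual_information(F):
    """I(X;Y) in nats for a uniform key bit X. With the mixture G as the
    marginal of Y, this equals the expected score E[R(X;Y)]."""
    total = 0.0
    for x in (0, 1):
        for y in (0, 1):
            p_xy = 0.5 * F[(x, y)]
            if p_xy > 0:
                total += p_xy * score(F, x, y)
    return total

if __name__ == "__main__":
    perfect = decay_channel(0.3, 0.0)      # constructed parameters
    imperfect = decay_channel(0.3, 0.001)  # constructed parameters
    # Correct byte 0x00 observed as 0x01: one reverse flip in bit 0.
    print("perfect model:  ", byte_score(perfect, 0x00, 0x01))
    print("imperfect model:", byte_score(imperfect, 0x00, 0x01))
    print("I(X;Y) nats:    ", mutual_information(imperfect))
```

Under the perfect model the correct candidate scores -inf after the reverse flip and can never be selected; under the imperfect model its score stays finite and it can still outrank wrong candidates.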
We use Lemmas 1 and 2 of [8]. Lemma 1 is the Chernoff inequality and Lemma 2 evaluates the score of the incorrect candidates. Our algorithm differs from theirs in that it has the structure of a 256-ary tree. Thus, we use Assumption 1 (2) and modify Lemma 2 into the following form.
Lemma 2 (modified from Lemma 2 of [8]). For all \(i > d\) and \(j \in \{ 256^{d-1}+1, \cdots , 256^d \}\),
Proof of Theorem 1
(sketch). Let \(l = \lfloor \log _{256} L \rfloor \). We can assume without loss of generality that the index of the correct key schedule is \(j = 1\). By the union bound and some transformation, the error probability of our algorithm can be bounded by
Let \(u \in (R, I(X;Y))\) be arbitrary. Then the probability in (4) is bounded by
The former and latter probabilities in (5) can be bounded by
where \( \varLambda ^{*}(u) = \sup _{\lambda \le 0}\{ \lambda u - \ln E[\exp (\lambda X)] \}\).
Combining the bounds with (5), we have
Note that we can consider \(m_d = 1/R\) for a larger L. We finish the proof with (4) and (6) and obtain
B Experimental Results
Table 6 shows the success rates for different L values and key lengths in detail. As mentioned in Sect. 4, the result shows that a larger L raises the success rate. On the other hand, the success rate is independent of the key length.
Copyright information
© 2016 Springer International Publishing Switzerland
Cite this paper
Tanigaki, T., Kunihiro, N. (2016). Maximum Likelihood-Based Key Recovery Algorithm from Decayed Key Schedules. In: Kwon, S., Yun, A. (eds) Information Security and Cryptology - ICISC 2015. ICISC 2015. Lecture Notes in Computer Science(), vol 9558. Springer, Cham. https://doi.org/10.1007/978-3-319-30840-1_20
DOI: https://doi.org/10.1007/978-3-319-30840-1_20
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-30839-5
Online ISBN: 978-3-319-30840-1