Discussion:
req: utility to automatically flush BIOS keyboard buffer after pre-boot authentication
thang ornithorhynchus
2009-02-19 23:05:53 UTC
The BIOS keyboard buffer retains the pre-boot PW for Drivecrypt plus
pack (and TRuecrypt, possibly others). This can quite easily be
extracted via USB tools or more sophisticated means up to X time after
boot, in plain text. Major hole in the process. I need to know if
there is an automated utility which will invoke with M$ and flush the
buffer? Even a DOS routine, BASIC or similar which can be batched?

Any ideas?

thang
John Smith
2009-03-14 10:05:04 UTC
Post by thang ornithorhynchus
The BIOS keyboard buffer retains the pre-boot PW for Drivecrypt plus
pack (and TRuecrypt, possibly others). This can quite easily be
extracted via USB tools or more sophisticated means up to X time after
boot, in plain text. Major hole in the process. I need to know if
there is an automated utility which will invoke with M$ and flush the
buffer? Even a DOS routine, BASIC or similar which can be batched?
Any ideas?
thang
I think the maximum time any passwords in RAM or otherwise can be
recovered with special tools is 30 min after shut down, regards
nemo_outis
2009-03-14 14:56:39 UTC
Post by John Smith
Post by thang ornithorhynchus
The BIOS keyboard buffer retains the pre-boot PW for Drivecrypt plus
pack (and TRuecrypt, possibly others). This can quite easily be
extracted via USB tools or more sophisticated means up to X time after
boot, in plain text. Major hole in the process. I need to know if
there is an automated utility which will invoke with M$ and flush the
buffer? Even a DOS routine, BASIC or similar which can be batched?
Any ideas?
thang
I think the maximum time any passwords in RAM or otherwise can be
recovered with special tools is 30 min after shut down, regards
You think wrong. Modern RAM is completely unrecoverable after 30 seconds
or less - well under 5 seconds is typical.

It is only if the memory can be strongly cooled that it preserves state
for periods up to hours or days. However, it is exceedingly unlikely
that anyone, even in a no-knock raid, could open your computer and chill
your RAM fast enough after you shut the computer off.

Most of this nonsense traces back to the recent hysterical, self-
promoting, and fundamentally dishonest paper from Princeton:

Lest We Remember: Cold Boot Attacks on Encryption Keys
http://citp.princeton.edu/pub/coldboot.pdf

Note in the paper that for modern DDR2 RAM (types D, E, & F) memory
state was completely lost in 5 seconds for F, 2 seconds for D & E!

Regards,
John Smith
2009-03-15 07:56:52 UTC
Post by nemo_outis
Post by John Smith
Post by thang ornithorhynchus
The BIOS keyboard buffer retains the pre-boot PW for Drivecrypt plus
pack (and TRuecrypt, possibly others). This can quite easily be
extracted via USB tools or more sophisticated means up to X time after
boot, in plain text. Major hole in the process. I need to know if
there is an automated utility which will invoke with M$ and flush the
buffer? Even a DOS routine, BASIC or similar which can be batched?
Any ideas?
thang
I think the maximum time any passwords in RAM or otherwise can be
recovered with special tools is 30 min after shut down, regards
You think wrong. Modern RAM is completely unrecoverable after 30 seconds
or less - well under 5 seconds is typical.
It is only if the memory can be strongly cooled that it preserves state
for periods up to hours or days. However, it is exceedingly unlikely
that anyone, even in a no-knock raid, could open your computer and chill
your RAM fast enough after you shut the computer off.
Most of this nonsense traces back to the recent hysterical, self-
Lest We Remember: Cold Boot Attacks on Encryption Keys
http://citp.princeton.edu/pub/coldboot.pdf
Note in the paper that for modern DDR2 RAM (types D, E, & F) memory
state was completely lost in 5 seconds for F, 2 seconds for D & E!
Regards,
Thanks, I hadn't seen this article.
Mark F
2009-03-15 16:53:02 UTC
Original poster was asking how to clear a keyboard buffer, not main
memory. The idea is that a keylogger or whatever could get the
key by running before any keyboard ring buffer is overwritten.

It has nothing to do with cooling main memory to get information
after powerdown.

It seems if the pre-boot program can't clear the buffer itself it
should insist on additional data entry, but I don't know how
many characters would be required.
Post by John Smith
Post by nemo_outis
Post by John Smith
Post by thang ornithorhynchus
The BIOS keyboard buffer retains the pre-boot PW for Drivecrypt plus
pack (and TRuecrypt, possibly others). This can quite easily be
extracted via USB tools or more sophisticated means up to X time after
boot, in plain text. Major hole in the process. I need to know if
there is an automated utility which will invoke with M$ and flush the
buffer? Even a DOS routine, BASIC or similar which can be batched?
Any ideas?
thang
I think the maximum time any passwords in RAM or otherwise can be
recovered with special tools is 30 min after shut down, regards
You think wrong. Modern RAM is completely unrecoverable after 30 seconds
or less - well under 5 seconds is typical.
It is only if the memory can be strongly cooled that it preserves state
for periods up to hours or days. However, it is exceedingly unlikely
that anyone, even in a no-knock raid, could open your computer and chill
your RAM fast enough after you shut the computer off.
Most of this nonsense traces back to the recent hysterical, self-
Lest We Remember: Cold Boot Attacks on Encryption Keys
http://citp.princeton.edu/pub/coldboot.pdf
Note in the paper that for modern DDR2 RAM (types D, E, & F) memory
state was completely lost in 5 seconds for F, 2 seconds for D & E!
Regards,
Thanks, I hadn't seen this article.
nemo_outis
2009-03-16 02:45:52 UTC
Post by Mark F
Original poster was asking how to clear a keyboard buffer, not main
memory. The idea is that a keylogger or whatever could get the
key by running before any keyboard ring buffer is overwritten.
It has nothing to do with cooling main memory to get information
after powerdown.
It seems if the pre-boot program can't clear the buffer itself it
should insist on additional data entry, but I don't know how
many characters would be required.
Yes, I know that Drivecrypt and Truecrypt rushed out to flush the startup
memory buffer (which historically is a 32-byte ring buffer memory-mapped
to 0040:001E). DCPP apparently didn't (or if they did they didn't bother
bragging about it).

It's mostly marketing crap. If malware can run it could harvest the
actual encryption key from memory, never mind the lousy startup password
from the keyboard buffer.

Regards,
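An added example, not code from the thread or from any of the products named in it: a C model of the 32-byte BIOS keyboard ring at 0040:001E mentioned above, showing that a pre-boot prompt reading the password through the BIOS leaves its bytes in place, and what a loader-side flush (zero the ring, reset the head and tail pointers) does. The in-memory `bda` array, the fake scancode and the function names are constructed for this example; the offsets follow the standard BIOS Data Area layout.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model of the BIOS Data Area (real-mode segment 0x0040): on a
   DOS machine these are far pointers at 0040:xxxx; `bda` is a plain array so
   the example runs anywhere. Offsets follow the standard BDA layout. */
#define KB_HEAD    0x1A  /* word: offset of the next key INT 16h will return */
#define KB_TAIL    0x1C  /* word: offset where INT 09h stores the next key   */
#define KB_BUF     0x1E  /* 16 entries of 2 bytes (ASCII, scancode)           */
#define KB_BUF_END 0x3E  /* one past the 32-byte ring 0040:001E..003D         */
static uint8_t bda[0x100];
static uint16_t rd16(int o) { return (uint16_t)(bda[o] | (bda[o + 1] << 8)); }
static void wr16(int o, uint16_t v) { bda[o] = v & 0xFF; bda[o + 1] = v >> 8; }
void init_bda(void) { memset(bda, 0, sizeof bda); wr16(KB_HEAD, KB_BUF); wr16(KB_TAIL, KB_BUF); }
/* Model of INT 09h: store one keystroke (ASCII low byte, scancode high byte). */
static void bios_store_key(uint8_t ascii, uint8_t scancode) {
    uint16_t tail = rd16(KB_TAIL), next = tail + 2;
    if (next >= KB_BUF_END) next = KB_BUF;
    if (next == rd16(KB_HEAD)) return;          /* ring full: keystroke dropped */
    bda[tail] = ascii; bda[tail + 1] = scancode;
    wr16(KB_TAIL, next);
}
/* Model of INT 16h: consuming a key advances the head but erases nothing. */
static int bios_read_key(void) {
    uint16_t head = rd16(KB_HEAD);
    if (head == rd16(KB_TAIL)) return -1;       /* ring empty */
    wr16(KB_HEAD, head + 2 >= KB_BUF_END ? KB_BUF : head + 2);
    return bda[head];
}
/* A pre-boot prompt: the password is typed, then consumed one key at a time;
   returns how many characters the loader read. */
int prompt_password(const char *pw) {
    int n = 0;
    for (size_t i = 0; pw[i]; i++) bios_store_key((uint8_t)pw[i], 0x10);  /* 0x10: constructed scancode */
    while (bios_read_key() >= 0) n++;
    return n;
}
/* Keystroke ASCII bytes still readable in the ring after the prompt. */
int residue_bytes(void) {
    int n = 0;
    for (int off = KB_BUF; off < KB_BUF_END; off += 2) n += (bda[off] != 0);
    return n;
}
/* The loader's flush once the password is consumed: zero the ring, reset both pointers. */
void flush_keyboard_buffer(void) {
    memset(&bda[KB_BUF], 0, KB_BUF_END - KB_BUF);
    wr16(KB_HEAD, KB_BUF);
    wr16(KB_TAIL, KB_BUF);
}
```

Note that the ring holds at most 15 keystrokes before it reports full, so a longer password is truncated by the BIOS itself; the flush is needed regardless of length.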
John Smith
2009-04-09 06:51:36 UTC
Post by nemo_outis
Post by Mark F
Original poster was asking how to clear a keyboard buffer, not main
memory. The idea is that a keylogger or whatever could get the
key by running before any keyboard ring buffer is overwritten.
It has nothing to do with cooling main memory to get information
after powerdown.
It seems if the pre-boot program can't clear the buffer itself it
should insist on additional data entry, but I don't know how
many characters would be required.
Yes, I know that Drivecrypt and Truecrypt rushed out to flush the startup
memory buffer (which historically is a 32-byte ring buffer memory-mapped
to 0040:001E). DCPP apparently didn't (or if they did they didn't bother
bragging about it).
It's mostly marketing crap. If malware can run it could harvest the
actual encryption key from memory, never mind the lousy startup password
from the keyboard buffer.
Regards,
Isn't the key useless without the password?
Carsten Krueger
2009-04-09 11:33:00 UTC
Post by John Smith
Isn't the key useless without the password?
No. The key in main memory is fully decrypted (this cannot be changed,
because the key is needed to decrypt the hdd on the fly)

greetings
Carsten
--
ID = 0x2BFBF5D8 FP = 53CA 1609 B00A D2DB A066 314C 6493 69AB 2BFB F5D8
http://www.realname-diskussion.info - Real names are not mandatory
http://www.spamgourmet.com/ + http://www.temporaryinbox.com/ - Antispam
cakruege (at) gmail (dot) com | http://www.geocities.com/mungfaq/