Well, probably everybody knows that USENIX conferences are one of the best security conferences where you can present your research, TRESOR is only one of the great paper presented this year. Built mainly from University of Erlangen-Nuremberg, Germany it ensures that all encryption states as well as the secret key and any part of it are only stored in processor registers throughout the operational time of the system, thereby substantially increasing its security. Their solution takes advantage of Intel’s new AES-NI instruction
set and exploits the x86 debug registers in a non-standard way, namely as cryptographic key storage. TRESOR is compatible with all modern Linux distributions, and its performance is on a par with that of standard AES implementations. I totally suggest this reading which better explains how it works.
TRESOR is resistant against cold boot attacks and other attacks on main memory. If you don’t remember these kind of attacks, I suggest those readings (yet USENIX): “Lest We Remember: Cold Boot Attacks on Encryption Keys“, “Introduction to Cold Boot Attack” and those experimental guidelines from Princeton University… and yes, of course the attack code (From Princeton University too)
Running TRESOR on a 64-bit CPU that supports AES-NI, there is no performance penalty compared to a generic implementation of AES and the supported key sizes are 128, 192 and 256 bits (full AES).
Running TRESOR on a plain old 32-bit CPU, supporting at least SSE2, is possible as well. But you get a performance penalty of about factor six compared to generic AES and the only supported key length is 128 bits. Thus, we recommend to use TRESOR in combination with one of Intel’s new Core-i processors supporting AES-NI (e.g., Core-i5 or Core-i7).
Here the Download Page.
Here the configuration and utilization page.
As they honestly pointed out, Loop-Amnesia is a similar project.
One thought on “ TRESOR: Secure Encryption Out of RAM ! ”
Very useful material, much thanks for this article.