Popular Encryption Methods May Be Flawed

Researchers from Princeton University have found a simple way to crack popular encryption software, including the FileVault feature built-in to Apple's operating system and BitLocker, which is included in Windows Vista. The software aims to store data in a scrambled form making it indecipherable if in the wrong hands.

Both programs use a federally approved algorithm that encrypts the information when it is written to, or read from, a hard disk. However, the keys allowing the computer to unscramble data are stored in the computer's memory. In theory, any information in a computer's memory disappears the moment a computer is shut down. But, it turns out a cold memory chip can retain data for anywhere between a few seconds and several minutes once the power is cut.

The researchers found that chips stored in liquid nitrogen could be transported to another machine and the data read, allowing them to find the key to the encryption. They then discovered that the technique could still work if the chips were simply cooled by a blast of cold air such as that found in dust remover sprays.

It's not clear whether the problem affects government-held information because the methods used to encrypt such data are kept secret.

Spokespersons for Apple and Microsoft said that encryption software only offered a certain degree of security, and that this could be enhanced by using physical methods which require a card or USB stick to be in a machine before data can be unscrambled. (Source: nytimes.com)

Clearly such attacks require data thieves have physical access to a machine, so the method wouldn't be any use to Internet hackers. A spokesman for the research group said, "The risk seems highest for laptops, which are often taken out in public in states that are vulnerable to our attacks." (Source: news.com)

Most of the concern over this vulnerability is with large corporations and government departments, particularly those who allow confidential information to be stored on laptops that can be stolen. Ordinary home users probably don't have much to worry about, though it may be worth making sure you don't leave a computer unattended in 'sleep' mode if there's even the slightest risk of it being nabbed.