How does Symantec Endpoint Encryption (SEE) 11.x and Symantec Encryption Desktop (SED) 10.x protect against the "Cold Boot" attack and how can end users better protect themselves?
Synopsis: The "Cold Boot" attack is a way to obtain data from stale memory by exploiting the data-remanence characteristics of the DRAM/SRAM found in all PCs. The data obtained can include keys, passwords, etc., and can be used to breach the security of software-based Disk Encryption (DE). A method to achieve this was first published by Princeton University researchers in February 2008. Enhancements to the initial attack were published in subsequent years, including in 2018, that defeat some of the countermeasures deployed by hardware and security vendors.
Specific protection against the "Cold Boot" or Princeton class of attack has been included in Symantec Endpoint Encryption (SEE) since SEE Full Disk v7.0. This protection is optional but is enabled by default. It ensures that cryptographic key information cannot be retrieved from RAM after shutdown or hibernation.
In Symantec Endpoint Encryption 8.x, the AES symmetric keys are never loaded into memory until the user authentication step is completed. Authentication is required whenever the machine is coming out of hibernation or being booted from a shut-down (cold) state. Even if the Symantec Endpoint keys were accessed in memory, a unique AES initialization vector still needs to be created to encrypt or decrypt each sector of the disk. Because of this, an attacker would also need to recover the seeding algorithm and key expansion methodology to read data from the disk, which makes compromise of the Symantec Endpoint 8.x product highly unlikely.
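The two defensive properties described above, that the disk encryption key is only present in RAM between successful authentication and the next shutdown or hibernation, and that it is wiped before power is cut, can be illustrated with a small key-context pattern. The following C code is an added example written for this article and is not Symantec code; the `dek_ctx` structure, the function names and the constructed test key are all assumptions used for illustration. Its one non-obvious point is the `secure_zero` helper: a plain `memset()` on a buffer that is never read again may be removed by the compiler as a dead store, so the wipe is done through a `volatile` pointer.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define DEK_LEN 32  /* AES-256 disk-encryption key length in bytes */

/* Hypothetical disk-encryption key context. The key is only present in RAM
   between successful pre-boot authentication and the next hibernate/shutdown. */
typedef struct {
    uint8_t key[DEK_LEN];
    bool loaded;
} dek_ctx;

/* Overwrite a buffer through a volatile pointer so the compiler cannot
   drop the stores as "dead" writes, as it is allowed to do with memset(). */
static void secure_zero(void *p, size_t n) {
    volatile uint8_t *vp = (volatile uint8_t *)p;
    while (n--) {
        *vp++ = 0;
    }
}

/* Load the (already unwrapped) key into the context. Returns 0 on success,
   -1 if the caller has not authenticated or the key length is wrong.
   How the key is unwrapped is outside this example. */
int dek_load_after_auth(dek_ctx *ctx, const uint8_t *unwrapped_key,
                        size_t len, bool authenticated) {
    if (!authenticated || len != DEK_LEN) {
        return -1;
    }
    memcpy(ctx->key, unwrapped_key, DEK_LEN);
    ctx->loaded = true;
    return 0;
}

/* Called on the hibernate/shutdown path, before the OS cuts power,
   so no key material remains in DRAM for a memory dump to find. */
void dek_scrub_on_suspend(dek_ctx *ctx) {
    secure_zero(ctx->key, sizeof ctx->key);
    ctx->loaded = false;
}

/* Self-check usable from a unit test: every key byte is zero and the
   context no longer claims to hold a key. OR-accumulation avoids an
   early exit that would leak the position of the first non-zero byte. */
bool dek_is_cleared(const dek_ctx *ctx) {
    uint8_t acc = 0;
    for (size_t i = 0; i < DEK_LEN; i++) {
        acc |= ctx->key[i];
    }
    return acc == 0 && !ctx->loaded;
}

int main(void) {
    dek_ctx ctx = {0};
    uint8_t sample_key[DEK_LEN];
    /* Constructed test key; a real product would unwrap it from protected storage. */
    for (int i = 0; i < DEK_LEN; i++) {
        sample_key[i] = (uint8_t)(0xA5 ^ i);
    }

    if (dek_load_after_auth(&ctx, sample_key, DEK_LEN, false) == 0) {
        printf("BUG: key loaded before authentication\n");
    }
    dek_load_after_auth(&ctx, sample_key, DEK_LEN, true);
    printf("key present after auth: %s\n", ctx.loaded ? "yes" : "no");

    dek_scrub_on_suspend(&ctx);
    printf("key cleared before suspend: %s\n", dek_is_cleared(&ctx) ? "yes" : "no");
    return 0;
}
```

The scrub must run on every path that leads to power loss (shutdown, hibernate, crash dump if possible); a key that is wiped on clean shutdown but left in place when the user closes the lid gives no protection for the hibernation case the article calls out.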
Current Encryption Products and Countermeasures:
Symantec Endpoint Encryption 11 and Symantec Encryption Desktop 10 include the following countermeasures against the "Cold Boot" or Princeton class of attacks. These countermeasures are always enabled by default and do not need any additional policy changes:
Note that while the above countermeasures improve the overall security, they do not provide complete protection against physical cold boot attacks where the attacker opens the case and attacks the hardware.
As an extra precaution, Symantec recommends security administrators perform the following steps to limit the attack surface: