The #Microsoft report on the technical investigations for #Storm0558 key acquisition is a rather interesting read.

They of course can't and don't go into specifics about the nature of the key leakage. I'm totally guessing here, but it might be that the tooling Microsoft used to detect and sanitize the #keymaterial didn't identify the key in the specific key schedule form. Maybe a new #encryption cipher was used that uses a new key schedule format that the tooling didn't support, or the cipher implementation started to store the key schedule in a new, different way.

This incident is a good example of how attempts at #sanitizing logs, memory dumps and the like of sensitive information are a losing game. At best it can be considered best effort; there are always ways information can end up leaking out despite your best efforts in trying to identify it.

For critical systems the encryption key should only ever exist in a security enclave or HSM. That'd be the only way to ensure that the key cannot leak: it's nowhere in memory to begin with.

ref:
https://msrc.microsoft.com/blog/2023/09/results-of-major-technical-investigations-for-storm-0558-key-acquisition/

Results of Major Technical Investigations for Storm-0558 Key Acquisition | MSRC Blog | Microsoft Security Response Center
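An added illustration of the "best effort" point in the post above (not part of the post and not Microsoft's tooling): a scrubber that redacts a known key in the encodings it was written for, run over a constructed dump that also holds the same key in a different in-memory layout. The key, the dump contents and the word-swapped layout are assumptions chosen for the demonstration; they stand in for "a representation the tooling does not know" and say nothing about the actual Storm-0558 leak.

```python
import base64

REDACTED = b"[REDACTED]"
DEMO_KEY = bytes(range(0x10, 0x30))  # constructed 32-byte key, not a real secret


def known_encodings(secret):
    """Representations this hypothetical scrubber was written to recognise."""
    return {
        "raw": secret,
        "hex": secret.hex().encode(),
        "base64": base64.b64encode(secret),
    }


def scrub(dump, secret):
    """Redact every known encoding of `secret`; return (cleaned_dump, hits)."""
    hits = []
    for name, pattern in known_encodings(secret).items():
        if pattern in dump:
            hits.append(name)
            dump = dump.replace(pattern, REDACTED)
    return dump, hits


def as_le32_words(secret):
    """Same key bytes, byte-swapped inside each 32-bit word (assumed layout,
    standing in for any internal format the scrubber has no pattern for)."""
    return b"".join(secret[i:i + 4][::-1] for i in range(0, len(secret), 4))


def build_dump(secret):
    """Constructed dump: three copies the scrubber knows, one it does not."""
    return b"".join([
        b"cfg: signing_key_hex=", secret.hex().encode(), b"\n",
        b"env: KEY_B64=", base64.b64encode(secret), b"\n",
        b"heap: ", secret, b"\n",
        b"heap: ", as_le32_words(secret), b"\n",
    ])


if __name__ == "__main__":
    cleaned, hits = scrub(build_dump(DEMO_KEY), DEMO_KEY)
    survivor = as_le32_words(DEMO_KEY)
    print("redacted encodings:", hits)
    print("unknown layout still in dump:", survivor in cleaned)
    # Swapping the words back yields the full key from the "sanitized" dump.
    print("key recoverable:", as_le32_words(survivor) == DEMO_KEY)
```

The scrubber reports three successful redactions, so its own output gives no sign that a fourth copy remains; only keeping the key out of process memory removes that blind spot.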

A short letter to our non-infrastructure colleagues: "The Value of a Small but Visible Investment in Infrastructure Security"

From time to time, conversations come up on why infrasec is important, and I regularly find variations of this TLDR to be useful.

I hope this is helpful for you to learn or share a perspective on where infrasec fits among a portfolio of security approaches for defense in depth.

#KeyMaterial #InfraSec
https://keymaterial.net/2023/06/14/tldr-the-value-of-a-small-but-visible-investment-in-infrastructure-security/

TLDR: The Value of a Small but Visible Investment in Infrastructure Security