View
220
Download
0
Embed Size (px)
Citation preview
8/13/2019 Cryptography for Storage Systems
1/47
8/13/2019 Cryptography for Storage Systems
2/47
Overview
Encryption in storage systems
Tweaka!e encryption
Integrity protection
"ey management
8/13/2019 Cryptography for Storage Systems
3/47
Encryption instorage systems
8/13/2019 Cryptography for Storage Systems
4/47
Traditional storage systems:Inside the box
app
ino#e
$s
!k
ha
%irect-attache# storage
8/13/2019 Cryptography for Storage Systems
5/47
Networked storage systems
NAS(Network-attached Storage)
net
&'() CI'(*TC+,I+
net
$s
ha
ino#e
!k
$s
app
SAN(Storage-area Network)
!k
'C) i(C(I
net
!k
hanet
ino#e
$s
app
OBS(Object Storage)
ino#e
net
.B(-(C(I*T10
net
ino#e
!k
ha
$s
app
8/13/2019 Cryptography for Storage Systems
6/47
Storage-device models
B!ock #e/ice- rea# write !ocks
----- #e/ice-!e/e! access contro!----
.ect storage #e/- rea# write ytes in oect
- create #estroy oect--- oect-!e/e! access contro!- space a!!ocation- ackup ops
'i!e ser/er- rea# write #ata in $i!e
- create #estroy $i!e- #irectory operations- $i!e,#ir-ase# access
contro!- space a!!ocation- ackup ops
8/13/2019 Cryptography for Storage Systems
7/47
Tweakable encryption
8/13/2019 Cryptography for Storage Systems
8/47
Block cipher
%eterministic) key-#epen#ent trans$ormation .ne input !ock to one output !ock E() %E() B!ow$ish B!ocks si4e5 typica!!y 126 its *17 ytes
"ey si4e5 typica!!y 126 its an# more
'orma!!y !ock cipher imp!ements a pseu#o-ran#om permutation *+R+ ppears !ike a ran#om permutation to any
computationa!!y oun#e# oser/er *who #oes notha/e the key
Mo#e o$ operation *8chaining8 mo#e re9uire# E!ectronic-co#eook mo#e *ECB means no chaining
8/13/2019 Cryptography for Storage Systems
9/47
Why a block-cipher mode ooperation!
+!ainte:t asitmap picture
Encrypte# inECB mo#e
Encrypte# insecure mo#e o$
operation
8/13/2019 Cryptography for Storage Systems
10/47
"ncryption at the block layer
;%e/ice-!e/e!< encryption o$ =12-yte sectors Transparent to storage system no e:tra
space a/ai!a!e to chaining mo#e IEEE (I(> stan#ar#i4ation5 +171?, 1 , 2
app
ino#e
$s
!k
E
8/13/2019 Cryptography for Storage Systems
11/47
#sing $B$ mode
Ran#om I@ re9uire#) ut there is no space to store %eri/e I@ $rom sector a##ress
IV = EK( disk id || sector address ) IV = EHash(K)( disk id || sector address )
Aeaks !ocation o$ $irst up#ate# !ock within sector ttack possi!e i$ a#/ersary may in/oke #ecryption $or
some sectors) ut not $or others
+1
E
C1
"
I@+
2
E
C2
"
I@
8/13/2019 Cryptography for Storage Systems
12/47
Tweakable encryption %Tw"&
E"* is a +R+) #eterministic a$ter picking " (ame permutation in e/ery instance Tweaka!e E")T* is a $ami!y o$ in#epen#ent
permutations) in#e:e# y T Aisko/) Ri/est) >agner) CR+T. D02 T F a##ress o$ !ock
+
E
C
"*secret
+
E
C
" T*pu!ic
E"* is +R+ E")T* is a +R+ $or e/ery T
Tra#itiona! Tweaka!e
8/13/2019 Cryptography for Storage Systems
13/47
Narrow-block Tw"
E/ery !ock in sector encrypte# in#epen#ent!y Tweak is sector a##ress s p!us !ock in#e: i Aeaks on!y that !ock has een up#ate# 8Better8 security against acti/e attacks
Cipherte:t in #isk sector s
+1
+i +n
E"
s GG i
C1 Ci Cn
+!ainte:t
Tweake# !ockF
cipher !ock
*17 ytes
8/13/2019 Cryptography for Storage Systems
14/47
HT(-E(mo#e ase# on HEH Rogaway) (ICR+T D0
Tweak F sector s GG !ock in#e: i "ey " F "1 GG "2 i! "#($%$&)' riiti*e e+ee!t' ie,,icie!t ,or i='%'$...
Sta!dardi/ed b0 IEEE 1%2%3 a!d NIS4 S1 &-5&E 6sed i! ractice (e.g.' 4r7ecr0t' #8E ,or disk dri*es)
Narrow-block Tw" mode
+i
E"1
s
E"2
+i
9i
8/13/2019 Cryptography for Storage Systems
15/47
.ne tweake# !ockcipher encryption per sector Tweak is sector a##ress s Aeaks on!y that sector has een up#ate#
Wide-block Tw"
Cipherte:t in #isk sector s
+1 +n
E s
C1 Cn
+!ainte:t
"
Tweake# !ockF
#isk sector
*=12 ytes
8/13/2019 Cryptography for Storage Systems
16/47
Wide-block Tw"
+ropose# imp!ementations are s!owerthan E( EME2-E(5 2: E( HCB-E(5 1: E( J 2: "#($%$&)-7+t.
(tan#ar#i4e# as IEEE +171?2 *2010
./erhea# consi#ere# to e *too cost!y &o practica! #ep!oyment so $ar
8/13/2019 Cryptography for Storage Systems
17/47
$omparisonCBC mode TwE narrow TwE wide
Passive adversary- Aoca!i4e changes 'irst change# !! !ocks >ho!e sector in encrypte# $i!e !ock in sector that change# *est possi!e
Active adversary
- Trigger contro!!e# Change one !ock &one &one change o$ p!ainte:t mo/e !ocks
Situation in practice%ep!oye# %ep!oye# &ot use#
How realistic are active attacks- Encryption in .( kerne!) attack re9uires access to store# its- Kn!ike!y $or !aptops- More p!ausi!e $or /irtua! #isk images on c!ou# storage
8/13/2019 Cryptography for Storage Systems
18/47
!ntegrity protection
8/13/2019 Cryptography for Storage Systems
19/47
Integrity protection or oneclient
(torage consists o$ n#ata items:1) ) :n
C!ient accesses storage /ia integrity-protection !ayer Kses sma!! truste# memory to
store short re$erence hash /a!ue /*together with encryption keys
Integrity !ayer operations Rea# item an# /eri$y wrt / >rite item an# up#ate /
accor#ing!yIntegrity
C!ient
Truste#memory
8/13/2019 Cryptography for Storage Systems
20/47
'ash trees or integritychecking %(erkle trees&
+arent no#e is hash o$ itschi!#ren
Root hash /a!ue commits a!!#ata !ocks Root hash in truste#
memory Tree is on e:tra untruste#storage
To /eri$y :i) recompute path
$rom :ito root with si!ing
no#es an# compare to truste#
root hash
To up#ate :i) recompute new
root hash an# no#es a!ong path$rom :ito root
root
L0 L1
L00 L01 L10 L11
:1 :2 :3 :
Rea# write operations nee# work.*!og n
Lash operations E:tra storage accesses
8/13/2019 Cryptography for Storage Systems
21/47
()lti-client integrityprotection
(ing!e-c!ient so!ution Re!ies on hash /a!ue / (tore# !oca!!y in truste# memory Changes a$ter e/ery up#ate operation
Mu!tip!e c!ients
&ee# to synchroni4e truste# memories (o!ution with #igita! signatures
E/ery c!ient associate# with apu!ic,pri/ate key pair
>rite operation pro#uces signature onhash /
C!ient stores signature an# hash * ) / onc!ou#
Rep!ay attacks This approach permits rep!ay attacks +re/ente# using truste# coor# ser/ice
Integrity
C!ient C!ient C!ient
8/13/2019 Cryptography for Storage Systems
22/47
()lti-client integrity protec-tion and orking attacks
(er/er may present #i$$erent /iews to separate# c!ients Eg) not show the most recent >RITE operation to a rea#er Creates a 8$ork8 etween their histories C!ients cannot pre/ent this without communication
Kse $ork !ineari4ai!ity Ma4ieres) (hasha) +.%C D025 I$ ma!icious ser/er $orks the /iews o$ two c!ients once) then
their /iews are $orke# e/er a$terthey ne/er again see each others up#ates
E/ery inconsistency or integrity /io!ation resu!ts in a $ork Best achie/a!e guarantee $or storage on untruste# ser/er 'orks can e #etecte# on a 8cheap8 !ow-security e:terna!
channe! Kse on!y a semi-truste# coor#inator Cachin et a!) (IM N Comput) 2011
+rototype imp!ementation in @E&K( (hraer et a!) CC(> 2011
8/13/2019 Cryptography for Storage Systems
23/47
*ey management
8/13/2019 Cryptography for Storage Systems
24/47
Today - +roprietary key mgmt,
Enterprise Cryptographic En/ironments
Ke0:a!agee!t
S0ste
DiskArrays
BackupDisk
BackupTape
BackupSystem
Collaboration &Content Mgmt
Systems
File ServerPortals
ProductionDatabase
Replica
Staging
nterpriseApplications
eCommerceApplications
BusinessAnalytics
Dev!Test"b#uscation
$A%A%'P%
Ke0:a!agee!t
S0ste
Ke0:a!agee!t
S0ste
Ke0:a!agee!t
S0ste
Ke0:a!agee!t
S0ste
Ke0:a!agee!t
S0ste
Ke0:a!agee!t
S0ste
Ke0:a!agee!t
S0ste
CRM
t St d di d k
8/13/2019 Cryptography for Storage Systems
25/47
)t)re - Standardi.ed keymanagement
E!terrise ;r0tograhic E!*iro!e!ts
Enterprise "eyManagement
DiskArrays
BackupDisk
BackupTape
BackupSystem
Collaboration &Content Mgmt
Systems
File ServerPortals
ProductionDatabase
Replica
Staging
"ey #anagement !nteroperability Protocol
nterpriseApplications
eCommerceApplications
BusinessAnalytics
Dev!Test"b#uscation
$A%A%
'P%
CRM
O/SIS * ( t I t
8/13/2019 Cryptography for Storage Systems
26/47
O/SIS *ey (anagement Inter-operability +rotocol %*(I+&
.(I( HMA
C!ient-ser/er protoco!
%e$inesoects withattriutes) p!us operations
.ects5 symmetric keys) pu!ic,pri/ate keys)certi$icates) thresho!# key-shares
ttriutes5 i#enti$iers) type) !ength) !i$ecyc!e-state)!i$ecyc!e #ates) !inks to other oects
.perations5 create) register) attriute han#!ing
8/13/2019 Cryptography for Storage Systems
27/47
O/SIS *(I+
"MI+ #ra$t spec prepare# y in#ustry group L+) IBM) R(-EMC) nCipher,Tha!es) Broca#e)
(eagate) A(I) &etpp IBM- an# IBM Zurich-!e# *e#itor an# TC co-chair
.(I( "MI+ Technica! Committee *200? "MI+ /10 re!ease# in .ct 2010 "MI+ /11 re!ease# in 'e 2013
http5,,wwwoasis-openorg,committees,kmip,
To#ay #ep!oye# y mu!tip!e /en#ors in storage-encryption conte:t
8/13/2019 Cryptography for Storage Systems
28/47
*(I+ ob0ects and attrib)tes
.ects o$ $our types (ymmetric keys) pu!ic keys) pri/ate keys)
certi$icates
O=0 attriutes I#enti$ier) state) initia!i4ation time) acti/ation time)#eacti/ation time
ccess-contro! speci$ic attriutes
CA) usage
"M( accesse# y remote users o/er network
8/13/2019 Cryptography for Storage Systems
29/47
*(I+ operations Create*i#) parameters ." %eri/e*i#)parentPi#) au:P#ata ."
(tore*i#) c!earPkey ." Import*unwrappingPkeyPi#) wrappe#Pkey ."
Rea#*i# c!earPkey E:port*i#) wrappingPkeyPi# wrappe#Pkey
Rea# attriutes*i# Qattriutes (et attriutes*i#) QnewPattriutes ."
(earch*i#) con#ition Qi#s %estroy*i# ." -- #e!etes key) ut !ea/es attriutes intact %e!ete*i# ." -- #e!etes key an# attriutes *i$ possi!e
Most ops are straight$orwar#) ut some in/o!/e cryptography
8/13/2019 Cryptography for Storage Systems
30/47
/ccess control model or *(I+
Ksers %etermine# y user registry *eg) A%+ (pecia! users5 any) creator
+ermissions +er-oect #min) %eri/e) %estroy) E:port) Rea#)
Rea#ttriutes) Knwrap) >rap +er-user
Create) (tore
E/er oect ohas an ac!attriute oac! Q*u) p G u Ksers) p +ermissions
8/13/2019 Cryptography for Storage Systems
31/47
/ key server is a crypto /+I
"ey ser/er e:ecutes cryptographicoperations
(o $ar) cryptographic security +Isha/e een!inke# to secure har#ware tokens *IBM CC)
+"C( S11
>e e:ten# the stu#y o$ cryptographic security+Is to
"ey-management systems on a network ccesse# y mu!tip!e users
8/13/2019 Cryptography for Storage Systems
32/47
$ryptographic tokens!
Cryptographic processorsHardware security modules (HSM)
Crypto co-processor intamper-proo$ enc!osure
"eys ne/er !ea/etoken in c!ear
E:ecutes a!!cryptographicoperations with keys
Token
Kser
#min
KserKser
8/13/2019 Cryptography for Storage Systems
33/47
$ommercial crypto tokens
L+ ta!!a :170
Tamper-resistant an# -responsi/e accor#ing to 'I+( 10-2) up to Ae/e!
IBM 7=
In$ineon T+MnCipher,Tha!es netL(M
8/13/2019 Cryptography for Storage Systems
34/47
Why cryptographic tokens!
8Cryptographic keys must not !ea/e secure L>8
Intro#uce a separation etween5 #ministration o$ keys security o$$icer
#ministration o$ ser/ers ser/er operator
'ewer opportunities $or insi#er attacks
'oun# in many corporate en/ironments
Uo/ernment) $inance) te!ecom
But a!so in your pocket (martcar#s) (IM car#s) transport tickets
8/13/2019 Cryptography for Storage Systems
35/47
Interacting with a token
Kser u authenticates to tokenu Qsecurity-o$$icer) app!ication
uin/okes operations through Crypto +I .perations on pay!oa#
Encrypt) #ecrypt) sign) /eri$y "ey-management operations
Create) store) rea#V) up#ateVkey %eri/e key $rom a parent key >rap key , e:port Knwrap key , import
V Restricte# to a#minW
(tan#ar#i4e# inter$aces +"C( S11 EMC,R( Common cryptographic architecture *CC IBM
8/13/2019 Cryptography for Storage Systems
36/47
+roblems with crypto /+Is %1&
Aegacy +I po!icies are o$ten 8un#erspeci$ie#8 &e/erthe!ess) they aim to protect keys
+ure!y !ogica! attacks +I attacks E:pose a protecte# key n#erson) Bon#) C!u!ow
E:amp!e attack on +"C( S11 Sensitivekeys must not e e:pose# in c!ear +"C( S11 #enies rea# operation y user u a#min
i$ key kis sensitive But a!!ows uto wrap kun#er a non-sensitivekey #user uwraps kun#er # an# rea#s #this e:poses kin c!ear
8/13/2019 Cryptography for Storage Systems
37/47
+roblems with crypto /+Is %2&
>hy
>hy is access contro! with simp!e rea#,writepermissions not enough to protect keys
Because keys may #epen# cryptographica!!y onother keys .n!y cryptographic operations create such
#epen#encies
+ropose to keep track o$ #epen#encies with amo#e! $or strict access controlCachin) Chan#ran) C(' D0?
8/13/2019 Cryptography for Storage Systems
38/47
3ependencies among keys
"ey k #epen#s on a key p "ey kwas #eri/e# $rom p
#eri/e*a)c) #eri/e*a)#) #eri/e*a)e "ey kwas wrappe# un#er p
wrap*c)g) wrap*)e
i
c#
a
e $
gh
ib k
8/13/2019 Cryptography for Storage Systems
39/47
New attrib)tes or keys
strict Q$a!se) true %etermines i$ oect go/erne# y 8strict po!icy8
#epen#ents .ects .ther oects whose cryptographic /a!ue can e
compute# $rom the cryptographic /a!ue o$ the oect
ancestors .ects .ther oects on which the oect #epen#s
rea#ers Ksers Ksers who ha/e e:ecute# rea#*k$or
some key ksuch that oect k#epen#ents
B i d i li i
8/13/2019 Cryptography for Storage Systems
40/47
Basic and strict policies
I$ ostrict F true) then oene$its $romstrict security po!icy
.therwise) oun#er!ies asic access-contro!
po!icy
(trict security po!icy respects #epen#enciesetween keys in access #ecisions
B i th i ti
8/13/2019 Cryptography for Storage Systems
41/47
Basic a)thori.ation
Basic authori4ation ru!e o$ permission p$or user uon oect o5
B(ICKTL*u) p) o F
*any) p
oac! or*u F ocreator and*creator) p ) p oac! or*u) p oac!
I l t ti d
8/13/2019 Cryptography for Storage Systems
42/47
Implementation o read
Con#ition $or user uto e:ecute rea#*o5ostrict F $a!se andB(ICKTL*u) Rea#) o orostrict F true and
9 o#epen#ents) B(ICKTL*u) Rea#) 9
E$$ect5ifostrict F true then
9 o#epen#ents) 9rea#ers 9rea#ers Qu
I l t ti t
8/13/2019 Cryptography for Storage Systems
43/47
Implementation o export
Con#ition $or user uto e:ecute e:port*o) w5ostrict F $a!se andB(ICKTL*u) E:port) o orostrict F true and wstrict F true and
B(ICKTL*u) E:port) o andB(ICKTL*u) >rap) w and/ wrea#ers) 9 o#epen#ents)
B(ICKTL*/) Rea#) 9 andw o#epen#ents
E$$ect5ifostrict F true then
/ wrea#ers) orea#ers orea#ers Q/w#epen#ents w#epen#ents o#epen#ents oancestors oancestors wancestors
Kse authenticate# encryption $or key wrapping
I l t ti i t
8/13/2019 Cryptography for Storage Systems
44/47
Implementation o import
Con#ition $or uto e:ecute import*w) wrappe#instrict mo#e5B(ICKTL*u) Knwrap) w and
wrea#ers F andwstrict F true and
W key in %B with same #igest as o)where oF unwrap*wrappe#
E$$ect5w#epen#ents w#epen#ents o#epen#ents
oancestors oancestors wancestors
Importe# key must not yet e:ist in the system
3estroy and delete
8/13/2019 Cryptography for Storage Systems
45/47
3estroy and delete
Con#ition $or uto e:ecute #estroy*o5B(ICKTL*u) %estroy) w
%estroys on!y the cryptographic materia!) !ea/es theoect attriutes in %B
Con#ition $or uto e:ecute #e!ete*o5B(ICKTL*u) #min) w
%estroys the oect an# its attriutes) ut
only ifo#epen#ents F
Notes
8/13/2019 Cryptography for Storage Systems
46/47
Notes
Mo#e! o$ Cachin-Chan#ran *C(' D0? has on!yone key ser/er (er/er shou!# keep a g!oa! history Mu!tip!e ser/ers nee# to synchroni4e state
+rototype imp!ementation at IBM Zurich !! keys an# #epen#ency #ata store# in %B Compact representation) in#epen#ent o$ history
Re9uires system to track a!! operations E:perience with prototype shows it is e$$icient
&o e:posure to rea! wor!# yet
4eerences
8/13/2019 Cryptography for Storage Systems
47/47
4eerences
Christian Cachin) &ishanth Chan#ran 8 securecryptographic token inter$ace8In Proc. Computer SecurityFoundations (CSF)) 200?
Mathias BXrk9/ist) Christian Cachin) Roert Laas) Hiao-u
Lu) ni! "urmus) RenY +aw!it4ek) an# Marko @uko!ic 8%esignan# imp!ementation o$ a key-!i$ecyc!e management system8In Proc. Financial Cryptography) 2010
.(I( "ey Management Interoperai!ity +rotoco! *"MI+Technica! Committee) 8"ey Management Interoperai!ity
+rotoco! @ersion 118.(I( (tan#ar#) 2013https5,,wwwoasis-openorg,committees,#ocumentsphpwgPare/Fkmip