Cryptography for Storage Systems

8/13/2019 Cryptography for Storage Systems

1/47


2/47

Overview

Encryption in storage systems

Tweaka!e encryption

Integrity protection

"ey management


3/47

Encryption instorage systems


4/47

Traditional storage systems:Inside the box

app

ino#e

$s

!k

ha

%irect-attache# storage


5/47

Networked storage systems

NAS(Network-attached Storage)

net

&'() CI'(*TC+,I+

net

$s

ha

ino#e

!k

$s

app

SAN(Storage-area Network)

!k

'C) i(C(I

net

!k

hanet

ino#e

$s

app

OBS(Object Storage)

ino#e

net

.B(-(C(I*T10

net

ino#e

!k

ha

$s

app


6/47

Storage-device models

B!ock #e/ice- rea# write !ocks

----- #e/ice-!e/e! access contro!----

.ect storage #e/- rea# write ytes in oect

- create #estroy oect--- oect-!e/e! access contro!- space a!!ocation- ackup ops

'i!e ser/er- rea# write #ata in $i!e

- create #estroy $i!e- #irectory operations- $i!e,#ir-ase# access

contro!- space a!!ocation- ackup ops


7/47

Tweakable encryption


8/47

Block cipher

%eterministic) key-#epen#ent trans$ormation .ne input !ock to one output !ock E() %E() B!ow$ish B!ocks si4e5 typica!!y 126 its *17 ytes

"ey si4e5 typica!!y 126 its an# more

'orma!!y !ock cipher imp!ements a pseu#o-ran#om permutation *+R+ ppears !ike a ran#om permutation to any

computationa!!y oun#e# oser/er *who #oes notha/e the key

Mo#e o$ operation *8chaining8 mo#e re9uire# E!ectronic-co#eook mo#e *ECB means no chaining


9/47

Why a block-cipher mode ooperation!

+!ainte:t asitmap picture

Encrypte# inECB mo#e

Encrypte# insecure mo#e o$

operation


10/47

"ncryption at the block layer

;%e/ice-!e/e!< encryption o$ =12-yte sectors Transparent to storage system no e:tra

space a/ai!a!e to chaining mo#e IEEE (I(> stan#ar#i4ation5 +171?, 1 , 2

app

ino#e

$s

!k

E


11/47

#sing $B$ mode

Ran#om I@ re9uire#) ut there is no space to store %eri/e I@ $rom sector a##ress

IV = EK( disk id || sector address ) IV = EHash(K)( disk id || sector address )

Aeaks !ocation o$ $irst up#ate# !ock within sector ttack possi!e i$ a#/ersary may in/oke #ecryption $or

some sectors) ut not $or others

+1

E

C1

"

I@+

2

E

C2

"

I@


12/47

Tweakable encryption %Tw"&

E"* is a +R+) #eterministic a$ter picking " (ame permutation in e/ery instance Tweaka!e E")T* is a $ami!y o$ in#epen#ent

permutations) in#e:e# y T Aisko/) Ri/est) >agner) CR+T. D02 T F a##ress o$ !ock

+

E

C

"*secret

+

E

C

" T*pu!ic

E"* is +R+ E")T* is a +R+ $or e/ery T

Tra#itiona! Tweaka!e


13/47

Narrow-block Tw"

E/ery !ock in sector encrypte# in#epen#ent!y Tweak is sector a##ress s p!us !ock in#e: i Aeaks on!y that !ock has een up#ate# 8Better8 security against acti/e attacks

Cipherte:t in #isk sector s

+1

+i +n

E"

s GG i

C1 Ci Cn

+!ainte:t

Tweake# !ockF

cipher !ock

*17 ytes


14/47

HT(-E(mo#e ase# on HEH Rogaway) (ICR+T D0

Tweak F sector s GG !ock in#e: i "ey " F "1 GG "2 i! "#($%$&)' riiti*e e+ee!t' ie,,icie!t ,or i='%'$...

Sta!dardi/ed b0 IEEE 1%2%3 a!d NIS4 S1 &-5&E 6sed i! ractice (e.g.' 4r7ecr0t' #8E ,or disk dri*es)

Narrow-block Tw" mode

+i

E"1

s

E"2

+i

9i


15/47

.ne tweake# !ockcipher encryption per sector Tweak is sector a##ress s Aeaks on!y that sector has een up#ate#

Wide-block Tw"

Cipherte:t in #isk sector s

+1 +n

E s

C1 Cn

+!ainte:t

"

Tweake# !ockF

#isk sector

*=12 ytes


16/47

Wide-block Tw"

+ropose# imp!ementations are s!owerthan E( EME2-E(5 2: E( HCB-E(5 1: E( J 2: "#($%$&)-7+t.

(tan#ar#i4e# as IEEE +171?2 *2010

./erhea# consi#ere# to e *too cost!y &o practica! #ep!oyment so $ar


17/47

$omparisonCBC mode TwE narrow TwE wide

Passive adversary- Aoca!i4e changes 'irst change# !! !ocks >ho!e sector in encrypte# $i!e !ock in sector that change# *est possi!e

Active adversary

- Trigger contro!!e# Change one !ock &one &one change o$ p!ainte:t mo/e !ocks

Situation in practice%ep!oye# %ep!oye# &ot use#

How realistic are active attacks- Encryption in .( kerne!) attack re9uires access to store# its- Kn!ike!y $or !aptops- More p!ausi!e $or /irtua! #isk images on c!ou# storage


18/47

!ntegrity protection


19/47

Integrity protection or oneclient

(torage consists o$ n#ata items:1) ) :n

C!ient accesses storage /ia integrity-protection !ayer Kses sma!! truste# memory to

store short re$erence hash /a!ue /*together with encryption keys

Integrity !ayer operations Rea# item an# /eri$y wrt / >rite item an# up#ate /

accor#ing!yIntegrity

C!ient

Truste#memory


20/47

'ash trees or integritychecking %(erkle trees&

+arent no#e is hash o$ itschi!#ren

Root hash /a!ue commits a!!#ata !ocks Root hash in truste#

memory Tree is on e:tra untruste#storage

To /eri$y :i) recompute path

$rom :ito root with si!ing

no#es an# compare to truste#

root hash

To up#ate :i) recompute new

root hash an# no#es a!ong path$rom :ito root

root

L0 L1

L00 L01 L10 L11

:1 :2 :3 :

Rea# write operations nee# work.*!og n

Lash operations E:tra storage accesses


21/47

()lti-client integrityprotection

(ing!e-c!ient so!ution Re!ies on hash /a!ue / (tore# !oca!!y in truste# memory Changes a$ter e/ery up#ate operation

Mu!tip!e c!ients

&ee# to synchroni4e truste# memories (o!ution with #igita! signatures

E/ery c!ient associate# with apu!ic,pri/ate key pair

>rite operation pro#uces signature onhash /

C!ient stores signature an# hash * ) / onc!ou#

Rep!ay attacks This approach permits rep!ay attacks +re/ente# using truste# coor# ser/ice

Integrity

C!ient C!ient C!ient


22/47

()lti-client integrity protec-tion and orking attacks

(er/er may present #i$$erent /iews to separate# c!ients Eg) not show the most recent >RITE operation to a rea#er Creates a 8$ork8 etween their histories C!ients cannot pre/ent this without communication

Kse $ork !ineari4ai!ity Ma4ieres) (hasha) +.%C D025 I$ ma!icious ser/er $orks the /iews o$ two c!ients once) then

their /iews are $orke# e/er a$terthey ne/er again see each others up#ates

E/ery inconsistency or integrity /io!ation resu!ts in a $ork Best achie/a!e guarantee $or storage on untruste# ser/er 'orks can e #etecte# on a 8cheap8 !ow-security e:terna!

channe! Kse on!y a semi-truste# coor#inator Cachin et a!) (IM N Comput) 2011

+rototype imp!ementation in @E&K( (hraer et a!) CC(> 2011


23/47

*ey management


24/47

Today - +roprietary key mgmt,

Enterprise Cryptographic En/ironments

Ke0:a!agee!t

S0ste

DiskArrays

BackupDisk

BackupTape

BackupSystem

Collaboration &Content Mgmt

Systems

File ServerPortals

ProductionDatabase

Replica

Staging

nterpriseApplications

eCommerceApplications

BusinessAnalytics

Dev!Test"b#uscation

$A%A%'P%

Ke0:a!agee!t

S0ste

Ke0:a!agee!t

S0ste

Ke0:a!agee!t

S0ste

Ke0:a!agee!t

S0ste

Ke0:a!agee!t

S0ste

Ke0:a!agee!t

S0ste

Ke0:a!agee!t

S0ste

CRM

mail

t St d di d k


25/47

)t)re - Standardi.ed keymanagement

E!terrise ;r0tograhic E!*iro!e!ts

Enterprise "eyManagement

DiskArrays

BackupDisk

BackupTape

BackupSystem

Collaboration &Content Mgmt

Systems

File ServerPortals

ProductionDatabase

Replica

Staging

"ey #anagement !nteroperability Protocol

nterpriseApplications

mail

eCommerceApplications

BusinessAnalytics

Dev!Test"b#uscation

$A%A%

'P%

CRM

O/SIS * ( t I t


26/47

O/SIS *ey (anagement Inter-operability +rotocol %*(I+&

.(I( HMA

C!ient-ser/er protoco!

%e$inesoects withattriutes) p!us operations

.ects5 symmetric keys) pu!ic,pri/ate keys)certi$icates) thresho!# key-shares

ttriutes5 i#enti$iers) type) !ength) !i$ecyc!e-state)!i$ecyc!e #ates) !inks to other oects

.perations5 create) register) attriute han#!ing


27/47

O/SIS *(I+

"MI+ #ra$t spec prepare# y in#ustry group L+) IBM) R(-EMC) nCipher,Tha!es) Broca#e)

(eagate) A(I) &etpp IBM- an# IBM Zurich-!e# *e#itor an# TC co-chair

.(I( "MI+ Technica! Committee *200? "MI+ /10 re!ease# in .ct 2010 "MI+ /11 re!ease# in 'e 2013

http5,,wwwoasis-openorg,committees,kmip,

To#ay #ep!oye# y mu!tip!e /en#ors in storage-encryption conte:t


28/47

*(I+ ob0ects and attrib)tes

.ects o$ $our types (ymmetric keys) pu!ic keys) pri/ate keys)

certi$icates

O=0 attriutes I#enti$ier) state) initia!i4ation time) acti/ation time)#eacti/ation time

ccess-contro! speci$ic attriutes

CA) usage

"M( accesse# y remote users o/er network


29/47

*(I+ operations Create*i#) parameters ." %eri/e*i#)parentPi#) au:P#ata ."

(tore*i#) c!earPkey ." Import*unwrappingPkeyPi#) wrappe#Pkey ."

Rea#*i# c!earPkey E:port*i#) wrappingPkeyPi# wrappe#Pkey

Rea# attriutes*i# Qattriutes (et attriutes*i#) QnewPattriutes ."

(earch*i#) con#ition Qi#s %estroy*i# ." -- #e!etes key) ut !ea/es attriutes intact %e!ete*i# ." -- #e!etes key an# attriutes *i$ possi!e

Most ops are straight$orwar#) ut some in/o!/e cryptography


30/47

/ccess control model or *(I+

Ksers %etermine# y user registry *eg) A%+ (pecia! users5 any) creator

+ermissions +er-oect #min) %eri/e) %estroy) E:port) Rea#)

Rea#ttriutes) Knwrap) >rap +er-user

Create) (tore

E/er oect ohas an ac!attriute oac! Q*u) p G u Ksers) p +ermissions


31/47

/ key server is a crypto /+I

"ey ser/er e:ecutes cryptographicoperations

(o $ar) cryptographic security +Isha/e een!inke# to secure har#ware tokens *IBM CC)

+"C( S11

>e e:ten# the stu#y o$ cryptographic security+Is to

"ey-management systems on a network ccesse# y mu!tip!e users


32/47

$ryptographic tokens!

Cryptographic processorsHardware security modules (HSM)

Crypto co-processor intamper-proo$ enc!osure

"eys ne/er !ea/etoken in c!ear

E:ecutes a!!cryptographicoperations with keys

Token

Kser

#min

KserKser


33/47

$ommercial crypto tokens

L+ ta!!a :170

Tamper-resistant an# -responsi/e accor#ing to 'I+( 10-2) up to Ae/e!

IBM 7=

In$ineon T+MnCipher,Tha!es netL(M


34/47

Why cryptographic tokens!

8Cryptographic keys must not !ea/e secure L>8

Intro#uce a separation etween5 #ministration o$ keys security o$$icer

#ministration o$ ser/ers ser/er operator

'ewer opportunities $or insi#er attacks

'oun# in many corporate en/ironments

Uo/ernment) $inance) te!ecom

But a!so in your pocket (martcar#s) (IM car#s) transport tickets


35/47

Interacting with a token

Kser u authenticates to tokenu Qsecurity-o$$icer) app!ication

uin/okes operations through Crypto +I .perations on pay!oa#

Encrypt) #ecrypt) sign) /eri$y "ey-management operations

Create) store) rea#V) up#ateVkey %eri/e key $rom a parent key >rap key , e:port Knwrap key , import

V Restricte# to a#minW

(tan#ar#i4e# inter$aces +"C( S11 EMC,R( Common cryptographic architecture *CC IBM


36/47

+roblems with crypto /+Is %1&

Aegacy +I po!icies are o$ten 8un#erspeci$ie#8 &e/erthe!ess) they aim to protect keys

+ure!y !ogica! attacks +I attacks E:pose a protecte# key n#erson) Bon#) C!u!ow

E:amp!e attack on +"C( S11 Sensitivekeys must not e e:pose# in c!ear +"C( S11 #enies rea# operation y user u a#min

i$ key kis sensitive But a!!ows uto wrap kun#er a non-sensitivekey #user uwraps kun#er # an# rea#s #this e:poses kin c!ear


37/47

+roblems with crypto /+Is %2&

>hy

>hy is access contro! with simp!e rea#,writepermissions not enough to protect keys

Because keys may #epen# cryptographica!!y onother keys .n!y cryptographic operations create such

#epen#encies

+ropose to keep track o$ #epen#encies with amo#e! $or strict access controlCachin) Chan#ran) C(' D0?


38/47

3ependencies among keys

"ey k #epen#s on a key p "ey kwas #eri/e# $rom p

#eri/e*a)c) #eri/e*a)#) #eri/e*a)e "ey kwas wrappe# un#er p

wrap*c)g) wrap*)e

i

c#

a

e $

gh

ib k


39/47

New attrib)tes or keys

strict Q$a!se) true %etermines i$ oect go/erne# y 8strict po!icy8

#epen#ents .ects .ther oects whose cryptographic /a!ue can e

compute# $rom the cryptographic /a!ue o$ the oect

ancestors .ects .ther oects on which the oect #epen#s

rea#ers Ksers Ksers who ha/e e:ecute# rea#*k$or

some key ksuch that oect k#epen#ents

B i d i li i


40/47

Basic and strict policies

I$ ostrict F true) then oene$its $romstrict security po!icy

.therwise) oun#er!ies asic access-contro!

po!icy

(trict security po!icy respects #epen#enciesetween keys in access #ecisions

B i th i ti


41/47

Basic a)thori.ation

Basic authori4ation ru!e o$ permission p$or user uon oect o5

B(ICKTL*u) p) o F

*any) p

oac! or*u F ocreator and*creator) p ) p oac! or*u) p oac!

I l t ti d


42/47

Implementation o read

Con#ition $or user uto e:ecute rea#*o5ostrict F $a!se andB(ICKTL*u) Rea#) o orostrict F true and

9 o#epen#ents) B(ICKTL*u) Rea#) 9

E$$ect5ifostrict F true then

9 o#epen#ents) 9rea#ers 9rea#ers Qu

I l t ti t


43/47

Implementation o export

Con#ition $or user uto e:ecute e:port*o) w5ostrict F $a!se andB(ICKTL*u) E:port) o orostrict F true and wstrict F true and

B(ICKTL*u) E:port) o andB(ICKTL*u) >rap) w and/ wrea#ers) 9 o#epen#ents)

B(ICKTL*/) Rea#) 9 andw o#epen#ents

E$$ect5ifostrict F true then

/ wrea#ers) orea#ers orea#ers Q/w#epen#ents w#epen#ents o#epen#ents oancestors oancestors wancestors

Kse authenticate# encryption $or key wrapping

I l t ti i t


44/47

Implementation o import

Con#ition $or uto e:ecute import*w) wrappe#instrict mo#e5B(ICKTL*u) Knwrap) w and

wrea#ers F andwstrict F true and

W key in %B with same #igest as o)where oF unwrap*wrappe#

E$$ect5w#epen#ents w#epen#ents o#epen#ents

oancestors oancestors wancestors

Importe# key must not yet e:ist in the system

3estroy and delete


45/47

3estroy and delete

Con#ition $or uto e:ecute #estroy*o5B(ICKTL*u) %estroy) w

%estroys on!y the cryptographic materia!) !ea/es theoect attriutes in %B

Con#ition $or uto e:ecute #e!ete*o5B(ICKTL*u) #min) w

%estroys the oect an# its attriutes) ut

only ifo#epen#ents F

Notes


46/47

Notes

Mo#e! o$ Cachin-Chan#ran *C(' D0? has on!yone key ser/er (er/er shou!# keep a g!oa! history Mu!tip!e ser/ers nee# to synchroni4e state

+rototype imp!ementation at IBM Zurich !! keys an# #epen#ency #ata store# in %B Compact representation) in#epen#ent o$ history

Re9uires system to track a!! operations E:perience with prototype shows it is e$$icient

&o e:posure to rea! wor!# yet

4eerences


47/47

4eerences

Christian Cachin) &ishanth Chan#ran 8 securecryptographic token inter$ace8In Proc. Computer SecurityFoundations (CSF)) 200?

Mathias BXrk9/ist) Christian Cachin) Roert Laas) Hiao-u

Lu) ni! "urmus) RenY +aw!it4ek) an# Marko @uko!ic 8%esignan# imp!ementation o$ a key-!i$ecyc!e management system8In Proc. Financial Cryptography) 2010

.(I( "ey Management Interoperai!ity +rotoco! *"MI+Technica! Committee) 8"ey Management Interoperai!ity

+rotoco! @ersion 118.(I( (tan#ar#) 2013https5,,wwwoasis-openorg,committees,#ocumentsphpwgPare/Fkmip

Documents

Cryptography for Storage Systems