Tuomas Aura CSE-C3400 Information Aura CSE-C3400 Information security Aalto University, ... enters password 2. Hashed to ... Windows partition cannot bypass OS access controls

  • View
    213

  • Download
    0

Embed Size (px)

Transcript

  • Encrypting stored data

    Tuomas AuraCSE-C3400 Information security

    Aalto University, autumn 2014

  • Outline

    1. Scenarios

    2. File encryption

    3. Encrypting file system

    4. Full disk encryption

    5. Data recovery

    Acknowledgement: These slides are partly based on Microsoft material.

    2

    Simple application of cryptography and a good example of how difficult it is to build secure system

    This lecture is uses Windows as an example. The same principles and questions apply to competing file and disk encryption products

  • Scenarios for data encryption

    Lost and stolen laptops

    Contain confidential data and access credentials

    Physically compromised servers

    Contain business secrets, customer data and PII

    Unauthorized insiders have physical access

    Decommissioned hard disks

    Secure decommissioning is expensive

    Hardware recycling is typically done in the cheapest and fastest way: no time for secure disk wipe

    Old PCs from the US are shipped to China for recycling

    3

  • Data encryption Scenarios:

    lost and stolen laptop computers

    stolen servers

    decommissioning hard disks

    Risk of disclosure of confidential data

    The obvious solution: encrypt data on disk

    But computer security is never quite so simple:

    Security often conflicts with usability

    Security often conflicts with reliability; plan for datarecovery is needed

    System design mistakes or programming errors could compromise data

    4

  • FILE ENCRYPTION

  • Simple file encryption1. User enters

    passphrase2. Passphrase hashed

    with a cryptographic hash functionto produce a key

    3. File encrypted with the key E.g. AES in CBC mode Decryption with

    the same key Examples:

    crypt(1), GPG

    6

    1*****

    **

    2

    SHA-1

    d70f3619a209b

    Our plan is.3

    % gpg --output ciphertext.gpg --symmetric plaintext.docEnter passphrase:

  • Limitations of file encryption User action needed, and users are lazy Automated use (scripting) hard to implement because

    where do you store the secret passphrase? Brute-forcing the passphase possible

    Can be mitigate with a slow hash (e.g. PBKDF2)

    Encrypting a file normally creates an encrypted copy; what happens to the old plaintext file? No guarantee that the plaintext is not left on the disk

    Word processors and other software create temporary files and backup copies Unencrypted versions and fragments of the file may be left in

    locations that the user does not even know about

    There are tools for deleting temporary files and for wiping free disk space, but none is completely reliable

    Cloud storage keep all old data

  • Wiping files Deleting a file simply marks the space free but does not

    erase the contents: raw data is still on the disk Overwriting a file does not always erase the old contents:

    File system may organize data in unexpected ways: backups, revision control, copy on write, journal, etc.

    Solid state disks (SSD) write in complex patterns

    Wiping all empty disk space by overwriting Deletes most data but no guarantee Disk drive behavior is not always controllable by the file system

    driver: bad block replacement, optimizations

    Magnetic data remanence: magnetic medium may retain traces of previous contents even after overwritten

    Physical destruction: grinding disks, heating magnetic medium above Curie temperature Flash memory (SSD) fragments may retain data

    8

  • ENCRYPTING FILE SYSTEM

  • Windows encrypting file system (EFS)

    Encryption is a file attribute

    Possible to enable encryption for all files in a folder new files encrypted

    Files are readable only when the user is logged in

    Encryption and decryption are transparent to applications

    Similar products exist for Unix

    10

  • EFS key management

    1. User logs in, enters password

    2. Hashed to produce key

    3. Used to decrypt Users Master Key

    4. Used to decrypt Users Private EFS Key

    5. Used to decrypt File Encryption Key (FEK)

    6. Used to encrypt on write and decrypt on read

    1

    2

    PBKDF2

    d70f3619a209b15

    Our plan is.

    6

    User

    name:

    Windows

    Password:

    Log on to:

    Username

    *********

    Domain

    OK Cancel Shut Down... Options

  • EFS limitations Encrypts contents of specific files only User login credentials (password) needed for decryption

    System has no access to encrypted files unless user logs in System cannot index files without the user password Backups contain encrypted files, not the plaintext

    When encrypting plaintext files, the original file is not wiped, just deleted; the data remains on the disk User should create files in an encrypted folder

    Transparent decryption e.g. data decrypted transparently when copying to a file share over network or

    to an un-encrypted FAT partition

    Some data is not encrypted: folder and file names temp files, earlier unencrypted versions, printer spool registry, system files and logs page file can now be encrypted but requires policy configuration

    Hibernation file may contain decryption keys

    12

  • EFS and password cracking EFS security depends on the secrecy of user password

    Password hashes are stored in a database on the disk

    Password are vulnerable to brute-force attacks NT hash and historical LM hash use no salt and are

    therefore especially vulnerable

    Rainbow tables (Hellman90, Oechslin03)

    Attacker can boot to another OS, extract the password hashes from the hard disk and crack the user password Note: resetting user or admin password does not enable

    access to encrypted files

    EFS supports smart cards as an alternative login method

    http://www-ee.stanford.edu/~hellman/publications/36.pdfhttp://lasecwww.epfl.ch/~oechslin/publications/crypto03.pdf

  • Trojans, root kits etc.

    EFS data is vulnerable to Trojans, viruses and key loggers

    Attacker with access to hardware can compromise OS and install a root kit or key logger

    Note that these problems do not apply to lost or stolen laptops

  • EFS summary Encrypts single files and folders; leaves a lot of

    information unencrypted Requires care from user

    User must understand what is encrypted and what else happens to the data

    User of a non-domain computer must backup keys or risk data loss

    Security depends on a strong password

    System cannot access encrypted files for admin tasks like backup and indexing

    Hibernation breaks the security Apart from the hibernation issue, EFS would be pretty

    secure way of encrypting all files on a data disk (D:)

    15

  • FULL DISK ENCRYPTION

    16

  • Full disk encryption Entire disk is encrypted:

    Protects all information on disk Easier to use correctly than EFS

    Products are available from various hardware and software vendors including hard disk manufacturers

    Password, key or physical token required to boot or to mount disk; thereafter transparent Usability and reliability issues? Requires user/admin to be present at boot time

    In software-based products: Password must be strong enough to resist brute-force guessing Hibernation is a problem

    Hardware solution would be better

    17

  • Trusted platform module

    Trusted hardware enables some things that otherwise would be impossible

    Trusted platform module (TPM) is a smart-card-like module on the computer motherboard or, preferably, embedded in the CPU Holds crypto keys and platform measurements in

    platform configuration registers (PCR)

    Useful TPM operations: TMP_Seal: encrypt data in any platform

    configuration

    TPM_Unseal: decrypt the data, but only if the platform configuration is the same as when sealing

  • Windows BitLocker

    19

    Full-volume encryption in Windows Uses TPM for key management

    Optional PIN input and/or USB dongle at boot time

    System volume must be NTFS, data disks can also be FAT

    Sealing the entire system partition: Encrypt data with a symmetric key

    Seal the key; store sealed key on disk; unseal when booting

    TPM checks the OS integrity before unsealing the key Can boot to another OS but then cannot unseal the

    Windows partition cannot bypass OS access controls

    For a stolen laptop, forces the thief to hardware attack against TPM

  • BitLocker partitions

    EncryptedWindows partition

    Boot partition

    Windows partition contains:

    Volume metadata with MAC

    Encrypted OS

    Encrypted page file

    Encrypted temp files

    Encrypted data

    Encrypted hibernation file

    Boot partition contains: MBROS loaderBoot utilities

    1.5 GB

  • BitLocker keys

    Storage Root Key (SRK) inside TPM1

    4

    2 Volume Master Key (VMK)

    3Full Volume Encryption Key (FVEK)

    Plaintext data

    and bring

    milk

    Separate VMK/FVEK adds flexibility how?

    Encrypted keys in

    volume metadata

    d70f3619a209b15

    Encrypted data

  • Algorithms and key sizes Storage root key (SRK) is a 2048-bit RSA key Volume master key (VMK) is a 256-bit symmetric key Full volume encrypt key (FVEK) is a 128 or 256-bit

    symmetric key The disk in encrypted with AES-CBC

    Initialization vector (IV) derived from sector number (because there is no space for storing a random IV in the disk block)

    No integrity check Adding a MAC wo