Cryptography for Storage Systems

Cryptography for storage systems
Christian Cachin
IBM Research - Zurich

10 May 2013

Overview



● Encryption in storage systems
● Tweakable encryption
● Integrity protection
● Key management







Encryption in storage systems

Traditional storage systems: Inside the box
[Figure: I/O stack of direct-attached storage, all inside one box: app, fs, inode, blk, hba]

Direct-attached storage

Networked storage systems

[Figure: I/O stacks (app, fs, inode, blk, hba) with the network ("net") inserted at a different layer in each of three models]

● NAS (Network-attached Storage): NFS, CIFS (TCP/IP)
● OBS (Object Storage): OBS-SCSI (T10)
● SAN (Storage-area Network): FC, iSCSI

Storage-device models

File server
- read & write data in file
- create & destroy file
- directory operations
- file/dir-based access control
- space allocation
- backup ops

Object storage dev.
- read & write bytes in object
- create & destroy object
- object-level access control
- space allocation
- backup ops

Block device
- read & write blocks
- device-level access control

Tweakable encryption

Block cipher


● Deterministic, key-dependent transformation
  – One input block to one output block
  – AES, DES, Blowfish ...
  – Block size: typically 128 bits (16 bytes)
  – Key size: typically 128 bits and more
● Formally, a block cipher implements a pseudorandom permutation (PRP)
  – Appears like a random permutation to any computationally bounded observer (who does not have the key)
● Mode of operation ("chaining" mode) required
  – Electronic-codebook mode (ECB) means no chaining

Why a block-cipher mode of operation?

[Figure: three images side by side]
● Plaintext as bitmap picture
● Encrypted in ECB mode
● Encrypted in secure mode of operation

Encryption at the block layer

● "Device-level" encryption of 512-byte sectors
● Transparent to storage system → no extra space available to chaining mode
● IEEE SISW standardization: P1619, .1, .2

[Figure: I/O stack app, fs, inode, blk, with encryption E at the block layer]

Using CBC mode

[Figure: CBC encryption of plaintext blocks P1, P2, ... with block cipher E under key K and initial value IV, giving ciphertext blocks C1, C2, ...]

● Random IV required, but there is no space to store → Derive IV from sector address
  – IV = E_K( disk id || sector address )
  – IV = E_{Hash(K)}( disk id || sector address )
● Leaks location of first updated block within sector
● Attack possible if adversary may invoke decryption for some sectors, but not for others

Tweakable encryption (TwE)

[Figure: two block diagrams. Traditional: P → E → C under key K. Tweakable: P → E → C under key K and tweak T. K is secret, T is public.]

Traditional
● E_K() is PRP
● E_K() is a PRP, deterministic after picking K
● Same permutation in every instance

Tweakable
● E_{K,T}() is a PRP for every T
● Tweakable E_{K,T}() is a family of independent permutations, indexed by T [Liskov, Rivest, Wagner, CRYPTO '02]
● T = address of block

Narrow-block TwE

[Figure: plaintext blocks P1 ... Pi ... Pn of one sector; block Pi is encrypted with E under key K and tweak s || i to give Ci; ciphertext blocks C1 ... Cn are the ciphertext in disk sector s. Tweaked block = cipher block (16 bytes).]

● Every block in sector encrypted independently
  – Leaks only that block has been updated
  – "Better" security against active attacks
● Tweak is sector address s plus block index i

Narrow-block TwE mode

[Figure: XTS-AES block diagram with inputs sector s, block index i (as α^i) and plaintext block Pi, and two block-cipher calls E, one under K2 and one under K1]

● XTS-AES mode based on XEX [Rogaway, ASIACRYPT '04]
  – Tweak = sector s || block index i
  – Key K = K1 || K2
  – α in GF(2^128), primitive element; α^i efficient for i = 0, 1, 2, ...
● Standardized by IEEE P1619 and NIST SP 800-38E
● Used in practice (e.g., TrueCrypt, FDE for disk drives)

Wide-block TwE

● One tweaked blockcipher encryption per sector
● Tweak is sector address s
● Leaks only that sector has been updated

[Figure: the whole plaintext P1 ... Pn of a sector is encrypted with E under key K and tweak s to give C1 ... Cn, the ciphertext in disk sector s. Tweaked block = disk sector (512 bytes).]

Wide-block TwE

● Proposed implementations are slower than AES
  – EME2-AES: 2x AES
  – XCB-AES: 1x AES + 2x GF(2^128)-mult.
● Standardized as IEEE P1619.2 (2010)
● Overhead considered to be (too) costly
  – No practical deployment so far

Comparison

Passive adversary - Localize changes in encrypted file
    CBC mode:    First changed block in sector
    TwE narrow:  All blocks that changed
    TwE wide:    Whole sector (best possible)

Active adversary - Trigger controlled change of plaintext
    CBC mode:    Change one block
    TwE narrow:  None & move blocks
    TwE wide:    None

Situation in practice
    CBC mode:    Deployed
    TwE narrow:  Deployed
    TwE wide:    Not used

How realistic are active attacks
- Encryption in OS kernel, attack requires access to stored bits
- Unlikely for laptops
- More plausible for virtual disk images on cloud storage
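
The passive-adversary leakage compared above can be observed directly. The following Python sketch is an added example, not code from the slides: it uses a toy Feistel permutation in place of AES and a simplified XEX-style mask E_K2(s || i) instead of the XTS multiplication by α^i, and the keys and sector contents are constructed.

```python
import hashlib, hmac

BLOCK, SECTOR = 16, 512

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def E(key, block):
    """Toy 4-round Feistel permutation on 16 bytes; stands in for AES, not secure."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hmac.new(key, bytes([rnd]) + right, hashlib.sha256).digest()[:8]
        left, right = right, xor(left, f)
    return left + right

def blocks(sector):
    return [sector[i:i + BLOCK] for i in range(0, SECTOR, BLOCK)]

def cbc_sector(key, s, sector):
    """CBC over one sector with IV = E_K(sector address)."""
    prev, out = E(key, s.to_bytes(BLOCK, "big")), []
    for p in blocks(sector):
        prev = E(key, xor(prev, p))
        out.append(prev)
    return out

def narrow_twe_sector(k1, k2, s, sector):
    """Every block encrypted independently under tweak (s, i), XEX-style."""
    out = []
    for i, p in enumerate(blocks(sector)):
        # Simplification: mask = E_K2(s || i); XTS uses E_K2(s) times alpha^i.
        mask = E(k2, s.to_bytes(8, "big") + i.to_bytes(8, "big"))
        out.append(xor(E(k1, xor(p, mask)), mask))
    return out

def changed(before, after):
    return [i for i, (a, b) in enumerate(zip(before, after)) if a != b]

def observe(updated_blocks, s=7):
    """Ciphertext block indices a passive observer sees change: (CBC, narrow TwE)."""
    k1, k2 = bytes(range(16)), bytes(range(16, 32))   # constructed keys
    old = bytes(SECTOR)                               # constructed sector content
    new = bytearray(old)
    for i in updated_blocks:
        new[i * BLOCK] ^= 0xFF                        # the client updates block i
    new = bytes(new)
    return (changed(cbc_sector(k1, s, old), cbc_sector(k1, s, new)),
            changed(narrow_twe_sector(k1, k2, s, old), narrow_twe_sector(k1, k2, s, new)))
```

With CBC every ciphertext block from the first updated one to the end of the sector changes, so the observer learns where the first update is; with the narrow-block construction exactly the updated blocks change.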

Integrity protection

Integrity protection for one client

● Storage consists of n data items x1, ..., xn
● Client accesses storage via integrity-protection layer
  – Uses small trusted memory to store short reference hash value v (together with encryption keys)
● Integrity layer operations
  – Read item and verify w.r.t. v
  – Write item and update v accordingly

[Figure: Client with trusted memory, accessing storage through the Integrity layer]

Hash trees for integrity checking (Merkle trees)

[Figure: hash tree with nodes root, H0, H1, H00, H01, H10, H11 over data items x1, x2, x3, x4]

● Parent node is hash of its children
● Root hash value commits all data blocks
  – Root hash in trusted memory
  – Tree is on extra untrusted storage
● To verify xi, recompute path from xi to root with sibling nodes and compare to trusted root hash
● To update xi, recompute new root hash and nodes along path from xi to root
● Read & write operations need work O(log n)
  – Hash operations
  – Extra storage accesses
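
The read and update procedures above, as an added Python example (not code from the slides). The heap-style node layout, SHA-256, the leaf/node prefixes and the class names are assumptions of this sketch, and the number of items is assumed to be a power of two.

```python
import hashlib

def H(tag, *parts):
    return hashlib.sha256(tag + b"".join(parts)).digest()

class UntrustedStore:
    """Data items plus all tree nodes; the server may change anything in here."""
    def __init__(self, items):
        n = len(items)                       # assumed to be a power of two
        self.items = list(items)
        self.nodes = [b""] * n + [H(b"leaf", x) for x in items]
        for k in range(n - 1, 0, -1):        # node k has children 2k and 2k+1
            self.nodes[k] = H(b"node", self.nodes[2 * k], self.nodes[2 * k + 1])

class Client:
    """Keeps only the root hash v in trusted memory."""
    def __init__(self, store):
        self.store, self.n = store, len(store.items)
        self.v = store.nodes[1]              # taken once, at trusted setup time

    def _siblings(self, i):
        k, sibs = self.n + i, []
        while k > 1:
            sibs.append(self.store.nodes[k ^ 1])
            k //= 2
        return sibs

    def _root(self, i, h, sibs, save=False):
        k = self.n + i
        for sib in sibs:
            if save:
                self.store.nodes[k] = h
            h = H(b"node", h, sib) if k % 2 == 0 else H(b"node", sib, h)
            k //= 2
        if save:
            self.store.nodes[1] = h
        return h

    def read(self, i, sibs=None):
        x = self.store.items[i]
        if self._root(i, H(b"leaf", x), sibs or self._siblings(i)) != self.v:
            raise ValueError(f"integrity violation at item {i}")
        return x

    def write(self, i, x):
        sibs = self._siblings(i)
        self.read(i, sibs)                   # authenticate the path before reusing it
        self.store.items[i] = x
        self.v = self._root(i, H(b"leaf", x), sibs, save=True)
```

Because the client compares against its own copy of v, a server that restores an older but internally consistent copy of items and tree is caught as well as one that alters a single item.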



Multi-client integrity protection

● Single-client solution
  – Relies on hash value v
  – Stored locally in trusted memory
  – Changes after every update operation
● Multiple clients?
  – Need to synchronize trusted memories
● Solution with digital signatures
  – Every client associated with a public/private key pair
  – Write operation produces signature σ on hash v
  – Client stores signature and hash (σ, v) on cloud
● Replay attacks
  – This approach permits replay attacks ...
  – Prevented using trusted coord. service

[Figure: three Clients accessing storage through the Integrity layer]
Multi-client integrity protection and forking attacks

● Server may present different views to separated clients
  – E.g., not show the most recent WRITE operation to a reader
  – Creates a "fork" between their histories
  – Clients cannot prevent this without communication
● Use fork linearizability [Mazieres, Shasha, PODC '02]:
  – If malicious server forks the views of two clients once, then
    → their views are forked ever after
    → they never again see each other's updates
● Every inconsistency or integrity violation results in a fork
  – Best achievable guarantee for storage on untrusted server
  – Forks can be detected on a "cheap" low-security external channel
● Prototype implementation in VENUS
  – Use only a semi-trusted coordinator

[Cachin et al., SIAM J. Comput, 2011]
[Shraer et al., CCSW 2011]

Key management

Today - Proprietary key mgmt.

[Figure: Enterprise Cryptographic Environments. Components shown: Portals, Production Database, Replica, CRM, Staging, Enterprise Applications, Collaboration & Content Mgmt Systems, VPN, WAN, LAN, File Server, Disk Arrays, Backup System, Backup Disk, Backup Tape, eCommerce Applications, Business Analytics, Dev/Test Obfuscation, Email. Eight separate boxes are each labelled "Key Management System".]

Future - Standardized key management

[Figure: Enterprise Cryptographic Environments with the same components, now with the labels "Key Management Interoperability Protocol" and "Enterprise Key Management".]

OASIS Key Management Interoperability Protocol (KMIP)

● OASIS...? XML
● Client-server protocol
● Defines objects with attributes, plus operations
  – Objects: symmetric keys, public/private keys, certificates, threshold key-shares ...
  – Attributes: identifiers, type, length, lifecycle-state, lifecycle dates, links to other objects ...
  – Operations: create, register, attribute handling ...

OASIS KMIP

● KMIP draft spec prepared by industry group
  – HP, IBM, RSA-EMC, nCipher/Thales, Brocade, Seagate, LSI, NetApp
  – IBM- and IBM Zurich-led (editor and TC co-chair)
● OASIS KMIP Technical Committee (2009)
  – KMIP v1.0 released in Oct. 2010
  – KMIP v1.1 released in Feb. 2013
● http://www.oasis-open.org/committees/kmip/
● Today deployed by multiple vendors in storage-encryption context



KMIP objects and attributes

● Objects of four types
  – Symmetric keys, public keys, private keys, certificates
● ~50 attributes
  – Identifier, state, initialization time, activation time, deactivation time ...
● Access-control specific attributes
  – ACL, usage ...
● KMS accessed by remote users over network

KMIP operations

● Create(id, parameters) → OK
● Derive(id, parent_id, aux_data) → OK
● Store(id, clear_key) → OK
● Import(unwrapping_key_id, wrapped_key) → OK
● Read(id) → clear_key
● Export(id, wrapping_key_id) → wrapped_key
● Read attributes(id) → {attributes}
● Set attributes(id, {new_attributes}) → OK
● Search(id, condition) → {ids}
● Destroy(id) → OK -- deletes key, but leaves attributes intact
● Delete(id) → OK -- deletes key and attributes (if possible)

Most ops. are straightforward, but some involve cryptography.

Access control model for KMIP

● Users
  – Determined by user registry (e.g., LDAP)
  – Special users: any, creator
● Permissions
  – Per-object: Admin, Derive, Destroy, Export, Read, ReadAttributes, Unwrap, Wrap
  – Per-user: Create, Store
● Every object o has an acl attribute
  o.acl ⊂ {(u, p) | u ∈ Users, p ∈ Permissions}

A key server is a crypto API

● Key server executes cryptographic operations
● So far, cryptographic security APIs have been linked to secure hardware tokens (IBM CCA, PKCS #11 ...)
● We extend the study of cryptographic security APIs to
  – Key-management systems on a network
  – Accessed by multiple users

Cryptographic tokens?

Cryptographic processors
Hardware security modules (HSM)

● Crypto co-processor in tamper-proof enclosure
● Keys never leave token in clear
● Executes all cryptographic operations with keys

[Figure: a Token accessed by one Admin and several Users]

Commercial crypto tokens

● HP Atalla Ax160
● IBM 4765
● nCipher/Thales netHSM
● Infineon TPM

Tamper-resistant and -responsive according to FIPS 140-2, up to Level 4

Why cryptographic tokens?

"Cryptographic keys must not leave secure HW."

● Introduce a separation between:
  – Administration of keys → security officer
  – Administration of servers → server operator
  → Fewer opportunities for insider attacks
● Found in many corporate environments
  – Government, finance, telecom ...
● But also in your pocket
  – Smartcards, SIM cards, transport tickets ...

Interacting with a token

● User u authenticates to token
  u ∈ {security-officer, application}
● u invokes operations through Crypto API
  – Operations on payload
    ● Encrypt, decrypt, sign, verify ...
  – Key-management operations
    ● Create, store, read*, update* key
    ● Derive key from a parent key
    ● Wrap key / export
    ● Unwrap key / import
    * Restricted to admin!
● Standardized interfaces
  – PKCS #11 [EMC/RSA]
  – Common cryptographic architecture (CCA) [IBM]

Problems with crypto APIs (1)

● Legacy API policies are often "underspecified"
  – Nevertheless, they aim to protect keys
● Purely logical attacks → API attacks
  – Expose a protected key [Anderson, Bond, Clulow]
● Example attack on PKCS #11
  – Sensitive keys must not be exposed in clear
  – PKCS #11 denies read operation by user u ≠ admin if key k is sensitive
  – But allows u to wrap k under a non-sensitive key d
    → user u wraps k under d and reads d
    → this exposes k in clear

Problems with crypto APIs (2)

Why?

● Why is access control with simple read/write permissions not enough to protect keys?
● Because keys may depend cryptographically on other keys
  – Only cryptographic operations create such dependencies
● Propose to keep track of dependencies with a model for strict access control [Cachin, Chandran, CSF '09]

Dependencies among keys

[Figure: dependency graph over keys a, b, c, d, e, f, g, h, i]

● Key k depends on a key p ⇔
  – Key k was derived from p
    derive(a,c), derive(a,d), derive(a,e) ...
  – Key k was wrapped under p
    wrap(c,g), wrap(b,e) ...

New attributes for keys

● strict ∈ {false, true}
  – Determines if object governed by "strict policy"
● dependents ⊆ Objects
  – Other objects whose cryptographic value can be computed from the cryptographic value of the object
● ancestors ⊆ Objects
  – Other objects on which the object depends
● readers ⊆ Users
  – Users who have executed read(k) for some key k such that object ∈ k.dependents

Basic and strict policies

● If o.strict = true, then o benefits from strict security policy
● Otherwise, o underlies basic access-control policy
● Strict security policy respects dependencies between keys in access decisions

Basic authorization

Basic authorization rule of permission p for user u on object o:

  BASICAUTH(u, p, o) =
      (any, p) ∈ o.acl
      or (u = o.creator and (creator, p) ∈ o.acl)
      or (u, p) ∈ o.acl.

Implementation of read

Condition for user u to execute read(o):

  o.strict = false and BASICAUTH(u, Read, o)
  or
  o.strict = true and ∀ q ∈ o.dependents, BASICAUTH(u, Read, q)

Effect:

  if o.strict = true then
      ∀ q ∈ o.dependents, q.readers ← q.readers ∪ {u}

Implementation of export

Condition for user u to execute export(o, w):

  o.strict = false and BASICAUTH(u, Export, o)
  or
  o.strict = true and w.strict = true
      and BASICAUTH(u, Export, o) and BASICAUTH(u, Wrap, w)
      and ∀ v ∈ w.readers, ∀ q ∈ o.dependents, BASICAUTH(v, Read, q)
      and w ∉ o.dependents

Effect:

  if o.strict = true then
      ∀ v ∈ w.readers, o.readers ← o.readers ∪ {v}
      w.dependents ← w.dependents ∪ o.dependents
      o.ancestors ← o.ancestors ∪ w.ancestors

Use authenticated encryption for key wrapping

Implementation of import

Condition for u to execute import(w, wrapped) in strict mode:

  BASICAUTH(u, Unwrap, w) and w.readers = ∅ and w.strict = true
  and ∄ key in DB with same digest as o, where o = unwrap(wrapped)

Effect:

  w.dependents ← w.dependents ∪ o.dependents
  o.ancestors ← o.ancestors ∪ w.ancestors

Imported key must not yet exist in the system

Destroy and delete

Condition for u to execute destroy(o):

  BASICAUTH(u, Destroy, w)

Destroys only the cryptographic material, leaves the object attributes in DB

Condition for u to execute delete(o):

  BASICAUTH(u, Admin, w)

Destroys the object and its attributes, but only if o.dependents = ∅.

Notes

● Model of Cachin-Chandran (CSF '09) has only one key server
  – Server should keep a global history
  – Multiple servers need to synchronize state
● Prototype implementation at IBM Zurich
  – All keys and dependency data stored in DB
  – Compact representation, independent of history
● Requires system to track all operations
● Experience with prototype shows it is efficient
● No exposure to real world yet

References

● Christian Cachin, Nishanth Chandran. "A secure cryptographic token interface." In Proc. Computer Security Foundations (CSF), 2009.
● Mathias Björkqvist, Christian Cachin, Robert Haas, Xiao-Yu Hu, Anil Kurmus, René Pawlitzek, and Marko Vukolic. "Design and implementation of a key-lifecycle management system." In Proc. Financial Cryptography, 2010.
● OASIS Key Management Interoperability Protocol (KMIP) Technical Committee, "Key Management Interoperability Protocol Version 1.1." OASIS Standard, 2013.
  https://www.oasis-open.org/committees/documents.php?wg_abbrev=kmip




