Christian Cachin
IBM Research - Zurich
10 May 2013
Overview
Direct-attached storage
FC, iSCSI
NAS
(Network-attached Storage)
OBS
(Object Storage)
SAN
(Storage-area Network)
Storage-device models
File server
read & write data in file
create & destroy file
directory operations
file/dir-based access control
space allocation
backup ops
Tweakable encryption
Block cipher
One input block to one output block
AES, DES, Blowfish ...
Block size: typically 128 bits (16 bytes)
Key size: typically 128 bits and more
Appears like a random permutation to any computationally bounded observer (who does not have the key)
"Device-level" encryption of 512-byte sectors
Transparent to storage system
no extra space available to chaining mode
IEEE SISW standardization: P1619 / .1 / .2
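[Figure: storage stack (app, fs, inode, blk) and chained block encryption with IV, key K, block cipher E and ciphertext blocks C1, C2, ...]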
Leaks location of first updated block within sector
Attack possible if adversary may invoke decryption for some sectors, but not for others
Tweakable
[Figure: block cipher E mapping plaintext P to ciphertext C under key K (secret); tweakable block cipher E with the additional tweak T (public)]
E_K() is PRP
Tweakable E_{K,T}() is a family of independent permutations, indexed by T [Liskov, Rivest, Wagner, CRYPTO '02]
T = address of block
Narrow-block TwE
[Figure: plaintext blocks P1 ... Pi ... Pn of a sector, each encrypted by E under key K with tweak s || i into ciphertext blocks C1 ... Ci ... Cn]
Leaks only that block has been updated
"Better" security against active attacks
[Figure: encryption of block Pi with keys K1 and K2 and block index i]
Standardized by IEEE P1619 and NIST SP 800-38E
Used in practice (e.g., TrueCrypt, FDE for disk drives)
Tweak = sector s || block index i
Key K = K1 || K2
in GF(2^128), primitive element, i efficient for i = 0, 1, 2, ...
Wide-block TwE
One tweaked blockcipher encryption per sector
Tweak is sector address s
Leaks only that sector has been updated
[Figure: plaintext blocks P1 ... Pn of a sector encrypted as a whole by E under key K into ciphertext blocks C1 ... Cn]
Wide-block TwE
Comparison
Passive adversary - Localize changes in encrypted file
  CBC mode: First changed block in sector
  TwE narrow: All blocks that changed
  TwE wide: Whole sector (best possible)
Active adversary - Trigger controlled change of plaintext
  None
Situation in practice
  CBC mode: Deployed
  TwE narrow: Deployed
  TwE wide: Not used
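The passive-adversary row of the comparison, measured on a toy model (an added example, not from the original slides). The 4-round Feistel `prp` is a constructed stand-in for the block cipher E and the per-sector IV derivation in `cbc` is an assumption; the example goes beyond the slides by running all three modes on the same sector update.

```python
import hashlib

BLOCK, SECTOR = 16, 512  # 16-byte cipher blocks, 512-byte sectors (as on the slides)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def prp(key, tweak, data):
    """Toy tweakable permutation E_{K,T} (4-round Feistel over SHAKE-256); not a real cipher."""
    half = len(data) // 2
    left, right = data[:half], data[half:]
    for rnd in range(4):
        f = hashlib.shake_256(key + bytes([rnd]) + tweak + right).digest(half)
        left, right = right, xor(left, f)
    return left + right

def blocks(buf):
    return [buf[i:i + BLOCK] for i in range(0, len(buf), BLOCK)]

def cbc(key, s, sector):
    prev = prp(key, b"iv", s.to_bytes(BLOCK, "big"))  # per-sector IV (assumption)
    out = []
    for p in blocks(sector):
        prev = prp(key, b"", xor(p, prev))            # chain into the next block
        out.append(prev)
    return b"".join(out)

def narrow(key, s, sector):
    # Tweak = sector s || block index i, one permutation per 16-byte block.
    return b"".join(prp(key, s.to_bytes(8, "big") + i.to_bytes(8, "big"), p)
                    for i, p in enumerate(blocks(sector)))

def wide(key, s, sector):
    # One tweaked permutation over the whole sector, tweak = sector address s.
    return prp(key, s.to_bytes(8, "big"), sector)

def changed_blocks(mode, key, s, old, new):
    """What a passive adversary learns: which ciphertext blocks differ."""
    a, b = blocks(mode(key, s, old)), blocks(mode(key, s, new))
    return [i for i in range(len(a)) if a[i] != b[i]]

def demo():
    key = b"constructed demo key"
    old = bytes(SECTOR)                      # constructed sample sector
    new = bytearray(old)
    new[5 * BLOCK] ^= 1                      # update plaintext blocks 5 and 9
    new[9 * BLOCK] ^= 1
    return {m.__name__: changed_blocks(m, key, 7, old, bytes(new))
            for m in (cbc, narrow, wide)}
```

`demo()` reports blocks 5 through 31 for CBC (everything from the first changed block on), exactly blocks 5 and 9 for narrow-block TwE, and all 32 blocks for wide-block TwE.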
How realistic are active attacks?
- Encryption in OS kernel, attack requires access to stored bits
- Unlikely for laptops
- More plausible for virtual disk images on cloud storage
Integrity protection
Storage consists of n data items x1, ..., xn
Client accesses storage via integrity-protection layer
Uses small trusted memory to store short reference hash value v (together with encryption keys)
Integrity layer operations
Read item and verify w.r.t. v
Write item and update v accordingly
[Figure: Client with trusted memory accessing storage through the integrity layer]
Parent node is hash of its children
Root hash value commits all data blocks
Root hash in trusted memory
Tree is on extra untrusted storage
To verify xi, recompute path from xi to root with sibling nodes and compare to trusted root hash
To update xi, recompute new root hash and nodes along path from xi to root
[Figure: hash tree over data items x1, x2, x3, x4]
Read & write operations need work O(log n)
Hash operations
Extra storage accesses
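The verify and update procedures above as running code (an added example, not part of the original slides): the tree and the items sit on untrusted storage, the client keeps only the root hash v, and a server that replays an old item together with its old tree nodes is caught. The class names, the heap layout, SHA-256 and the "L"/"N" hash prefixes are assumptions of this example.

```python
import hashlib

def h(tag, *parts):
    return hashlib.sha256(tag + b"".join(parts)).digest()

class Store:  # untrusted storage: items x_i plus the hash tree (heap layout)
    def __init__(self, items):                     # len(items): power of two
        self.n, self.item = len(items), list(items)
        self.node = [b""] * self.n + [h(b"L", x) for x in items]
        for k in range(self.n - 1, 0, -1):         # parent = hash of children
            self.node[k] = h(b"N", self.node[2 * k], self.node[2 * k + 1])

class Client:  # integrity layer: trusted memory holds only the root hash v
    def __init__(self, store):
        self.s, self.v = store, store.node[1]      # assumes honest setup

    def _path(self, i, leaf, sibs):  # [(index, hash), ...] from leaf i to root
        k, cur, out = self.s.n + i, leaf, []
        for sib in sibs:
            cur = h(b"N", cur, sib) if k % 2 == 0 else h(b"N", sib, cur)
            k //= 2
            out.append((k, cur))
        return out

    def read(self, i, want_sibs=False):
        k, x = self.s.n + i, self.s.item[i]
        sibs = [self.s.node[(k >> d) ^ 1] for d in range(k.bit_length() - 1)]
        if self._path(i, h(b"L", x), sibs)[-1][1] != self.v:
            raise ValueError("item %d fails verification against v" % i)
        return (x, sibs) if want_sibs else x

    def write(self, i, x):
        _, sibs = self.read(i, want_sibs=True)     # siblings now authenticated
        path = self._path(i, h(b"L", x), sibs)
        self.s.item[i], self.s.node[self.s.n + i] = x, h(b"L", x)
        for k, val in path:
            self.s.node[k] = val
        self.v = path[-1][1]                       # new root to trusted memory

def rollback_detected():
    c = Client(Store([b"x1", b"x2", b"x3", b"x4"]))  # constructed sample items
    old_items, old_nodes = list(c.s.item), list(c.s.node)
    c.write(2, b"x3 v2")
    c.s.item, c.s.node = old_items, old_nodes        # server replays old state
    try:
        c.read(2)
    except ValueError:
        return True
    return False
```

The write path reuses the sibling hashes that were just verified against v, so the new root is never computed from unauthenticated nodes.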
Single-client solution
Relies on hash value v
Stored locally in trusted memory
Changes after every update operation
Multiple clients?
Need to synchronize trusted memories
Every client associated with a public/private key pair
Write operation produces signature on hash v
Client stores signature and hash (, v) on cloud
This approach permits replay attacks ...
Prevented using trusted coord. service
Replay attacks
[Figure: several clients accessing storage through the integrity layer]
E.g., not show the most recent WRITE operation to a reader
Creates a "fork" between their histories
Clients cannot prevent this without communication
[Mazieres, Shasha, PODC '02]:
If malicious server forks the views of two clients once, then their views are forked ever after; they never again see each other's updates
Best achievable guarantee for storage on untrusted server
Forks can be detected on a "cheap" low-security external channel
Key management
[Figure: enterprise environment with File Server, Disk Arrays, Backup System, eCommerce Applications, Business Analytics, Backup Disk, Dev/Test Obfuscation, Backup Tape]
OASIS...? XML
Client-server protocol
Defines objects with attributes, plus operations
Objects: symmetric keys, public/private keys, certificates, threshold key-shares ...
Attributes: identifiers, type, length, lifecycle-state, lifecycle dates, links to other objects ...
Operations: create, register, attribute handling ...
OASIS KMIP
HP, IBM, RSA-EMC, nCipher/Thales, Brocade, Seagate, LSI, NetApp
IBM- and IBM Zurich-led (editor and TC co-chair)
KMIP v1.0 released in Oct. 2010
KMIP v1.1 released in Feb. 2013
KMIP operations
Create(id, parameters): OK
Derive(id, parent_id, aux_data): OK
Store(id, clear_key): OK
Import(unwrapping_key_id, wrapped_key): OK
Read(id): clear_key
Export(id, wrapping_key_id): wrapped_key
Read attributes(id): {attributes}
Set attributes(id, {new_attributes}): OK
Search(id, condition): {ids}
Destroy(id): OK -- deletes key, but leaves attributes intact
Delete(id): OK -- deletes key and attributes (if possible)
Users
Permissions
Per-object: Admin, Derive, Destroy, Export, Read, ReadAttributes, Unwrap, Wrap
Per-user: Create, Store
Key server executes cryptographic operations
So far, cryptographic security APIs have been linked to secure hardware tokens (IBM CCA, PKCS #11 ...)
We extend the study of cryptographic security APIs to
Cryptographic tokens
Cryptographic processors Hardware security modules (HSM)
Crypto co-processor in tamper-proof enclosure
Keys never leave token in clear
Executes all cryptographic operations with keys
[Figure: Token used by an Admin and Users]
HP Atalla Ax160
IBM 4765
nCipher/Thales netHSM
Infineon TPM
Administration of keys: security officer
Administration of servers: server operator
Fewer opportunities for insider attacks
Operations on payload
Encrypt, decrypt, sign, verify ...
Key-management operations
Create, store, read*, update* key
Derive key from a parent key
Wrap key / export
Unwrap key / import
* Restricted to admin
Standardized interfaces
Sensitive keys must not be exposed in clear
PKCS #11 denies read operation by user u admin if key k is sensitive
But allows u to wrap k under a non-sensitive key d
user u wraps k under d and reads d
this exposes k in clear
Why?
Why is access control with simple read/write permissions not enough to protect keys?
Because keys may depend cryptographically on other keys
Propose to keep track of dependencies with a model for strict access control [Cachin, Chandran, CSF '09]
dependents: Objects
Other objects whose cryptographic value can be computed from the cryptographic value of the object
ancestors: Objects
readers: Users
Users who have executed read(k) for some key k such that object k.dependents
If o.strict = true, then o benefits from strict security policy
Otherwise, o underlies basic access-control policy
Strict security policy respects dependencies between keys in access decisions
Basic authorization
Basic authorization rule of permission p for user u on object o:
BASICAUTH(u, p, o) = (any, p) o.acl or (u = o.creator and (creator, p) , p) o.acl or (u, p) o.acl.
Implementation of read
Condition for user u to execute read(o):
o.strict = false and BASICAUTH(u, Read, o)
or o.strict = true and q o.dependents, BASICAUTH(u, Read, q)
Effect:
if o.strict = true then q o.dependents, q.readers q.readers {u}
Implementation of export
Condition for user u to execute export(o, w):
o.strict = false and BASICAUTH(u, Export, o)
or o.strict = true and w.strict = true and BASICAUTH(u, Export, o) and BASICAUTH(u, Wrap, w) and v w.readers, q o.dependents, BASICAUTH(v, Read, q) and w o.dependents
Effect:
if o.strict = true then v w.readers, o.readers o.readers {v}
w.dependents w.dependents o.dependents
o.ancestors o.ancestors w.ancestors
Implementation of import
Condition for u to execute import(w, wrapped) in strict mode:
BASICAUTH(u, Unwrap, w) and w.readers = and w.strict = true and W key in DB with same digest as o, where o = unwrap(wrapped)
Effect:
w.dependents w.dependents o.dependents
o.ancestors o.ancestors w.ancestors
Destroys only the cryptographic material, leaves the object attributes in DB
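How the strict read and export rules stop the wrap-then-read exposure of key k under key d described earlier, as an added example that is not code from the slides or from the authors' system. Assumptions: the operator symbols missing from the formulas on this page are read as set membership, for-all, union and not-in; every object starts in its own `dependents` and `ancestors`; the functions only return allow or deny and handle no key material.

```python
from dataclasses import dataclass, field

@dataclass(eq=False)                   # identity hashing, so objects fit in sets
class Obj:
    name: str
    creator: str
    acl: set                           # {(user | "any" | "creator", permission)}
    strict: bool = True
    dependents: set = field(default_factory=set)
    readers: set = field(default_factory=set)
    ancestors: set = field(default_factory=set)

    def __post_init__(self):           # assumption: o counts among its own
        self.dependents.add(self)      # dependents and ancestors
        self.ancestors.add(self)

def basic_auth(u, p, o):
    return (("any", p) in o.acl or (u, p) in o.acl
            or (u == o.creator and ("creator", p) in o.acl))

def read(u, o):
    if not o.strict:
        return basic_auth(u, "Read", o)
    if not all(basic_auth(u, "Read", q) for q in o.dependents):
        return False                   # reading o would reveal some q
    for q in o.dependents:
        q.readers.add(u)
    return True

def export(u, o, w):
    if not o.strict:
        return basic_auth(u, "Export", o)
    ok = (w.strict and basic_auth(u, "Export", o) and basic_auth(u, "Wrap", w)
          and all(basic_auth(v, "Read", q) for v in w.readers for q in o.dependents)
          and w not in o.dependents)
    if ok:
        o.readers |= w.readers
        w.dependents |= o.dependents
        o.ancestors |= w.ancestors
    return ok

def wrap_then_read(strict, read_first=False):
    """u may Export k and Wrap/Read d, but has no Read permission on k."""
    k = Obj("k", "admin", {("u", "Export")}, strict)
    d = Obj("d", "u", {("creator", "Wrap"), ("creator", "Read")}, strict)
    steps = [lambda: export("u", k, d), lambda: read("u", d)]
    if read_first:
        steps.reverse()
    return [step() for step in steps]  # k leaks only if both are allowed
```

Under the basic policy both steps are allowed and k is exposed; under the strict policy whichever step comes second is denied, in either order.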
Notes
Server should keep a global history
Multiple servers need to synchronize state
All keys and dependency data stored in DB
Compact representation, independent of history
Requires system to track all operations
Experience with prototype shows it is efficient
References
Christian Cachin, Nishanth Chandran. "A secure cryptographic token interface." In Proc. Computer Security Foundations (CSF), 2009.
Mathias Björkqvist, Christian Cachin, Robert Haas, Xiao-Yu Hu, Anil Kurmus, René Pawlitzek, and Marko Vukolic. "Design and implementation of a key-lifecycle management system." In Proc. Financial Cryptography, 2010.
OASIS Key Management Interoperability Protocol (KMIP) Technical Committee, "Key Management Interoperability Protocol Version 1.1." OASIS Standard, 2013.
https://www.oasis-open.org/committees/documents.php?wg_abbrev=kmip