
Cryptography for storage systems

Christian Cachin
IBM Research - Zurich

10 May 2013

Overview

- Encryption in storage systems
- Tweakable encryption
- Integrity protection
- Key management

Encryption in storage systems

Traditional storage systems: Inside the box


[Figure: storage stack inside one box: app, fs, inode, blk, hba]

Direct-attached storage

Networked storage systems


[Figure: three networked storage stacks built from app, fs, inode, blk, net and hba layers, labelled NFS, CIFS (TCP/IP); OBS-SCSI (T10); FC, iSCSI]

NAS
(Network-attached Storage)

OBS
(Object Storage)

SAN
(Storage-area Network)

Storage-device models

File server
- read & write data in file
- create & destroy file
- directory operations
- file/dir-based access control
- space allocation
- backup ops

Object storage dev.
- read & write bytes in object
- create & destroy object
- object-level access control
- space allocation
- backup ops

Block device
- read & write blocks
- device-level access control

Tweakable encryption

Block cipher

Deterministic, key-dependent transformation
- One input block to one output block
- AES, DES, Blowfish ...
- Block size: typically 128 bits (16 bytes)
- Key size: typically 128 bits and more

Formally, a block cipher implements a pseudorandom permutation (PRP)
- Appears like a random permutation to any computationally bounded observer (who does not have the key)

Mode of operation ("chaining" mode) required
- Electronic-codebook mode (ECB) means no chaining

Why a block-cipher mode of operation?

[Figure, three panels: Plaintext as bitmap picture; Encrypted in ECB mode; Encrypted in secure mode of operation]

Encryption at the block layer

- "Device-level" encryption of 512-byte sectors
- Transparent to storage system
- No extra space available to chaining mode
- IEEE SISW standardization: P1619, .1, .2

[Figure: storage stack app, fs, inode, blk, with encryption E]

Using CBC mode

[Figure: CBC chaining of P1, P2, ... into C1, C2, ... with IV, key K and block cipher E]

- Random IV required, but there is no space to store it
- Derive IV from sector address
  IV = E_K( disk id || sector address )
  IV = E_{Hash(K)}( disk id || sector address )
- Leaks location of first updated block within sector
- Attack possible if adversary may invoke decryption for some sectors, but not for others

Tweakable encryption (TwE)

[Figure: traditional block cipher E with key K (secret) mapping P to C, beside tweakable block cipher E with key K and tweak T (public) mapping P to C]

Traditional
- E_K() is PRP
- E_K() is a PRP, deterministic after picking K
- Same permutation in every instance

Tweakable
- E_{K,T}() is a PRP for every T
- Tweakable E_{K,T}() is a family of independent permutations, indexed by T [Liskov, Rivest, Wagner, CRYPTO '02]
- T = address of block

Narrow-block TwE

[Figure: plaintext blocks P1 ... Pi ... Pn; each Pi is encrypted with E under key K and tweak s || i to Ci; ciphertext C1 ... Cn in disk sector s]

- Tweaked block = cipher block (16 bytes)
- Every block in sector encrypted independently
- Leaks only that block has been updated
- "Better" security against active attacks
- Tweak is sector address s plus block index i

Narrow-block TwE mode

[Figure: XTS-AES encryption of block Pi in sector s using keys K1 and K2 and block index i]

XTS-AES mode based on XEX [Rogaway, ASIACRYPT '04]
- Standardized by IEEE P1619 and NIST SP 800-38E
- Used in practice (e.g., Truecrypt, FDE for disk drives)
- Tweak = sector s || block index i
- Key K = K1 || K2
- α in GF(2^128), primitive element, α^i efficient for i = 0, 1, 2, ...
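What a passive observer of the stored bits learns from CBC with a sector-derived IV versus an XTS-style narrow-block tweak, as an added example that is not from the original slides. It assumes a 4-round HMAC-SHA256 Feistel permutation as a stand-in for AES; the function names and sample keys are constructed for illustration.

```python
import hashlib, hmac

BS = 16  # cipher block size in bytes; a 512-byte sector holds 32 blocks

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def prp(key, block):
    """Stand-in for AES (assumption): 4-round Feistel permutation on 16 bytes."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hmac.new(key, bytes([rnd]) + right, hashlib.sha256).digest()[:8]
        left, right = right, xor(left, f)
    return left + right

def cbc_sector(key, s, pt):
    """CBC over one sector with IV = E_K(sector address)."""
    prev, out = prp(key, s.to_bytes(BS, "big")), []
    for j in range(0, len(pt), BS):
        prev = prp(key, xor(pt[j:j + BS], prev))
        out.append(prev)
    return out

def mul_alpha(t):
    """Multiply by alpha in GF(2^128), XTS convention (little-endian, 0x87)."""
    n = int.from_bytes(t, "little") << 1
    if n >> 128:
        n = (n & ((1 << 128) - 1)) ^ 0x87
    return n.to_bytes(BS, "little")

def xts_sector(k1, k2, s, pt):
    """XEX/XTS structure: C_i = E_K1(P_i xor T_i) xor T_i, T_i = E_K2(s) * alpha^i."""
    t, out = prp(k2, s.to_bytes(BS, "little")), []
    for j in range(0, len(pt), BS):
        out.append(xor(prp(k1, xor(pt[j:j + BS], t)), t))
        t = mul_alpha(t)
    return out

def changed_blocks(old_ct, new_ct):
    """Indices of ciphertext blocks that differ: what a passive observer sees."""
    return [i for i, (a, b) in enumerate(zip(old_ct, new_ct)) if a != b]

def leak_demo(i=5, s=7):
    """Flip one bit of plaintext block i in sector s; return (CBC diff, XTS diff)."""
    k, k1, k2 = b"K" * 16, b"1" * 16, b"2" * 16      # constructed sample keys
    old = bytes(512)
    new = old[:i * BS] + b"\x01" + old[i * BS + 1:]
    cbc = changed_blocks(cbc_sector(k, s, old), cbc_sector(k, s, new))
    xts = changed_blocks(xts_sector(k1, k2, s, old), xts_sector(k1, k2, s, new))
    return cbc, xts
```

With CBC every ciphertext block from the updated one to the end of the sector changes, which reveals the position of the first update; with the per-block tweak only the updated block changes.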

Wide-block TwE

- One tweaked blockcipher encryption per sector
- Tweak is sector address s
- Leaks only that sector has been updated
- Tweaked block = disk sector (512 bytes)

[Figure: plaintext P1 ... Pn encrypted with E under key K to C1 ... Cn; ciphertext in disk sector s]

Wide-block TwE

- Proposed implementations are slower than AES
  - EME2-AES: 2x AES
  - XCB-AES: 1x AES + 2x GF(2^128)-mult.
- Standardized as IEEE P1619.2 (2010)
- Overhead considered to be (too) costly
- No practical deployment so far

Comparison

Passive adversary - Localize changes in encrypted file
- CBC mode: First changed block in sector
- TwE narrow: All blocks that changed
- TwE wide: Whole sector (best possible)

Active adversary - Trigger controlled change of plaintext
- CBC mode: Change one block
- TwE narrow: None & move blocks
- TwE wide: None

Situation in practice
- CBC mode: Deployed
- TwE narrow: Deployed
- TwE wide: Not used

How realistic are active attacks?
- Encryption in OS kernel, attack requires access to stored bits
- Unlikely for laptops
- More plausible for virtual disk images on cloud storage

Integrity protection

Integrity protection for one client

- Storage consists of n data items x1, ..., xn
- Client accesses storage via integrity-protection layer
- Uses small trusted memory to store short reference hash value v (together with encryption keys)
- Integrity layer operations
  - Read item and verify w.r.t. v
  - Write item and update v accordingly

[Figure: Client, Integrity layer, Trusted memory]

Hash trees for integrity checking (Merkle trees)

[Figure: binary hash tree with nodes root, H0, H1, H00, H01, H10, H11 above the data items x1, x2, x3, x4]

- Parent node is hash of its children
- Root hash value commits all data blocks
- Root hash in trusted memory
- Tree is on extra untrusted storage
- To verify xi, recompute path from xi to root with sibling nodes and compare to trusted root hash
- To update xi, recompute new root hash and nodes along path from xi to root
- Read & write operations need work O(log n)
  - Hash operations
  - Extra storage accesses
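The verify and update steps above as a small integrity layer over an untrusted store, as an added example that is not from the original slides. The class names, the SHA-256 choice, the leaf/node prefix bytes and the honest-setup step are assumptions made for the illustration.

```python
import hashlib

def H(*parts):
    return hashlib.sha256(b"".join(parts)).digest()

LEAF, NODE = b"\x00", b"\x01"   # domain separation (assumption, not on the slides)

class UntrustedStore:
    """Holds the data items and every tree node; none of it is trusted."""
    def __init__(self, items):                 # len(items) must be a power of two
        self.items = list(items)
        self.levels = [[H(LEAF, x) for x in items]]
        while len(self.levels[-1]) > 1:
            lo = self.levels[-1]
            self.levels.append([H(NODE, lo[j], lo[j + 1]) for j in range(0, len(lo), 2)])

    def read(self, i):
        """Item i plus the sibling hashes on its path to the root."""
        return self.items[i], [lvl[(i >> d) ^ 1] for d, lvl in enumerate(self.levels[:-1])]

    def write(self, i, x):
        self.items[i], self.levels[0][i] = x, H(LEAF, x)
        for d in range(1, len(self.levels)):
            lo, j = self.levels[d - 1], i >> d
            self.levels[d][j] = H(NODE, lo[2 * j], lo[2 * j + 1])

def root_from_path(i, x, siblings):
    h = H(LEAF, x)
    for s in siblings:                         # O(log n) hash operations
        h = H(NODE, h, s) if i % 2 == 0 else H(NODE, s, h)
        i //= 2
    return h

class Client:
    """Integrity layer; self.root is the only value kept in trusted memory."""
    def __init__(self, items):
        self.store = UntrustedStore(items)     # assumption: setup is honest
        self.root = self.store.levels[-1][0]

    def _fetch(self, i):
        x, siblings = self.store.read(i)
        if root_from_path(i, x, siblings) != self.root:
            raise ValueError("integrity violation at item %d" % i)
        return x, siblings

    def read(self, i):
        return self._fetch(i)[0]

    def write(self, i, x):
        siblings = self._fetch(i)[1]           # authenticate the siblings first
        self.store.write(i, x)
        self.root = root_from_path(i, x, siblings)
```

Because the trusted root changes on every write, a store that later serves an older, internally consistent state is rejected as well.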

Multi-client integrity protection

Single-client solution
- Relies on hash value v
  - Stored locally in trusted memory
  - Changes after every update operation

Multiple clients?
- Need to synchronize trusted memories

Solution with digital signatures
- Every client associated with a public/private key pair
- Write operation produces signature σ on hash v
- Client stores signature and hash (σ, v) on cloud
- This approach permits replay attacks ...
  - Prevented using trusted coord. service

[Figure: three Clients with an Integrity layer; label: Replay attacks]

Multi-client integrity protection and forking attacks

Server may present different views to separated clients
- E.g., not show the most recent WRITE operation to a reader
- Creates a "fork" between their histories
- Clients cannot prevent this without communication

Use fork linearizability [Mazieres, Shasha, PODC '02]:
- If malicious server forks the views of two clients once, then
  - their views are forked ever after
  - they never again see each other's updates
- Every inconsistency or integrity violation results in a fork
- Best achievable guarantee for storage on untrusted server
- Forks can be detected on a "cheap" low-security external channel

Prototype implementation in VENUS
- Use only a semi-trusted coordinator [Cachin et al., SIAM J. Comput, 2011]

[Shraer et al., CCSW 2011]

Key management

Today - Proprietary key mgmt.

Enterprise Cryptographic Environments

[Figure: enterprise systems (Portals, Production Database, Replica, CRM, Staging, Enterprise Applications, Collaboration & Content Mgmt Systems, VPN, WAN, LAN, File Server, Disk Arrays, Backup System, Backup Disk, Backup Tape, eCommerce Applications, Business Analytics, Dev/Test Obfuscation, Email), with eight separate boxes each labelled Key Management System]

Future - Standardized key management

Enterprise Cryptographic Environments

[Figure: the same enterprise systems (Portals, Production Database, Replica, CRM, Staging, Enterprise Applications, Collaboration & Content Mgmt Systems, VPN, WAN, LAN, File Server, Disk Arrays, Backup System, Backup Disk, Backup Tape, eCommerce Applications, Business Analytics, Dev/Test Obfuscation, Email), with the labels Key Management Interoperability Protocol and Enterprise Key Management]

OASIS Key Management Interoperability Protocol (KMIP)

- OASIS...? XML
- Client-server protocol
- Defines objects with attributes, plus operations
  - Objects: symmetric keys, public/private keys, certificates, threshold key-shares ...
  - Attributes: identifiers, type, length, lifecycle-state, lifecycle dates, links to other objects ...
  - Operations: create, register, attribute handling ...

OASIS KMIP

- KMIP draft spec prepared by industry group
  - HP, IBM, RSA-EMC, nCipher/Thales, Brocade, Seagate, LSI, NetApp
  - IBM- and IBM Zurich-led (editor and TC co-chair)
- OASIS KMIP Technical Committee (2009)
  - KMIP v1.0 released in Oct. 2010
  - KMIP v1.1 released in Feb. 2013
- http://www.oasis-open.org/committees/kmip/
- Today deployed by multiple vendors in storage-encryption context

KMIP objects and attributes

Objects of four types
- Symmetric keys, public keys, private keys, certificates

~50 attributes
- Identifier, state, initialization time, activation time, deactivation time ...

Access-control specific attributes
- ACL, usage ...

KMS accessed by remote users over network

KMIP operations

- Create(id, parameters) → OK
- Derive(id, parent_id, aux_data) → OK
- Store(id, clear_key) → OK
- Import(unwrapping_key_id, wrapped_key) → OK
- Read(id) → clear_key
- Export(id, wrapping_key_id) → wrapped_key
- Read attributes(id) → {attributes}
- Set attributes(id, {new_attributes}) → OK
- Search(id, condition) → {ids}
- Destroy(id) → OK -- deletes key, but leaves attributes intact
- Delete(id) → OK -- deletes key and attributes (if possible)

Most ops. are straightforward, but some involve cryptography.

Access control model for KMIP

Users
- Determined by user registry (e.g., LDAP)
- Special users: any, creator

Permissions
- Per-object: Admin, Derive, Destroy, Export, Read, ReadAttributes, Unwrap, Wrap
- Per-user: Create, Store

Every object o has an acl attribute
- o.acl ⊆ {(u, p) | u ∈ Users, p ∈ Permissions}

A key server is a crypto API

- Key server executes cryptographic operations
- So far, cryptographic security APIs have been linked to secure hardware tokens (IBM CCA, PKCS #11 ...)
- We extend the study of cryptographic security APIs to
  - Key-management systems on a network
  - Accessed by multiple users

Cryptographic tokens?

- Cryptographic processors
- Hardware security modules (HSM)
- Crypto co-processor in tamper-proof enclosure
- Keys never leave token in clear
- Executes all cryptographic operations with keys

[Figure: Token accessed by Admin and two Users]

Commercial crypto tokens

- HP Atalla Ax160
- IBM 4765
- nCipher/Thales netHSM
- Infineon TPM

Tamper-resistant and -responsive according to FIPS 140-2, up to Level 4

Why cryptographic tokens?

- "Cryptographic keys must not leave secure HW."
- Introduce a separation between:
  - Administration of keys → security officer
  - Administration of servers → server operator
  - Fewer opportunities for insider attacks
- Found in many corporate environments
  - Government, finance, telecom ...
- But also in your pocket
  - Smartcards, SIM cards, transport tickets ...

Interacting with a token

- User u authenticates to token
  - u ∈ {security-officer, application}
- u invokes operations through Crypto API
  - Operations on payload
    - Encrypt, decrypt, sign, verify ...
  - Key-management operations
    - Create, store, read*, update* key
    - Derive key from a parent key
    - Wrap key / export
    - Unwrap key / import
    - * Restricted to admin
- Standardized interfaces
  - PKCS #11 [EMC/RSA]
  - Common cryptographic architecture (CCA) [IBM]

Problems with crypto APIs (1)

- Legacy API policies are often "underspecified"
  - Nevertheless, they aim to protect keys
- Purely logical attacks → API attacks
  - Expose a protected key [Anderson, Bond, Clulow]
- Example attack on PKCS #11
  - Sensitive keys must not be exposed in clear
  - PKCS #11 denies read operation by user u ≠ admin if key k is sensitive
  - But allows u to wrap k under a non-sensitive key d
  - user u wraps k under d and reads d → this exposes k in clear

Problems with crypto APIs (2)

- Why is access control with simple read/write permissions not enough to protect keys?
- Because keys may depend cryptographically on other keys
  - Only cryptographic operations create such dependencies
- Propose to keep track of dependencies with a model for strict access control [Cachin, Chandran, CSF '09]

Dependencies among keys

[Figure: dependency graph over keys a, b, c, d, e, f, g, h]

- Key k depends on a key p
  - Key k was derived from p
  - Key k was wrapped under p
- derive(a,c), derive(a,d), derive(a,e) ...
- wrap(c,g), wrap(b,e) ...

New attributes for keys

- strict ∈ {false, true}
  - Determines if object governed by "strict policy"
- dependents ⊆ Objects
  - Other objects whose cryptographic value can be computed from the cryptographic value of the object
- ancestors ⊆ Objects
  - Other objects on which the object depends
- readers ⊆ Users
  - Users who have executed read(k) for some key k such that object ∈ k.dependents

Basic and strict policies

- If o.strict = true, then o benefits from strict security policy
- Otherwise, o underlies basic access-control policy
- Strict security policy respects dependencies between keys in access decisions

Basic authorization

Basic authorization rule of permission p for user u on object o:

  BASICAUTH(u, p, o) = (any, p) ∈ o.acl
                       or (u = o.creator and (creator, p) ∈ o.acl)
                       or (u, p) ∈ o.acl.

Implementation of read

Condition for user u to execute read(o):

  o.strict = false and BASICAUTH(u, Read, o)
  or o.strict = true and ∀ q ∈ o.dependents, BASICAUTH(u, Read, q)

Effect:

  if o.strict = true then
    ∀ q ∈ o.dependents, q.readers ← q.readers ∪ {u}

Implementation of export

Condition for user u to execute export(o, w):

  o.strict = false and BASICAUTH(u, Export, o)
  or o.strict = true and w.strict = true
     and BASICAUTH(u, Export, o) and BASICAUTH(u, Wrap, w)
     and ∀ v ∈ w.readers, ∀ q ∈ o.dependents, BASICAUTH(v, Read, q)
     and w ∉ o.dependents

Effect:

  if o.strict = true then
    ∀ v ∈ w.readers, o.readers ← o.readers ∪ {v}
    w.dependents ← w.dependents ∪ o.dependents
    o.ancestors ← o.ancestors ∪ w.ancestors

Use authenticated encryption for key wrapping

Implementation of import

Condition for u to execute import(w, wrapped) in strict mode:

  BASICAUTH(u, Unwrap, w) and w.readers = ∅ and w.strict = true
  and ∄ key in DB with same digest as o, where o = unwrap(wrapped)

Effect:

  w.dependents ← w.dependents ∪ o.dependents
  o.ancestors ← o.ancestors ∪ w.ancestors

Imported key must not yet exist in the system

Destroy and delete

Condition for u to execute destroy(o):

  BASICAUTH(u, Destroy, o)

- Destroys only the cryptographic material, leaves the object attributes in DB

Condition for u to execute delete(o):

  BASICAUTH(u, Admin, o)

- Destroys the object and its attributes, but only if o.dependents = ∅.

Notes

- Model of Cachin-Chandran (CSF '09) has only one key server
  - Server should keep a global history
  - Multiple servers need to synchronize state
- Prototype implementation at IBM Zurich
  - All keys and dependency data stored in DB
  - Compact representation, independent of history
- Requires system to track all operations
- Experience with prototype shows it is efficient
- No exposure to real world yet

References

- Christian Cachin, Nishanth Chandran. "A secure cryptographic token interface." In Proc. Computer Security Foundations (CSF), 2009.
- Mathias Björkqvist, Christian Cachin, Robert Haas, Xiao-Yu Hu, Anil Kurmus, René Pawlitzek, and Marko Vukolic. "Design and implementation of a key-lifecycle management system." In Proc. Financial Cryptography, 2010.
- OASIS Key Management Interoperability Protocol (KMIP) Technical Committee, "Key Management Interoperability Protocol Version 1.1" OASIS Standard, 2013. https://www.oasis-open.org/committees/documents.php?wg_abbrev=kmip
