HOST-403_final

E l ti fEvolution of Secure Storage James Hughes Huawei Technologies Co., Ltd. Session ID: HOST-403 Session Classification: Advanced Agenda Storage Security? Storage Security vs Network SecurityStorage Security vs Network Security E i ti S t d S l Att kExisting Systems and Sample Attacks Long Term Prediction of Adoption 24 StorageStorage Security? Agenda Why are we here? What is “Storage Security”What is Storage Security A sampling of issues No clear answer What to do?What to do? Encrypt your data Your OS vendor must help 44 Why Are We Here? CNN Moments Laptops in amusement parksLaptops in amusement parks Laptops at airports and borders Disks bought as scrap RAID disks stolenRAID disks stolen LANL Thumb drive Tapes lost in an armored vehicle Changing the auditable for the unauditable 5-9s of offsite archive reliability Tapes lost inside the datacenter p 55 Why now? California law on data disclosure CEO to jail (never enforced?)CEO to jail (never enforced?) Companies fined for data disclosure Blue Cross violated state insurance regulations Th t i f i dThe tension of privacy and commerce When in doubt, don’t keep it Data loss will always be herey Accidents Crimes 66 Conflict Between Data Protection from loss (backup)from loss (backup) Data Protection from disclosure Whi h ld h ?Which would you choose? Either or Both? Backup/Archivep using independent keys 77 Segregate Private Information? Doesn’t scale Not possible?Not possible? 88 Storage Encryption Changes a large secret All of your data on your siteAll of your data on your site Into a small secret Key If d t f ll i t th h dIf data falls into the wrong hands “The First Secret” separates authorized from attacker 99 What is the status? Tactical improvements It is not possible to process encrypted dataIt is not possible to process encrypted data BAND-AID® strategy First secret problem Need for enterprise key managementNeed for enterprise key management 100k keys in the clear Rogue employee St t i i tStrategic improvements Will take time 1010 What we know about the past Raid is not an information security measure 8+1 1/9 of the data is in the clear on each drive8+1, 1/9 of the data is in the clear on each drive Not spread by byte, 4k at a time Hacking, Viruses are known problems Disk wiping is a human intensive process Potential for mistakes; Broken drives? Encryption Appliances?Encryption Appliances? DRM is an impossible dream? Insiders are and continue to be a threat 1111 “Prediction is very difficult,Prediction is very difficult, especially about the future.” Niels Bohr 1212 What we know about the Future Cryptography built into the hardware Sun Niagara, Intel Westmere* Algorithms being improved IEEE P1619 family Storage encryption built into the OSStorage encryption built into the OS BitLocker, Encrypted ZFS Identity Management Maturing K t i till d hKey management is still ad hoc Forensics will get harder Humans will still be in the processHumans will still be in the process Key Management Data Destruction 13 *According to Wikipedia 13 Storage Configurations Local disk SCSI eSATA USB Protection from media loss Physical tampering 1414 Storage Configurations Network Files Data Stored at File Server File Server protects the disks 1515 Storage Configurations Network Files Tunnel protects the network File Server protects the disks Three times the work 1616 Storage Configurations Network Files Data encrypted by network filer client 1717 Storage Configurations Remote Disks Encrypted in driver or HBA 1818 StorageStorage Security vs NetworkNetwork Securityy Storage Security vs Network Security Storage is a network with a potential infinite latency D-H key agreement not possibleD H key agreement not possible Storage Reader may not exist when written Requires OOB key communication 2020 Security Attributes of Secure Storage Privacy Algorithm and Birthday boundsAlgorithm and Birthday bounds Ciphertext feedthrough Integrity M ll bilit f i h t tMalleability of ciphertext Cut and paste Authentication Key management Non repudiation 2121 Key Management Requirements are simple “Don't lose the keys”Don t lose the keys “Don't give the keys to the wrong people” C bi thi ith th OOB k i tCombine this with the OOB key requirement Many organizations working on this Companies, Standards, etc.p , , 2222 ExistingExisting Systems d S land Sample AttacksAttacks Existing Systems and Sample Attacks Existing systems Mac OSX FilevaultMac OSX Filevault Vista Bitlocker Tape encryption (various vendors) F t re S stemsFuture Systems Encrypted ZFS (OpenSolaris project) http://opensolaris.org/os/project/zfs-crypto/ 2424 Mac OSX Filevault and others Algorithm and Birthday bounds Leaks information after the birthday bounds.Leaks information after the birthday bounds. 64 bit block ciphers insufficient CBC implementation No room for integrity fieldNo room for integrity field Cut and paste Malleability of ciphertext Ciphertext feedthrough Selective Replay 2525 Feedthrough 2626 Splice attack 2727 Malleability 2828 Vista BitLocker, P1619.0, P1619.1 Tweaked block cipher Like adding public info to key, e.g. Sector numberLike adding public info to key, e.g. Sector number Still no integrity field Large block PRP Eliminates pre io s attacksEliminates previous attacks Allows determining if data is returned Detect A→B and then later B→A Replay of individual blocks (P1619.0) Replay of individual sectors (BitLocker, .1) 2929 Long TermLong Term Prediction f Ad tiof Adoption Tape encryption Tape offers variable blocksize Room for integrity fieldRoom for integrity field LTO, IBM, and Sun Implement AES in CCM or GCM mode All f t t d i ill t i thi f tAll future tape drives will contain this feature Similar to tape compression 3131 ZFS encryption ZFS is a log structured file system Utilizing copy on writeUtilizing copy on write Data is not overwritten Data not just stored in sectors http //en ikipedia org/ iki/ZFShttp://en.wikipedia.org/wiki/ZFS Room for an integrity field Complete Merkle treep Validating the entire filesystem Hashes for level x stored in level x-1 3232 ZFS tree uberuber md md md md d1 d2 d3 d4 3333 ZFS tree uberuber md md md md d1 d2 d3 d4d2' d3' 3434 ZFS tree uberuber md mdmd md mdmd md d1 d2 d3 d4d2' d3' 3535 ZFS tree uberuber md mdmd md mdmd md d1 d2 d3 d4d2' d3' 3636 ZFS tree uberuber mdmd md md d1 d4d2' d3' 3737 ZFS tree uberuber mdmd md md d1 d4d2' d3' 3838 ZFS Overwriting a file 7 times does not erase the data Encrypted data keeps hashes in the MetaData TreeEncrypted data keeps hashes in the MetaData Tree When the user is not logged in, the administrator can not see the data Backup should be in the clear or under a separately managed key so that users are not vulnerable to key lossloss 3939 Feedthrough Malleability Cut Paste CipherBlock Reply Sector Reply Disk Replay Filevault ✔ ✖ ✖ ✖ ✖ ✖ P1619.1 ✔ ✔ ✔ ✖ ✖ ✖ P1619.2 ✔ ✔ ✔ ✖ ✖ ✖ BitLocker/TPM ✔ ✔ ✔ ✔ ✖ ✖ eTape ✔ ✔ ✔ ✔ ✔ ✖ eZFS ✔ ✔ ✔ ✔ ✔ ✖ eZFS/TPM ✔ ✔ ✔ ✔ ✔ ✔ 4040 Performance vs Trends in Computers Measured AES, 100MB/s, on Laptop This is only going to go upThis is only going to go up Single disk performance 40MB/s Relatively constant (until Flash) Fi t h l tFirst access has latency Subsequent access access in RAM buffer This level of performance is “free”p In the OS is “free” “Security is an expectation, not a market” 4141 Single Socket Crypto Performance J. Hughes, G. Morton, J. Pechanec, C. Schuba, L. Spracklen, B. Yenduri, Transparent Multi-core Cryptographic Support on Niagara CMT Processors, Proceedings of the Second International Workshop on Multicore Software Engineering (IWMSE09), co- located with the 31st International Conference on Software Engineering (ICSE) May 16 24 2009 Vancouver Canada pdf 4242 located with the 31st International Conference on Software Engineering (ICSE), May 16-24, 2009, Vancouver, Canada, pdf Deployment Strategy Two pronged attack Existing machines that contain sensitive informationExisting machines that contain sensitive information This not adequate as all machines get sensitive stuff New machines Make Storage Security a requirement for new systemsMake Storage Security a requirement for new systems 4343 Long Term Prediction of Adoption Computers are fast enough OS vendors will add for freeOS vendors will add for free Storage Encryption Technology is maturing At least password protected Th iThere is no reason not to encrypt In the future, not encrypting your storage will be like using telnetstorage will be like using telnet instead of ssh 4444 Areas for Future Research Non-Repudiation Secure and Reliable Human authenticationSecure and Reliable Human authentication Affordable Tamper Responsive Hardware Key management for machine hibernation Encrypted boot 4545 Conclusion Storage contains personal information Storage Security vs Network SecurityStorage Security vs Network Security Security Attributes of Secure Storage Existing Systems and Sample Attacks Performance vs Trends in Computers Long Term Prediction of Adoption Areas for Future ResearchAreas for Future Research 4646 Apply Categorize your storage Servers, laptops, thumb drives, tapes, desktopsServers, laptops, thumb drives, tapes, desktops Categorize the keys that you already have SSH 509 PGP l t tiSSH, x509, PGP, laptop encryption Create a long term plang p Including key management Create standards for new deploymentsCreate standards for new deployments Include encrypted storage 4747 Fin 4848