Secure storage

PapersAES-CBC + Elephant diffuserA Disk Encryption Algorithm for Windows VistaNiels Ferguson, Microsoft, niels@microsoft.comAugust 2006

How to Manage Persistent State in DRM SystemsWilliam Shapiro and Radek VingralekAugust 2001

Presentation by Petri Yllö 30.3.2007

read and write

Overview, example system model

• Confidentiality imple-mented with encryption

• Integrity options– Implicit: meaningful

decryption output– Explicit: Message

Authentication Code (MAC) stored with data records

• Reply attack detected by comparing counters

Hard diskencrypted data

MACcopy of counter

RAMvolatile memory

TPM (persistent)one way counterencryption key

ROMboot start code

encryption application

security perimeter

attack

BitLocker

• Enterprise and Ultimate editions of Windows Vista• Target: protect data on lost laptop’s HD.• Protects logical OS volume.• Requires another 1,5 GB “system volume”.• Cryptographic keys stored on TPM, USB or PIN• TPM is primary option. Easiest for user, but

enables hardware-based attacks.• OS decryption available, once OS kernel is

loaded.

Attack model• The attacker has many known (but not chosen)

plaintext/ciphertext pairs for different sectors.• The attacker has the ciphertexts for a large number of

chosen plaintexts for different sectors. The plaintexts are chosen before the attacker gets access to the laptop.

• The attacker has access to a slow decryption function for some of the sectors.

• The attacker gets several ciphertexts of plaintexts for the same sector with a known (but not chosen) difference.

• The attacker succeeds if he can modify a ciphertext such that the corresponding plaintext change has some non-random property.

Secure boot• TPM v1.2 PCR’s are used to keep track of the code that runs.• Encryption key is sealed against a particular set of PCR values.

1. At power-up the processor starts running the BIOS from ROM (secure code).

2. Extends the BIOS PCR with the entire BIOS code and proceeds with the rest of the BIOS startup.

3. MBR of the hard disk, extends the boot sector PCR with the sector's data, and then executes the code in the boot sector.

4. All newly-loaded code before the switch point is first measured using an extend function before it is executed.

5. At the switch point the TPM unseals the BitLocker volume encryption key.

6. After the switch, all further data is read from the encrypted volume.

• Any change to the code, requires that the keys be re-sealed to the new PCR values. Switch to using BitLocker encryption at the first opportunity.

Authentication of the data on the disk • No practical solution to add MAC to each

encrypted block. – Encryption per sector basis– No extra room for additional data

• Poor-man’s authentication– Changes in the ciphertext will crash the

machine rather than helping the attacker

• Second line of defense ignored: digital signatures on executables

The Cipher: AES-CBC + Elephant diffuser

• Advanced Encryption Standard (AES) was adopted in 2001 as a successor to DES

• In Cipher Block Chaining (CBC) mode, the plaintext is XORed with an Initial Vector (IV) and then encrypted.

• By default sector and AES keys 128 bit, 256 bit version also available

• Diffuser added to make manipulation attacks harder.• At least as secure as AES-CBC• 30 clock cycles/byte on Pentium 4, faster than peak

data rate from disk• An option with only AES-CBC is available for those few

customers that have formal requirements to only use government-approved encryption algorithms.

The cipher IVs:= E(KAES, e(s))

Ks := E(Ksec, e(s)) ||

E(Ksec, e’(s))

Diffuser

Decrypt A: for i = 0,1,2,,,,n * Acycles - 1 : di ← di + (di-2 XOR (di-5 <<< R(a)i mod 4))

Encrypt A: for i = n * Acycles – 1,,,,2,1,0 : di ← di - (di-2 XOR (di-5 <<< R(a)i mod 4))

Decrypt B: for i = 0,1,2,,,,n * Bcycles - 1 : di ← di + (di+2 XOR (di+5 <<< R(b)i mod 4))

Encrypt B: for i = n * Bcycles - 1,,,,,2,1,0 : di ← di - (di+2 XOR (di+5 <<< R(b)i mod 4))

DRM Systems• Secure binding of digital content to a contract• The contract conditionally grants the user the right

to access the content and it enforces consequences• Typically distributed systems, with content delivered

from servers.• Persistent data includes

– The content itself.– Certificates used for authentication and authorization in

the DRM system.– Account balances or usage counters.– Start dates used by subscription contracts.– Auxiliary data used to support efficient or disconnected

operation of clients (such as content decryption keys).

DRM Requirements• Fault tolerance

– Atomicity, isolation, durability

• Security– Secrecy, tamper-detection, prevent reply attack

• Performance

• Resource consumption

• Scalability

Mechanisms 1• Server based data repositories (locker

services)– Physically secured– Accidental corruption reduced– Performance penalty– No offline content consumption

Mechanisms 2: Secure memories

Merkle tree – on line tamper detector• Tree structure for better performance with limited secure

memory

Mechanisms 3: Secure audit logs

• Log user transactions in a local secured log• Encryption to provide data secrecy• Linear chain of hash links to every element

in the log provide tamper detection.• The hash of the end of the log is periodically

sent to a remote server• Sequence numbers in the log are used to

prevent the replay attack.• Truncation entries after last sent to a remote

server could go undetected.

Mechanisms 4: Secure file systems

• Secrecy: encrypted file systems

• Tamper detection– SFS-RO many users access read-only files

• Uses a tree of hashes to verify the content• The root inode, is signed with the private key of the

file system

– Protected File System (PFS)• cryptographic hashes over all data and meta-data

blocks to detect any tampering• no protection against replay attacks.

– SUNDR no protection against replay attack

Mechanisms 5: Secure database TDB

• Log-structured Merkle tree implementation• Secrecy by encryption of chunks with a secret key from ROM• Tamper-detection by signing the commit chunks with a secret key from ROM• Replay attack is prevented by adding the one-way counter to the commit chunk • Fine grained recovery based on transactions• Transactions committed by adding a commit chunk to the log• Location map is updated to stable memory only at a checkpoint

Mechanisms 6: GnatDb

• For small databases simplified store at the cost of performance

• Location map is an array

DRM Conclusion• Avoid persistent state requirement in clients• Access to named records and transactional

semantics for updates• Ideally wanted a database system that provided

both secrecy and tamper detection• Best choice: TDB or GnatDB for small devices• Log structured storage benefits

1. tamper-detection2. atomic updates3. copy-on-write snapshots for fast backups4. concentrating all writes in a few blocks5. traffic analysis harder