Hitachi Virtual Storage Platform (VSP) Encryption Adapter ...
The evolving storage encryption market · 2007-11-11 · The evolving storage encryption market...
Transcript of The evolving storage encryption market · 2007-11-11 · The evolving storage encryption market...
Presented at the THIC Meeting at the National Center for Atmospheric Research, 1850 Table Mesa Drive, Boulder CO
80305-5602 August 21-22, 2007
The evolving storage encryption market
Alexander (Sandy) S tewartSun M icroSystems
1 S torageTek Drive, Louisville, CO 80028Phone:+1-303-673-2775 FAX: +1-303-661-5743
E-mail: alexander.stewart@ sun.com
Ciphers, Keys and Confusion• A cipher is an algorithm for performing encryption
(and the reverse, decryption) — a series of well-defined steps that can be followed as a procedure. > Symmetric Cryptography - a.k.a Secret Key Cryptography
> Same key used to encrypt and decrypt messages> Problem is how to share key
> Asymmetric Cryptography - a.k.a Public Key Cryptography> Different, mathematically linked keys for encryption and
decryption> Problem is process is computationally intensive
Symmetric Key Cryptography> rot13
> Algorithm is to rotate alphabet by “n,” Key “n” = 13> “get well soon” = “trg jryy fbba”> Brute force attack requires <25 iterations> Trivial to decipher using word structure
> “Crytpoquip”> One letter substituted for another, key is definition of substitution> “get well soon” = “axo dxpp ywwr”> Brute force attack requires 4x 1026 iterations> Easy to decipher using word structure
> AES (Advanced Encryption Standard)> Message hashed using long key> “get well soon” = “dfcd3454bbea7”> Brute force attack requires 3.67x1060 iterations when 256-bit key used> No known alternative to brute force attack
Symmetric Key Cryptography
Key Sharing>Algorithm must be shared – not an issue>Key must be securely shared
− Independent secure communication● Face-to-face whispered conversation● Physically secured code-book● Nested encrypted communication● Hybrid approach using Public Keys to protect key
transmissions
Key ProtectionRaw Key Values from CD or MARS Card
Wrap Key (Media Key⊕Split Key)Communications Key
Communications Key(Wrap Key(Media Key⊕ Split Key))
Media KeySplit KeyWrap KeyCommunications Key
Media KeySplit KeyWrap KeyCommunications Key
= Volatile Memory= Non-volatile Memory
Asymmetric Key CryptographyHistory> First invented (secretly) in early 1970’s by Ellis,
Cocks and Williamson of UK GCHQ> First published disclosure 1976 by Dr. Whit
Diffie (Sun Fellow) and Martin Hellman> Examples
>Diffie-Hellman key exchange>RSA (Rivest, Shamir, Adleman)>Elliptic Curve>ElGamal
Asymmetric Key CryptographyHow does it work> Pairs of mathematically linked key values are
created – Public Key and Private Key>The Public key may be widely distributed
− The public key is used by anyone wishing to send you a secure message
>Your Private key must be kept secret− You use your private key to decrypt any secure message
sent to you− A message encrypted using your public key can only be
decrypted using your private key− Many people can send you messages encrypted using
your public key but cannot read messages from other people encrypted using that public key
Asymmetric Key CryptographyKey Pairs> The paired values are linked mathematically but
it is not practicable to derive one from the other> RSA
>Two large prime numbers form the key pairs>The mathematical linkage is the exponentiation
modulo of the product of these numbers> Elliptic curve
>The two key pairs are the x/y coordinates of a defined elliptic curve
Example
Drawing ©Wikipedia
Man-in-the-middle attack
Alice Bob
Eric
Message encrypted with Alice’s public key
Alice’s public key
Alice’s public key Eric’s public key
Message encrypted with Eric’s public key
Message encrypted with Alice’s public key
Decrypt, read or tamper, re-encrypt
Substitute public key from Eric’s key pair
Certificates and Certificate AuthoritiesA Certificate binds a public key to a particular entity
> X.509 uses designated a set of Certificate Authorities who issue certificates> PGP (Pretty Good Privacy) establishes a web of trust model where anyone can issue a certificate
> The structure of a user’s X.509 v3 digital certificate is as follows:> Certificate
− Version − Serial Number − Algorithm ID − Issuer − Validity
● Not Before ● Not After
− Subject − Subject Public Key Info
● Public Key Algorithm ● Subject Public Key
− Issuer Unique Identifier (Optional) − Subject Unique Identifier (Optional) − Extensions (Optional)
> Certificate Signature Algorithm > Certificate Signature
> The Certificate Authority has their own X.509 certificate that is used to validate the user’s certificate
©Wikipedia
Asymmetric vs. Symmetric Comparison> Asymmetric keys solve the problem of secure key
communication> Asymmetric key algorithms are much more computationally
intensive> Asymmetric key encryption requires significantly longer keys to
achieve the same level of security as symmetric encryption
Optimum uses of Asymmetric KeysSecure transmission of short messages
> Credit card transactions using SSL/TLS protocolsDigital Signature
> Proves that message comes from a trustable source> Provide source with your public key> Source hashes long message and attaches an encrypted (using
your public key) version of the hash to the message> On receipt, perform a separate hash of the message and compare
it to the decrypted received hashHybrid implementation with symmetric cryptography> Plays to the strengths of both technologies> Use Asymmetric Cryptography to securely share Symmetric Keys
Where do we go from here?• Bulk encryption for Disk and Tape products is well
under control• Key Management is the issue
> Vendor specific systems exist> IBM tailored to an IBM environment> Sun independent of environment
> Backup Application Vendors are slow to engage> Diligent efforts ongoing to define a compatible Key
Management Protocol
Alphabet Soup• NIST – National Institute of Science and
Technology• FIPS – Federal Information Processing Standard• IEEE 1619 – IEEE Encryption Working Groups
> 1619.1> 1619.2> 1619.3
• TCG – Trusted Computing Group• T10/T11 SCSI Protocols
Who is buying encryption• Sun/STK Customers Upgrade for Encryption:
> Large Grocery Chain in Northern CA> Large Office Supply Retailer> Information Management Services Company> Large Power (including Nuclear) Company> Large Consumer Financial Services Company> Major Finance House, Japan> National Bank, Turkey> National Bank, Poland> etc.