PV204 Security technologies File and disk encryption Milan Brož xbroz@fi.muni.cz Petr Švenda svenda@fi.muni.cz Faculty of Informatics, Masaryk University Data storage encryption •Lecture –File and disk encryption –Distributed storage encryption –Abstraction layers, hardware acceleration –Cryptography basic principles –Confidentiality and integrity protection –Encryption modes –Key management –Tool examples –Attacks and common issues •Lab – disk encryption attack examples 2 | PV204 File and disk encryption MOTIVATION & STORAGE LAYERS OVERVIEW File and disk encryption | PV204 File and disk encryption 3 Motivation Offline, "Data at Rest" protection notebook, external drives, data in cloud, backups Key removal = easy data disposal Confidentiality protection company policy to encrypt all mobile devices prevents data leaks (stolen device) Integrity protection (not often yet) 4 | PV204 File and disk encryption Overview (Distributed) Storage Stack layers accessing storage through blocks (sectors) near future: non-volatile byte-addressable memory distributed => adding network layer Full Disk Encryption (FDE) self-encrypted drives (software) sector-level encryption Filesystem-level encryption general-purpose filesystem with encryption cryptographic file systems 5 | PV204 File and disk encryption Storage stack & encryption layers 6 | PV204 File and disk encryption Userspace Application (Application specific) OS kernel Virtual file-system (directories, files, …) File-system encryption Specific file-system (NTFS, ext4, XFS, …) Volume Management (partitions, on-demand allocation, snapshots, deduplication, …) Disk encryption Block layer (sectors I/O) Storage transport (USB, SCSI, SAS, SATA, FC, …) HW-based disk encryption self-encrypted drives, chipset-based encryption, hardware security module Device drivers “Hardware” Hardware (I/O controllers, disks, …) Clustered and distributed storage Clustered => cooperating nodes Distributed => storage + network Software Defined Storage/Network (SDS, SDN) - commodity hardware with abstracted storage/network logic - encryption is “just” one logic function - usually combination with classic storage (and encryption) 7 | PV204 File and disk encryption Distributed storage & encryption Shared volumes (redundancy) => disk encryption Clustered file-system => file-system encryption Distributed Object Store -Direct object encryption or -Underlying storage encryption 8 | PV204 File and disk encryption Cloud storage & encryption Many users with shared storage backend Compression & Deduplication & Snapshots … Encryption on client side (end-to-end) - efficiency for deduplication/compression is lost ~ in future homomorphic encryption? Encryption on server side - confidentiality for clients is partially lost - server has access to plaintext 9 | PV204 File and disk encryption Full Disk Encryption (FDE) Block device – transparent disk sector level •Disk, partition, VM disk image •Ciphertext device / virtual plaintext device •Atomic unit is sector (512 bytes, 4k, 64k) •Consecutive sector numbers •Sectors encrypted independently l One key decrypts the whole device •Media (volume) key – one per device •Unlocking passphrases/keys •Usually no integrity support (only confidentiality) 10 | PV204 File and disk encryption Filesystem-level Encryption 11 | PV204 File and disk encryption File/Directory •Atomic unit is filesystem block •Blocks are encrypted independently •Generic filesystems with encryption •Some metadata can be kept in plaintext (name, size, …) •Cryptographic filesystems •Metadata encrypted •~ stacked layer over generic filesystem Multiple keys / multiple users File vs. disk encryption Full disk encryption + for notebook, external drives (offline protection) + transparent for filesystem + no user decision later what to encrypt + hibernation partition and swap encryption - more users – whole disk accessible - key disclosure – complete data leak - usually no integrity protection 12 | PV204 File and disk encryption File vs. disk encryption Filesystem based encryption + multiple users +/- user can decide what to encrypt + copied files keeps encryption in-place + more effective (only really used blocks) + should provide integrity protection (not always!) - more complicated sw, usually more bugs - unusable for swap partitions 13 | PV204 File and disk encryption File vs. disk encryption Combination of disk & file encryption Distributed storage •Must use also network layer encryption •Difference in network and storage encryption (replay attack resistance, integrity protection, …) 14 | PV204 File and disk encryption CRYPTOGRAPHY File and disk encryption | PV204 File and disk encryption 15 Cryptography algorithms primitives lSymmetric encryption lblock ciphers lcipher block mode lhash algorithms lKey management lRandom Number Generators (RNG) lKey Derivation Functions (KDF) lAsymmetric cryptography lDeniable encryption / Steganography 16 | PV204 File and disk encryption Data confidentiality & integrity 17 | PV204 File and disk encryption Confidentiality Data are available only to authorized users. Integrity Data are consistent. Data has not been modified by unauthorized user. => All modifications must be detected. Note: replay attack (revert to old snapshot) detection cannot be provided without separate trusted store (TEC – Tamper Evident Counter, Merkle tree root hash, …) Data integrity / authenticated encryption Poor man's authentication (= no authentication) •User is able to detect unexpected change •Very limited, cannot prevent old content replacement • Integrity – additional overhead •Where to store integrity data? •Encryption + separate integrity data •Authenticated modes (combines both) • 18 | PV204 File and disk encryption DATA ENCRYPTION MODES File and disk encryption | PV204 File and disk encryption 19 Symmetric encryption (examples) AES, Serpent, Twofish, Specks, Camellia, Kuznyechik, Adiantum • Encryption-only modes •Storage encryption mostly CBC, XTS •Length-preserving encryption, block tweak • Authenticated modes (encryption + integrity) •Integrity protection often on higher layer. Storage standards like IEEE 1619 and FIPS/NIST 20 | PV204 File and disk encryption Propagation of plaintext changes • 21 | PV204 File and disk encryption A change in the plaintext sector should transform to randomly-looking change in the whole ciphertext sector. Solutions: •Ignore it J and decrease granularity of change => change location inside ciphertext sector •Use wide mode (encryption block size = sector size) •requires at least 2x encryption loop •modes are patent encumbered •Additional operations •Elephant diffuser in Windows Bitlocker •Google Adiantum (cipher composition) Encryption example – AES-XTS • 22 | PV204 File and disk encryption plaintext ciphertext Wrongly used modes – ciphertext patterns • 23 | PV204 File and disk encryption ECB mode AES-XTS & constant IV Cipher-Block-Chaining (CBC) mode •Blocks cannot be encrypted in parallel •Blocks can be decrypted in parallel •Tweak must be non-predictable (watermarking!) 24 | PV204 File and disk encryption ciphertext disk / file-system block … block tweak plaintext disk / file-system block … AES block XOR-Encrypt-XOR (XEX/XTS) mode •Encryption/decryption can be run in parallel •Tweak can be predictable nonce – sector number (offset) 25 | PV204 File and disk encryption ciphertext disk / file-system block … block tweak CBC and XTS change propagation •xxx 26 | PV204 File and disk encryption AES-XTS IV mode – sector# vs random • 27 | PV204 File and disk encryption IV is sector number randomized IV Every 64 byte changed (ciphertext differences) Adiantum •Low-end mobile device disk / file encryption •Wide “mode” •HBSB composition: •Hash – NHPoly1305) •Block Cipher – AES •Stream Cipher – XChaCha12,20 •Hash – NHPoly1305 •Key derivation KAES|| KNHPoly = XChaCha(K,1|0..0) 28 | PV204 File and disk encryption KAES KNHPoly K Block # https://eprint.iacr.org/2018/720 https://security.googleblog.com/2019/02/introducing-adiantum-encryption-for.html disk / fs block Steganography / deniable encryption Plausible deniability: existence of encrypted file/disk is deniable if adversary cannot prove that it exists Steganography hiding data in another data object • Steganographic file-systems Deniable disk encryption 29 | PV204 File and disk encryption Trivial example: VeraCrypt hidden disk •FAT linear allocation •Hide another disk in unallocated space 30 | PV204 File and disk encryption Deniable encryption problems Side-channels tracking activity that cannot be explained for decoy system •Software: link to recently open documents, … Suspicious parameters (FAT), disabled TRIM, … •Hardware: internal SSD block allocations (access to “unused” areas) Social engineering / “rubber hose” analysis Incompatibility with new drives (TRIM) • • 31 | PV204 File and disk encryption TRIM / discard and encryption •TRIM informs SSD drive about unused space •Unused space is detectable •Pattern recognition example •Incompatible with deniable encryption • 32 | PV204 File and disk encryption http://4.bp.blogspot.com/-uxlTIKZAseE/Tkg-UjNCBiI/AAAAAAAAADg/bvsfj3SoLJ4/s1600/fig_II_C.png KEY MANAGEMENT File and disk encryption | PV204 File and disk encryption 33 Key generation Encryption key (~ Media Encryption Key – MEK) •Used to encrypt device •change means complete reencryption •Usually generated by a secure RNG Unlocking key (~ Key Encryption Key – KEK) •Independent key change (MEK remains the same) •Can be derived from passphrase •PBKDF2 (Password Based Key Derivation) •scrypt, Argon2 (memory-hard KDFs) •Can use key wrapping • 34 | PV204 File and disk encryption Key storage Outside of encrypted device / filesystem •Another device, file, token, SmartCard, TPM, HSM •On a key server (network) •Protected by another key (KEK). On the same disk (with encrypted data) •metadata (header) •brute force and dictionary attack resistance Integration with key management tools •LDAP, Active Directory, ... Combination of above • 35 | PV204 File and disk encryption Key removal and recovery Key removal (wipe of key) = data disposal •intended (secure disk disposal) •unintended (error) => complete lost of data • Key recovery •Trade-off between security and user-friendly approach •Metadata backups •Multiple metadata copies •Key Escrow (key backup to different system) •Recovery key to regenerate encryption key • 36 | PV204 File and disk encryption COMMON TOOLS File and disk encryption | PV204 File and disk encryption 37 Examples of HW-based encryption •Self-encrypting drives (SED), OPAL standard •Encryption on the same chip providing media access • •Chipset-based encryption •Encryption on controller chip (e.g. USB bridge) •Hardware acceleration •AES-NI, accelerators, ASICs, GPUs, … • •Secure hardware / tokens •HSM, TPM, SmartCards, ... 38 | PV204 File and disk encryption Examples of HW-based encryption 39 | PV204 File and disk encryption SATA disk Encryption on USB-bridge Examples of tools – filesystem encryption Windows EFS Linux leCryptfs – stacked encrypted file-system fscrypt API – support in ext4, F2FS, UBIFS l ZFS (Solaris and ports) lsupports GCM/CCM authenticated modes 40 | PV204 File and disk encryption Examples of tools – full disk encryption Windows Bitlocker lOptionally eDrive – self-encrypting drives lCombination with secure boot and TPM VeraCrypt Linux LUKS / dm-crypt / dm-verity (Android) MacOS FileVault 41 | PV204 File and disk encryption ATTACK EXAMPLES File and disk encryption | PV204 File and disk encryption 42 Attacks always get better, they never get worse. •Against algorithm design •Wrongly used encryption mode •Insufficient initialization vector •To implementation •Insufficient entropy (broken RNG) •Weak derivation from weak passwords •Side channels •Obtaining key or passphrase in open form •Cold Boot •“Black bag analysis” - Malware, key-logger •Social engineering •“Rubber-hose cryptoanalysis” 43 | PV204 File and disk encryption Integrity attacks No integrity protection •Inserted random block => undetected data corruption •Inserted block from other part of disk •Random error (RAM bit flip) => “silent data corruption” Weak integrity protection •Inserted previous content of (ciphertext) block => replay attack 44 | PV204 File and disk encryption Example: Sony PlayStation attack •No need to know the exact key value •Device works as decryption service •Make disk image •Write your own file •Make second image and make diff (location file) •Insert data you want into file’s place •Start PS and ask for your file –Decrypted new data –Key is same for all blocks 45 | PV204 File and disk encryption Example: Disk encryption •Some chipsets use ECB mode •Weak key derivation (brute-force possible) •Trivial unlocking mode (1-bit password is ok/bad) •Weak key-escrow (backup key in EEPROM, …) •SED – switch power attacks •SED – ransomware and unconfigured passphrase •Cold boot – key in memory •Key loggers •Weak RNG (key is not random) … 46 | PV204 File and disk encryption LAB 47 | PV204 File and disk encryption Laboratory – FDE attack examples Basic understanding of some tools and hw VeraCrypt, LUKS, chip-based encryption Scanning memory image for encryption key ColdBoot attack principle • Optional: flawed algorithm and watermarking Revealing TrueCrypt hidden disk existence (CBC) l HW key-logger attack 48 | PV204 File and disk encryption