File and disk encryption Milan Brož, xbroz@fi.muni.cz Faculty of Informatics, Masaryk University Storage encryption 2 | PV204 File and disk encryption Lecture ● File and disk encryption ● Distributed storage encryption ● Abstraction layers ● Confidentiality and integrity protection ● Encryption modes ● Key management ● Attacks and common issues ● Laboratory ● We will focus on low-level architecture in this lesson MOTIVATION & STORAGE LAYERS OVERVIEW File and disk encryption | PV204 File and disk encryption3 Motivation Offline, "Data at Rest" protection notebook, server or external drives, data in cloud, backups Key removal = easy data disposal Confidentiality protection - often enforced policy to encrypt portable devices - prevents data leaks (stolen device) Data integrity protection? (not often yet) 4 | PV204 File and disk encryption Overview (Distributed) Storage Stack layers accessing storage through blocks (sectors) distributed => storage + network layer Full Disk Encryption (FDE) - self-encrypted drives, (software) sector-level encryption Filesystem-level encryption - general-purpose filesystem with encryption - cryptographic file systems 5 | PV204 File and disk encryption Storage stack & encryption layers 6 | PV204 File and disk encryption Userspace Application Application specific cloud API, ... OS kernel or drivers in userspace Virtual file-system (directories, files, …) File-system encryption Specific file-system (NTFS, ext4, XFS, APFS…) Volume Management (partitions, on-demand allocation, snapshots, deduplication, …) Disk (sector) encryption Block layer (sectors I/O) Storage transport (USB, SCSI, SAS, SATA, FC, NVMe…) HW-based encryption self-encrypted drives, inline (slot) encryption, chipset-based encryption Device drivers “Hardware” Hardware (I/O controllers, disks, NAND chips, …) 7 | PV204 File and disk encryption Software Defined Storage (SDS) • commodity hardware with abstracted storage/network logic • encryption is “just” one logic function • usually combination with classic storage (and encryption) • Distributed storage – storage + network layer ● must use also network layer encryption ● note differences in network and storage encryption (replay attack resistance, integrity protection, …) 8 | PV204 File and disk encryption Distributed Storage, Cloud & Encryption Distributed storage – add network layer • Shared volumes (disk encryption below) • Clustered file-system (fs encryption) • Distributed object store (object encryption) • Cloud data storage - REST API (not part of this lecture) ● DropBox, Microsoft OneDrive, Google Drive Amazon S3, ... Cloud storage – common features Deduplication – avoid to store repeated data Compression special case: zeroed blocks Data snapshots (in time) COW (copy on write) 9 | PV204 File and disk encryption Cloud storage & encryption Encryption with storage backend, network access and compression & deduplication & snapshots … Encryption on client side (end-to-end) - inefficiency for deduplication/compression ~ in future homomorphic encryption? Encryption on server side - confidentiality for clients is lost - server can access decrypted data 10 | PV204 File and disk encryption Full Disk Encryption (FDE) Block device – disk sector level • disk, partition, disk image • ciphertext device / virtual plaintext device • atomic unit is sector (512 bytes, 4k, 64k) • consecutive sector numbers • sectors encrypted independently One key decrypts the whole device • media (volume) key – one per device • unlocking passphrases / keys / tokens 11 | PV204 File and disk encryption Filesystem-level Encryption 12 | PV204 File and disk encryption File / Directory • atomic unit is filesystem block (~ compare sector in FDE) • blocks are encrypted independently • Generic filesystems with encryption • some metadata can be kept in plaintext (name, size, …) • Cryptographic filesystems • metadata encrypted • ~ stacked layer over generic filesystem Multiple keys / multiple users File vs. disk encryption Full disk encryption + for notebook, external drives (offline protection) + no user decision later what to encrypt, transparency + hibernation partition and swap encryption - more users – whole disk accessible - key disclosure – complete data leak - usually no integrity protection +/- self-encrypted drives – you have to trust hw Examples: Opal2 (SED), LUKS, VeraCrypt, BitLocker, FileVault 13 | PV204 File and disk encryption File vs. disk encryption Filesystem based encryption + multiple users +/- user can decide what to encrypt + copied files keeps encryption in-place + more effective (encrypts used blocks only) + should provide integrity protection (not always!) - more complicated sw, usually more bugs - unusable for swap partitions Examples: Linux fscrypt API, ZFS, APFS (Apple fs) 14 | PV204 File and disk encryption Examples of HW-based encryption • Self-encrypting drives (SED), Opal2 standard • Encryption on the same chip providing media access • Inline encryption • Slots for keys (through OS context) • Chipset-based encryption • Encryption on controller chip (e.g. USB bridge) • Hardware acceleration • AES-NI, accelerators, ASICs, GPUs, … • Secure hardware / tokens • HSM, TPM, SmartCards, ... 15 | PV204 File and disk encryption Opal2 - self-encrypting drive • Trusted Computing Group (TCG) standard ● many optional features, usually implemented only mandatory ● single user mode or multiple users ● locking ranges ● shadow boot record (MBR) ● PSID reset • Used for SSD or NVMe drives • Opal - full media encryption • Pyrite - only authentication, no data encryption • (other variants - Opalite, enterprise Ruby) 16 | PV204 File and disk encryption DATA ENCRYPTION File and disk encryption | PV204 File and disk encryption17 Disk encryption algorithms primitives l Symmetric encryption l block ciphers l cipher block mode + initial vector / tweaks l l Key management and key storage l Random Number Generators (RNG) l Key Derivation Functions (KDF) l l Deniable encryption / Steganography 18 | PV204 File and disk encryption Data confidentiality & integrity 19 | PV204 File and disk encryption Confidentiality Data are available only to authorized users Integrity Data are consistent Data has not been modified by unauthorized user => all modifications must be detected Note: replay attack (revert to old valid data) detection cannot be provided without separate trusted store Data integrity / authenticated encryption Poor man's authentication (= no authentication) • User is able to detect unexpected change • Very limited, cannot prevent old content replacement Integrity – additional overhead • Where to store integrity data? • Encryption + separate integrity data • Authenticated modes (combines both) • Tamper Evident Counter (TEC) • Merkle tree 20 | PV204 File and disk encryption DATA ENCRYPTION MODES File and disk encryption | PV204 File and disk encryption21 Symmetric encryption (examples) AES, Cammelia, Adiantum, Serpent, Twofish, (Specks, Kuznyechik, …) Encryption-only modes • Storage encryption mostly CBC, XTS • Length-preserving encryption, block tweak Authenticated modes (encryption + integrity) • Integrity protection often on higher layer. 22 | PV204 File and disk encryption Standards IEEE 1619 – encryption modes for storage NIST Special Publications (SP) – ciphers,modes, KDF, password handling, ... TCG Opal2 – self-encrypted drives IEEE 1667 – authentication FIPS 140-2, 140-3, Common Criteria (CC) 23 | PV204 File and disk encryption Propagation of plaintext changes 24 | PV204 File and disk encryption A change in plaintext should transform to randomly-looking change in the whole ciphertext sector. Solutions? • Ignore it, and decrease granularity of change => change location inside ciphertext sector • Use wide mode (encryption block size = sector size) • requires at least 2x encryption loop • modes are patent encumbered • Use additional operations • Elephant diffuser in Windows Bitlocker • Google Adiantum (cipher composition) Encryption example output 25 | PV204 File and disk encryption plaintext ciphertext Wrongly used encryption – patterns, leaks 26 | PV204 File and disk encryption ECB mode AES-XTS & constant IV Cipher-Block-Chaining (CBC) mode • Blocks cannot be encrypted in parallel • Blocks can be decrypted in parallel • Tweak must be non-predictable (watermarking!) 27 | PV204 File and disk encryption CBC encryption 28 | PV204 File and disk encryption ciphertext disk / file-system block … block tweak plaintext disk / file-system block … AES block CBC decryption 29 | PV204 File and disk encryption ciphertext disk / file-system block … block tweak plaintext disk / file-system block … XOR-Encrypt-XOR (XEX / XTS) mode • Encryption / decryption can run in parallel • Two keys – 512-bit key means AES-256 • Tweak can be predictable nonce – sector number (offset) • Ciphertext stealing not needed for common sector sizes • Used in most of FDE systems today (2023) • It is not a wide mode! • Trade-off for performance XTS mode encryption/decryption 31 | PV204 File and disk encryption ciphertext disk / file-system block … block tweak CBC vs XTS change propagation 32 | PV204 File and disk encryption • XTS is trade-off for performance • For storage, data always aligned to encryption blocks XTS: no ciphertext stealing • Initial vector/tweak is important • CBC is phased out today AES-XTS IV mode – sector# vs random 33 | PV204 File and disk encryption IV is sector number randomized IV Every 64 byte changed (ciphertext differences) Adiantum • Low-end mobile device disk / file encryption • Wide “mode” • HBSB composition: • Hash – NHPoly1305) • Block Cipher – AES • Stream Cipher – XChaCha12,20 • Hash – NHPoly1305 • Key derivation KAES|| KNHPoly = XChaCha(K,1|0..0) 34 | PV204 File and disk encryption KAES KNHPoly K Block # https://eprint.iacr.org/2018/720 https://security.googleblog.com/2019/02/introducing-adiantum-encryption-for.html disk / fs block Steganography / deniable encryption Plausible deniability: existence of encrypted data is deniable if adversary cannot prove that it exists Steganography hiding data in another data object Steganographic file-systems Deniable disk encryption 35 | PV204 File and disk encryption Trivial example: VeraCrypt hidden disk • FAT linear allocation (other fs are very problematic) • Hide another disk in unallocated space 36 | PV204 File and disk encryption Deniable encryption problems Side-channels tracking activity that cannot be explained for decoy system • Software: link to recently open documents, … Suspicious parameters (FAT), disabled TRIM, … • Hardware: internal SSD block allocations (access to “unused” areas) Incompatibility with new drives (TRIM) Note: flash storage HW is much more complicated (NAND chips management, wear-leveling, ...). With low-level access you can detect suspicious patterns. Note: Also see shufflecake.net another try for plausible deniability. 37 | PV204 File and disk encryption TRIM / discard and encryption • TRIM informs SSD drive about unused space • Unused space is detectable • Pattern recognition (fs type) example 38 | PV204 File and disk encryption KEY MANAGEMENT File and disk encryption | PV204 File and disk encryption39 Long-term key generation and key store Encryption key (~ Media Encryption Key – MEK) • Used to encrypt device • change means complete reencryption • Usually generated by a secure RNG Unlocking key (~ Key Encryption Key – KEK) • Key wrap (MEK remains the same) • Can be derived from passphrase • PBKDF2 (Password Based Key Derivation) • scrypt, Argon2 (memory-hard KDFs) dictionary and brute-force resistance 40 | PV204 File and disk encryption Key storage Outside of encrypted device / filesystem • Another device, file, token, SmartCard, TPM, HSM • On a key server (network) • Protected by another key – key wrap, key encapsulation On the same disk (with encrypted data) • Metadata on-disk – key slots Integration with key management tools • LDAP, Active Directory, ... Combination of above 41 | PV204 File and disk encryption Key removal and recovery Key removal (wipe of key) = data disposal • intended (secure disk disposal) • unintended (error) => complete lost of data Key recovery • trade-off between security and user-friendly approach • metadata backups • multiple metadata copies • Key Escrow (key backup to different system) • recovery key to regenerate encryption key 42 | PV204 File and disk encryption ATTACK EXAMPLES File and disk encryption | PV204 File and disk encryption43 Attacks always get better, they never get worse. • Against algorithm design • wrongly used encryption mode, IV • To implementation • insufficient entropy (broken RNG) • weak derivation from weak passwords • side channels • Obtaining key or passphrase in open form • Cold Boot • “Black bag analysis” - Malware, key-logger • social engineering, “Rubber-hose cryptoanalysis” 44 | PV204 File and disk encryption Integrity attacks No integrity protection • Inserted random block => undetected data corruption • Inserted block from other part of disk • Random error (RAM bit flip) => “silent data corruption” Weak integrity protection • Inserted previous content of (ciphertext) block => replay attack 45 | PV204 File and disk encryption Integrity attacks 46 | PV204 File and disk encryption FDE attacks – real-world examples • Some chipsets use ECB mode • Weak key derivation (brute-force possible) • Trivial unlocking mode (1-bit password is ok/bad) • Weak key-escrow (backup key in EEPROM) • SED – switch power attacks • SED – ransomware and unconfigured passphrase • Cold boot – key in memory • Key loggers • Weak RNG (key is not random) • LUKS2 reencryption (forced decryption) 47 | PV204 File and disk encryption LAB 48 | PV204 File and disk encryption Laboratory – FDE attack examples Basic understanding of FDE VeraCrypt, LUKS, (BitLocker, FileVault2) Scanning memory image for encryption key ColdBoot attack principle HW key-logger attack Why you have to trust your HW Optional: flawed algorithm and watermarking Revealing legacy TrueCrypt hidden disk existence (CBC) 49 | PV204 File and disk encryption