Demonstration Lecture: Cyber Security (MIT Department) Trusted cloud hardware and advanced cryptographic solutions. Andrei Costin

Transcription

1 Demonstration Lecture: Cyber Security (MIT Department) Trusted cloud hardware and advanced cryptographic solutions

2 Topic Prerequisites Security concepts Security-related concepts (e.g., entropy) Virtualization and Cloud Computing concepts Symmetric-key, Asymmetric-key, PKI cryptographic concepts Understanding of cryptographic algorithms (e.g., RSA, ECDSA, ECDH, AES, SHA256, HMAC/SHA256, PRNGs) Understanding Transport Layer Security (TLS) Cryptographic security standards (e.g., PKCS#11) 2

3 Agenda Problem Statement and Examples Key Terms and Concepts Trusted Cloud Hardware Advanced Cryptographic Solutions Conclusions 3

4 Problem Statement Requirements Security is of paramount importance Security almost always involves cryptography 4

5 Problem Statement (cont.) Problems Homemade cryptography is bad 5

6 Problem Statement (cont.) Problems Proper cryptography is nontrivial 6

7 Problem Statement (cont.) Problems Cryptographic keys/operations on end points is risky 7

8 Problem Statement (cont.) End Points Large population of Mobile Devices Virtual Machines (VM) Embedded Devices/Sensors Assumed to be untrusted 8

9 Problem Statement (cont.) End Points and Risks High probability of compromise Flaws, vulnerabilities, and malware, at various layers Ownership layer Hardware layer OS layer Hypervisor layer VM and Application layer Not the best place to generate keys/secrets Not the best place to store keys/secrets 9

10 Examples: Mobile Devices: Usage Scenarios and Requirements Outgoing Cryptographic signature (sender's authenticity) signing private keys (e.g., PGP, GPG, S/MIME) 10

11 Examples: Mobile Devices: Usage Scenarios and Requirements Incoming Decryption for sensitive data decryption private keys (e.g., PGP, GPG, S/MIME) 11

12 Examples: Mobile Devices: Usage Scenarios and Requirements Create/View protected data Online/offline storage Symmetric encryption, decryption and signing Shared symmetric keys Asymmetric decryption and signing Private keys 12

13 Examples: Mobile Devices: Compromise Scenarios Attacker gets physical access to the mobile device Attacker gets backup data/image of the smartphone Directed crypto attacks Steals keys Affects the crypto subsystems Plain design/implementation vulnerabilities In RNG layer Other layers 13

14 Examples: VMs: Usage Scenarios and Requirements HTTPS Server Decrypt HTTPS traffic HTTPS/SSL/TLS private keys, depending on SSL/TLS cipher-suite 14

15 Examples: VMs: Usage Scenarios and Requirements Audit logging Symmetric encryption and HMAC Shared symmetric keys Asymmetric decryption and signing Private keys 15

16 Examples: VMs: Compromise Scenarios Attacker gets to VM using vulnerability or misconfiguration in hypervisor/vm layer Attacker copies VM using insecure backup of VM image/snapshot Directed crypto attacks Steals data and keys Affects the crypto subsystems of the device Plain design/implementation vulnerabilities In hypervisor layer In VM layer In hardware layer E.g., Xen security bug prompts AWS Cloud reboot 16

17 Examples: Embedded Devices: Usage Scenarios, Requirements Status/sensor information from embedded devices Sign with private key Encrypt with shared symmetric key 17

18 Examples: Embedded Devices: Usage Scenarios, Requirements Verification and decryption of software/firmware updates Verification and decryption of commands Verify with public key Decrypt with shared symmetric key 18

19 Examples: Embedded Devices: Compromise Scenarios Attacker gets physical access to the embedded device Attacker gets a software/firmware image for the device Directed crypto attacks Steals data and keys Affects the crypto subsystems of the device Knows weak crypto subsystems of the device Plain design/implementation vulnerabilities More end nodes = More problems + More complexity 19

20 Agenda Problem Statement and Examples Key Terms and Concepts Trusted Cloud Hardware Advanced Cryptographic Solutions Conclusions 20

21 Key Terms and Concepts Trusted system A system whose failure may break a specified security policy Trusted Computing (TC) Technologies and standards intended to make computers safer, more reliable and less prone to viruses and malware, through hardware enhancements and associated software modifications Specified by Trusted Computing Group (TCG) 21

22 Key Terms and Concepts Trusted Platform Module (TPM) Specialized security chip on an endpoint device/system Stores RSA keys specific to the endpoint system vtpm for virtualized environments Tamper resistant 22

23 Key Terms and Concepts Trusted Platform Module (TPM) Function Secure random number generation Keys storage and derivation Used by OSes for: Data encryption Secure/authenticated boot and root of trust Hardware/platform authentication Cannot be added later (usually) Not scalable: 1 TPM = 1 endpoint device/system 23

24 Key Terms and Concepts TCB = Trusted Computing Base: set of all HW/FW/SW components critical to system's security TEE = Trusted Execution Environment: secure area (code, data) of the main processor TSS = TCG Software Stack: software layer for application developers to use functions provided by a TPM TBS = TPM Base Services: software component that allows the Windows operating system and applications to use services provided by the TPM 24

25 Key Terms and Concepts Example of how TSS, TBS, TPM and sensitive crypto material (e.g., OpenVPN keys) stack and interact 25

26 Key Terms and Concepts Hardware Security Module (HSM) Specialized security HW (e.g., plug-in card/dongle, external appliances) vhsm for virtualized environments CloudHSM for cloud setups Dongle HSM for mobility solutions Tamper resistant 26

27 Key Terms and Concepts Hardware Security Module (HSM) Function Secure random number generation Securely generates, stores and manages cryptographic keys and material for strong authentication and encryption Performs symmetric and asymmetric cryptoprocessing Can be added later, easy to scale 27

28 Trusted Cloud Hardware HSM deployed in Clouds Secure and Scalable Clean APIs Validated HSM HW Lower cost, easier maintenance 28

29 Trusted Cloud Hardware HSM deployed in Clouds Secure and Scalable Clean APIs Validated HSM HW Lower cost, easier maintenance From: Amazon AWS Documentation 29

30 Trusted Cloud Hardware Cloud HSM roles and responsabilities From: Amazon AWS Documentation 30

31 Agenda Problem Statement and Examples Key Terms and Concepts Trusted Cloud Hardware Advanced Cryptographic Solutions Conclusions 31

32 Advanced Cryptographic Solutions Cryptography as a Service (CaaS) Computing on Encrypted Data (Searchable Encryption) Attestation 32

33 CaaS (Cryptography as a Service) Cryptographic operations performed by a CaaS provider on behalf of a device-at-risk via web services APIs Cryptographic keys are stored within the CaaS provider Devices do not possess these keys at any time much lower benefit for attacker Fits well with the Cloud Computing and Virtualization paradigms Variants Software-only (riskier) Hardware-enhanced (safer, higher security, higher costs) 33

34 Examples: CaaS From Cryptography as a Service by Peter Robinson, RSAC

35 CaaS Advantages Improved security No important key or data on end points Important key and data securely stored and managed by CSP, HSM Performance Offload crypto-processing to dedicated HSM hardware Scalable HSM arrays and web API calls in CaaS 35

36 CaaS Disadvantages All end nodes must authenticate to CaaS first Requires network connectivity Certain scenarios do not allow connectivity DoS on the Trusted Cloud Hardware provider More complex of the architecture Higher costs and hardware requirements Latency and performance penalty/overhead due to web APIs 36

37 Computing on Encrypted Data A direction in: Privacy-Preserving Computation (PPC) Multi-Party Computation (MPC) Searchable Encryption (SE) Symmetric Searchable Encryption (SSE) Public-key Encryption with Keyword Search (PEKS) Private-key Searchable Encryption Homomorphic Encryption (HE) Honey Encryption 37

38 Computing on Encrypted Data Why? Untrusted third-party search modules Untrusted remote/cloud storage Storage outsourcing, mail gateways Risk of plain-text data compromise 38

39 Computing on Encrypted Data Requirements Store data externally Store data encrypted Search data easily Avoid downloading everything then decrypt Allow different entities to search data without providing access to plain-text Protect Retrieved data Search query Search query result 39

40 Computing on Encrypted Data Challenges Public key algorithms too slow for large data Main interest in symmetric searchable encryption Classic encryption hides all the information Server cannot/shouldn't search Client must search 40

41 Computing on Encrypted Data Challenges Client must search Client must download entire document/data collection Require Secure Indexes (SI) and two-layer searches performed via trapdoors A secure index is a data structure that allows a querier with a ``trapdoor'' for a word x to test in O(1) time only if the index contains x 41

42 Computing on Encrypted Data Advantages Improved privacy Improved security If nodes are compromised, only encrypted data is leaked, no important keys and materials are leaked, thanks to (Cloud-)HSM 42

43 Computing on Encrypted Data Disadvantages Not standardized yet (NIST, FIPS) Searching stored documents linear with size of DB Adaptive attackers with search-queries can infer existing and future data 43

44 Examples: Computing on Encrypted Data Homomorphic Encryption 44

45 Examples: Computing on Encrypted Data Searchable Strong Encryption From Powerful Encryption and Key Management for Cloud Applications and Databases with CipherCloud and Gemalto 45

46 Attestation The process of making a claim about properties of a target system by supplying evidence to a verifier system Target system's TPM creates a nearly unforgeable hash key summary of the hardware and software configuration This allows a third party (Cloud, HSM) to verify that the software has not been changed 46

47 Attestation: CaaS and HSM Endpoint attestation Attest: device hardware, (parts of) software/memory Uses device attestation certificates E.g., TPM AIK = Attestation Identity Key CaaS/(Cloud)HSM confirms device manufacturer, model, serial number CaaS/(Cloud)HSM confirms device is not tampered with 47

48 Examples: Attestation Local attestation From Txt Introduction by SVG 48

49 Examples: Attestation Remote attestation From Vpn-info.com. Introduction to Trusted Platform Module. 49

50 Examples: Attestation VMs attestation in Cloud (e.g., Intel TXT/SGX) From: Intel TXT 50

51 Examples: Attestation Device attestation on Internet (e.g., ARM TrustZone) From: Samsung Knox ISV SDK 51

52 Examples: Attestation Untrusted components attestation (device, VM) From: SoftLayer brochure 52

53 Agenda Problem Statement and Examples Key Terms and Concepts Trusted Cloud Hardware Advanced Cryptographic Solutions Conclusions 53

54 Conclusions Cryptographic keys and operations on end nodes are risky Software-only solutions have limitations and vulnerabilities Hardware enhancements, such as TPM, HSM, can provide strong guarantees for trusted computing HSMs in particular are a scalable way towards trusted cloud hardware 54

55 Conclusions Trusted cloud hardware is a basic building block towards advanced cryptographic solutions CaaS paradigm can assure strong crypto primitives and guarantees even to the most limited end nodes with connectivity Searchable Encryption can assure that critical data is usable and still safe even after compromise, as critical crypto keys never leave trusted cloud hardware Attestation can assure that a platform is either in a trusted state (secure), or detected as untrusted (compromised) 55

56 Thank you! 56

57 End to end example 57

58 End to end example Time: Manufacturing Device is programmed with Device ID (e.g., serial number) Start-up Entropy (e.g., devices contrained) Manufacturer public key (used for verification of software/firmware/configuration updates) Manufacturer puts bootstrap information onto device 58

59 End to end example Time: Installation Device gets software update: Signed by private key of manufacturer (e.g., verify) Contains provider public key Device can verify (control) messages from cloud Provider can decrypt (data) messages from device Provider puts more bootstrap information onto device 59

60 End to end example Time: Installation Device authenticates to CaaS CaaS sends to device Signed by private key of provider Additional entropy (e.g., from (Cloud-)HSM) to support strong crypto Server's ephemeral EC details for ECDH key agreement Can be encrypted with initial symmetric key (e.g., device id + pin) 60

61 End to end example Time: Installation Device sends to CaaS Encrypted with public key of provider Device's public key Device's ephemeral EC details fro ECDH agreement Device and CaaS use ECDH to derive a shared symmetric AES key Device has public key of provider CaaS has the public key of device Device and CaaS can communicate securely 61

62 End to end example Time: Usage CaaS/server to device: AES symmetric encrypted control message Signed by CaaS with CaaS private key Verified by device with CaaS public key Device to CaaS/server: AES symmetric encrypted status message Signed by device with device private key Verified by CaaS with device public key 62

63 End to end example VM has NO keys CaaS/server has keys Device has keys Device keys generated with help of CaaS/HSM 63