Security in NVMe Enterprise SSDs

Similar documents
FIPS Non-Proprietary Security Policy. Level 1 Validation Version 1.2

Hitachi Virtual Storage Platform (VSP) Encryption Board. FIPS Non-Proprietary Cryptographic Module Security Policy

FDE itc: Encryption Engine (EE) cpp Functional and Assurance Requirements

FIPS Security Policy. for Marvell Semiconductor, Inc. Solaris 2 Cryptographic Module

Seagate Secure TCG Enterprise SSC Pulsar.2 Self-Encrypting Drive FIPS 140 Module Security Policy

Oracle Solaris Kernel Cryptographic Framework Software Version 1.0 and 1.1

CAT862 Dolby JPEG 2000/MPEG-2 Media Block IDC Security Policy. Version 3 June 30, 2010

This Security Policy describes how this module complies with the eleven sections of the Standard:

SecureDoc Disk Encryption Cryptographic Engine

Connecting Securely to the Cloud

Dolphin DCI 1.2. FIPS Level 3 Validation. Non-Proprietary Security Policy. Version 1.0. DOL.TD DRM Page 1 Version 1.0 Doremi Cinema LLC

Oracle Solaris Userland Cryptographic Framework Software Version 1.0 and 1.1

Dolphin Board. FIPS Level 3 Validation. Security Policy. Version a - Dolphin_SecPolicy_000193_v1_3.doc Page 1 of 19 Version 1.

FIPS SECURITY POLICY FOR

SEL-3021 Serial Encrypting Transceiver Security Policy Document Version 1.9

Secure Cryptographic Module (SCM)

Cisco Desktop Collaboration Experience DX650 Security Overview

UEFI and the Security Development Lifecycle

BCM58100B0 Series: BCM58101B0, BCM58102B0, BCM58103B0 Cryptographic Module VC0 Non-Proprietary Security Policy Document Version 0.

Provisioning secure Identity for Microcontroller based IoT Devices

Seagate Secure TCG Enterprise SSC Self-Encrypting Drives FIPS 140 Module. Security Policy. Security Level 2. Rev. 0.

FIPS Security Policy

Who s Protecting Your Keys? August 2018

Security Policy Document Version 3.3. Tropos Networks

Barco ICMP FIPS Non-Proprietary Security Policy

Hewlett-Packard Development Company, L.P. NonStop Volume Level Encryption (NSVLE) Product No: T0867 SW Version: 2.0

Meru Networks. Security Gateway SG1000 Cryptographic Module Security Policy Document Version 1.2. Revision Date: June 24, 2009

TERRA. Boneh. A virtual machine-based platform for trusted computing. Presented by: David Rager November 10, 2004

Symantec Corporation

Sony Security Module. Security Policy

In today s business environment, data creates value so it s more important than ever to protect it as a vital business asset

Dell SonicWALL. NSA 220, NSA 220W and NSA 240. FIPS Non-Proprietary Security Policy

Atmel Trusted Platform Module June, 2014

Seagate Secure TCG Enterprise and TCG Opal SSC Self-Encrypting Drive Common Criteria Configuration Guide

1. OVERVIEW RELEASE ITEMS HOW TO APPLY ADDITIONAL FUNCTIONS AND CHANGE FUNCTIONS FROM PREVIOUS EDITION...

Seagate Secure TCG Enterprise SSC Self-Encrypting Drives FIPS 140 Module Security Policy

Delivering High-mix, High-volume Secure Manufacturing in the Distribution Channel

Cryptography and the Common Criteria (ISO/IEC 15408) by Kirill Sinitski

FIPS Security Policy for Cisco Aironet Lightweight AP1131, AP1142, AP1242, AP1252, AP1262, CAP3502e, and CAP3502i Wireless LAN Access Points

Supporting Document Mandatory Technical Document. Full Drive Encryption: Encryption Engine September Version 2.0

Hughes Network Systems, LLC Hughes Crypto Kernel Firmware Version: FIPS Non-Proprietary Security Policy

Security Policy for FIPS KVL 3000 Plus

FIPS Non-Proprietary Security Policy

Sicherheitsaspekte für Flashing Over The Air in Fahrzeugen. Axel Freiwald 1/2017

Non-Proprietary Security Policy Version 1.1

SSD AES ENCRYPTION. Application Note. Document #AN0009 Viking SSD AES Encryption Rev. B. Purpose of this Document

IOS Common Cryptographic Module (IC2M)

Security Policy: Astro Subscriber Motorola Advanced Crypto Engine (MACE)

ARM Security Solutions and Numonyx Authenticated Flash

Dolby IMS-SM FIPS Level 2 Validation. Nonproprietary Security Policy Version: 4

SECURITY CRYPTOGRAPHY Cryptography Overview Brochure. Cryptography Overview

M2351 Trusted Boot. Application Note for 32-bit NuMicro Family

Bluefly Processor. Security Policy. Bluefly Processor MSW4000. Darren Krahn. Security Policy. Secure Storage Products. 4.0 (Part # R)

Seagate Momentus Thin Self-Encrypting Drives TCG Opal FIPS 140 Module Security Policy

EgoSecure GmbH. EgoSecure Full Disk Encryption (FDE) Cryptographic Module. FIPS Security Policy

Mapping Between collaborative Protection Profile for Full Drive Encryption Encryption Engine, Version 2.0, 09-September-2016

econet smart grid gateways: econet SL and econet MSA FIPS Security Policy

Cisco VPN 3002 Hardware Client Security Policy

Lecture 9a: Secure Sockets Layer (SSL) March, 2004

IEEE Std and IEEE Std 1363a Ashley Butterworth Apple Inc.

Security Policy: Astro Subscriber Encryption Module Astro Spectra, Astro Saber, Astro Consolette, and Astro XTS3000. Version

CryptoAuthentication Firmware Protection

Dell Software, Inc. Dell SonicWALL NSA Series SM 9600, SM 9400, SM 9200, NSA FIPS Non-Proprietary Security Policy

Hydra PC FIPS Sector-based Encryption Module Security Policy

The Xirrus Wi Fi Array XS4, XS8 Security Policy Document Version 1.0. Xirrus, Inc.

SMPTE Standards Transition Issues for NIST/FIPS Requirements

SafeNet LUNA EFT FIPS LEVEL 3 SECURITY POLICY

Cambium Networks Ltd PTP 700 Point to Point Wireless Ethernet Bridge Non-Proprietary FIPS Cryptographic Module Security Policy

IBM 4768 PCIe Cryptographic Coprocessor with Common Cryptographic Architecture (CCA) PCI-HSM Security Policy

Multi-Host Sharing of NVMe Drives and GPUs Using PCIe Fabrics

Motorola PTP 600 Series Point to Point Wireless Ethernet Bridges

Telkonet G3 Series ibridge/extender Security Policy

Cipher Suite Configuration Mode Commands

Designing Network Encryption for the Future Emily McAdams Security Engagement Manager, Security & Trust Organization BRKSEC-2015

Juniper Networks Pulse Cryptographic Module. FIPS Level 1 Security Policy Version: 1.0 Last Updated: July 19, 2013

RFS7000 SERIES Wireless Controller. FIPS Cryptographic Module Security Policy

Technical Brief Distributed Trusted Computing

Titan silicon root of trust for Google Cloud

Supporting Document Mandatory Technical Document. Full Drive Encryption: Encryption Engine. September Version 1.

Seagate Secure TCG Enterprise SSC Self-Encrypting Drives FIPS 140 Module. Security Policy. Security Level 2. Rev. 1.0 May 11, 2015

IBM System Storage TS1140 Tape Drive Machine Type 3592, Model E07. Security Policy

FIPS Security Policy UGS Teamcenter Cryptographic Module

OVAL + The Trusted Platform Module

Enova X-Wall MX+ Frequently Asked Questions FAQs Ver 1.0

Elaine Barker and Allen Roginsky NIST June 29, 2010

CoSign Hardware version 7.0 Firmware version 5.2

Demonstration Lecture: Cyber Security (MIT Department) Trusted cloud hardware and advanced cryptographic solutions. Andrei Costin

TRUSTED SUPPLY CHAIN & REMOTE PROVISIONING WITH THE TRUSTED PLATFORM MODULE

Cambium PTP 600 Series Point to Point Wireless Ethernet Bridges FIPS Security Policy

CSPN Security Target. HP Sure Start HW Root of Trust NPCE586HA0. December 2016 Reference: HPSSHW v1.3 Version : 1.3

Prepared by the Fortress Technologies, Inc., Government Technology Group 4023 Tampa Rd. Suite Oldsmar, FL 34677

BlackBerry Dynamics Security White Paper. Version 1.6

Dyadic Security Enterprise Key Management

Dyadic Enterprise. Unbound Key Control For Azure Marketplace. The Secure-As-Hardware Software With a Mathematical Proof

IBM LTO Generation 6 Encrypting Tape Drive. FIPS Non-Proprietary Security Policy

Imprivata FIPS Cryptographic Module Non-Proprietary Security Policy Version: 2.9 Date: August 10, 2016

Inside the World of Cryptographic Algorithm Validation Testing. Sharon Keller CAVP Program Manager NIST ICMC, May 2016

Lexmark PrintCryption TM (Firmware Version 1.3.1)

XenApp 5 Security Standards and Deployment Scenarios

STS Secure for Windows XP, Embedded XP Security Policy Document Version 1.4

Transcription:

Security in NVMe Enterprise SSDs Radjendirane Codandaramane, Sr. Manager, Applications, Microsemi August 2017 1

Agenda SSD Lifecycle Security threats in SSD Security measures for SSD August 2017 2

SSD Life Cycle - Vendor perspective Paradigm shift - Secure the SSD from beginning to end of life Design & Manufacture Use & Retire Deliver & Deploy August 2017 3

SSD Security And Threats Secure the Data Protect the user data Secure the Product Protect from unauthorized access and the Critical Security Parameters (CSP) Secure the Design Hardware SSD Data, CSP Firmware Protect from Cloning, IP Stealing August 2017 4

Security Measures for SSDs 1. Secure Boot 2. Authentication 3. Key Management 4. Data Encryption 5. Physical Security August 2017 5

1. Secure Boot Validate Boot Loader Validate Firmware Primary Boot Loader Secondary Boot Loader Firmware Verify the Boot Image and Firmware came from trusted source and has not been tampered with Establish a root of trust at the time of design & manufacturing Signature Verification (e.g. CRC, SHA, RSA), Encrypted Image (e.g. CBC) August 2017 6

Secure Boot Flow Example Design Center Manufacturing Field FW Image Hashing (SHA) Digest Signing (RSA) Signed Digest Key Generator Private Key FW Image Encrypting (CBC) Firmware Image + Signature Public Key Protected FW Image Programming Signed Digest Boot Process (Power, FW Upgrade) Verifying (RSA) Digest Halt Decrypting (CBC) Compare August 2017 7 FAIL FW Start Protected FW Image FW Image Hashing (SHA) PASS Digest

2. Authentication Validate Server / User Server / User SSD Verify the authorized system / users are accessing the service Establish a Authentication Key at the time of Manufacturing or deployment Authentication using HMAC, SHA-2, Key Unwrapping etc. Authentication key may be used for wrapping Data Encryption Keys (DEK) August 2017 8

3. Key Management Keys maybe generated and stored locally, or provisioned from the host Server / User TRNG SSD Key is the Key to overall security determines the security strength, instant secure erase, different keys for different user data Flexibility - Keys either locally generated using TRNG (True Random Number Generator) or provisioned and managed through an external Key Server Scalability is an important factor for enterprise applications Securely store and manage the keys - Key Wrapping and Unwrapping functions, establish root of trust from manufacturing or deployment time August 2017 9

Flash Array Key Management Server / Array Controller OS App App App File System Block Layer IOCTL Key Mgmt Client Network Stack Local Key Storage NIC Ethernet External Key Server Provides trusted key storage Interfaces SSDs to IO Stack & Key Mgmt Client NVMe Driver Cryptographic Boundary Server Security Send / Security Receive PCIe Storage Switch Use of enterprise class Key Management methods Large scale SSDs (e.g. NVMe Over Fabrics) High availability use cases

4. Data Encryption Data in the media is encrypted Server / User Data Data TRNG SSD Data Data Protect the user data-at-rest Encryption / Decryption using standard algorithm (XTS-AES) with 256 bit keys No performance degradation Power on and On-demand Self-test August 2017 11

5. Physical Protection Server / User Data Data TRNG SSD Data Data Protect from snooping, tampering, backdoor access etc. Cross check any exposure of CSP, loopholes due to error conditions during design itself Establish a secure supply chain FIPS compliant design August 2017 12

Summary Secure the SSD in all phases of life Protect the Design, Product and User Data Secure Boot, Authentication, Key Management, Data Encryption and Physical protection are the key security features of an enterprise SSD August 2017 13

Thanks!! August 2017 Microsemi offers range of products for Flash Security (Come and visit us at booth #213) www.microsemi.com 14

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback