An Introduction to Key Management for Secure Storage. Walt Hubis, LSI Corporation

Similar documents
An Introduction to Key Management for Secure Storage. Walt Hubis, LSI Corporation

A Vendor Agnostic Overview. Walt Hubis Hubis Technical Associates

SCSI Security Nuts and Bolts. Ralph Weber, ENDL Texas

Data Deduplication Methods for Achieving Data Efficiency

ADVANCED DEDUPLICATION CONCEPTS. Thomas Rivera, BlueArc Gene Nagle, Exar

ADVANCED DATA REDUCTION CONCEPTS

Interoperable Cloud Storage with the CDMI Standard. Mark Carlson, SNIA TC and Oracle Co-Chair, SNIA Cloud Storage TWG

Cloud Archive and Long Term Preservation Challenges and Best Practices

Cloud Storage Securing CDMI. Eric A. Hibbard, CISSP, CISA, ISSAP, ISSMP, ISSEP, SCSE Hitachi Data Systems

A Promise Kept: Understanding the Monetary and Technical Benefits of STaaS Implementation. Mark Kaufman, Iron Mountain

Facing an SSS Decision? SNIA Efforts to Evaluate SSS Performance. Ray Lucchesi Silverton Consulting, Inc.

FIPS Non-Proprietary Security Policy. Level 1 Validation Version 1.2

Deploying Public, Private, and Hybrid. Storage Cloud Environments

SRM: Can You Get What You Want? John Webster, Evaluator Group.

Multi-Cloud Storage: Addressing the Need for Portability and Interoperability

Tom Sas HP. Author: SNIA - Data Protection & Capacity Optimization (DPCO) Committee

Mobile and Secure Healthcare: Encrypted Objects and Access Control Delegation

Trends in Data Protection and Restoration Technologies. Mike Fishman, EMC 2 Corporation

Storage Virtualization II Effective Use of Virtualization - focusing on block virtualization -

LTFS Bulk Transfer Standard PRESENTATION TITLE GOES HERE

Interoperable Cloud Storage with the CDMI Standard. Mark Carlson, SNIA TC and Oracle Chair, SNIA Cloud Storage TWG

Hewlett-Packard Development Company, L.P. NonStop Volume Level Encryption (NSVLE) Product No: T0867 SW Version: 2.0

Virtualization Practices:

Best Current Practices and Implementing the FC Security Protocol (FC-SP)

The File Systems Evolution. Christian Bandulet, Sun Microsystems

SRM: Can You Get What You Want? John Webster Principal IT Advisor, Illuminata

Effective Storage Tiering for Databases

Tiered File System without Tiers. Laura Shepard, Isilon

Blockchain Beyond Bitcoin. Mark O Connell

The Role of WAN Optimization in Cloud Infrastructures. Josh Tseng, Riverbed

PRESENTATION TITLE GOES HERE. Understanding Architectural Trade-offs in Object Storage Technologies

Storage Virtualization II. - focusing on block virtualization -

Apples to Apples, Pears to Pears in SSS performance Benchmarking. Esther Spanjer, SMART Modular

The Nasuni Security Model

FDE itc: Encryption Engine (EE) cpp Functional and Assurance Requirements

Notes & Lessons Learned from a Field Engineer. Robert M. Smith, Microsoft

Everything You Wanted To Know About Storage (But Were Too Proud To Ask) The Basics

DELL EMC DATA DOMAIN ENCRYPTION

in Transition to the Cloud David A. Chapa, CTE EVault, a Seagate Company

Scaling Data Center Application Infrastructure. Gary Orenstein, Gear6

Storage Performance Management Overview. Brett Allison, IntelliMagic, Inc.

WHAT HAPPENS WHEN THE FLASH INDUSTRY GOES TO TLC? Luanne M. Dauber, Pure Storage

Acronyms. International Organization for Standardization International Telecommunication Union ITU Telecommunication Standardization Sector

Oracle Solaris Kernel Cryptographic Framework Software Version 1.0 and 1.1

Virtualization Practices: Providing a Complete Virtual Solution in a Box

Tutorial. A New Standard for IP Based Drive Management. Mark Carlson SNIA Technical Council Co-Chair

Storage in combined service/product data infrastructures. Craig Dunwoody CTO, GraphStream Incorporated

LEVERAGING FLASH MEMORY in ENTERPRISE STORAGE

This Security Policy describes how this module complies with the eleven sections of the Standard:

Architectural Principles for Networked Solid State Storage Access

Internet Engineering Task Force (IETF) Request for Comments: 7192 Category: Standards Track April 2014 ISSN:

TRUSTED COMPUTING GROUP TRUSTED STORAGE SPECIFICATION. Michael Willett, Seagate Technology

DataTraveler 5000 (DT5000) and DataTraveler 6000 (DT6000) Ultimate Security in a USB Flash Drive. Submitted by SPYRUS, Inc.

ECE 646 Lecture 8. Modes of operation of block ciphers

UNCLASSIFIED INFORMATION TECHNOLOGY SECURITY GUIDANCE

Dyadic Security Enterprise Key Management

SECURE CLOUD BACKUP AND RECOVERY

Oracle Solaris Userland Cryptographic Framework Software Version 1.0 and 1.1

SAS: Today s Fast and Flexible Storage Fabric. Rick Kutcipal President, SCSI Trade Association Product Planning and Architecture, Broadcom Limited

FIPS Security Policy for Cisco Aironet Lightweight AP1131, AP1142, AP1242, AP1252, AP1262, CAP3502e, and CAP3502i Wireless LAN Access Points

Overview and Current Topics in Solid State Storage

Overview and Current Topics in Solid State Storage

Securing Data-at-Rest

SAS: Today s Fast and Flexible Storage Fabric

An Inside Look at Imminent Key Management Standards. Matt Ball, Oracle Corporation

Restoration Technologies

Use Cases for iscsi and FCoE: Where Each Makes Sense

Planning For Persistent Memory In The Data Center. Sarah Jelinek/Intel Corporation

The Evolution of File Systems

Juniper Network Connect Cryptographic Module Version 2.0 Security Policy Document Version 1.0. Juniper Networks, Inc.

SecureDoc Disk Encryption Cryptographic Engine

Google Cloud Platform: Customer Responsibility Matrix. December 2018

Executive Summary SOLE SOURCE JUSTIFICATION. Microsoft Integration

How to create a synthetic workload test. Eden Kim, CEO Calypso Systems, Inc.

ISO INTERNATIONAL STANDARD. Road vehicles Extended data link security. Véhicules routiers Sécurité étendue de liaison de données

Dyadic Enterprise. Unbound Key Control For Azure Marketplace. The Secure-As-Hardware Software With a Mathematical Proof

ACOS5-64. Functional Specifications V1.04. Subject to change without prior notice.

High Availability Using Fault Tolerance in the SAN. Wendy Betts, IBM Mark Fleming, IBM

Overview. SSL Cryptography Overview CHAPTER 1

Application Recovery. Andreas Schwegmann / HP

Expert Insights: Expanding the Data Center with FCoE

Symantec Corporation

Vaultive and SafeNet KeySecure KMIP Integration Guide v1.0. September 2016

ISO/IEC INTERNATIONAL STANDARD

INFORMATION TECHNOLOGY COMMITTEE ESCB-PKI PROJECT

The Benefits of Solid State in Enterprise Storage Systems. David Dale, NetApp

Felix Xavier CloudByte Inc.

Storage Security Standards: What Are They and What Do they Mean to Storage Consumers? Andrew Nielsen CISSP, CISA, ISSAP, ISSMP SNIA Security TWG

Juniper Networks Pulse Cryptographic Module. FIPS Level 1 Security Policy Version: 1.0 Last Updated: July 19, 2013

egov & PKI By: Alaa Eldin Mahmoud Aly YOUR LOGO

Ron Emerick, Oracle Corporation

FIPS Security Policy

Seagate Secure TCG Enterprise SSC Pulsar.2 Self-Encrypting Drive FIPS 140 Module Security Policy

Who s Protecting Your Keys? August 2018

Key Management Interoperability Protocol (KMIP)

Trends in Data Protection and Restoration Technologies. Jason Iehl, NetApp

Advanced iscsi Management April, 2008

Crypto Library. Microchip Libraries for Applications (MLA) Copyright (c) 2012 Microchip Technology Inc. All rights reserved.

INF3510 Information Security University of Oslo Spring Lecture 3 Key Management and PKI. Audun Jøsang

INFORMATION SECURITY & IT COMPLIANCE. Frank Bunn, Symantec Roger Cummings, Symantec

Transcription:

An Introduction to Key Management for Secure Storage Walt Hubis, LSI Corporation

SNIA Legal Notice The material contained in this tutorial is copyrighted by the SNIA. Member companies and individual members may use this material in presentations and literature under the following conditions: Any slide or slides used must be reproduced in their entirety without modification The SNIA must be acknowledged as the source of any material used in the body of any document containing material from these presentations. This presentation is a project of the SNIA Education Committee. Neither the author nor the presenter is an attorney and nothing in this presentation is intended to be, or should be construed as legal advice or an opinion of counsel. If you need legal advice or a legal opinion please contact your attorney. The information presented herein represents the author's personal opinion and current understanding of the relevant issues involved. The author, the presenter, and the SNIA do not assume any responsibility or liability for damages arising out of any reliance on or use of this information. NO WARRANTIES, EXPRESS OR IMPLIED. USE AT YOUR OWN RISK. 2

Abstract As secure storage becomes more pervasive throughout the enterprise, the focus quickly moves from implementing encrypting storage devices to establishing effective key management policies. Without the proper generation, distribution, storage, and recovery of key material, valuable data will be eventually compromised. Worse, without proper management of key information, data can be completely lost. This session explores the fundamental issues and technologies that impact key management for disk, tape, array, and other storage devices. Major issues associated symmetric encryption keys are presented, along with practical advice on effective key management issues and practices. 3

The Key Management Problem 4

The Key Management Problem 5

The Key Management Problem 6

Data At Rest Random Access Devices Disk Drives Sequential Access Devices Tape Drives Other Media Optical Media Data in Flight is Still Important! Check out SNIA Tutorial: Self-Encrypting Drives 7

Data At Rest Data-in-Flight (DIF) Data-At-Rest (DAR) Storage System Security (SSS) Storage Resource Management (SRM) Source: Introduction to Storage Security, A SNIA Security Whitepaper, September 9, 2009 Storage Element Data-At-Rest (DAR) Storage Resource Management (SRM) Storage System Security (SSS) Data-in-Flight (DIF) Description Protecting the confidentiality, integrity and/or availability of data residing on servers, storage arrays, NAS appliances and other media Securely provisioning, monitoring, tuning, reallocation, and controlling the storage resources so that data may be stored and retrieved. Securing embedded operating systems and applications as well as integration with IT and security infrastructure (e.g., external authentication services, centralized logging and firewalls Protecting the confidentiality, integrity and/or availability of data as they are transferred across the storage network, the LAN, and the WAN. Also applies to management traffic 8

Key Management Many Key Uses Private signature key Public signature verification key Symmetric authentication key Private authentication key Public authentication key Symmetric data encryption key Symmetric key wrapping key Symmetric and asymmetric random number generation keys Symmetric master key Private key transport key Public Key Transport Key Symmetric Key Agreement Key Private Static Key Agreement Key Public Static Key Agreement Key Private Ephemeral Key Agreement Key Public Ephemeral Key Agreement Key Symmetric Authorization Key Private Authorization Key Public Authorization Key Source: NIST Special Publication 800-57: Recommendation for Key Management Part 1: General 9

Key Management Encryption Algorithms AES 128 Bit Key 192 Bit Key 256 Bit Key DES 56 Bit Key 3DES 168 Bit Key Encryption Algorithm Modes Electronic Codebook Mode (ECB) Cipher Block Chaining Mode (CBC) Cipher Feedback Mode (CFB) Output Feedback Mode (OFB) Counter Mode (CTR) Galois/Counter Mode (GCM) LRW Encryption XOR-Encrypt-XOR (XEX) XEX-TCB-CTS (XTS) CBC-Mask-CBC (CMC) ECB-Mask-ECB (EME) 10

Key Management Key and Data Lifetime Forever Assure Access to Data Years from Now For a Limited Time Period Ephemeral Milliseconds, Seconds Weeks, Months, Years What Happens at End of Life? Mandatory Re-Encryption Destruction of Data Destruction of Key 11

Key Management Policies Who Can Establish Keys? Who Can Delete Keys? What is the Lifetime of a Key? Can the Key be Archived? Are the Keys Changed Periodically? Are Keys Automatically Deleted or Archived? Who Else Can Use the Key? 12

Key Management Auditing Track the Key over it s Lifetime Who Created the Key and When? Who Changed the Key and When? Who Created a Copy of the Key and When? Where are the Copies of the Key Who Deleted the Key and When? 13

Key Management Threats Confidentiality Key Disclosure Data Accessible to Anyone Integrity Key has Been Modified Data Accessible by None Archive Key has Been Lost Availability Key Cannot be Accessed 14

Key Management Goals Backup/Restore Key Material Archival and Retention of Key Material Distribution of Key Material Expiration, Deletion, and Destruction of Key Material Audit of Key's Life Cycle Reporting Events and Alerts 15

Keying Material 16

Keys Two Major Types of Encryption Symmetric Keys Asymmetric Keys Storage Systems May Use Both Asymmetric Keys to Exchange Symmetric Keys Symmetric Keys to Encrypt/Decrypt Data Check out SNIA Tutorial: ABC s of Data Encryption 17

Symmetric Keys One Key Used for Both Encryption and Decryption Requires Lower Computing Power 18

Asymmetric Key Uses Private and Public Key Pair Can t be Derived from Each Other Data Encrypted with One Can Only Be Decrypted With the Other Requires Greater Computing Power 19

Encryption Strength 20

Key Formats Key Formats Any and All Key Formats Must Be Managed Keys are Viewed as Objects Key Material Key Data Key Information: Metadata Storage Generally Uses Symmetric Keys A Secure Key Exchange Assumed Easier to Implement Less Client Resources 21

Key Wrapping Used to Move Keys Backup Archiving Source: AES Key Wrap Specification (http://csrc.nist.gov/cryptotoolkit/kms/key-wrap.pdf) 22

Pass Phrase Used to Generate Key Encryption Key Pass Phrase Hashing Algorithm Key Encryption Key Backup Media AES Encryption Key 23

Basic Key Metadata Value The Actual Key Unique Identifier (GUID) Unique Within a Domain (Name Space) The Domain May be World Wide Unique May be a Globally Unique Identifier World Wide Unique Name May be a Hierarchy Important for Identifying Keys that are Moved Across Domains Across Companies Across Countries 24

Optional Key Metadata Name User readable name, not necessarily Unique Creator name Domain name Parent GUID Previous version GUID Version string 25

Optional Key Metadata Timestamps Creation Modified Valid Time Expiration Time Policies Use of key Key type Access rights - who can: Access Modify Disable Destroy Vendor-Specific Metadata 26

Key Management Components 27

Key Management Components Client-Server View The Key The Key Server The Key Transport Channel Secure Channel Authentication In-Band Out of Band Key Exchange Protocol 28

Client-Server View Client User or Consumer of Keys Server Provider of Keys 29

Client-Server Authentication Client and Server Must Authenticate Assures Identity Secrets or Certificates Pre-Shared Keys or PKI Communications are Secure Channel Encryption 30

Key Clients - Lightweight Limited Resources Limited Computational Requirements Limited Memory Requirements Applications Disk Drives Tape Drives, Libraries Array Controllers Simple Protocol Fixed Fields and Values Similar to SCSI CDBs 31

Key Clients - Complex Unlimited Resources Applications Key Servers Data Bases Objects File Servers May Use a Complex Protocol Requires Complex Protocol Parser 32

Key Server Key Server Software Application Generic Hardware Platform Dedicated Hardware Servers Hardened Multiple Key Servers Key Management Between Servers Policy Management Accounting Validation Backup 33

Key Clients and Servers - Disk Typical KM Scenario Client: Host PC Passes Key to Drive 34

Key Clients and Servers - Disk Client is the Drive Drive or Subsystem Requests Key Directly from Server 35

Key Clients and Servers - Tape Manual Key Management 36

Key Clients and Servers - Tape Automated Key Management 37

Key Clients and Servers - Tape Automated Key Management 38

Host Based Key Management Cryptographic Unit HBA Software

Key Clients and Servers - Enterprise 40

KMS Protocol Two Primary Operations Set key Server Client Get key Client Server Optional Operations Find key Update key Replicate key Disable key Destroy key Access rights Get service info Audit log functions 41

Key Management Standards for Storage 42

Key Management Standards for Storage 43

Key Management Standards for Storage 44

For More Information NIST Special Publication 800-57: Recommendation for Key Management (http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57-part1- revised2_mar08-2007.pdf) ISO/IEC 11770 Parts 1-3: Information technology - Security techniques - Key management (http://webstore.ansi.org/ ) FIPS 140-2: SECURITY REQUIREMENTS MODULES (http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf) Trusted Computing Group (https://www.trustedcomputinggroup.org/home) IEEE P1619.3: Security in Storage Workgroup (SISWG) Key Management Subcommittee (http://siswg.net/) OASIS Enterprise Key Management Infrastructure (EKMI) Technical Committee (http://www.oasisopen.org/committees/tc_home.php?wg_abbrev=ekmi) IETF: Provisioning of Symmetric Keys (KEYPROV) (http://www.ietf.org/html.charters/keyprov-charter.html) 45

Q&A / Feedback Please send any questions or comments on this presentation to SNIA: tracksecurity@snia.org Many thanks to the following individuals for their contributions to this tutorial. SNIA Education Committee Larry Hofer CISSP Eric Hibbard CISSP Mark Nossokoff Blair Semple SNIA SSIF SNIA Security TWG 46

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback