Encrypting stored data


Encrypting stored data
Tuomas Aura
CSE-C3400 Information security
Aalto University, autumn 2014

Outline
1. Scenarios
2. File encryption
3. Encrypting file system
4. Full disk encryption
5. Data recovery

Simple application of cryptography and a good example of how difficult it is to build a secure system.
This lecture uses Windows as an example. The same principles and questions apply to competing file and disk encryption products.
Acknowledgement: These slides are partly based on Microsoft material.

Scenarios for data encryption
- Lost and stolen laptops
  - Contain confidential data and access credentials
- Physically compromised servers
  - Contain business secrets, customer data and PII
  - Unauthorized insiders have physical access
- Decommissioned hard disks
  - Secure decommissioning is expensive
  - Hardware recycling is typically done in the cheapest and fastest way: no time for secure disk wipe
  - Old PCs from the US are shipped to China for recycling

Data encryption
- Scenarios: lost and stolen laptop computers; stolen servers; decommissioning hard disks
  - Risk of disclosure of confidential data
- The obvious solution: encrypt data on disk
- But computer security is never quite so simple:
  - Security often conflicts with usability
  - Security often conflicts with reliability; a plan for data recovery is needed
  - System design mistakes or programming errors could compromise data

FILE ENCRYPTION

Simple file encryption
1. User enters passphrase
2. Passphrase hashed with a cryptographic hash function to produce a key
3. File encrypted with the key
   - E.g. AES in CBC mode
   - Decryption with the same key

Examples: crypt(1), GPG

[Figure: passphrase (1) hashed with SHA-1 into a key (2), which encrypts the plaintext file (3)]

% gpg --output ciphertext.gpg --symmetric plaintext.doc
Enter passphrase:

Limitations of file encryption
- User action needed, and users are lazy
- Automated use (scripting) is hard to implement because where do you store the secret passphrase?
- Brute-forcing the passphrase is possible
  - Can be mitigated with a slow hash (e.g. PBKDF2)
- Encrypting a file normally creates an encrypted copy; what happens to the old plaintext file?
  - No guarantee that the plaintext is not left on the disk
- Word processors and other software create temporary files and backup copies
  - Unencrypted versions and fragments of the file may be left in locations that the user does not even know about
- There are tools for deleting temporary files and for wiping free disk space, but none is completely reliable
- Cloud storage keeps all old data
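The slow-hash mitigation above, as an added example that is not part of the original slides: it measures what one passphrase guess costs under the single unsalted SHA-1 of the simple scheme and under salted PBKDF2, and shows what the salt changes. The function names, the iteration count and the sample passphrase are assumptions made for this illustration.

```python
import hashlib
import os
import time

PBKDF2_ITERATIONS = 200_000  # assumed work factor for this example; tune per hardware


def key_from_plain_hash(passphrase: str) -> bytes:
    """Simple scheme from the slide: one unsalted SHA-1, truncated to a 128-bit key."""
    return hashlib.sha1(passphrase.encode("utf-8")).digest()[:16]


def key_from_pbkdf2(passphrase: str, salt: bytes,
                    iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Slow, salted derivation: PBKDF2-HMAC-SHA256 producing a 128-bit key."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                               salt, iterations, dklen=16)


def seconds_per_derivation(derive, rounds: int) -> float:
    """Average cost of one derivation, which is also the cost of testing one guess."""
    start = time.perf_counter()
    for i in range(rounds):
        derive(f"candidate-{i}")
    return (time.perf_counter() - start) / rounds


def compare_costs() -> dict:
    salt = os.urandom(16)  # not secret; stored in the clear next to the ciphertext
    fast = seconds_per_derivation(key_from_plain_hash, 20_000)
    slow = seconds_per_derivation(lambda p: key_from_pbkdf2(p, salt), 3)
    return {"plain_hash_s": fast, "pbkdf2_s": slow, "slowdown": slow / fast}


def same_passphrase_two_files(passphrase: str) -> dict:
    """Effect of the salt: unsalted keys repeat across files, salted keys do not."""
    salt_a, salt_b = os.urandom(16), os.urandom(16)
    return {
        "plain_keys_equal":
            key_from_plain_hash(passphrase) == key_from_plain_hash(passphrase),
        "pbkdf2_keys_equal":
            key_from_pbkdf2(passphrase, salt_a) == key_from_pbkdf2(passphrase, salt_b),
    }


if __name__ == "__main__":
    costs = compare_costs()
    print(f"plain SHA-1 : {costs['plain_hash_s'] * 1e6:.2f} microseconds per guess")
    print(f"PBKDF2      : {costs['pbkdf2_s'] * 1e3:.1f} ms per guess")
    print(f"slowdown    : about {costs['slowdown']:,.0f}x")
    print(same_passphrase_two_files("Our plan is"))  # constructed sample passphrase
```

The slowdown factor applies equally to the legitimate user, who pays it once per decryption, and to anyone guessing, who pays it once per candidate passphrase.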

Wiping files
- Deleting a file simply marks the space free but does not erase the contents: raw data is still on the disk
- Overwriting a file does not always erase the old contents:
  - File system may organize data in unexpected ways: backups, revision control, copy on write, journal, etc.
  - Solid state disks (SSD) write in complex patterns
- Wiping all empty disk space by overwriting
  - Deletes most data but no guarantee
- Disk drive behavior is not always controllable by the file system driver: bad block replacement, optimizations
- Magnetic data remanence: magnetic medium may retain traces of previous contents even after being overwritten
- Physical destruction: grinding disks, heating magnetic medium above Curie temperature
  - Flash memory (SSD) fragments may retain data

ENCRYPTING FILE SYSTEM

Windows encrypting file system (EFS)
- Encryption is a file attribute
- Possible to enable encryption for all files in a folder: new files encrypted
- Files are readable only when the user is logged in
- Encryption and decryption are transparent to applications
- Similar products exist for Unix

EFS key
1. User logs in, enters password
2. Hashed to produce key
3. Used to decrypt User's Master Key
4. Used to decrypt User's Private EFS Key
5. Used to decrypt File Encryption Key (FEK)
6. Used to encrypt on write and decrypt on read

*) DPAPI = Data Protection application programming interface

[Figure: EFS key chain. Labels: Windows logon dialog, PBKDF2, key, User's DPAPI* Master Key, User's Private EFS Key, RSA, user profile, FEK, $EFS alternate data stream, AES or 3DES, encrypted file, plaintext file]

EFS limitations
- Encrypts contents of specific files only
- User login credentials (password) needed for decryption
  - System has no access to encrypted files unless user logs in
  - System cannot index files without the user password
  - Backups contain encrypted files, not the plaintext
- When encrypting plaintext files, the original file is not wiped, just deleted; the data remains on the disk
  - User should create files in an encrypted folder
- Transparent decryption, e.g. data decrypted transparently when copying to a file share over network or to an unencrypted FAT partition
- Some data is not encrypted:
  - folder and file names
  - temp files, earlier unencrypted versions, printer spool
  - registry, system files and logs
  - page file can now be encrypted but requires policy configuration
- Hibernation file may contain decryption keys

EFS and password cracking
- EFS security depends on the secrecy of user password
- Password hashes are stored in a database on the disk
- Passwords are vulnerable to brute-force attacks
  - NT hash and historical LM hash use no salt and are therefore especially vulnerable
  - Rainbow tables (Hellman90, Oechslin03)
- Attacker can boot to another OS, extract the password hashes from the hard disk and crack the user password
- Note: resetting user or admin password does not enable access to encrypted files
- EFS supports smart cards as an alternative login method

Trojans, root kits etc.
- EFS data is vulnerable to Trojans, viruses and key loggers
- Attacker with access to hardware can compromise OS and install a root kit or key logger
- Note that these problems do not apply to lost or stolen laptops

EFS summary
- Encrypts single files and folders; leaves a lot of information unencrypted
- Requires care from user
  - User must understand what is encrypted and what else happens to the data
  - User of a non-domain computer must back up keys or risk data loss
- Security depends on a strong password
- System cannot access encrypted files for admin tasks like backup and indexing
- Hibernation breaks the security
- Apart from the hibernation issue, EFS would be a pretty secure way of encrypting all files on a data disk (D:)

FULL DISK ENCRYPTION

Full disk encryption
- Entire disk is encrypted:
  - Protects all information on disk
  - Easier to use correctly than EFS
- Products are available from various hardware and software vendors including hard disk manufacturers
- Password, key or physical token required to boot or to mount disk; thereafter transparent
- Usability and reliability issues?
  - Requires user/admin to be present at boot time
- In software-based products:
  - Password must be strong enough to resist brute-force guessing
  - Hibernation is a problem
  - Hardware solution would be better

Trusted platform module
- Trusted hardware enables some things that otherwise would be impossible
- Trusted platform module (TPM) is a smart-card-like module on the computer motherboard or, preferably, embedded in the CPU
- Holds crypto keys and platform measurements in platform configuration registers (PCR)
- Useful TPM operations:
  - TPM_Seal: encrypt data in any platform configuration
  - TPM_Unseal: decrypt the data, but only if the platform configuration is the same as when sealing

Windows BitLocker
- Full-volume encryption in Windows
  - Uses TPM for key management
  - Optional PIN input and/or USB dongle at boot time
  - System volume must be NTFS, data disks can also be FAT
- Sealing the entire system partition:
  - Encrypt data with a symmetric key
  - Seal the key; store sealed key on disk; unseal when booting
  - TPM checks the OS integrity before unsealing the key
- Can boot to another OS but then cannot unseal the Windows partition: cannot bypass OS access controls
- For a stolen laptop, forces the thief into a hardware attack against the TPM

BitLocker partitions
- Encrypted Windows partition contains:
  - Volume metadata with MAC
  - Encrypted OS
  - Encrypted page file
  - Encrypted temp files
  - Encrypted data
  - Encrypted hibernation file
- Boot partition (1.5 GB) contains:
  - MBR
  - OS loader
  - Boot utilities

BitLocker keys

[Figure: key chain, steps 1 to 4. Labels: Storage Root Key (SRK) inside TPM; Volume Master Key (VMK) and Full Volume Encryption Key (FVEK), the encrypted keys in volume metadata; encrypted data; plaintext data]

Separate VMK/FVEK adds flexibility: how?

Algorithms and key sizes
- Storage root key (SRK) is a 2048-bit RSA key
- Volume master key (VMK) is a 256-bit symmetric key
- Full volume encryption key (FVEK) is a 128 or 256-bit symmetric key
- The disk is encrypted with AES-CBC
  - Initialization vector (IV) derived from sector number (because there is no space for storing a random IV in the disk block)
- No integrity check
  - Adding a MAC would increase the data size
- Disk sectors are pre-processed with a proprietary diffuser algorithm
  - Makes attacks against integrity more difficult; the whole sector is encrypted as if it was one cipher block (512..8192 bytes)

Software authentication with TPM
- Measuring platform configuration:
  - Module n computes hash of module n+1 and extends the hash into a platform configuration register (PCR) in TPM
  - Module n transfers control to module n+1
  - At any point, PCRs contain a cumulative fingerprint (hashes) of all software loaded up to that point
- Sealing and unsealing data:
  - TPM binds selected PCR values to the sealed secrets
  - TPM unseals secrets only if these PCR values have not changed
  - If attacker tampers with the OS or the boot process, the OS cannot unseal the data
- Originally designed as a DRM feature:
  - Decrypt music only for untampered OS and media player
- Slightly different from traditional secure boot: does not prevent booting to any OS or system configuration
- Another feature based on the TPM and platform measurements is attestation, i.e. proving host integrity to another host or server across the Internet

Secure boot with TPM

[Figure: boot chain CRTM, BIOS, MBR, NTFS boot sector, NTFS boot block, Boot manager, OS loader (2), Windows, divided into Pre-OS, Static OS and Dynamic OS phases, with PCRs on TPM. Action labels: "measure and load"; "load volume metadata, unseal VMK, verify MAC (1) on metadata, decrypt FVEK"; "decrypt, verify signature and load"]

(1) MAC keyed with VMK.
(2) Different loaders for boot, resume etc.

Which PCR values are used for sealing?
  *PCR 00: CRTM, BIOS and Platform Extensions
  (PCR 01: Platform and Motherboard Configuration and Data)
  *PCR 02: Option ROM Code
  (PCR 03: Option ROM Configuration and Data)
  *PCR 04: Master Boot Record (MBR) Code
  (PCR 05: Master Boot Record (MBR) Partition Table)
  (PCR 06: State Transitions and Wake Events)
  (PCR 07: Computer-Manufacturer Specific)
  *PCR 08: NTFS Boot Sector
  *PCR 09: NTFS Boot Block
  *PCR 10: Boot Manager
  *PCR 11: BitLocker Critical Components
- If any of the *-values has changed, the decryption key will not be unlocked and a recovery password is needed
- BitLocker keys will be unlocked before OS upgrade
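The measuring and sealing steps from the two slides above, as an added example that is not part of the original slides and does not use a real TPM interface: a software model in which each boot stage extends a PCR and a 256-bit VMK is sealed to the *-marked registers. ToyTPM, its HMAC-based wrapping and the component strings are constructed for illustration; a real TPM uses its own key hierarchy and blob format.

```python
import hashlib
import hmac
import os

SEALED_PCRS = (0, 2, 4, 8, 9, 10, 11)  # the *-marked registers listed above

# Constructed stand-ins for the boot components: (PCR index, image bytes).
GOOD_CHAIN = [(0, b"CRTM+BIOS"), (2, b"option ROM"), (4, b"MBR code"),
              (8, b"NTFS boot sector"), (9, b"NTFS boot block"),
              (10, b"boot manager"), (11, b"BitLocker components")]


class ToyTPM:
    """Software model of PCR extend / seal / unseal. Not a real TPM API."""

    def __init__(self):
        self._srk = os.urandom(32)  # stand-in for the storage root key; never exported
        self.reset()

    def reset(self):
        # Power-on: every PCR starts at zero (20 bytes, as for SHA-1 PCRs).
        self.pcr = [bytes(20) for _ in range(24)]

    def extend(self, index, measurement):
        # PCR_new = SHA-1(PCR_old || measurement): order matters, no direct write.
        self.pcr[index] = hashlib.sha1(self.pcr[index] + measurement).digest()

    def _keys(self, selection, nonce):
        # Both keys depend on the current values of the selected PCRs.
        composite = b"".join(bytes([i]) + self.pcr[i] for i in selection)
        mask = hmac.new(self._srk, b"mask" + nonce + composite, hashlib.sha256).digest()
        mac_key = hmac.new(self._srk, b"tag" + nonce + composite, hashlib.sha256).digest()
        return mask, mac_key

    def seal(self, secret, selection):
        if len(secret) > 32:
            raise ValueError("toy model seals at most 32 bytes")
        selection = tuple(sorted(selection))
        nonce = os.urandom(16)
        mask, mac_key = self._keys(selection, nonce)
        ct = bytes(s ^ m for s, m in zip(secret, mask))
        tag = hmac.new(mac_key, ct, hashlib.sha256).digest()
        return {"selection": selection, "nonce": nonce, "ct": ct, "tag": tag}

    def unseal(self, blob):
        mask, mac_key = self._keys(blob["selection"], blob["nonce"])
        expected = hmac.new(mac_key, blob["ct"], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, blob["tag"]):
            raise PermissionError("PCR values differ from those at sealing time")
        return bytes(c ^ m for c, m in zip(blob["ct"], mask))


def measured_boot(tpm, chain):
    tpm.reset()
    for index, image in chain:
        # Each stage hashes the next one and extends the PCR before handing over.
        tpm.extend(index, hashlib.sha1(image).digest())


def boot_and_unseal(tpm, chain, blob):
    measured_boot(tpm, chain)
    try:
        return tpm.unseal(blob)
    except PermissionError:
        return None  # at this point BitLocker asks for the recovery password


def demo():
    tpm = ToyTPM()
    vmk = os.urandom(32)  # 256-bit volume master key
    measured_boot(tpm, GOOD_CHAIN)
    blob = tpm.seal(vmk, SEALED_PCRS)
    changed = [(i, b"other boot loader" if i == 4 else img) for i, img in GOOD_CHAIN]
    return vmk, boot_and_unseal(tpm, GOOD_CHAIN, blob), boot_and_unseal(tpm, changed, blob)
```

In `demo()`, the unchanged chain returns the VMK and the chain with different MBR code returns `None`; extending a register outside `SEALED_PCRS`, such as PCR 05, leaves unsealing unaffected.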

BitLocker modes
- TPM only:
  - Unsupervised boot (VMK unsealed if the PCR values are correct)
  - Attacker can boot stolen laptop but not log in: security depends on OS access controls
  - Very attractive mode of operation enabled by TPM, but see the following slides!
- TPM and PIN:
  - TPM requires a PIN during the secure boot
  - TPM will be locked after a small number of incorrect PINs
  - Attacker must break the TPM hardware to decrypt the disk
  - Attacker may also sniff communication between chips on a live system
- TPM (and PIN) and USB stick:
  - Secure boot and strong keys on a physical token: high security
- USB stick without TPM
  - Traditional software-based full-disk encryption; no secure boot
- Network unlock
  - Server can reboot if on the same network with AD

eDrive
- Offloading the data encryption and decryption (AES) to hardware on the drive (in Windows 8 and Server 2012)
- Obtain the Authentication Key, e.g. by unsealing it
- Authentication Key: sent to the drive, decrypts the Data Encryption Key
- Data Encryption Key (DEK) never leaves the drive

[Figure: key chain, steps 1 to 4. Labels: Authentication Key; encrypted key on the drive; encrypted data; plaintext data]

Separate VMK/FVEK adds flexibility: how?

Secure path issues
- The PIN input is not secure if the attacker can hack the hardware
  - Attacker can modify the BIOS or replace the computer without the user's knowledge
  - Key logger on external keyboard can capture the PIN
- Similarly, a hacked computer can capture the keys on the USB stick
- Malware can also fake the reboot process and ask for the PIN
- This requires the attacker to have access to the computer twice: first to install the Trojan, then to use the captured PIN
  - Inside attacker, e.g. IT support
  - Not a problem for lost and stolen computers

Cold boot attack
- Laptop memory is designed for low power consumption: slow refresh rate, data stays in memory for seconds after power loss
- Data remanence in DRAM:
  - Pull out memory from a running computer and plug it into a reader
  - Some bits will be random but some will retain their values: might be possible to recover most bits of a cryptographic key in the memory
  - Use cold spray or liquid nitrogen to reduce data loss
- Cold boot attack:
  - Reboot into minimal hacker OS from USB stick or CD
  - Memory power lost only for a fraction of a second during reboot: memory contents remain almost unchanged
- Lessons:
  - Breaks full-disk encryption if attacker has access to the running computer
  - Sleeping laptop = running laptop: most laptops vulnerable
  - Breaks BitLocker in TPM-only mode even if it is powered down
  - OS access controls, e.g. screen lock, do not stop a physical attacker from gaining access to memory and files

DATA RECOVERY

Need for data recovery
- If the decryption key is lost, encrypted files will be lost
- If Admin resets user password, EFS files cannot be read
  - Password reset and hacking tools have the same effect
  - User can change the password back to the old one if remembered
- Backup files become unreadable if the user's old (archived) private key is lost
  - Can happen when rebuilding or cleaning user profile
- BitLocker risks: installing Linux boot loader, replacing the motherboard, TPM boot PIN forgotten or mistyped many times, moving disk to another computer
- Good idea to back up decryption keys

Data recovery in EFS
- Windows domain has a data recovery agent (DRA)
  - FEK is encrypted also with DRA public key
  - Domain Admin is the default DRA
  - Other DRAs can be defined in a Group Policy in the domain
- Standalone machine has no default DRA
  - Latest password reset disk also recovers EFS private key
  - User may also export the user's EFS certificate (including the private key) to a backup disk
  - Local Admin can configure a DRA on the local machine (see cipher.exe)
- Questions:
  - Local Admin cannot read the users' encrypted files without the user passwords; can the Admin get around this?
  - Win 2000 had local Admin as default DRA for non-domain machines; why was this not a good idea?

Data recovery in EFS
- File encryption key (FEK) is encrypted with one or more recovery agents' public keys
- The same mechanism is used for sharing encrypted files between users

[Figure: labels: Recovery Agent's Private EFS Key, User's Private EFS Key, FEK, file attribute, encrypted file, plaintext file]

Data recovery in BitLocker
- Recovery password:
  - User can print a 48-digit recovery password or store it on a USB stick, CD or remote disk; it is actually a 128-bit key
  - BitLocker encrypts the VMK with the recovery password and stores it with the volume metadata (in the same way as the TPM-sealed VMK)
  - Multiple backups of volume metadata are stored in the volume in case a part of the volume is corrupted
  - User can save the recovery key to Microsoft account (online)
- Organizational recovery policy: Windows Domain Admin can require the recovery password to be uploaded to the Active Directory
- Installing another OS for dual boot will trigger recovery
  - User can accept the new boot configuration after entering the recovery password

Exercises
- What secure methods are there for erasing magnetic hard drives and tapes, USB sticks or solid-state drives (SSD), and paper documents?
- How to delete a specific file from a computer securely without erasing the whole disk?
- What security properties does GPG file encryption or EFS provide that full-disk encryption does not?
- How vulnerable is EFS to password guessing?
- Why do EFS and BitLocker have so many levels of keys? Are some unnecessary?
- Compare the security of software-based full-disk encryption and the TPM approach against brute-force password guessing.
- How to mitigate the risk of cold-boot attacks (both against BitLocker and more generally)?
- Explain what effect powering down the laptop computer, hibernation and sleep mode have on the cold boot attack.
- Transparent operation (happens without the user or application even knowing) improves usability of data encryption, but are there risks associated with the transparency?
- How would you design the encryption of files in cloud storage?

Related reading
- Online: Halderman et al., Lest We Remember: Cold Boot Attacks on Encryption Keys. http://citp.princeton.edu/memory/
- Stallings and Brown: Computer security, principles and practice, 2008, chapter 10.5