Storage encryption... what about data integrity?

Similar documents
Security features for UBIFS. Richard Weinberger sigma star gmbh

CS155. Cryptography Overview

Misuse-resistant crypto for JOSE/JWT

PKCS #11 Message-Based Encryption and Decryption

Secure storage in OP-TEE. Jens Wiklander

Authenticated Encryption in TLS

CS408 Cryptography & Internet Security

Authenticated Encryption

Cryptography and Network Security Chapter 12. Message Authentication. Message Security Requirements. Public Key Message Encryption

Feedback Week 4 - Problem Set

Protecting your system from the scum of the universe

Advanced Security for Systems Engineering VO 09: Applied Cryptography

Concrete cryptographic security in F*

Android Bootloader and Verified Boot

Message authentication codes

Data-at-Rest Encryption

Confessions of a security hardware driver maintainer

CS155. Cryptography Overview

CS 161 Computer Security

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 11 Basic Cryptography

Encryption. INST 346, Section 0201 April 3, 2018

Protecting your system from the scum of the universe

Authenticated Encryption

Security: Cryptography

Block ciphers used to encode messages longer than block size Needs to be done correctly to preserve security Will look at five ways of doing this

Lecture 9a: Secure Sockets Layer (SSL) March, 2004

PKCS #11 Message-Based Encryption and Decryption

Computer Security: Principles and Practice

Content of this part

Introduction to Symmetric Cryptography

Security with VA Smalltalk

Advanced security notions for the SSH secure channel: theory and practice

Storage Encryption: A Cryptographer s View. Shai Halevi IBM Research

Introduction to Network Security Missouri S&T University CPE 5420 Data Integrity Algorithms

A Surfeit of SSH Cipher Suites

Distributed Key Management and Cryptographic Agility. Tolga Acar 24 Feb. 2011

Permutation-based Authenticated Encryption

Hitachi Virtual Storage Platform (VSP) Encryption Board. FIPS Non-Proprietary Cryptographic Module Security Policy

Encrypted Data Deduplication in Cloud Storage

CRYPTOLOGY KEY MANAGEMENT CRYPTOGRAPHY CRYPTANALYSIS. Cryptanalytic. Brute-Force. Ciphertext-only Known-plaintext Chosen-plaintext Chosen-ciphertext

AEGIS. A Fast Authenticated Encryption Algorithm. Nanyang Technological University KU Leuven and iminds DIAC 2014 AEGIS 1

Winter 2011 Josh Benaloh Brian LaMacchia

COMP4109 : Applied Cryptography

ECE 646 Lecture 8. Modes of operation of block ciphers

Cryptography Basics. IT443 Network Security Administration Slides courtesy of Bo Sheng

PROTECTING CONVERSATIONS

FIPS Non-Proprietary Security Policy. Level 1 Validation Version 1.2

SecureDoc Disk Encryption Cryptographic Engine

Computer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018

9/30/2016. Cryptography Basics. Outline. Encryption/Decryption. Cryptanalysis. Caesar Cipher. Mono-Alphabetic Ciphers

05 - WLAN Encryption and Data Integrity Protocols

UNIT - IV Cryptographic Hash Function 31.1

FIPS Security Policy

Deep Tech Analysis to AES-GCM in TLS 1.2 and IPSec-v3. Richard Wang and Ed Morris May 20, 2016 International Crypto Module Conference

Lecture 6: Symmetric Cryptography. CS 5430 February 21, 2018

Implementing Cryptography: Good Theory vs. Bad Practice

Message Authentication Codes and Cryptographic Hash Functions

Cryptographic Concepts

Slides by Kent Seamons and Tim van der Horst Last Updated: Oct 7, 2013

Lecture 1 Applied Cryptography (Part 1)

FIPS Level 1 Validation March 31, 2011 Version 1.12

Block cipher modes. Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 75

L13. Reviews. Rocky K. C. Chang, April 10, 2015

CSC 474/574 Information Systems Security

Wheesht: an AEAD stream cipher.

Encrypted Local, NAS iscsi/fcoe Storage with ZFS

VerifyFS in Btrfs Style (Btrfs end to end Data Integrity)

AWS Key Management Service (KMS) Handling cryptographic bounds for use of AES-GCM

CSCE 715: Network Systems Security

Data Integrity. Modified by: Dr. Ramzi Saifan

Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls

CIS 4360 Secure Computer Systems Symmetric Cryptography

Oracle Solaris Kernel Cryptographic Framework Software Version 1.0 and 1.1

Cryptography and Network Security

CSCI 454/554 Computer and Network Security. Topic 3.2 Secret Key Cryptography Modes of Operation

RC4. Invented by Ron Rivest. A stream cipher Generate keystream byte at a step

Cryptography Overview

Securing IoT applications with Mbed TLS Hannes Tschofenig Arm Limited

IPSec Transform Set Configuration Mode Commands

Solutions to exam in Cryptography December 17, 2013

Protocols, Technologies and Standards Secure network protocols for the OSI stack P2.1 WLAN Security WPA, WPA2, IEEE i, IEEE 802.1X P2.

Linux Kernel Cryptographic API for fun and profit

DataTraveler 5000 (DT5000) and DataTraveler 6000 (DT6000) Ultimate Security in a USB Flash Drive. Submitted by SPYRUS, Inc.

POWER7+ Accelerated Encryption and Random Number Generation for Linux

There are numerous Python packages for cryptography. The most widespread is maybe pycrypto, which is however unmaintained since 2015, and has

Secure Storage with Encrypted file systems

Key Encryption as per T10/06-103

Summary on Crypto Primitives and Protocols

1-7 Attacks on Cryptosystems

S. Erfani, ECE Dept., University of Windsor Network Security

Computer Security CS 526

CIS 6930/4930 Computer and Network Security. Topic 3.2 Secret Key Cryptography Modes of Operation

06/02/ Local & Metropolitan Area Networks. 0. Overview. Terminology ACOE322. Lecture 8 Network Security

Cryptographic Checksums

Practical Aspects of Modern Cryptography

Block Cipher Modes of Operation

Stream Ciphers. Stream Ciphers 1

Introduction to Cryptographic Systems. Asst. Prof. Mihai Chiroiu

SSL/TLS. How to send your credit card number securely over the internet

Cryptographic Hash Functions

Transcription:

Centre for Research on Cryptography and Security Storage encryption... what about data integrity? Milan Brož mbroz@redhat.com DevConf, Brno January 28, 2017

Agenda Data integrity what it is? Encryption / confidentiality / no integrity protection? Methods / examples Integrity in the Full Disk Encryption context Demo (dm-crypt / dm-integrity)

Problem: data corruption Silent data corruption unintentional, random change (flaky cables, memory errors, data misplacement) Unauthorized change of data intentional modification (by an attacker) Both above can propagate further if undetected.

Data integrity (~data-at-rest storage) Provides data consistency Corruption detection during the entire data life-cycle Silent data corruption => (meta)data checksums Unauthorized change of data => message authentication (MAC), auth. tag if encryption in place => authenticated encryption

Integrity protection Integrity corruption detection Requires additional storage space to store checksum or authentication tag Error correction (detect & repair data) Even more additional space (redundancy) So... why we need it? Isn t it in hardware already? Can we detect unauthorized modification? Can it prevent also "reply attacks"?

Non-authenticated integrity protection Parity, checksums example: CRC32 no problem if collision exists (collision = two messages with the same checksum) Cryptographic hash algorithms example: sha256 (sha256sum command) finding collision should infeasible in reasonable time Anyone can calculate and verify

Authenticated integrity protection Keyed cryptographic hash example: HMAC only authenticated user can calculate and verify Authenticated encryption (AE) modes example: AES-GCM note: CAESAR crypto competition provides both confidentiality and integrity AE with additional data (AEAD) authenticates also additional metadata

Examples for storage integrity (OSS) Block device: dm-verity (Android secure boot) Filesystems btrfs, ZFS, bcachefs,...... (Application level databases, archives,...)

Our case: LUKS / Full Disk Encryption Length-preserving encryption Plaintext and ciphertext of the same size (sector) Provides confidentiality Data available only to authorized users Provides no data integrity protection Except "poor man authentication" garbage after decryption can be detected

(note) Change propagation in FDE Small (bit) change in ciphertext => pseudo-random change in plaintext typically 16 bytes (cipher block) up to whole sector Small (bit) change in plaintext => should propagate to the whole sector (best case) in reality, only part of sector changes Error / data corruption is the same case!

Authenticated encryption with LUKS Inspired by "an academic" idea is it feasible? Need metadata per-sector for authentication tag. We already have key management LUKS dm-integrity module provides metadata per-sector dm-crypt module adds authentication encryption (AEAD) stores authentication tag and nonce or IV to dm-integrity additional metadata

dm-integrity Separate and new device-mapper target Emulates per-sector metadata (like DIF in hardware just size is configurable) Uses interleaved metadata sectors Provides atomic updates of sector+metadata Two modes 1) Provides metadata to another target (dm-crypt) 2) Standalone mode (built-in checksum)

dm-integrity Layout on disk principle Additional metadata space

dm-crypt extension Adds AEAD algorithms for FDE Built on top of kernel cryptographic API algorithm agnostic we can use whatever is available! Combination of existing modes (XTS) and HMAC or specifically designed AEAD - GCM, GCM-SIV (draft) [just for demo!] - Chacha20-poly1305

dm-crypt AEAD extension AEAD sector request ----- AAD ------- ------ DATA ------- -- AUTH TAG -- (authenticated) (auth+encryption) sector_le IV sector in/out tag in/out <cryptography_corner> The devil is in the detail nonce (Initialization Vector)! Sector inicialization vector / nonce must not be reused. (fatal attacks to some modes like GCM) Random IV IV is regenerated after every write even with same data => IND-CPA (encryption oracle) bonus: no more change localization with XTS-random </cryptography_corner>

Demonstration LUKS encrypted Fedora - with authenticated encryption cryptsetup extensions - dm-integrity and dm-crypt stack

Conclusion We implemented authenticated encryption in LUKS. It can be quite easily adopted to existing systems. There is a quite high price for it performance (and decreased storage size). Changes need to be merged to upstream kernel. Userspace is based on LUKS2. (Coming one day, really! :) Example concept, not a Panacea!... Integrity protection on other layers... if you want it, send a patch, thx :-)

Centre for Research on Cryptography and Security Thanks for your attention. Q & A? mbroz@redhat.com xbroz@fi.muni.cz DevConf, Brno January 28, 2017

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback