When Cryptography Meets Storage

Presentation Transcript


    1. When Cryptography Meets Storage. Sarah Diesburg, Chris Meyers, David Lary, and An-I Andy Wang, Florida State University

    2. Motivations: Cryptographic systems used for confidential storage of data. Assumptions made for other media (e.g. networks) not directly applicable to storage. Usage patterns and properties affect confidentiality guarantees, especially when keys and IVs are reused over time. (IVs = encryption material at this point.)

    3. Contributions. Non-contributions: two-time pad problem; criticisms of particular storage systems. Instead, we want to demonstrate what can go wrong when cryptography and storage constraints collide.

    4. Applying Encryption to a Network. Usage patterns and properties: short-lived data streams (e.g., messages); write-once content (e.g., transactions). Uniqueness of keys and IVs achieved by cycling through large IV space before changing to new key.

    5. Storage: Similar to a communication channel through time, but with different usage patterns and properties. In-place updates: if keys and IVs are generated as a function of offsets within a file or storage medium, the uniqueness of keys and IVs is compromised. Example: using sector number as IV.

    6. Storage: Content shifting - potentially a large quantity of original plaintext is encrypted via reusing the keys and IVs defined as a function of file and disk locations. Backups - versions of backups can violate the uniqueness of IVs and keys. (Content shifting = insertion into file.)

    7. Legacy Storage Data Path Problems: Single generic data type - encrypted and non-encrypted data treated similarly; sensitive data may be cached in plaintext. Poor consistency guarantees - versions of encrypted data may reside in memory and on disk, due to OS mechanisms (e.g., hibernation and swap). (Data lifetime problem.)

    8. Legacy Storage Data Path Problems: Information hiding - no physical views of the underlying storage. Old versions may still linger on raw storage, even though application can only see newest encrypted data.

    9. Two-time Pad Problem: Occurs when cryptographic information is reused to generate new encrypted data. Best explained with stream cipher example.

    10. Stream Ciphers: K ⊕ P = C. (Plaintext light color, ciphertext dark color.)

    11. Block Cipher Modes of Operation: CFB. Counter Feedback Mode.

    12. Block Cipher Modes of Operation: CFB. This is the pad.

    13. Block Cipher Modes of Operation: CFB. Another pad.

    14. Block Cipher Modes of Operation: CFB. Suppose we update plaintext1. This causes ciphertext1 to be updated.

    15. Block Cipher Modes of Operation: CFB. We see that the pads are the same

    16. Block Cipher Modes of Operation: CFB. and they cancel, leaving the two-time pad problem.

    17. Block Cipher Modes of Operation: CFB. However, the problem does not persist for the next iteration of CFB, since the IV to the second pad is actually ciphertext1, which has changed. This means that the pads do not cancel.

    18. Block Cipher Modes of Operation: CFB

    19. Block Cipher Modes of Operation: OFB. Discuss Output Feedback Mode.

    20. Block Cipher Modes of Operation: OFB. This is the pad. It looks like a stream cipher.

    21. Block Cipher Modes of Operation: OFB. Suppose we update plaintext2 with content larger than the original plaintext2. Again, this shifts previous plaintext content further down the file to be re-encrypted.

    22. Block Cipher Modes of Operation: OFB. We can see that the pads of the modified blocks

    23. Block Cipher Modes of Operation: OFB. cancel, leaving the two-time pad problem.

    24. Block Cipher Modes of Operation: OFB. Say bullet.

    25. Block Cipher Modes of Operation: CTR. Say bullet.
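
The pad behaviour walked through on slides 14-23, as an added example that is not code from the presentation: with a reused key and IV, CFB leaks only the first block of a rewritten extent while OFB leaks every block, and a fresh IV per re-encryption removes the cancellation. The HMAC-based stand-in for the block cipher, the key, the block number 1027, the IV count 256 and the inserted text are assumptions constructed for this sketch.

```python
import hashlib, hmac, os

BS = 16  # block size in bytes

def E(key, block):
    # Assumption: HMAC-SHA256 truncated to 16 bytes stands in for AES here.
    # CFB and OFB only ever call the cipher's encrypt direction.
    return hmac.new(key, block, hashlib.sha256).digest()[:BS]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def blocks(data):
    return [data[i:i + BS] for i in range(0, len(data), BS)]

def cfb(key, iv, pt):
    out, fb = [], iv
    for p in blocks(pt):
        fb = xor(E(key, fb), p)      # pad = E(previous ciphertext block)
        out.append(fb)
    return b"".join(out)

def ofb(key, iv, pt):
    out, fb = [], iv
    for p in blocks(pt):
        fb = E(key, fb)              # pad depends only on key and IV
        out.append(xor(fb, p))
    return b"".join(out)

def location_iv(block_no, n_ivs):
    # IV as a function of storage location (the pattern from slides 5 and 48).
    return (block_no % n_ivs).to_bytes(BS, "big")

def fresh_iv():
    return os.urandom(BS)            # new IV for every (re-)encryption

def cancelled(mode, key, iv_old, iv_new, old, new):
    """Block indices where C xor C' == P xor P', i.e. the pads cancelled."""
    dc = blocks(xor(mode(key, iv_old, old), mode(key, iv_new, new)))
    dp = blocks(xor(old, new))
    return [i for i, (c, p) in enumerate(zip(dc, dp)) if c == p]

# Constructed sample: two versions of a 48-byte extent; the second version
# has text inserted at the front, so every block shifts (content shifting).
KEY = bytes(range(32))
TEXT = b"Now is the time for all good people to worry about their privacy."
OLD, NEW = TEXT[:48], (b"Right " + TEXT)[:48]
IV = location_iv(block_no=1027, n_ivs=256)   # same IV for both versions

if __name__ == "__main__":
    print("CFB, reused IV:", cancelled(cfb, KEY, IV, IV, OLD, NEW))
    print("OFB, reused IV:", cancelled(ofb, KEY, IV, IV, OLD, NEW))
    print("OFB, fresh IVs:", cancelled(ofb, KEY, fresh_iv(), fresh_iv(), OLD, NEW))
```

A fresh IV has to be stored next to the ciphertext it protects, which is the storage cost a location-derived IV was avoiding.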

    26. Proof of Concept: DecodeXOR. Built a utility to extract P and P from C ⊕ C. Mostly hashing; no frequency analysis, hidden Markov models, etc. OK to include punctuations, mixed case letters, numbers, and extended ASCII characters. Written in C, only 363 semicolons. Relies heavily on training set. Ample room for enhancements.

    27. DecodeXOR n-gram table representation and construction: Training file - 100MB of ~English content from random web pages. All consecutive 2-grams encountered hashed into bitmap.

    31. DecodeXOR n-gram table representation and construction: Same method extended to capture n-grams of 3 to 6 characters.

    36. DecodeXOR n-gram table representation and construction: Can combine all tables, effectively a Bloom filter.

    37. DecodeXOR, solving plaintext substrings: Candidate plaintexts need to conform to 3 constraints.

    46. DecodeXOR: Test Run

    47. Four Storage Examples: Seemingly one-time pads may be turned into two-time pads: file system; swap; flash memory; backups in all-or-nothing secure deletion system. Goal is not to criticize particular implementations.

    48. File System: CryptoFS. Popular encryption file system. Extent-based. Uses CFB mode to support extent-based random access. Number of unique IVs is fixed but configurable. IV = disk block number % number of IVs.

    49-58. File System (figure-only slides)

    59. Proof of Concept: We encrypt one file and save a copy of C1. P1 = Now is the time for all good people to worry about their privacy. We modify the file and save a copy of C1. P1 = Now is the time for all good people to worry about their privacy.

    60. Proof of Concept: DecodeXOR

    61. Flash: Use of flash storage is becoming ubiquitous. Although popular, flash has limitations: each storage location can only be erased up to 100,000 times; erasure time is slow (in msec); an in-place update involves first erasing the target location before writing new data.

    62. Flash: Wear leveling rotates the usage of locations evenly to prolong the life of device.

    64. Flash: Wear leveling rotates the usage of locations evenly to prolong the life of device. Overwrites go to new block instead of original block.

    65. Flash: Dead data is often left behind on the flash until that block is needed to store new data.

    68. Flash: Dead data is often left behind on the flash until that block is needed to store new data. (Dead blocks may not be recycled until entire device has been used due to evenness of wear leveling mechanism.)

    69. Flash: We demonstrate that we can find old encrypted data using JFFS2, a log-based file system with wear leveling for flash. Experiment: mounted jffs2 on a disk partition using the emulation module block2mtd.

    70. Flash: Encrypted two files with 128-bit AES in OFB mode with same key and IV. File1 and File2 identical, except File2's 2nd block has shifted content. Result is different ciphertext for second half of file.

    71. Flash: Copied File1 onto the jffs2 flash partition. Overwrote the second half of File1 with the modified second half of File2. See if we could find traces of the original second half of File1. We were able to verify large portions of the original second half of File1! With both second halves, we could use DecodeXOR to recover the plaintext.

    72. Lessons: Avoid certain encryption modes in storage. Do not reuse keys and IVs when re-encrypting data. Be aware of the properties of legacy storage data path: single generic data type; poor consistency guarantees; information hiding.

    73. Conclusion: Remember storage is different than networks: in-place updates; content shifting; backups. Legacy storage usage patterns and properties threaten confidentiality. Knowing what can go wrong is the first step.

    74. Questions? When Cryptography Meets Storage. Sarah Diesburg, Chris Meyers, David Lary, and An-I Andy Wang, Florida State University

    75. Extra Slides

    76. Attacks: So how can attacker get two versions of a file's ciphertext? Backups: portable hard drives, flash, versioning file systems. Multiuser machine: through root access or poor directory permission settings. Email snooping / network sniffing. Swap. More to the imagination.

    77. Swap via Hibernation: Memory caching may keep recently modified encrypted data in memory (write-back policy). Hibernation allows system to save current memory states to non-volatile storage. Could result in multiple stored versions of data encrypted with same key and IV.

    78. Swap via Hibernation: Experiment: Injected encrypted data into memory. Identified swap candidate blocks with high entropy. Created XOR blocks by XORing encrypted file blocks with candidate swap blocks. Used DecodeXOR to analyze XOR blocks that exhibit low, but non-zero entropy. C ⊕ C = P ⊕ P = low entropy; C ⊕ C = zero entropy; C1 ⊕ C2 = high entropy.

    79. DecodeXOR, tracking and assembling candidate plaintext substrings: Uses a hash table to track 6-character candidate substrings that satisfy previous constraints. For each 6-character candidate substring: last 5 characters in substring determine storage location of the 6-character substring; first 5 characters in substring points to the hash bin location of the previous candidate substring with the last 5 characters matched.
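
The entropy triage from slide 78, as an added example that is not code from the presentation, written as an audit check for stale ciphertext versions left in swap or on raw storage. The SHA-256 counter keystream, the keys and IVs, the sample text and the 7.0 bits-per-byte threshold (ASCII xor ASCII never sets the top bit) are assumptions constructed for this sketch.

```python
import hashlib, math
from collections import Counter

def keystream(key, iv, n):
    # Assumption: SHA-256 in counter mode stands in for the real cipher's pad.
    out = b"".join(hashlib.sha256(key + iv + i.to_bytes(8, "big")).digest()
                   for i in range((n + 31) // 32))
    return out[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def entropy(data):
    """Shannon entropy in bits per byte."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(file_block, candidate):
    h = entropy(xor(file_block, candidate))
    if h == 0:
        return "identical"          # same version: the XOR is all zeros
    if h < 7.0:                     # assumed threshold for ASCII plaintext
        return "same-pad-version"   # pads cancelled, plaintext XOR remains
    return "unrelated"              # different pads: XOR looks random

def scan(file_block, candidates):
    return [classify(file_block, c) for c in candidates]

# Constructed sample: a 4096-byte file block and three swap candidate blocks.
KEY, IV, OTHER_IV = b"k" * 32, b"\x00" * 16, b"\x01" * 16
OLD = (b"the quarterly report is due on friday; send it to finance. " * 80)[:4096]
NEW = (b"draft: " + OLD)[:4096]      # edited version, content shifted
PAD = keystream(KEY, IV, 4096)
FILE_BLOCK = xor(NEW, PAD)           # current on-disk ciphertext
SWAP = [
    xor(NEW, PAD),                               # same version cached in swap
    xor(OLD, PAD),                               # older version, same key and IV
    xor(OLD, keystream(KEY, OTHER_IV, 4096)),    # encrypted under another IV
]

if __name__ == "__main__":
    for label in scan(FILE_BLOCK, SWAP):
        print(label)
```

Any "same-pad-version" hit means two versions encrypted under one key and IV are both recoverable from the medium.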
