
When Cryptography Meets Storage

Sarah Diesburg, Chris Meyers, David Lary, and An-I Andy Wang, Florida State University. Motivations: cryptographic systems are used for confidential storage of data, but assumptions made for other media (e.g. networks) are not directly applicable to storage.


Presentation Transcript


  1. When Cryptography Meets Storage
     Sarah Diesburg, Chris Meyers, David Lary, and An-I Andy Wang
     Florida State University

  2. Motivations
     • Cryptographic systems used for confidential storage of data
     • Assumptions made for other media (e.g. networks) not directly applicable to storage
     • Usage patterns and properties affect confidentiality guarantees, especially when keys and IVs are reused over time
     Introduction • Background • Cryptanalysis • Examples • Conclusion

  3. Contributions
     • Non-contributions
       • Two-time pad problem
       • Criticisms of particular storage systems
     Instead, we want to demonstrate what can go wrong when cryptography and storage constraints collide.

  4. Applying Encryption to a Network
     • Usage patterns and properties
       • Short-lived data streams (e.g., messages)
       • Write-once content (e.g., transactions)
     • Uniqueness of keys and IVs achieved by cycling through large IV space before changing to new key

  5. Storage
     • Similar to a communication channel through time, but…
     • Usage patterns and properties
       • In-place updates: if keys and IVs are generated as a function of offsets within a file or storage medium, the uniqueness of keys and IVs is compromised
       • Example: using sector number as IV

  6. Storage
     • Content shifting: potentially a large quantity of original plaintext is encrypted via reusing the keys and IVs defined as a function of file and disk locations
     • Backups: versions of backups can violate the uniqueness of IVs and keys

  7. Legacy Storage Data Path Problems
     • Single generic data type: encrypted and non-encrypted data treated similarly
       • Sensitive data may be cached in plaintext
     • Poor consistency guarantees: versions of encrypted data may reside in memory and on disk
       • Due to OS mechanisms (e.g., hibernation and swap)

  8. Legacy Storage Data Path Problems
     • Information hiding: no physical views of the underlying storage
       • Old versions may still linger on raw storage, even though application can only see newest encrypted data

  9. Two-time Pad Problem
     • Occurs when cryptographic information is reused to generate new encrypted data
     • Best explained with stream cipher example

  10. Stream Ciphers
      • $K \oplus P = C$
      • $K \oplus P' = C'$
      • $P \oplus P' = C \oplus C'$

  11. Block Cipher Modes of Operation: CFB
      $E_{key}(IV) \oplus P_1 = C_1$
      $E_{key}(C_1) \oplus P_2 = C_2$
      $E_{key}(C_2) \oplus P_3 = C_3$

  14. Block Cipher Modes of Operation: CFB
      Original:
      $E_{key}(IV) \oplus P_1 = C_1$
      $E_{key}(C_1) \oplus P_2 = C_2$
      $E_{key}(C_2) \oplus P_3 = C_3$
      After in-place update:
      $E_{key}(IV) \oplus P_1' = C_1'$
      $E_{key}(C_1') \oplus P_2 = C_2'$
      $E_{key}(C_2') \oplus P_3 = C_3'$

  18. Block Cipher Modes of Operation: CFB
      • Scope of vulnerability limited to current in-place updated block
      Original:
      $E_{key}(IV) \oplus P_1 = C_1$
      $E_{key}(C_1) \oplus P_2 = C_2$
      $E_{key}(C_2) \oplus P_3 = C_3$
      After in-place update:
      $E_{key}(IV) \oplus P_1' = C_1'$
      $E_{key}(C_1') \oplus P_2 = C_2'$
      $E_{key}(C_2') \oplus P_3 = C_3'$

  19. Block Cipher Modes of Operation: OFB
      $E_{key}(IV) \oplus P_1 = C_1$
      $E_{key}(E_{key}(IV)) \oplus P_2 = C_2$
      $E_{key}(E_{key}(E_{key}(IV))) \oplus P_3 = C_3$

  21. Block Cipher Modes of Operation: OFB
      Original:
      $E_{key}(IV) \oplus P_1 = C_1$
      $E_{key}(E_{key}(IV)) \oplus P_2 = C_2$
      $E_{key}(E_{key}(E_{key}(IV))) \oplus P_3 = C_3$
      After update:
      $E_{key}(IV) \oplus P_1 = C_1$
      $E_{key}(E_{key}(IV)) \oplus P_2' = C_2'$
      $E_{key}(E_{key}(E_{key}(IV))) \oplus P_3' = C_3'$

  24. Block Cipher Modes of Operation: OFB
      • Scope of vulnerability begins with first changed block and potentially ends with last block in file or extent
      Original:
      $E_{key}(IV) \oplus P_1 = C_1$
      $E_{key}(E_{key}(IV)) \oplus P_2 = C_2$
      $E_{key}(E_{key}(E_{key}(IV))) \oplus P_3 = C_3$
      After update:
      $E_{key}(IV) \oplus P_1 = C_1$
      $E_{key}(E_{key}(IV)) \oplus P_2' = C_2'$
      $E_{key}(E_{key}(E_{key}(IV))) \oplus P_3' = C_3'$

  25. Block Cipher Modes of Operation: CTR
      • Scope of vulnerability begins with first changed block and potentially ends with last block in file or extent
      Original:
      $E_{key}(\mathrm{nonce}\ \mathrm{ctr}_1) \oplus P_1 = C_1$
      $E_{key}(\mathrm{nonce}\ \mathrm{ctr}_2) \oplus P_2 = C_2$
      $E_{key}(\mathrm{nonce}\ \mathrm{ctr}_3) \oplus P_3 = C_3$
      After update:
      $E_{key}(\mathrm{nonce}\ \mathrm{ctr}_1) \oplus P_1 = C_1$
      $E_{key}(\mathrm{nonce}\ \mathrm{ctr}_2) \oplus P_2' = C_2'$
      $E_{key}(\mathrm{nonce}\ \mathrm{ctr}_3) \oplus P_3' = C_3'$
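
The scope-of-vulnerability claims for CFB, OFB and CTR above can be checked mechanically. This is an added example, not code from the presentation: it rewrites blocks 2 and 3 of a three-block extent under the same key and IV and reports which changed blocks satisfy $C \oplus C' = P \oplus P'$. Assumptions: truncated HMAC-SHA256 stands in for $E_{key}$ (these modes only use the forward direction), the CTR input is nonce followed by an 8-byte counter, and the key, IVs and plaintext blocks are constructed sample values.

```python
import hashlib, hmac

BLOCK = 16  # bytes per cipher block

def E(key, block):
    """Stand-in for E_key (assumption): HMAC-SHA256 truncated to one block."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(mode, key, iv, blocks):
    """Encrypt a list of 16-byte blocks in CFB, OFB or CTR mode."""
    out, feedback = [], iv
    for i, p in enumerate(blocks):
        if mode == "CTR":
            ks = E(key, iv[:8] + i.to_bytes(8, "big"))  # nonce followed by counter
        else:
            ks = E(key, feedback)       # CFB and OFB encrypt the feedback register
        c = xor(ks, p)
        feedback = c if mode == "CFB" else ks  # CFB feeds back ciphertext, OFB keystream
        out.append(c)
    return out

def leaking_blocks(mode, key, iv, old, new, new_iv=None):
    """Indices of changed blocks where C xor C' == P xor P' (keystream was reused)."""
    c_old = encrypt(mode, key, iv, old)
    c_new = encrypt(mode, key, new_iv or iv, new)
    return [i for i, (p, q) in enumerate(zip(old, new))
            if p != q and xor(c_old[i], c_new[i]) == xor(p, q)]

# Constructed sample data: one extent, first block unchanged by the update.
KEY = b"constructed-demo-key"
IV = bytes(16)                 # e.g. derived from a fixed sector number
FRESH_IV = b"\x01" * 16        # what a per-write unique IV would look like
OLD = [b"block one.......", b"balance: 0001000", b"owner: alice...."]
NEW = [b"block one.......", b"balance: 9999000", b"owner: mallory.."]

if __name__ == "__main__":
    for mode in ("CFB", "OFB", "CTR"):
        print(mode, "reused IV:", leaking_blocks(mode, KEY, IV, OLD, NEW),
              "fresh IV:", leaking_blocks(mode, KEY, IV, OLD, NEW, FRESH_IV))
```

With the reused IV, CFB exposes only the first changed block, while OFB and CTR expose every changed block through the end of the extent; with a fresh IV none of them do.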

  26. Proof of Concept: DecodeXOR
      • Built a utility to extract $P$ and $P'$ from $C \oplus C'$
      • Mostly hashing
      • No frequency analysis, hidden Markov models, etc.
      • OK to include punctuation, mixed-case letters, numbers, and extended ASCII characters
      • Written in C, only 363 semicolons
      • Relies heavily on training set
      • Ample room for enhancements

  27. DecodeXOR
      • n-gram table representation and construction
      • Training file
        • 100MB of ~English content from random web pages
      • All consecutive 2-grams encountered hashed into bitmap
      Example: 0 0 0 0 0 0 0 0 0 0 0 0 0 0

  28. DecodeXOR
      • n-gram table representation and construction
      • Training file
        • 100MB of ~English content from random web pages
      • All consecutive 2-grams encountered hashed into bitmap
      Example: 0 0 0 0 0 1 0 0 0 0 0 0 0 0

  29. DecodeXOR
      • n-gram table representation and construction
      • Training file
        • 100MB of ~English content from random web pages
      • All consecutive 2-grams encountered hashed into bitmap
      Example: 0 0 1 0 0 1 0 0 0 0 0 0 0 0

  31. DecodeXOR
      • n-gram table representation and construction
      • Training file
        • 100MB of ~English content from random web pages
      • All consecutive 2-grams encountered hashed into bitmap
      • Same method extended to capture n-grams of 3 to 6 characters

  32. DecodeXOR
      • n-gram table representation and construction
      • Can combine all tables, effectively a Bloom filter
      2-gram:   1 0 0 1 1 0 0 1 0 1 0 1 1 0
      …
      6-gram:   0 0 1 0 1 0 1 1 1 0 0 0 1 0
      combined: 1 0 1 1 1 0 1 1 1 1 0 1 1 0

  33. DecodeXOR
      • Solving plaintext substrings
      • Candidate plaintexts need to conform to 3 constraints
      1st constraint:
      $P_1\ P_2\ P_3\ P_4\ P_5\ P_6\ P_7 \oplus P_1'\ P_2'\ P_3'\ P_4'\ P_5'\ P_6'\ P_7' = S_1\ S_2\ S_3\ S_4\ S_5\ S_6\ S_7$

  34. DecodeXOR
      • Solving plaintext substrings
      • Candidate plaintexts need to conform to 3 constraints
      2nd constraint:
      $P_1\ P_2\ P_3\ P_4\ P_5\ P_6\ P_7$
      $P_1'\ P_2'\ P_3'\ P_4'\ P_5'\ P_6'\ P_7'$
      The above is a legitimate 6-gram

  38. DecodeXOR
      • Solving plaintext substrings
      • Candidate plaintexts need to conform to 3 constraints
      3rd constraint:
      $P_1\ P_2\ P_3\ P_4\ P_5\ P_6\ P_7$
      $P_1'\ P_2'\ P_3'\ P_4'\ P_5'\ P_6'\ P_7'$
      The last 5 characters of $\{P_n, \dots, P_{n+5}\}$ need to match the first 5 characters of $\{P_{n+1}, \dots, P_{n+6}\}$

  40. DecodeXOR
      • Solving plaintext substrings
      • Candidate plaintexts need to conform to 3 constraints
      3rd constraint:
      $P_1\ P_2\ P_3\ P_4\ P_5\ P_6\ P_7$
      $P_1'\ P_2'\ P_3'\ P_4'\ P_5'\ P_6'\ P_7'$
      Same for $P'$ substrings

  42. DecodeXOR: Test Run
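
The n-gram bitmap and the three constraints from the DecodeXOR slides, as an added Python sketch; it is not the DecodeXOR source, which the slides describe as a C program. Assumptions: CRC32 as the hash, a 2^24-bit combined bitmap, candidate 6-grams drawn from the training text itself, and a constructed one-sentence training text and plaintext pair.

```python
import zlib

BITS = 1 << 24  # bitmap size in bits (assumed; the slides do not give one)

def slot(gram):
    return zlib.crc32(gram) % BITS

def build_bitmap(training, n_min=2, n_max=6):
    """Hash every consecutive n-gram (n = 2..6) into one combined bitmap."""
    bitmap = bytearray(BITS // 8)
    for n in range(n_min, n_max + 1):
        for i in range(len(training) - n + 1):
            h = slot(training[i:i + n])
            bitmap[h >> 3] |= 1 << (h & 7)
    return bitmap

def seen(bitmap, gram):
    """Bloom-filter style lookup: False is definite, True may be a collision."""
    h = slot(gram)
    return bool(bitmap[h >> 3] & (1 << (h & 7)))

def candidate_pairs(bitmap, training, s):
    """6-gram pairs (P, P') with P xor P' == s (1st constraint),
    both present in the bitmap (2nd constraint)."""
    pairs = set()
    for i in range(len(training) - 5):
        p = training[i:i + 6]              # taken from training, so already legitimate
        q = bytes(a ^ b for a, b in zip(p, s))
        if seen(bitmap, q):
            pairs.add((p, q))
    return pairs

def chains(left, right):
    """3rd constraint: the last 5 characters of window n equal the first 5
    characters of window n+1, for both the P and the P' substrings."""
    return left[0][1:] == right[0][:5] and left[1][1:] == right[1][:5]

# Constructed sample data.
TRAINING = b"the old password is tiger; the new password is zebra and nothing else"
P_TRUE, Q_TRUE = b"tiger; ", b"zebra a"                # 7 bytes each: two 6-gram windows
S = bytes(a ^ b for a, b in zip(P_TRUE, Q_TRUE))        # what C xor C' reveals

if __name__ == "__main__":
    bm = build_bitmap(TRAINING)
    first = candidate_pairs(bm, TRAINING, S[:6])
    second = candidate_pairs(bm, TRAINING, S[1:])
    print([(a, b) for a in first for b in second if chains(a, b)])
```

Because every pair satisfies the XOR constraint in either order, the filter cannot tell which plaintext is the old version and which is the new one; it only narrows the pair.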

  43. Four Storage Examples
      • Seemingly one-time pads may be turned into two-time pads:
        • File system
        • Swap
        • Flash memory
        • Backups in all-or-nothing secure deletion system
      • Goal is not to criticize particular implementations

  44. File System
      • CryptoFS
        • Popular encryption file system
        • Extent-based
        • Uses CFB mode to support extent-based random access
        • Number of unique IVs is fixed but configurable
        • IV = disk block number % number of IVs

  45. File System
      File structure with extents and CFB encryption
      [Figure: extents labeled 4KB, 4KB]

  46. File System
      File structure with extents and CFB encryption
      [Figure: extents labeled 4KB, 4KB]
      $E_{key}(IV_0) \oplus P_1 = C_1$
      $E_{key}(C_1) \oplus P_2 = C_2$

  47. File System
      File structure with extents and CFB encryption
      [Figure: extents labeled 4KB, 4KB]
      $E_{key}(IV_0) \oplus P_1 = C_1$
      $E_{key}(C_1) \oplus P_2 = C_2$
      $E_{key}(IV_0) \oplus P_1' = C_1'$
      $E_{key}(C_1') \oplus P_2' = C_2'$
