When Cryptography
Meets Storage
Sarah Diesburg, Chris Meyers,
David Lary, and An-I Andy Wang
Florida State University
Motivations


Cryptographic systems used for confidential
storage of data
Assumptions made for other media (e.g.
networks) not directly applicable to storage

Usage patterns and properties affect
confidentiality guarantees, especially when keys
and IVs are reused over time
Introduction • Background • Cryptanalysis • Examples • Conclusion
Contributions

Non-contributions


Two-time pad problem
Criticisms of particular storage systems
Instead, we want to demonstrate what can go
wrong when cryptography and storage
constraints collide.
Applying Encryption to a Network

Usage patterns and properties



Short-lived data streams (e.g., messages)
Write-once content (e.g., transactions)
Uniqueness of keys and IVs achieved by
cycling through large IV space before
changing to new key
Storage


Similar to a communication channel
through time, but…
Usage patterns and properties

In-place updates - if keys and IVs are generated
as a function of offsets within a file or storage
medium, the uniqueness of keys and IVs is
compromised

Example: using sector number as IV
Storage


Content shifting - potentially a large quantity of
original plaintext is encrypted via reusing the keys
and IVs defined as a function of file and disk
locations
Backups – versions of backups can violate the
uniqueness of IVs and keys
Legacy Storage Data Path Problems

Single generic data type - encrypted and
non-encrypted data treated similarly


Sensitive data may be cached in plaintext
Poor consistency guarantees – versions of
encrypted data may reside in memory and on
disk

Due to OS mechanisms (e.g., hibernation and
swap)
Legacy Storage Data Path Problems

Information hiding – no physical views of
the underlying storage

Old versions may still linger on raw storage, even
though application can only see newest encrypted
data
Two-time Pad Problem


Occurs when cryptographic information is
reused to generate new encrypted data
Best explained with stream cipher example
Stream Ciphers
K ⊕ P = C
K ⊕ P’ = C’
P ⊕ P’ = C ⊕ C’
[Figure: the same key stream K is XORed with P and with P’ to give C and C’]
Block Cipher Modes of Operation:
CFB

Scope of vulnerability limited to current in-place
updated block
E_key(IV) ⊕ P1 = C1
E_key(C1) ⊕ P2 = C2
E_key(C2) ⊕ P3 = C3
E_key(IV) ⊕ P1’ = C1’
E_key(C1’) ⊕ P2 = C2’
E_key(C2’) ⊕ P3 = C3’
Block Cipher Modes of Operation:
OFB

Scope of vulnerability begins with first changed block
and potentially ends with last block in file or extent
E_key(IV) ⊕ P1 = C1
E_key(E_key(IV)) ⊕ P2 = C2
E_key(E_key(E_key(IV))) ⊕ P3 = C3
E_key(IV) ⊕ P1 = C1
E_key(E_key(IV)) ⊕ P2’ = C2’
E_key(E_key(E_key(IV))) ⊕ P3’ = C3’
Block Cipher Modes of Operation:
CTR

Scope of vulnerability begins with first changed block
and potentially ends with last block in file or extent
E_key(nonce ⊕ ctr1) ⊕ P1 = C1
E_key(nonce ⊕ ctr2) ⊕ P2 = C2
E_key(nonce ⊕ ctr3) ⊕ P3 = C3
E_key(nonce ⊕ ctr1) ⊕ P1 = C1
E_key(nonce ⊕ ctr2) ⊕ P2’ = C2’
E_key(nonce ⊕ ctr3) ⊕ P3’ = C3’
Proof of Concept: DecodeXOR


Built a utility to extract P and P’ from C ⊕ C’
Mostly hashing





No frequency analysis, hidden Markov models, etc.
OK to include punctuations, mixed case letters,
numbers, and extended ASCII characters
Written in C, only 363 semicolons
Relies heavily on training set
Ample room for enhancements
DecodeXOR

n-gram table representation and construction

Training file

100MB of ~English content from random web pages
All consecutive 2-grams encountered hashed into
bitmap
Example
[Figure: a bitmap that starts as all zeros; bits are set to 1 as 2-grams are hashed into it]
Same method extended to capture n-grams of 3
to 6 characters
DecodeXOR

n-gram table representation and construction

Can combine all tables, effectively a Bloom filter
2-gram    1 0 0 1 1 0 0 1 0 1 0 1 1 0
…
6-gram    0 0 1 0 1 0 1 1 1 0 0 0 1 0
combined  1 0 1 1 1 0 1 1 1 1 0 1 1 0
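The table construction described above, as an added example that is not DecodeXOR's own code: one bitmap per n-gram length, ORed into a single combined table. The bitmap size, the CRC32 hash and the training text are assumptions made for this sketch; the slides do not specify them.

```python
import zlib

BITS = 1 << 12  # bitmap size in bits (assumption; the slides give no size)

def ngrams(text, n):
    return {text[i:i + n] for i in range(len(text) - n + 1)}

def slot(gram):
    # Assumption: CRC32 as the hash; the slides do not name the hash function.
    return zlib.crc32(gram.encode()) % BITS

def build_table(text, n):
    """Bitmap with one bit set for every n-gram seen in the training text."""
    table = bytearray(BITS // 8)
    for g in ngrams(text, n):
        table[slot(g) >> 3] |= 1 << (slot(g) & 7)
    return table

def combine(tables):
    """OR the per-n bitmaps together into one table."""
    out = bytearray(BITS // 8)
    for t in tables:
        for i, byte in enumerate(t):
            out[i] |= byte
    return out

def maybe_seen(table, gram):
    """True if the gram was seen, or collides with one that was (false positive)."""
    return bool(table[slot(gram) >> 3] & (1 << (slot(gram) & 7)))

def fill(table):
    """Fraction of bits set, i.e. the chance that an unseen gram tests positive."""
    return sum(bin(b).count("1") for b in table) / BITS

# Constructed training text (the original used 100MB of web pages).
TRAINING = ("now is the time for all good people to worry about their privacy. "
            "this is a test. legacy storage usage patterns threaten confidentiality.")
TABLES = {n: build_table(TRAINING, n) for n in range(2, 7)}
COMBINED = combine(list(TABLES.values()))

if __name__ == "__main__":
    for n, t in TABLES.items():
        print(f"{n}-gram fill: {fill(t):.4f}")
    print(f"combined fill: {fill(COMBINED):.4f}")
```

A single combined table needs only one lookup per candidate, but its fill ratio, and with it the false-positive rate, is at least as high as that of any per-n table.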
DecodeXOR

Solving plaintext substrings

Candidate plaintexts need to conform to 3 constraints
1st constraint
P1 P2 P3 P4 P5 P6 P7
P1’ P2’ P3’ P4’ P5’ P6’ P7’
S1 S2 S3 S4 S5 S6 S7
2nd constraint
P1 P2 P3 P4 P5 P6 P7
P1’ P2’ P3’ P4’ P5’ P6’ P7’
The above is a legitimate 6-gram
3rd constraint
P1 P2 P3 P4 P5 P6 P7
P1’ P2’ P3’ P4’ P5’ P6’ P7’
The last 5 characters of {Pn,…,Pn+5} need to
match the first 5 characters of {Pn+1,…,Pn+6}
Same for P’ substrings
DecodeXOR : Test Run
This is apa
This is apt
This is ara
This is arb
This is arc
This is are
This is arg
This is arm
This is asc
This is asl
This is ast
This is asy
This is atm
This is att
This is awa
This is a c
This is a d
This is a f
This is a h
This is a p
This is a t
This is as
This is atr
This is a 'b
This is a ta
This is a te
This is a tr
This is a tu
This is a tw
This is a ty
This is a 'ba
This is a tac
This is a tas
This is a tea
This is a tec
This is a tes
This is a try
This is a co
This is a pe
This is a pu
This is a te
This is a tu
This is a tw
This is assw
This is a con
This is a cot
This is a pes
This is a pul
This is a pun
This is a pus
This is a tes
This is a tet
This is a tri
This is a taci
This is a tack
This is a tact
This is a tast
This is a tess
This is a test
This is a tryi
This is a trys
This is a test
This is a test.
This is a test.
Four Storage Examples

Seemingly one-time pads may be turned into
two-time pads:





File system
Swap
Flash memory
Backups in all-or-nothing secure deletion system
Goal is not to criticize particular
implementations
File System

CryptoFS





Popular encryption file system
Extent-based
Uses CFB mode to support extent-based random
access
Number of unique IVs is fixed but configurable
IV = disk block number % number of IVs
File System
File structure with extents and CFB encryption
4KB
E_key(IV0) ⊕ P1 = C1
E_key(C1) ⊕ P2 = C2
…
E_key(IV1) ⊕ P257 = C257
4KB
E_key(IV0) ⊕ P1’ = C1’
E_key(C1’) ⊕ P2’ = C2’
…
E_key(IV1) ⊕ P257’ = C257’

Once content starts to shift, an attacker can
decrypt the modified block and the first block of
subsequent extents after the content insertion
point
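The scope-of-vulnerability statements on the CFB, OFB and CTR slides and the extent-based content-shift case above, checked in one added example (not code from the presentation or from CryptoFS). It re-encrypts a changed file under the same key and IVs and reports which blocks satisfy C ⊕ C’ = P ⊕ P’. Assumptions: a truncated HMAC-SHA256 stands in for E_key, the extent number stands in for the disk block number in IV = disk block number % number of IVs, and extents are 4 blocks long instead of 256.

```python
import hashlib
import hmac

BLOCK = 16  # cipher block size in bytes

def E(key, block):
    # Assumption: HMAC-SHA256 truncated to one block stands in for E_key.
    # CFB, OFB and CTR only ever use the cipher's forward direction.
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def split(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def encrypt(mode, key, plaintext, extent_blocks, n_ivs=4):
    """Encrypt extent by extent; every extent restarts from its own IV."""
    out = []
    for i, p in enumerate(split(plaintext)):
        if i % extent_blocks == 0:
            # Assumption: extent number stands in for the disk block number.
            iv = bytes([(i // extent_blocks) % n_ivs]) * BLOCK
            feedback = iv
        if mode == "CTR":
            ctr = (i % extent_blocks + 1).to_bytes(BLOCK, "big")
            ks = E(key, xor(iv, ctr))  # nonce combined with counter, as on the CTR slide
        else:
            ks = E(key, feedback)
        c = xor(ks, p)
        feedback = c if mode == "CFB" else ks  # CFB chains ciphertext, OFB keystream
        out.append(c)
    return out

def leaked_blocks(mode, key, old, new, extent_blocks):
    """1-based numbers of blocks where C xor C' equals P xor P' and P != P'."""
    pairs = zip(split(old), split(new),
                encrypt(mode, key, old, extent_blocks),
                encrypt(mode, key, new, extent_blocks))
    return [i for i, (p, q, c, d) in enumerate(pairs, 1)
            if p != q and xor(c, d) == xor(p, q)]

# Constructed sample data: three 4-block extents built from the slide's sentence.
KEY = b"constructed demo key"
SENTENCE = b"Now is the time for all good people to worry about their privacy. "
FILE = (SENTENCE * 3)[:12 * BLOCK]
UPDATED = FILE[:BLOCK] + b"#" * (2 * BLOCK) + FILE[3 * BLOCK:]  # blocks 2-3 rewritten in place
SHIFTED = FILE[:20] + b" " + FILE[20:]                          # one byte inserted in block 2

if __name__ == "__main__":
    for mode in ("CFB", "OFB", "CTR"):
        print(mode, "in-place:", leaked_blocks(mode, KEY, FILE, UPDATED, 4),
              "shifted:", leaked_blocks(mode, KEY, FILE, SHIFTED, 4))
```

With CFB only the first changed block of each extent is exposed; with OFB and CTR every block whose plaintext changed is exposed, which after a one-byte insertion is every block to the end of the file.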
Proof of Concept
1. We encrypt one file and save a copy of C1
P1 = “Now is the time for all good people to worry about their privacy.”
2. We modify the file and save a copy of C1’
P1’ = “ Now is the time for all good people to worry about their privacy.”
Proof of Concept

DecodeXOR
Now is the tied
1st XOR pair
Now is the tale
Now is the tied.
2nd XOR pair
Now is the talk
Now is the time'
3rd XOR pair
Now is the timb
Now is the time
4th XOR pair
Now is the time
Now is the time,
5th XOR pair
Now is the timi
Flash


Use of flash storage is becoming ubiquitous
Although popular, flash has limitations



Each storage location can only be erased up to
100,000 times
Erasure time is slow (in msec)
An in-place update involves first erasing the target
location before writing new data
Flash

Wear leveling rotates the usage of locations evenly to
prolong the life of device

Overwrites go to new block instead of original block
[Figure: the OS writes “A” to logical block 1. The logical-to-physical map changes from 0→0, 1→1 to 0→0, 1→2; physical blocks are numbered 0 to 6.]
Flash

Dead data is often left behind on the flash until that block
is needed to store new data
[Figure: the OS writes “J” to logical block 2. Physical blocks 0 to 6 hold A, Z, A, B, C, Y, Z and the logical-to-physical map is 0→0, 1→4, 2→6. Physical block 1 is erased, “J” is written there, and the map becomes 0→0, 1→4, 2→1.]
Flash

We demonstrate that we can find old
encrypted data using JFFS2


Log-based file system with wear leveling for flash
Experiment

Mounted jffs2 on a disk partition using the
emulation module block2mtd
Flash


Encrypted two files with 128-bit AES in OFB mode
with same key and IV
File1 and File2 identical, except File2’s 2nd block
has shifted content

Result is different ciphertext for second half of file
[Figure: File1 and File2, each shown as two 4KB blocks]
Flash


Copied File1 onto the jffs2 flash partition
Overwrote the second half of File1 with the
modified second half of File2

See if we could find traces of the original second
half of file1
We were able to verify large portions of the
original second half of file1!

With both second halves, we could use
DecodeXOR to recover the plaintext
Lessons



Avoid certain encryption modes in storage
Do not reuse keys and IVs when reencrypting data
Be aware of the properties of legacy storage
data path



Single generic data type
Poor consistency guarantees
Information hiding
Conclusion

Remember storage is different than networks





In-place updates
Content shifting
Backups
Legacy storage usage patterns and
properties threaten confidentiality
Knowing what can go wrong is the first step
Questions?
Extra Slides
Attacks

So how can attacker get two versions of a
file’s ciphertext?

Backups


Multiuser machine




Portable hard drives, flash, versioning file systems…
Through root access or poor directory permission
settings
Email snooping / network sniffing
Swap
More to the imagination…
Swap via Hibernation

Memory caching may keep recently modified
encrypted data in memory



Write-back policy
Hibernation allows system to save current
memory states to non-volatile storage
Could result in multiple stored versions of
data encrypted with same key and IV
Swap via Hibernation

Experiment




Injected encrypted data into memory
Identified swap candidate blocks with high
entropy
Created XOR blocks by XORing encrypted file
blocks with candidate swap blocks
Used DecodeXOR to analyze XOR blocks that
exhibit low, but non-zero entropy

C ⊕ C’ = P ⊕ P’ = low entropy
C ⊕ C = zero entropy
C1 ⊕ C2 = high entropy
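The entropy test from this experiment, written as an added audit example (not the authors' tooling): it flags stored block pairs that were encrypted under the same key and IV. Assumptions: SHA-256 over key, IV and a counter stands in for the cipher keystream, the 7.0 bits/byte cut-off is chosen here because the XOR of two ASCII texts always has the top bit clear, and all sample blocks are constructed.

```python
import hashlib
import math
from collections import Counter

def keystream(key, iv, length):
    # Assumption: SHA-256 over key, IV and a counter stands in for the cipher keystream.
    out = b""
    for ctr in range((length + 31) // 32):
        out += hashlib.sha256(key + iv + ctr.to_bytes(8, "big")).digest()
    return out[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def entropy(data):
    """Shannon entropy in bits per byte (0.0 when every byte is the same)."""
    n = len(data)
    return sum(c / n * math.log2(n / c) for c in Counter(data).values())

def classify(block_a, block_b, high=7.0):
    """Label two equally sized ciphertext blocks by the entropy of their XOR."""
    h = entropy(xor(block_a, block_b))
    if h == 0:
        return "identical"                                     # C xor C
    return "keystream reuse" if h < high else "unrelated"      # C xor C' / C1 xor C2

def find_reuse(file_block, candidates, high=7.0):
    """Indices of high-entropy candidates that share a keystream with file_block."""
    return [i for i, cand in enumerate(candidates)
            if entropy(cand) >= high
            and classify(file_block, cand, high) == "keystream reuse"]

# Constructed sample data: one 4KB block, its shifted version, two IVs.
SIZE = 4096
P = (b"Now is the time for all good people to worry about their privacy. " * 63)[:SIZE]
P_SHIFTED = (b" " + P)[:SIZE]
KEY = b"constructed key"
C = xor(P, keystream(KEY, b"iv-0", SIZE))
C_REUSED = xor(P_SHIFTED, keystream(KEY, b"iv-0", SIZE))  # same key and IV
C_OTHER = xor(P_SHIFTED, keystream(KEY, b"iv-1", SIZE))   # fresh IV

if __name__ == "__main__":
    for name, other in (("C", C), ("C_REUSED", C_REUSED), ("C_OTHER", C_OTHER)):
        print(name, round(entropy(xor(C, other)), 2), classify(C, other))
```

Run against old and new copies of an encrypted volume, backups or swap, a "keystream reuse" hit means the re-encryption path reused a key and IV for changed content.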
DecodeXOR

Tracking and assembling candidate plaintext
substrings


Uses a hash table to track 6-character candidate
substrings that satisfy previous constraints
For each 6-character candidate substring


Last 5 characters in substring determine storage
location of the 6-character substring
First 5 characters in substring point to the hash bin
location of the previous candidate substring whose last
5 characters match