Limiting Liability in a
Federally Compliant File System
Zachary N. J. Peterson
Randal Burns
Adam Stubblefield
Department of Computer Science, Johns Hopkins University
Overview


Recent legislation makes new requirements with
respect to the management of electronic records
How does one electronically “leave the past behind?”
–
–

Data managers may wish to limit their liability
Patients/account holders may wish for their data to expire
We have developed a method for securely deleting
data in a regulatory environment
–
–
Fast & efficient
No additional key overhead
PORTIA Workshop 2004
A Paperless World

Information records are becoming entirely electronic
–
–




Financial records, medical records, federal data
300 million computers storing 150,000 terabytes of data
Eases use, sharing, and indexing
Allows for undetectable modification, eaves-dropping,
and other more devious things
Congress and others have begun to address the
importance of managing and securing electronic
records
Over 4,000 federal, state and local laws and
regulations with regard to electronic record
management
PORTIA Workshop 2004
The Law and Storage



Health Insurance
Portability and
Accountability Act
(HIPAA) (1996)
Government
Information Security
Reform Act (GISRA)
Federal Information
Security Management
Act (FISMA) (2002)







E-SIGN (2000)
Sarbanes-Oxley (2002)
Gramm-Leach-Bliley
(2002)
USA-PATRIOT Act
Federal Records Act
DoD Directive 5015.2
And on and on…
PORTIA Workshop 2004
Distilling Regulatory Requirements


Authentication and Authorization
Audit Trail
–
–

Files should be versioned over time
Secure block sharing between versions
Secure Storage and Transmission
The use of cryptography for:
– Privacy and confidentiality
– Non-repudiation
PORTIA Workshop 2004
Secure Deletion in the
Regulatory Environment


Organizations must take steps to protect privacy
Desire to limit liability
–
–


Records that go out of audit scope should do so forever
Patients may wish to redact portions of their medial record
When a disk is subpoenaed, old and irrelevant data
should be inaccessible
Simply “emptying the trash” isn’t good enough
–
–
Only frees the blocks for future allocations
Even after reuse, overwritten data may be reconstructed
using magnetic force microscopy
PORTIA Workshop 2004
Existing Techniques

Secure Overwrite [Gutmann 96]
–
–

Key Disposal [Boneh & Lipton 96]
–
–

Data blocks are overwritten many times with alternating
patterns of 1s and 0s
Magnetic media is degaussed and safe from MFM
Data encrypted with a key
Key is securely deleted, eliminating meaningful data access
User Space Tools
–
–
–
CyberScrub
Overwrite
Wipe
PORTIA Workshop 2004
Technical Problems

Secure overwriting of noncontiguous data blocks is
slow and inefficient
–

Cannot dispose file keys in a versioning file system
–

When versions share blocks, data to be overwritten may be
noncontiguous
Blocks encrypted with a particular key need to be available
in future versions
User space tools are categorically inadequate
–
–
–
–
Can’t delete metadata
Can’t be interposed between file operations
Truncate may leak data
Synchronicity is difficult and inconvenient
PORTIA Workshop 2004
The Big Idea
f k ( Bi , N )  Ci || si




A keyed all-or-nothing transform takes a key, a data
block, and a nonce
Encryption creates an encrypted block and a stub
When the key is private, data is secure and
authenticated
Securely deleting stub, securely deletes block, even
if the key is later exposed
PORTIA Workshop 2004
All-or-nothing (AON) Encryption
[Boyko 99] [Rivest 96]


A mode for block ciphers that requires all cipher
blocks to be decrypted before the message block is
recovered
Increases the searchable key space for brute-force
attacks
–


Attacker slowed down by a factor equal to the number of
blocks in the cipher text
By definition, destroying any cipher block destroys
the entire message block
Our work is the first practical application of AON
PORTIA Workshop 2004
Features of our System

Stub length is a security parameter
–


Stubs are stored with metadata and are not secret
When deleting a version, metadata and stubs are
securely overwritten
–

In practice, the stub might be 128 bits
this securely removes all data for that version
Stubs of the shared blocks are replicated to new
versions
–
Shared data are preserved when previous versions are
deleted
PORTIA Workshop 2004
Example
File Metadata
11 …
s0
s1
s2
Disk
C0
C1 C2
PORTIA Workshop 2004
Example
Receive a write to block #2
at time 17
File Metadata
11 …
s0
s1
s2
17 …
s0 ss11’ s2
Disk
C0
C1 C2
PORTIA Workshop 2004
C1’
Example
Delete file at time 11
File Metadata
11 …
s0
s1
s2
17 …
s0 s1 ’ s2
Disk
C0
C1 C2
PORTIA Workshop 2004
C1’
Example
Delete file at time 11
Block C1 is deleted permanently
File Metadata
11 …
s0
s1
s2
17 …
s0 s1 ’ s2
Disk
C0
C1 C2
PORTIA Workshop 2004
C1’
More Features

No extra key overhead added to the system when
compared with other secure systems
–

Versions of a file may use the same key for encryption
AON encryption allows the deletion of any 128 bits
–
–
Instead of removing the stub, 128 bits of the block may be
securely overwritten instead
More efficient when removing data from all versions of a file
PORTIA Workshop 2004
Example
File Metadata
11 …
s0
s1
s2
…
Disk
C0 C1 C2
PORTIA Workshop 2004
17 …
s0
s1
s2
Example
File Metadata
11 …
s0
s1
s2
…
Disk
C0 C1 C2
PORTIA Workshop 2004
17 …
s0
s1
s2
Availability

Implementing this secure deletion scheme in
ext3cow
–

Web site: www.ext3cow.com
–
–
–

A fully working snapshot file system for the Linux
2.4 kernel
Download the patch
Read the technical report
Join the mailing list
Email: zachary@jhu.edu
PORTIA Workshop 2004
PORTIA Workshop 2004
Electronic Record Legislation

–
–

Digital contracts are as
legitimate as paper
contracts
FISMA (2002)
–
–
Framework for ensuring
security controls for storage
Security of system must be
commensurate with security
of data
Sarbanes-Oxley (2002)
–
Technical security
mechanisms
Physical safeguards
–
E-SIGN (2000)
–


HIPAA (1996)
–
–

CEO, CFO responsible for
accurate financial reports
Management assessment of
internal controls
Real time disclosure
Criminal penalties for altering
documents
Gramm-Leach-Bliley (2002)
–
–
PORTIA Workshop 2004
Consumer records kept
confidential
Protect against threats and
unauthorized access
The Law and Storage



Health Insurance
Portability and
Accountability Act
(HIPAA)
Government
Information Security
Reform Act (GISRA)
Federal Information
Security Management
Act (FISMA)






Sarbanes-Oxley (SOX)
Gramm-Leach-Bliley
(GLB)
PATRIOT Act
Federal Records Act
DoD Directive 5015.2
4,000+ State and
Federal Laws and
Regulations with regard
to storage
PORTIA Workshop 2004
What are the requirements?

Authorization
–
–
–

Access controls
(role-based
authorizations)
Encryption
(confidentiality)
Digital signatures
(non-repudiation)
Authentication

Audit Trail
–

Secure Storage and
Transmission
–

Record of all changes
More encryption?
Integrity & Reliability
–
–
PORTIA Workshop 2004
Unaltered records.
Trusted content.
Introducing Ext3cow

A file system based on ext3 that supports file
system snapshot with a time-shifting
interface.
–
–
–
Creates immutable views of a file system as it
appeared at a specific point in time.
Versions of a file are created with copy-on-write
(cow) of blocks.
Snapshots are addressed with an
epoch number that corresponds to a
system time (gettimeofday).
PORTIA Workshop 2004
Securing our COW file system

Challenges
–
–
–
How to encrypt files that share blocks between
versions.
How to change permissions such that a user who
had access to a file in the past is not able to
access current versions.
Securely deleting files such that they are no longer
able to be subpoenaed.
PORTIA Workshop 2004
Conclusions

New legislation requires versioning, security
and privacy
–

Versioning must be fast?
AON encryption allows for secure deletion
with minimal secure overwriting
–
–
More efficient than securely overwriting
noncontiguous data blocks
Does not increase key overhead
PORTIA Workshop 2004