Chapter 9 Encrypting Volumes
Chapter 9 Overview
Risks and policy alternatives for protecting drive contents
Block ciphers that achieve high security
Block cipher encryption modes
Hardware for volume encryption
Software for volume encryption
Securing a Volume (1 of 2)
Securing a Volume (2 of 2)
Risks to volumes
Eavesdropping, OS bypass
Discarded hard drives scavenged
Risks and policy trade-offs
Identifying critical data – is it practical, or is it easier to apply crypto automatically?
Security boundary – are attackers inside the system already?
Access Control versus Encryption
Block Ciphers
Building a Block Cipher
Designed using a loop, called a round
More rounds = more scrambling
Higher security, but slower execution
Steps in a block cipher
Generate the key schedule from the key
For each round:
Take the input, or the previous round result
Use the key schedule to scramble the data
To decrypt, apply the steps in reverse order
Evolution of DES and AES
DES developed in mid 1970s by IBM
IBM developed a cipher called “Lucifer”
DES was a simplified version of it
DES was criticized for its obscure development process – no explanation given of its design
Also, the key seemed too short
AES was developed with an open process
All major analyses were published
Provides a series of larger key sizes
Triple DES
The RC4 Story
Developed by Ron Rivest, co-inventor of RSA
Kept as a trade secret by RSA Security, Inc.
US State Dept and NSA allowed its use in exportable crypto products with 40-bit keys
Leaked to the Internet in mid 1990s
Researchers found biases in the keystream
Weaknesses led to practical cracking techniques in early 2000s
RC4 was used in early wireless encryption
Attacks could crack wireless systems quickly
Lessons Learned from RC4
We can't assume that an algorithm's owner will find its flaws, or report them when found
It is harder to find flaws when we restrict the number of people analyzing the algorithm
It is hard to keep an algorithm secret
Qualities of Good Algorithms
Explicitly designed for encryption
Security doesn't rely on its secrecy
Available for analysis
Subjected to analysis
No practical weaknesses found
Implementation has completed a formal cryptographic evaluation (i.e., FIPS-140)
Block Ciphers Aren't Perfect
Courtesy of Dr. Richard Smith
The Cause of the Problem
The Solution: Modes of Operation
A mode is a technique for applying the cipher by mixing its outputs to hide ciphertext patterns
Most modes are mixing modes that hide patterns
Typical modes:
Electronic codebook (ECB) – no mixing at all
Output feedback (OFB) – creates a keystream
Counter (CTR) – creates a keystream
Cipher feedback (CFB) – blocks and streams
Cipher block chaining (CBC) – block oriented
Applying a Mixing Mode (CBC)
Courtesy of Dr. Richard Smith
A Keystream from OFB Mode
Operating a Mode
Many modes require an Initialization Vector (IV)
A nonce that ensures each encryption yields different ciphertext, even when encrypting exactly the same plaintext
Rules for the IV:
Attacker can't choose it
Varies from one encryption to the next
May be random, but not necessarily
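Added example, not from the original slides: a toy Feistel block cipher that follows the steps listed under "Steps in a block cipher" (key schedule, round loop, decryption by running the rounds in reverse), then applied in ECB and CBC to show pattern hiding and the effect of the IV. The SHA-256 round function, 64-bit block, round count and all names are assumptions of this example; it is not DES or AES, and inputs must be a multiple of the block size.

```python
import hashlib

BLOCK, ROUNDS = 8, 8   # toy sizes: 64-bit block, 8 rounds (assumed values)

def key_schedule(key: bytes) -> list:
    """Generate one subkey per round from the key."""
    return [hashlib.sha256(key + bytes([r])).digest() for r in range(ROUNDS)]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def round_fn(half: bytes, subkey: bytes) -> bytes:
    """Scramble half a block with a round subkey (SHA-256 as a stand-in)."""
    return hashlib.sha256(subkey + half).digest()[:BLOCK // 2]

def encrypt_block(block: bytes, subkeys: list) -> bytes:
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for k in subkeys:                      # each round works on the previous result
        left, right = right, xor(left, round_fn(right, k))
    return left + right

def decrypt_block(block: bytes, subkeys: list) -> bytes:
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for k in reversed(subkeys):            # same steps, reverse order
        left, right = xor(right, round_fn(left, k)), left
    return left + right

def blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(pt: bytes, subkeys: list) -> bytes:
    return b"".join(encrypt_block(b, subkeys) for b in blocks(pt))

def cbc_encrypt(pt: bytes, subkeys: list, iv: bytes) -> bytes:
    out, prev = [], iv
    for b in blocks(pt):                   # mix in the previous ciphertext block
        prev = encrypt_block(xor(b, prev), subkeys)
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(ct: bytes, subkeys: list, iv: bytes) -> bytes:
    out, prev = [], iv
    for b in blocks(ct):
        out.append(xor(decrypt_block(b, subkeys), prev))
        prev = b
    return b"".join(out)

if __name__ == "__main__":
    ks = key_schedule(b"demo key (constructed)")
    pt = b"SECTOR00" * 4                   # constructed: four identical blocks
    print("ECB distinct blocks:", len(set(blocks(ecb_encrypt(pt, ks)))))
    print("CBC distinct blocks:", len(set(blocks(cbc_encrypt(pt, ks, b"\x01" * 8)))))
```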
Using an IV
Encrypting with OFB
Counter (CTR) Mode
Stream Cipher Modes in Operation
Both OFB and CTR can generate the keystream before the data is available to encrypt
Not all modes can do this
Because they are keystream-based, they can encrypt partial blocks
Because they are keystream-based, attackers can change the plaintext by changing individual ciphertext bits.
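Added example, not from the original slides: a counter-style keystream showing the three properties above (keystream generated before the data exists, partial-block encryption with no size growth, and a one-bit ciphertext change producing exactly the same one-bit plaintext change, which is why a keystream mode alone gives no integrity). HMAC-SHA256 stands in for the block cipher, and the key, nonce, record and function names are constructed for this example.

```python
import hashlib
import hmac

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """CTR-style keystream: keyed function over nonce || counter.
    HMAC-SHA256 stands in for the block cipher (assumption of this example)."""
    out = b""
    counter = 0
    while len(out) < length:
        msg = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    return out[:length]                    # a partial final block is fine

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt and decrypt are the same operation in a keystream mode."""
    return xor(data, keystream(key, nonce, len(data)))

def flip_bit(data: bytes, bit: int) -> bytes:
    """Model a single-bit change to stored ciphertext."""
    out = bytearray(data)
    out[bit // 8] ^= 0x80 >> (bit % 8)
    return bytes(out)

def changed_bits(a: bytes, b: bytes) -> list:
    """Bit positions at which two equal-length byte strings differ."""
    return [i for i in range(len(a) * 8)
            if (a[i // 8] ^ b[i // 8]) & (0x80 >> (i % 8))]

if __name__ == "__main__":
    key, nonce = b"constructed demo key", b"sector-7"   # constructed values
    ks = keystream(key, nonce, 64)         # generated before any data exists
    record = b"thirteen byte"              # constructed 13-byte plaintext
    ct = xor(record, ks)                   # ciphertext is also 13 bytes
    recovered = ctr_crypt(key, nonce, flip_bit(ct, 70))
    # Decryption succeeds silently; only bit 70 of the plaintext differs.
    print(recovered, changed_bits(record, recovered))
```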
Cipher Feedback (CFB) Mode
Error Propagation in CFB
Mode uses both XOR and the block cipher to construct the ciphertext stream.
When the block cipher decrypts a block containing a 1-bit error, it scrambles the entire block's decrypted plaintext
This yields two errors
One bit changed by the 1 ciphertext bit error
One block changed by the 1-bit error
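Added example, not from the original slides: full-block CFB with a one-bit ciphertext error injected, counting the damaged plaintext bits per block to show the two errors listed above and that later blocks recover. HMAC-SHA256 truncated to 16 bytes stands in for the block cipher's forward direction, and the key, IV, data and names are constructed for this example.

```python
import hashlib
import hmac

BLOCK = 16  # bytes per block (assumed size for this example)

def forward(key: bytes, block: bytes) -> bytes:
    """Stand-in for the block cipher applied to the previous ciphertext block."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def cfb_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = xor(pt[i:i + BLOCK], forward(key, prev))
        out.append(prev)                   # ciphertext feeds the next block
    return b"".join(out)

def cfb_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        blk = ct[i:i + BLOCK]
        out.append(xor(blk, forward(key, prev)))
        prev = blk                         # a damaged block is fed forward once
    return b"".join(out)

def flip_bit(data: bytes, bit: int) -> bytes:
    out = bytearray(data)
    out[bit // 8] ^= 0x80 >> (bit % 8)
    return bytes(out)

def bit_errors_per_block(a: bytes, b: bytes) -> list:
    """Number of differing bits in each block of two equal-length strings."""
    return [sum(bin(x ^ y).count("1")
                for x, y in zip(a[i:i + BLOCK], b[i:i + BLOCK]))
            for i in range(0, len(a), BLOCK)]

if __name__ == "__main__":
    key, iv = b"constructed demo key", b"\x00" * BLOCK   # constructed values
    pt = bytes(range(64))                                # four constructed blocks
    ct = cfb_encrypt(key, iv, pt)
    damaged = flip_bit(ct, BLOCK * 8 + 3)                # one bit in block 1
    # Block 1 has one wrong bit, block 2 is scrambled, blocks 0 and 3 are intact.
    print(bit_errors_per_block(pt, cfb_decrypt(key, iv, damaged)))
```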
Cipher Block Chaining (CBC) Mode
CBC Decryption
Volume Encryption in Software
A widely available capability
MS Windows – BitLocker feature
Apple OS X – FileVault feature
PGPDisk – part of commercial PGP crypto
VeraCrypt – open-source FDE package
Software-Based Encryption
Volume Encryption Design Issues
FDE features
Strong encryption, large keys, high speed
Suppress data patterns
Plaintext size = ciphertext size
Integrity protection – important but not primary
Use block cipher – offers speed and security
Cipher mode to suppress data patterns
A “tweakable” mode: Uses block addresses
Avoid a separate IV
Adapting CTR Mode
Adapting CBC Mode: ESSIV
XTS Mode: Truly “Tweakable”
Comparing the Modes
CTR mode is vulnerable to bit-flipping attacks
ESSIV can't detect rearranged blocks
XTS addresses these risks
XTS is still vulnerable to attacks where an older copy of a disk sector is rewritten over more recent data
Hardware-Based Self-Encrypting Drive
Drive Controller Design
Drive Locking and Unlocking
Managing Volume Keys
Key generation
Use a built-in true random number generator
Rekeying
Rekeying can take place during reformatting
Key storage
Temporary (volatile) storage for working key
Permanent (nonvolatile) storage for wrapped key – wrapped with a passphrase
Option for removable keys in nonvolatile store
Booting an Encrypted Drive
Preboot authentication
Computer collects the passphrase or other secret before booting can proceed
Implementation options
Integrate into BIOS
Install on a dedicated hard drive partition
Automatic reboot
If crypto only serves to make the drives easier to recycle, then authentication isn't needed
Provide passphrase or key automatically
Residual Risks to Keys
Intercepted passphrases
Intercepted keys
Eavesdrop on (software) encryption
Sniffing keys stored in swap files
“Cold Boot” attack
Recycled password attack
The “master key” risk