Disk Encryption

The Experts below are selected from a list of 1233 Experts worldwide ranked by ideXlab platform

Tilo Muller - One of the best experts on this subject based on the ideXlab platform.

  • SysTEX@Middleware - Isolating Operating System Components with Intel SGX
    Proceedings of the 1st Workshop on System Software for Trusted Execution - SysTEX '16, 2016
    Co-Authors: Lars Richter, Johannes Götzfried, Tilo Muller
    Abstract:

    In this paper, we present a novel approach to isolating operating system components with Intel SGX. Although SGX has not been designed to work in kernel mode, we found a way of wrapping Linux kernel functionality within SGX enclaves by moving parts of it to user space. Kernel components are strictly isolated from each other such that a vulnerability in one kernel module cannot escalate into compromising the entire kernel. We provide a proof-of-concept implementation which protects an exemplary kernel function, namely full Disk Encryption, using an Intel SGX enclave. Besides integrity of the Disk Encryption, our implementation ensures that the confidentiality of the Disk Encryption key is protected against all software level attacks as well as physical attacks. In addition to the user password, we use a second authentication factor for deriving the Encryption key which is stored sealed and bound to the platform. Thus, stealing the hard drive and sniffing the user password is insufficient for an attacker to break Disk Encryption. Instead, the two factor authentication scheme requires an attacker to additionally obtain the actual machine to be able to break Encryption.

  • A Systematic Assessment of the Security of Full Disk Encryption
    IEEE Transactions on Dependable and Secure Computing, 2015
    Co-Authors: Tilo Muller, Felix C Freiling
    Abstract:

    Organizations as well as private users frequently report the loss and theft of mobile devices such as laptops and smartphones. The threat of data exposure in such scenarios can be mitigated by protection mechanisms based on Encryption. Full Disk Encryption (FDE) is an effective method to protect data against unauthorized access. FDE can generally be classified into software- and hardware-based solutions. We assess the practical security that users can expect from these FDE solutions regarding physical access threats. We assume that strong cryptography like AES cannot be broken but focus on vulnerabilities arising from practical FDE implementations. We present the results of a comprehensive and systematic comparison of the security of software- and hardware-based FDE. Thereby, we exhibit attacks on widespread FDE standards in many common scenarios and different system configurations. As a result, we show that neither software- nor hardware-based FDE provides perfect security, nor is one clearly superior to the other.

  • Mutual Authentication and Trust Bootstrapping towards Secure Disk Encryption
    ACM Transactions on Information and System Security, 2014
    Co-Authors: Johannes Götzfried, Tilo Muller
    Abstract:

    The weakest link in software-based full Disk Encryption is the authentication procedure. Since the master boot record must be present unencrypted in order to launch the decryption of remaining system parts, it can easily be manipulated and infiltrated by bootkits that perform keystroke logging; consequently, password-based authentication schemes become attackable. The current technological response, as enforced by BitLocker, verifies the integrity of the boot process by use of the trusted platform module. But, as we show, this countermeasure is insufficient in practice. We present STARK, the first tamperproof authentication scheme that mutually authenticates the computer and the user in order to resist keylogging during boot. To achieve this, STARK implements trust bootstrapping from a secure token to the whole PC. The secure token is an active USB drive that verifies the integrity of the PC and indicates the verification status by an LED to the user. This way, users can ensure the authenticity of the PC before entering their passwords.

  • Analysing Android's Full Disk Encryption Feature.
    2014
    Co-Authors: Johannes Götzfried, Tilo Muller
    Abstract:

    Since Android 4.0, which was released in October 2011, users of Android smartphones are provided with a built-in Encryption feature to protect their home partitions. In the work at hand, we give a structured analysis of this software-based Encryption solution. For example, software-based Encryption always requires at least a small part of the Disk to remain unencrypted; in Android this is the entire system partition. Unencrypted parts of a Disk can be read out and are open to system manipulations. We present a tool named EvilDroid to show that with physical access to an encrypted smartphone only (i.e., without user level privileges), the Android system partition can be subverted with keylogging. Additionally, as exemplified by attacks against Galaxy Nexus devices in 2012, Android-driven ARM devices are vulnerable to cold boot attacks. Data recovery tools like FROST exploit the remanence effect of RAM to recover data from encrypted smartphones, at worst the Disk Encryption key. With a Linux kernel module named Armored, we demonstrate that Android’s software Encryption can be improved to withstand cold boot attacks by performing AES entirely on the CPU without RAM. As a consequence, cold boot attacks on Encryption keys can be defeated. We present both a detailed security and a performance analysis of Armored.

  • ARES - ARMORED: CPU-Bound Encryption for Android-Driven ARM Devices
    2013 International Conference on Availability Reliability and Security, 2013
    Co-Authors: Johannes Götzfried, Tilo Muller
    Abstract:

    As recently shown by attacks against Android-driven smart phones, ARM devices are vulnerable to cold boot attacks. At the end of 2012, the data recovery tool FROST was released which exploits the remanence effect of RAM to recover user data from a smart phone, at worst its Disk Encryption key. Disk Encryption is supported in Android since version 4.0 and is today available on many smart phones. With ARMORED, we demonstrate that Android's Disk Encryption feature can be improved to withstand cold boot attacks by performing AES entirely without RAM. ARMORED stores necessary keys and intermediate values of AES inside registers of the ARM microprocessor architecture without involving main memory. As a consequence, cold boot attacks on Encryption keys in RAM appear to be futile. We developed our implementation on a Panda Board and tested it successfully on real phones. We also present a security and a performance analysis for ARMORED.

Patrick Simmons - One of the best experts on this subject based on the ideXlab platform.

  • Security through amnesia: a software-based solution to the cold boot attack on Disk Encryption
    Annual Computer Security Applications Conference, 2011
    Co-Authors: Patrick Simmons
    Abstract:

    Disk Encryption has become an important security measure for a multitude of clients, including governments, corporations, activists, security-conscious professionals, and privacy-conscious individuals. Unfortunately, recent research has discovered an effective side channel attack against any Disk mounted by a running machine [23]. This attack, known as the cold boot attack, is effective against any mounted volume using state-of-the-art Disk Encryption, is relatively simple to perform for an attacker with even rudimentary technical knowledge and training, and is applicable to exactly the scenario against which Disk Encryption is primarily supposed to defend: an adversary with physical access. While there has been some previous work in defending against this attack [27], the only currently available solution suffers from the twin problems of disabling access to the SSE registers and supporting only a single encrypted volume, hindering its usefulness for such common Encryption scenarios as data and swap partitions encrypted with different keys (the swap key being a randomly generated throw-away key). We present Loop-Amnesia, a kernel-based Disk Encryption mechanism implementing a novel technique to eliminate vulnerability to the cold boot attack. We contribute a novel technique for shielding multiple Encryption keys from RAM and a mechanism for storing Encryption keys inside the CPU that does not interfere with the use of SSE. We offer theoretical justification of Loop-Amnesia's invulnerability to the attack, verify that our implementation is not vulnerable in practice, and present measurements showing our impact on I/O accesses to the encrypted Disk is limited to a slowdown of approximately 2x. Loop-Amnesia is written for x86-64, but our technique is applicable to other register-based architectures. We base our work on loop-AES, a state-of-the-art open source Disk Encryption package for Linux.

  • Security through amnesia: a software-based solution to the cold boot attack on Disk Encryption
    arXiv: Cryptography and Security, 2011
    Co-Authors: Patrick Simmons
    Abstract:

    Disk Encryption has become an important security measure for a multitude of clients, including governments, corporations, activists, security-conscious professionals, and privacy-conscious individuals. Unfortunately, recent research has discovered an effective side channel attack against any Disk mounted by a running machine\cite{princetonattack}. This attack, known as the cold boot attack, is effective against any mounted volume using state-of-the-art Disk Encryption, is relatively simple to perform for an attacker with even rudimentary technical knowledge and training, and is applicable to exactly the scenario against which Disk Encryption is primarily supposed to defend: an adversary with physical access. To our knowledge, no effective software-based countermeasure to this attack supporting multiple Encryption keys has yet been articulated in the literature. Moreover, since no proposed solution has been implemented in publicly available software, all general-purpose machines using Disk Encryption remain vulnerable. We present Loop-Amnesia, a kernel-based Disk Encryption mechanism implementing a novel technique to eliminate vulnerability to the cold boot attack. We offer theoretical justification of Loop-Amnesia's invulnerability to the attack, verify that our implementation is not vulnerable in practice, and present measurements showing our impact on I/O accesses to the encrypted Disk is limited to a slowdown of approximately 2x. Loop-Amnesia is written for x86-64, but our technique is applicable to other register-based architectures. We base our work on loop-AES, a state-of-the-art open source Disk Encryption package for Linux.
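The cold boot attack that the Loop-Amnesia, FROST/ARMORED and TreVisor abstracts on this page defend against has two steps: power-cycle the machine to dump RAM, then locate the Disk Encryption key in the dump. The following is an added worked example of that second step, written for this page and not code from any of the papers listed here: a search for AES-128 keys by recognising their expanded key schedules, in the manner of the aeskeyfind tool from Halderman et al.'s original cold boot work. It uses only the Python standard library. The memory image is constructed inside the block; the key is the FIPS-197 Appendix A.1 test vector; the bit-error tolerance and the assumption that the 16 key bytes themselves survived decay are simplifications of this example, not properties of any published tool.

```python
"""
Find AES-128 keys in a memory image by locating their expanded key schedules,
the step that turns a cold boot RAM dump into a Disk Encryption key.
Added example for this page (standard library only); not code from the
Loop-Amnesia, FROST, ARMORED, TRESOR or TreVisor papers.
"""
import random


def _xtime(b: int) -> int:
    """Multiply by x in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    b <<= 1
    return (b ^ 0x11B) & 0xFF if b & 0x100 else b


def _build_sbox() -> list:
    # Log/antilog tables over generator 3 give multiplicative inverses,
    # then the AES affine map (x ^ rotl1 ^ rotl2 ^ rotl3 ^ rotl4 ^ 0x63).
    exp, log = [0] * 256, [0] * 256
    x = 1
    for i in range(255):
        exp[i] = x
        log[x] = i
        x ^= _xtime(x)  # x *= 3
    sbox = [0] * 256
    for v in range(256):
        inv = 0 if v == 0 else exp[(255 - log[v]) % 255]
        s = inv
        for r in range(1, 5):
            s ^= ((inv << r) | (inv >> (8 - r))) & 0xFF
        sbox[v] = s ^ 0x63
    return sbox


SBOX = _build_sbox()


def aes128_key_schedule(key: bytes) -> bytes:
    """FIPS-197 key expansion: 16-byte key -> 176 bytes (11 round keys)."""
    if len(key) != 16:
        raise ValueError("AES-128 key must be 16 bytes")
    w = [key[i:i + 4] for i in range(0, 16, 4)]
    rcon = 0x01
    for i in range(4, 44):
        t = w[i - 1]
        if i % 4 == 0:
            # RotWord, SubWord, then XOR the round constant into the first byte.
            t = bytes([SBOX[t[1]] ^ rcon, SBOX[t[2]], SBOX[t[3]], SBOX[t[0]]])
            rcon = _xtime(rcon)
        w.append(bytes(a ^ b for a, b in zip(w[i - 4], t)))
    return b"".join(w)


def find_aes128_keys(image: bytes, max_bit_errors: int = 0) -> list:
    """Return (offset, key, bit_errors) for every 16-byte window whose following
    160 bytes match that window's key schedule up to max_bit_errors flipped bits
    (tolerance for bits that decayed while the RAM was unpowered)."""
    hits = []
    for off in range(len(image) - 176 + 1):
        cand = image[off:off + 16]
        if len(set(cand)) < 4:  # skip zero pages and other low-entropy windows
            continue
        expected = aes128_key_schedule(cand)[16:]
        observed = image[off + 16:off + 176]
        errors = sum(bin(a ^ b).count("1") for a, b in zip(expected, observed))
        if errors <= max_bit_errors:
            hits.append((off, bytes(cand), errors))
    return hits


FIPS_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")  # FIPS-197 Appendix A.1


def build_demo_image(key: bytes, offset: int = 1000, decayed_bits: int = 3,
                     size: int = 4096, seed: int = 7) -> bytes:
    """Constructed stand-in for a RAM dump: pseudo-random filler with one expanded
    key schedule at `offset`, then `decayed_bits` distinct round-key bits flipped
    to imitate remanence decay. Simplification: the 16 key bytes stay intact."""
    rng = random.Random(seed)
    img = bytearray(rng.getrandbits(8) for _ in range(size))
    img[offset:offset + 176] = aes128_key_schedule(key)
    for bit in rng.sample(range(160 * 8), decayed_bits):
        img[offset + 16 + bit // 8] ^= 1 << (bit % 8)
    return bytes(img)


if __name__ == "__main__":
    image = build_demo_image(FIPS_KEY)
    print("exact matches:", find_aes128_keys(image, max_bit_errors=0))
    for off, key, errs in find_aes128_keys(image, max_bit_errors=8):
        print(f"key at 0x{off:x} with {errs} decayed bit(s): {key.hex()}")
```

What makes this search work is that a software AES implementation keeps the 176-byte schedule in RAM next to the key for as long as the volume is mounted, and a key schedule is far more recognisable than 16 random-looking bytes. Schemes such as TRESOR, Loop-Amnesia and ARMORED hold the key and the intermediate values of AES in CPU registers rather than main memory (the abstracts' "AES entirely without RAM"), so a scan like this one has nothing to find.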

Debrup Chakraborty - One of the best experts on this subject based on the ideXlab platform.

  • FAST: Disk Encryption and beyond
    Advances in Mathematics of Communications, 2019
    Co-Authors: Debrup Chakraborty, Cuauhtemoc Mancillas López, Sebati Ghosh, Palash Sarkar
    Abstract:

    This work introduces FAST which is a new family of tweakable enciphering schemes. Several instantiations of FAST are described. These are targeted towards two goals, the specific task of Disk Encryption and a more general scheme suitable for a wide variety of practical applications. A major contribution of this work is to present detailed and careful software implementations of all of these instantiations. For Disk Encryption, the results from the implementations show that FAST compares very favourably to the IEEE Disk Encryption standards XCB and EME2 as well as the more recent proposal AEZ. FAST is built using a fixed input length pseudo-random function and an appropriate hash function. It uses a single-block key, is parallelisable and can be instantiated using only the Encryption function of a block cipher. The hash function can be instantiated using either the Horner's rule based usual polynomial hashing or hashing based on the more efficient Bernstein-Rabin-Winograd polynomials. Security of FAST has been rigorously analysed using the standard provable security approach and concrete security bounds have been derived. Based on our implementation results, we put forward FAST as a serious candidate for standardisation and deployment.

  • Disk Encryption: do we need to preserve length?
    Journal of Cryptographic Engineering, 2018
    Co-Authors: Debrup Chakraborty, Cuauhtemoc Mancillas López, Palash Sarkar
    Abstract:

    In the last one and a half decades there has been a lot of activity toward development of cryptographic techniques for Disk Encryption. It has been almost canonized that an Encryption scheme suitable for the application of Disk Encryption must be length preserving, i.e., it rules out the use of schemes such as authenticated Encryption where an authentication tag is also produced as a part of the ciphertext resulting in ciphertexts being longer than the corresponding plaintexts. The notion of a tweakable enciphering scheme (TES) has been formalized as the appropriate primitive for Disk Encryption, and it has been argued that they provide the maximum security possible for a tagless scheme. On the other hand, TESs are less efficient than some existing authenticated Encryption schemes. Also TES cannot provide true authentication as they do not have authentication tags. In this paper, we analyze the possibility of the use of Encryption schemes where length expansion is produced for the purpose of Disk Encryption. On the negative side, we argue that nonce-based authenticated Encryption schemes are not appropriate for this application. On the positive side, we demonstrate that deterministic authenticated Encryption (DAE) schemes may have more advantages than disadvantages compared to a TES when used for Disk Encryption. Finally, we propose a new deterministic authenticated Encryption scheme called BCTR which is suitable for this purpose. We provide the full specification of BCTR, prove its security and also report an efficient implementation in reconfigurable hardware. Our experiments suggest that BCTR performs significantly better than existing TESs and existing DAE schemes.

  • Disk Encryption: Do We Need to Preserve Length?
    2016
    Co-Authors: Debrup Chakraborty, Palash Sarkar
    Abstract:

    In the last one-and-a-half decades there has been a lot of activity towards development of cryptographic techniques for Disk Encryption. It has been almost canonised that an Encryption scheme suitable for the application of Disk Encryption must be length preserving, i.e., it rules out the use of schemes like authenticated Encryption where an authentication tag is also produced as a part of the ciphertext resulting in ciphertexts being longer than the corresponding plaintexts. The notion of a tweakable enciphering scheme (TES) has been formalised as the appropriate primitive for Disk Encryption and it has been argued that they provide the maximum security possible for a tag-less scheme. On the other hand, TESs are less efficient than some existing authenticated Encryption schemes. Also TES cannot provide true authentication as they do not have authentication tags. In this paper, we analyze the possibility of the use of Encryption schemes where length expansion is produced for the purpose of Disk Encryption. On the negative side, we argue that nonce based authenticated Encryption schemes are not appropriate for this application. On the positive side, we demonstrate that deterministic authenticated Encryption (DAE) schemes may have more advantages than disadvantages compared to a TES when used for Disk Encryption. Finally, we propose a new deterministic authenticated Encryption scheme called BCTR which is suitable for this purpose. We provide the full specification of BCTR, prove its security and also report an efficient implementation in reconfigurable hardware. Our experiments suggest that BCTR performs significantly better than existing TESs and existing DAE schemes.

  • On Some Weaknesses in the Disk Encryption Schemes EME and EME2
    2016
    Co-Authors: Debrup Chakraborty
    Abstract:

    Tweakable enciphering schemes are a certain type of block-cipher mode of operation which provide security in the sense of a strong pseudo-random permutation. It has been proposed that these types of modes are suitable for in-place Disk Encryption. Currently there are many proposals available for these schemes. EME is one of the efficient candidates of this category. EME2 is a derivative of EME which is currently one of the candidates of a draft standard for wide block modes by the IEEE working group on storage security. We show some weaknesses of these two modes assuming that some side channel information is available.

  • Double ciphertext mode: a proposal for secure backup
    International Journal of Applied Cryptography, 2012
    Co-Authors: Debrup Chakraborty, Cuauhtemoc Mancillas-López
    Abstract:

    Security of data stored in bulk storage devices like the hard Disk has gained a lot of importance in recent years. Among the variety of paradigms which are available for Disk Encryption, low level Disk Encryption is well accepted because of the high security guarantees it provides. In this paper, we view the problem of Disk Encryption from a different direction. We explore the possibility of how one can maintain secure backups of the data, such that loss of a physical device will mean neither loss of the data nor the fact that the data gets revealed to the adversary. We propose an efficient solution to this problem through a new cryptographic scheme which we call the double ciphertext mode (DCM). In this paper, we describe the syntax of DCM, define security for it and give some efficient constructions. Moreover, we argue regarding the suitability of DCM for the secure backup application.

Felix C Freiling - One of the best experts on this subject based on the ideXlab platform.

  • A Systematic Assessment of the Security of Full Disk Encryption
    IEEE Transactions on Dependable and Secure Computing, 2015
    Co-Authors: Tilo Muller, Felix C Freiling
    Abstract:

    Organizations as well as private users frequently report the loss and theft of mobile devices such as laptops and smartphones. The threat of data exposure in such scenarios can be mitigated by protection mechanisms based on Encryption. Full Disk Encryption (FDE) is an effective method to protect data against unauthorized access. FDE can generally be classified into software- and hardware-based solutions. We assess the practical security that users can expect from these FDE solutions regarding physical access threats. We assume that strong cryptography like AES cannot be broken but focus on vulnerabilities arising from practical FDE implementations. We present the results of a comprehensive and systematic comparison of the security of software- and hardware-based FDE. Thereby, we exhibit attacks on widespread FDE standards in many common scenarios and different system configurations. As a result, we show that neither software- nor hardware-based FDE provides perfect security, nor is one clearly superior to the other.

  • TreVisor: OS-independent software-based full Disk Encryption secure against main memory attacks
    Applied Cryptography and Network Security, 2012
    Co-Authors: Tilo Muller, Benjamin Taubmann, Felix C Freiling
    Abstract:

    Software-based Disk Encryption techniques store necessary keys in main memory and are therefore vulnerable to DMA and cold boot attacks which can acquire keys from RAM. Recent research results have shown operating system dependent ways to overcome these attacks. For example, the TRESOR project patches Linux to store AES keys solely on the microprocessor. We present TreVisor, the first software-based and OS-independent solution for full Disk Encryption that is resistant to main memory attacks. It builds upon BitVisor, a thin virtual machine monitor which implements various security features. Roughly speaking, TreVisor adds the Encryption facilities of TRESOR to BitVisor, i.e., we move TRESOR one layer below the operating system into the hypervisor such that secure Disk Encryption runs transparently for the guest OS. We have tested its compatibility with both Linux and Windows and show positive security and performance results.

Milan Brož - One of the best experts on this subject based on the ideXlab platform.

  • Practical Cryptographic Data Integrity Protection with Full Disk Encryption
    2018
    Co-Authors: Milan Brož, Mikuláš Patočka, Vashek Matyáš
    Abstract:

    Full Disk Encryption (FDE) has become a widely used security feature. Although FDE can provide confidentiality, it generally does not provide cryptographic data integrity protection. We introduce an algorithm-agnostic solution that provides both data integrity and confidentiality protection at the Disk sector layer. Our open-source solution is intended for drives without any special hardware extensions and is based on per-sector metadata fields implemented in software. Our implementation has been included in the Linux kernel since version 4.12.

  • SEC - Practical Cryptographic Data Integrity Protection with Full Disk Encryption
    ICT Systems Security and Privacy Protection, 2018
    Co-Authors: Milan Brož, Mikuláš Patočka, Vashek Matyáš
    Abstract:

    Full Disk Encryption (FDE) has become a widely used security feature. Although FDE can provide confidentiality, it generally does not provide cryptographic data integrity protection. We introduce an algorithm-agnostic solution that provides both data integrity and confidentiality protection at the Disk sector layer. Our open-source solution is intended for drives without any special hardware extensions and is based on per-sector metadata fields implemented in software. Our implementation has been included in the Linux kernel since version 4.12.

  • Practical Cryptographic Data Integrity Protection with Full Disk Encryption Extended Version
    arXiv: Cryptography and Security, 2018
    Co-Authors: Milan Brož, Mikuláš Patočka, Vashek Matyáš
    Abstract:

    Full Disk Encryption (FDE) has become a widely used security feature. Although FDE can provide confidentiality, it generally does not provide cryptographic data integrity protection. We introduce an algorithm-agnostic solution that provides both data integrity and confidentiality protection at the Disk sector layer. Our open-source solution is intended for drives without any special hardware extensions and is based on per-sector metadata fields implemented in software. Our implementation has been included in the Linux kernel since version 4.12. This is an extended version of our article that appears in the IFIP SEC 2018 conference proceedings.
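The Brož, Patočka and Matyáš abstracts above describe integrity protection at the sector layer with per-sector metadata fields, and the Chakraborty and Sarkar abstracts earlier on this page discuss where the length expansion of a tag-carrying scheme should go. The following is an added example, written for this page and not the dm-crypt/dm-integrity code or any scheme from the papers, of the layout both discussions share: a data area of fixed-size ciphertext sectors and a separate metadata area holding a per-sector IV and authentication tag. To stay on the Python standard library, the example uses HMAC-SHA256 in counter mode as a stand-in stream cipher and a truncated HMAC as the tag (assumptions of this example; a deployment would use a block-cipher-based construction). The master key and sector contents are constructed.

```python
"""Sector-level encryption with a separate per-sector metadata area (IV + tag).
Added illustration for this page, standard library only; the HMAC-based stream
cipher and truncated-HMAC tag are stand-ins, not the papers' primitives."""
import hashlib
import hmac
import os

SECTOR_SIZE = 512
IV_LEN = 16
TAG_LEN = 16
META_LEN = IV_LEN + TAG_LEN  # per-sector metadata: where the length expansion lives


class IntegrityError(Exception):
    """Raised when a sector's tag does not verify."""


def _prf(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def _keystream(key: bytes, iv: bytes, sector: int, n: int) -> bytes:
    # Stand-in stream cipher: HMAC-SHA256(key, iv || sector || counter) blocks.
    out = bytearray()
    ctr = 0
    while len(out) < n:
        out += _prf(key, iv + sector.to_bytes(8, "big") + ctr.to_bytes(4, "big"))
        ctr += 1
    return bytes(out[:n])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class IntegrityProtectedDisk:
    """Data area of ciphertext sectors plus metadata area of (iv, tag) per sector."""

    def __init__(self, master_key: bytes, sectors: int):
        # Separate encryption and authentication keys derived from one master key.
        self.k_enc = _prf(master_key, b"sector-encryption")
        self.k_mac = _prf(master_key, b"sector-integrity")
        self.data = bytearray(SECTOR_SIZE * sectors)
        self.meta = bytearray(META_LEN * sectors)

    def _tag(self, sector: int, iv: bytes, ct: bytes) -> bytes:
        # The sector number is part of the tag input, so a valid sector cannot be relocated.
        return _prf(self.k_mac, sector.to_bytes(8, "big") + iv + ct)[:TAG_LEN]

    def _raw(self, sector: int):
        ct = bytes(self.data[sector * SECTOR_SIZE:(sector + 1) * SECTOR_SIZE])
        m = bytes(self.meta[sector * META_LEN:(sector + 1) * META_LEN])
        return ct, m[:IV_LEN], m[IV_LEN:]

    def write(self, sector: int, plaintext: bytes) -> None:
        if len(plaintext) != SECTOR_SIZE:
            raise ValueError("plaintext must be exactly one sector")
        iv = os.urandom(IV_LEN)  # fresh IV per write: rewriting a sector never reuses keystream
        ct = _xor(plaintext, _keystream(self.k_enc, iv, sector, SECTOR_SIZE))
        self.data[sector * SECTOR_SIZE:(sector + 1) * SECTOR_SIZE] = ct
        self.meta[sector * META_LEN:(sector + 1) * META_LEN] = iv + self._tag(sector, iv, ct)

    def read(self, sector: int) -> bytes:
        ct, iv, tag = self._raw(sector)
        if not hmac.compare_digest(tag, self._tag(sector, iv, ct)):
            raise IntegrityError(f"sector {sector}: tag mismatch")
        return _xor(ct, _keystream(self.k_enc, iv, sector, SECTOR_SIZE))

    def read_unauthenticated(self, sector: int) -> bytes:
        """What a confidentiality-only layer returns: whatever is there, decrypted."""
        ct, iv, _ = self._raw(sector)
        return _xor(ct, _keystream(self.k_enc, iv, sector, SECTOR_SIZE))


def _detects(read_fn) -> bool:
    try:
        read_fn()
    except IntegrityError:
        return True
    return False


def run_demo() -> dict:
    """Three physical-access manipulations against one constructed disk."""
    disk = IntegrityProtectedDisk(master_key=b"\x42" * 32, sectors=4)  # constructed key
    v1 = b"ledger v1: balance=100".ljust(SECTOR_SIZE, b"\x00")  # constructed payloads
    v2 = b"ledger v2: balance=0".ljust(SECTOR_SIZE, b"\x00")
    s1, m1 = slice(SECTOR_SIZE, 2 * SECTOR_SIZE), slice(META_LEN, 2 * META_LEN)
    s2, m2 = slice(2 * SECTOR_SIZE, 3 * SECTOR_SIZE), slice(2 * META_LEN, 3 * META_LEN)
    disk.write(1, v1)
    results = {"roundtrip": disk.read(1) == v1}
    # 1. Flip one ciphertext bit: unauthenticated read returns garbage, authenticated read fails.
    saved = (bytes(disk.data[s1]), bytes(disk.meta[m1]))
    disk.data[SECTOR_SIZE + 5] ^= 0x01
    results["bitflip_unauth_read_wrong"] = disk.read_unauthenticated(1) != v1
    results["bitflip_detected"] = _detects(lambda: disk.read(1))
    disk.data[s1], disk.meta[m1] = saved
    # 2. Relocate: copy sector 1 (data and metadata) over sector 2.
    disk.write(2, v2)
    disk.data[s2], disk.meta[m2] = disk.data[s1], disk.meta[m1]
    results["relocation_detected"] = _detects(lambda: disk.read(2))
    # 3. Roll back: put the old, correctly tagged sector 1 back after it was overwritten.
    disk.write(1, v2)
    disk.data[s1], disk.meta[m1] = saved
    results["rollback_detected"] = _detects(lambda: disk.read(1))  # False: v1 reads back cleanly
    return results
```

The run_demo() checks show the three behaviours a practitioner should expect from such a layer: a flipped ciphertext bit is reported instead of being decrypted into silent garbage, a valid sector copied to another address fails because the sector number is bound into the tag, and restoring an old, correctly tagged version of the same sector is not detected, since a per-sector tag has no notion of freshness; rollback protection has to come from a layer above the sector tags. The Chakraborty and Sarkar abstracts argue against nonce-based authenticated Encryption for this purpose and for deterministic authenticated Encryption instead; the example's random per-write IV is one such nonce, kept here because it shows where a nonce would have to live (in the metadata area, alongside the tag).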

  • Security Protocols Workshop - Extending Full Disk Encryption for the Future (Transcript of Discussion)
    Security Protocols XXV, 2017
    Co-Authors: Milan Brož
    Abstract:

    I will be talking about Disk Encryption. I have been working with Disk Encryption for several years. Full Disk Encryption transforms the problem of maintaining a lot of data into a key management problem, but I will not be talking about the key management. I would like to talk about data storage and how to provide data integrity. I also have some proof-of-concept implementation to show.

  • Security Protocols Workshop - Extending Full Disk Encryption for the Future
    Security Protocols XXV, 2017
    Co-Authors: Milan Brož
    Abstract:

    Full Disk Encryption (FDE) provides confidentiality of data at rest stored on persistent devices like Disks or solid state drives (SSDs). Typical examples of widely used FDE systems are Bitlocker on Windows [12], dm-crypt [5] on Linux and Android, TrueCrypt [7] followers or any self-encrypted drives (SED) [18].