Full Disk Encryption

The experts below are selected from a list of 339 experts worldwide ranked by the ideXlab platform.

Demir Levent - One of the best experts on this subject based on the ideXlab platform.

  • Optimizing dm-crypt for XTS-AES: Getting the Best of Atmel Cryptographic Co-Processors (long version)
    HAL CCSD, 2020
    Co-Authors: Demir Levent, Thiery Mathieu, Roca Vincent, Tenkes Jean-michel, Roch Jean-louis
    Abstract:

    Long version of the SECRYPT 2020 accepted article. International audience. The Linux implementation of Full Disk Encryption (FDE) relies on the dm-crypt kernel module and is based on the XTS-AES encryption mode. However, XTS-AES is complex and can quickly become a performance bottleneck. We therefore explore the use of cryptographic co-processors to implement the XTS-AES mode efficiently in Linux. We consider two Atmel boards that feature different cryptographic co-processors: the XTS-AES mode is completely integrated on the recent SAMA5D2 board but not on the SAMA5D3 board. We first analyze three XTS-AES implementations: a pure software implementation, an implementation that leverages the XTS-AES co-processor, and an intermediate solution. This work leads us to propose an optimization of dm-crypt, the extended request mode, which encrypts/decrypts a full 4kB page at once instead of issuing eight consecutive 512-byte requests as in the current implementation. We show that major performance gains are possible with this optimization, a SAMA5D3 board reaching the performance of a SAMA5D2 board where XTS-AES operations are totally offloaded to the dedicated cryptographic co-processor, while remaining fully compatible with the standard. Finally, we explain why bad design choices prevent this optimization from being applied to the new SAMA5D2 board, and we derive recommendations for future co-processor designs.

  • Module de confiance pour l'externalisation de données dans le Cloud (Trusted module for data outsourcing in the Cloud)
    HAL CCSD, 2017
    Co-Authors: Demir Levent
    Abstract:

    Data outsourcing to the Cloud has led to new security threats. The main concerns of this thesis are to protect user data and privacy. In particular, it follows two principles: to decrease the amount of trust that must be placed in the Cloud, and to design an architecture based on a trusted module between the Cloud and the clients. Both principles are derived from a new design approach: "Trust The Module, Not The Cloud" (TTM). Gathering all the cryptographic operations in a dedicated module brings several advantages: freedom from internal and external attacks on the client side; limiting the software to the essential needs gives better control of the system; and using co-processors for cryptographic operations leads to higher performance. The thesis work is structured into three main sections. In the first section, we confront the challenges of a personal Cloud, designed to protect the users' data and based on a common and cheap single-board computer. The architecture relies on two main foundations: a transparent encryption scheme based on Full Disk Encryption (FDE), initially used for local encryption (e.g. hard disks), and a transparent distribution method that works through the iSCSI network protocol in order to outsource containers to the Cloud. In the second section we deal with the performance issue related to FDE. By analysing the XTS-AES mode of encryption, the Linux kernel module dm-crypt and the cryptographic co-processors, we introduce a new approach called extReq which extends the cryptographic requests sent to the co-processors. This optimisation doubled the encryption and decryption throughput. In the final third section we establish a Cloud for enterprises based on a more powerful and certified Hardware Security Module (HSM) which is dedicated to data encryption and key protection. Based on the TTM architecture, we added "off-the-shelf" features to provide a solution for enterprises.

    Summary (translated from the French abstract): Outsourcing data to the Cloud has given rise to new security problems. The challenge is to protect users' data and their privacy. To that end, two principles were followed during this thesis: the first is to place only limited trust in the data host (among others), the second is to establish an architecture based on a trusted module placed as a break between the client workstation and the Cloud, hence the approach "Trust The Module, Not The Cloud". Delegating the security operations to a dedicated hardware module thus brings several benefits: first, freeing oneself from a client workstation that is more vulnerable to internal or external attacks; next, limiting the software components to the strict minimum in order to have better control over how the system operates; and finally, dedicating cryptographic operations to specialised co-processors in order to obtain high performance. The work carried out during this thesis thus follows three axes. In a first axis we studied the challenges of a personal Cloud intended to protect an individual's data and based on an inexpensive off-the-shelf single-board computer. The architecture we defined rests on two pillars: transparent management of encryption through the use of container encryption called Full Disk Encryption (FDE), originally used in a local protection context (encrypting a computer's disk or an external hard drive); and transparent management of distribution through the use of the iSCSI protocol, which allows the container to be moved to the Cloud. We showed that these two pillars make it possible to build a secure and functionally rich service through the progressive addition of further "off-the-shelf" modules. In a second axis, we turned to the performance problem linked to the use of FDE. An in-depth study of the XTS-AES encryption mode recommended for FDE, of the Linux kernel module dm-crypt and of cryptographic co-processors (not all of which support the XTS-AES mode) led us to propose several optimisations, including the extReq approach, which extends the cryptographic requests sent to the co-processors. This work allowed us to double encryption and decryption throughput. In a third axis, in order to scale up, we used a certified and more powerful hardware security module (HSM), dedicated to the protection of

  • Trusted module for data outsourcing in Cloud
    2017
    Co-Authors: Demir Levent
    Abstract:

    (Translated from the French abstract.) Outsourcing data to the Cloud has given rise to new security problems. The challenge is to protect users' data and their privacy. To that end, two principles were followed during this thesis: the first is to place only limited trust in the data host (among others), the second is to establish an architecture based on a trusted module placed as a break between the client workstation and the Cloud, hence the approach "Trust The Module, Not The Cloud" (TTM). Delegating the security operations to a dedicated hardware module thus brings several benefits: first, freeing oneself from a client workstation that is more vulnerable to internal or external attacks; next, limiting the software components to the strict minimum in order to have better control over how the system operates; and finally, dedicating cryptographic operations to specialised co-processors in order to obtain high performance. The work carried out during this thesis thus follows three axes. In a first axis we studied the challenges of a personal Cloud intended to protect an individual's data and based on an inexpensive off-the-shelf single-board computer. The architecture we defined rests on two pillars: transparent management of encryption through the use of container encryption called Full Disk Encryption (FDE), originally used in a local protection context (encrypting a computer's disk or an external hard drive); and transparent management of distribution through the use of the iSCSI protocol, which allows the container to be moved to the Cloud. We showed that these two pillars make it possible to build a secure and functionally rich service through the progressive addition of further "off-the-shelf" modules. In a second axis, we turned to the performance problem linked to the use of FDE. An in-depth study of the XTS-AES encryption mode recommended for FDE, of the Linux kernel module dm-crypt and of cryptographic co-processors (not all of which support the XTS-AES mode) led us to propose several optimisations, including the extReq approach, which extends the cryptographic requests sent to the co-processors. This work allowed us to double encryption and decryption throughput. In a third axis, in order to scale up, we used a certified and more powerful hardware security module (HSM), dedicated to data protection and key management. While building on the initial architecture, the addition of the HSM module then makes it possible to provide a protection service suited to the needs of an enterprise, for example.

    Data outsourcing to the Cloud has led to new security threats. The main concerns of this thesis are to protect user data and privacy. In particular, it follows two principles: to decrease the amount of trust that must be placed in the Cloud, and to design an architecture based on a trusted module between the Cloud and the clients. Both principles are derived from a new design approach: "Trust The Module, Not The Cloud". Gathering all the cryptographic operations in a dedicated module brings several advantages: freedom from internal and external attacks on the client side; limiting the software to the essential needs gives better control of the system; and using co-processors for cryptographic operations leads to higher performance. The thesis work is structured into three main sections. In the first section, we confront the challenges of a personal Cloud, designed to protect the users' data and based on a common and cheap single-board computer. The architecture relies on two main foundations: a transparent encryption scheme based on Full Disk Encryption (FDE), initially used for local encryption (e.g., hard disks), and a transparent distribution method that works through the iSCSI network protocol in order to outsource containers to the Cloud. In the second section we deal with the performance issue related to FDE. By analysing the XTS-AES mode of encryption, the Linux kernel module dm-crypt and the cryptographic co-processors, we introduce a new approach called extReq which extends the cryptographic requests sent to the co-processors. This optimisation doubled the encryption and decryption throughput. In the final third section we establish a Cloud for enterprises based on a more powerful and certified Hardware Security Module (HSM) which is dedicated to data encryption and key protection. Based on the TTM architecture, we added "off-the-shelf" features to provide a solution for enterprises.

  • Improving dm-crypt performance for XTS-AES mode through extended requests: first results
    HAL CCSD, 2016
    Co-Authors: Demir Levent, Thiery Mathieu, Roca Vincent, Roch Jean-louis, Tenkes Jean-michel
    Abstract:

    International audience. Using dedicated hardware is common practice in order to accelerate cryptographic operations: complex operations are managed by a dedicated co-processor and RAM/crypto-engine data transfers are fully managed by DMA operations. The CPU is therefore free for other tasks, which is vital in embedded environments with limited CPU power. In this work we discuss and benchmark XTS-AES, using either software or mixed approaches, using Linux and dm-crypt, and a low-power Atmel(tm) board. This board features an AES crypto-engine that supports ECB-AES but not the XTS-AES mode. We show that the dm-crypt module used in Linux for Full Disk Encryption has limitations that can be relaxed when considering larger block sizes. In particular we demonstrate that performance gains of almost a factor of two are possible, which opens new opportunities for future use-cases.

Engin Kirda - One of the best experts on this subject based on the ideXlab platform.

  • PRIVEXEC: Private Execution as an Operating System Service
    2013
    Co-Authors: Kaan Onarlioglu, Collin Mulliner, William Van B. Robertson, Engin Kirda
    Abstract:

    Privacy has become an issue of paramount importance for many users. As a result, encryption tools such as TrueCrypt, OS-based full-disk encryption such as FileVault, and privacy modes in all modern browsers have become popular. However, although such tools are useful, they are not perfect. For example, prior work has shown that browsers still leave many traces of user information on disk even if they are started in private browsing mode. In addition, disk encryption alone is not sufficient, as key disclosure through coercion remains possible. Clearly, it would be useful and highly desirable to have OS-level support that provides strong privacy guarantees for any application – not only browsers. In this paper, we present the design and implementation of PRIVEXEC, a novel operating system service for private execution. PRIVEXEC provides strong, general guarantees of private execution, allowing any application to execute in a mode where storage writes, either to the filesystem or to swap, will not be recoverable by others during or after execution. PRIVEXEC does not require explicit application support, recompilation, or any other preconditions. We have implemented a prototype of PRIVEXEC by extending the Linux kernel; it is performant, practical, and secures sensitive data against disclosure.

  • PrivExec: Private execution as an operating system service
    Proceedings - IEEE Symposium on Security and Privacy, 2013
    Co-Authors: Kaan Onarlioglu, Collin Mulliner, William Van B. Robertson, Engin Kirda
    Abstract:

    Privacy has become an issue of paramount importance for many users. As a result, encryption tools such as TrueCrypt, OS-based full-disk encryption such as FileVault, and privacy modes in all modern browsers have become popular. However, although such tools are useful, they are not perfect. For example, prior work has shown that browsers still leave many traces of user information on disk even if they are started in private browsing mode. In addition, disk encryption alone is not sufficient, as key disclosure through coercion remains possible. Clearly, it would be useful and highly desirable to have OS-level support that provides strong privacy guarantees for any application, not only browsers. In this paper, we present the design and implementation of PrivExec, the first operating system service for private execution. PrivExec provides strong, general guarantees of private execution, allowing any application to execute in a mode where storage writes, either to the filesystem or to swap, will not be recoverable by others during or after execution. PrivExec does not require explicit application support, recompilation, or any other preconditions. We have implemented a prototype of PrivExec by extending the Linux kernel; it is performant, practical, and secures sensitive data against disclosure.

Khati Louiza - One of the best experts on this subject based on the ideXlab platform.

  • Chiffrement de disque intégrale et au-delà (Full disk encryption and beyond)
    HAL CCSD, 2019
    Co-Authors: Khati Louiza
    Abstract:

    Équipe Cascade, ENS, Inria. This thesis is dedicated to the analysis of modes of operation in the context of disk protection. Firstly, we give modes of operation that are secure in the Full Disk Encryption (FDE) model, where additional data storage is not allowed. In this context, encryption has to be length preserving, which restricts it to deterministic modes. However, it is possible to use a value already present in the system, called a diversifier, to randomize the encryption and obtain better security. Then, we introduce two methods to analyse symmetric primitives in the very constrained Key-Dependent Message (KDM) model, which is of interest for disk encryption because the encryption key can end up on the disk. They enable us to analyse the KDM security of the Even-Mansour and Key-Alternating Feistel constructions, which are the basis of different block ciphers. Moreover, knowing that data authenticity cannot be ensured in the FDE model because tag storage is not allowed, we relax this constraint, which gives us two models: the Authenticated Disk Encryption (ADE) model and the Fully Authenticated Disk Encryption (FADE) model. A secure mode in the ADE model ensures the data authenticity of a sector but can be vulnerable to replay attacks; a secure mode in the FADE model ensures the authenticity of the entire disk, even against replay attacks. Storage is not the only point to take into account: the read and write delays on a sector are a competitive argument for disk manufacturers, since disk performance tightly depends on them, and adding the computation of authentication codes does not help. That is why we analyse incremental Message Authentication Codes: they have the property of being updatable in a time proportional to the corresponding modification.

    (Translated from the French abstract.) This thesis is devoted to the analysis of modes of operation for the protection of hard disks. First, the analysis of modes of operation that protect data confidentiality is carried out in the Full Disk Encryption model. This model is very constraining, since it excludes any mode that does not preserve length (the plaintext and ciphertext values of a sector must have the same size), and only deterministic modes can have this property. Nevertheless, it is possible to take advantage of a system value called the diversifier, which originally serves another purpose, to bring in randomness that improves the security of the modes of operation. Second, we introduce two analysis methodologies in the Key-Dependent Message model, where the adversary is allowed to encrypt messages that depend on the encryption key, which allowed us to analyse the security of the Even-Mansour and Key-Alternating Feistel schemes. Finally, knowing that it is impossible to guarantee data authenticity in the FDE model, since authentication codes are required, two models in which metadata storage is possible are considered: the ADE model for Authenticated Disk Encryption and the FADE model for Fully Authenticated Disk Encryption. The first guarantees authenticity at the sector level but is vulnerable to replay attacks, and the second guarantees the authenticity of the entire disk and prevents this type of attack. Storage is not the only point to take into account: read and write speeds are a major concern for manufacturers, since they strongly determine a disk's performance. This is why we studied incremental authentication codes, since they have the property of being updatable in a time proportional to the modification made.

  • Chiffrement de disque (Disk encryption)
    2019
    Co-Authors: Khati Louiza
    Abstract:

    (Translated from the French abstract.) This thesis is devoted to the analysis of modes of operation for the protection of hard disks. First, the analysis of modes of operation that protect data confidentiality is carried out in the Full Disk Encryption (FDE) model. This model is very constraining, since it excludes any mode that does not preserve length (the plaintext and ciphertext values of a sector must have the same size), and only deterministic modes can have this property. Nevertheless, it is possible to take advantage of a system value called the diversifier, which originally serves another purpose, in order to improve the security of the modes of operation. Second, we introduce two analysis methodologies in the Key-Dependent Message model, where the adversary is allowed to encrypt messages that depend on the encryption key, which allowed us to analyse the security of the Even-Mansour and Key-Alternating Feistel schemes. Finally, knowing that it is impossible to guarantee data authenticity in the FDE model, since authentication codes are required, two models in which metadata storage is possible are considered: the Authenticated Disk Encryption (ADE) model and the Fully Authenticated Disk Encryption (FADE) model. The first guarantees authenticity at the sector level but is vulnerable to replay attacks, and the second guarantees the authenticity of the entire disk and prevents this type of attack. The security of the cryptographic mechanisms used to protect the disk's contents is not the only parameter to take into account: read and write speeds are a major concern for manufacturers, since they strongly determine a disk's performance. This is why we studied incremental authentication codes, since they have the property of being updatable in a time proportional to the modification made.

    This thesis is dedicated to the analysis of modes of operation in the context of disk protection. Firstly, we give modes of operation that are secure in the Full Disk Encryption (FDE) model, where additional data storage is not allowed. In this context, encryption has to be length preserving, which restricts it to deterministic modes. However, it is possible to use a value already present in the system, called a diversifier, to randomize the encryption and obtain better security. Then, we introduce two methods to analyse symmetric primitives in the very constrained Key-Dependent Message (KDM) model, which is of interest for disk encryption because the encryption key can end up on the disk. They enable us to analyse the KDM security of the Even-Mansour and Key-Alternating Feistel constructions, which are the basis of different block ciphers. Moreover, knowing that data authenticity cannot be ensured in the FDE model because tag storage is not allowed, we relax this constraint, which gives us two models: the Authenticated Disk Encryption (ADE) model and the Fully Authenticated Disk Encryption (FADE) model. A secure mode in the ADE model ensures the data authenticity of a sector but can be vulnerable to replay attacks; a secure mode in the FADE model ensures the authenticity of the entire disk, even against replay attacks. Storage is not the only point to take into account: the read and write delays on a sector are a competitive argument for disk manufacturers, since disk performance tightly depends on them, and adding the computation of authentication codes does not help. That is why we analyse incremental Message Authentication Codes: they have the property of being updatable in a time proportional to the corresponding modification.

  • Security of Even–Mansour Ciphers under Key-Dependent Messages
    Ruhr-Universität Bochum, 2017
    Co-Authors: Farshim Pooya, Khati Louiza, Vergnaud Damien
    Abstract:

    The iterated Even–Mansour (EM) ciphers form the basis of many blockcipher designs. Several results have established their security in the CPA/CCA models, under related-key attacks, and in the indifferentiability framework. In this work, we study the Even–Mansour ciphers under key-dependent message (KDM) attacks. KDM security is particularly relevant for blockciphers since non-expanding mechanisms are convenient in settings such as Full Disk Encryption (where various forms of key-dependency might exist). We formalize the folklore result that the ideal cipher is KDM secure. We then show that EM ciphers meet varying levels of KDM security depending on the number of rounds and permutations used. One-round EM achieves some form of KDM security, but this excludes security against offsets of keys. With two rounds we obtain KDM security against offsets, and using different round permutations we achieve KDM security against all permutation-independent claw-free functions. As a contribution of independent interest, we present a modular framework that can facilitate the security treatment of symmetric constructions in models that allow for correlated inputs.

  • Full Disk Encryption: Bridging Theory and Practice
    'Springer Science and Business Media LLC', 2017
    Co-Authors: Khati Louiza, Mouha Nicky, Vergnaud Damien
    Abstract:

    International audience. We revisit the problem of Full Disk Encryption (FDE), which refers to the encryption of each sector of a disk volume. In the context of FDE, it is assumed that there is no space to store additional data, such as an IV (Initialization Vector) or a MAC (Message Authentication Code) value. We formally define the security notions in this model against chosen-plaintext and chosen-ciphertext attacks. Then, we classify various FDE modes of operation according to their security in this setting, in the presence of various restrictions on the queries of the adversary. We find that our approach leads to new insights for both theory and practice. Moreover, we introduce the notion of a diversifier, which does not require additional storage but allows the plaintext of a particular sector to be encrypted to different ciphertexts. We show how a 2-bit diversifier can be implemented in the EagleTree simulator for solid state drives (SSDs), while decreasing the total number of Input/Output Operations Per Second (IOPS) by only 4%.

Tilo Muller - One of the best experts on this subject based on the ideXlab platform.

  • A Systematic Assessment of the Security of Full Disk Encryption
    IEEE Transactions on Dependable and Secure Computing, 2015
    Co-Authors: Tilo Muller, Felix C Freiling
    Abstract:

    Organizations as well as private users frequently report the loss and theft of mobile devices such as laptops and smartphones. The threat of data exposure in such scenarios can be mitigated by protection mechanisms based on encryption. Full Disk Encryption (FDE) is an effective method to protect data against unauthorized access. FDE can generally be classified into software- and hardware-based solutions. We assess the practical security that users can expect from these FDE solutions regarding physical access threats. We assume that strong cryptography like AES cannot be broken but focus on vulnerabilities arising from practical FDE implementations. We present the results of a comprehensive and systematic comparison of the security of software- and hardware-based FDE. Thereby, we exhibit attacks on widespread FDE standards in many common scenarios and different system configurations. As a result, we show that neither software- nor hardware-based FDE provides perfect security, nor is one clearly superior to the other.

  • Mutual Authentication and Trust Bootstrapping towards Secure Disk Encryption
    ACM Transactions on Information and System Security, 2014
    Co-Authors: Johannes Götzfried, Tilo Muller
    Abstract:

    The weakest link in software-based full disk encryption is the authentication procedure. Since the master boot record must be present unencrypted in order to launch the decryption of remaining system parts, it can easily be manipulated and infiltrated by bootkits that perform keystroke logging; consequently, password-based authentication schemes become attackable. The current technological response, as enforced by BitLocker, verifies the integrity of the boot process by use of the trusted platform module. But, as we show, this countermeasure is insufficient in practice. We present STARK, the first tamperproof authentication scheme that mutually authenticates the computer and the user in order to resist keylogging during boot. To achieve this, STARK implements trust bootstrapping from a secure token to the whole PC. The secure token is an active USB drive that verifies the integrity of the PC and indicates the verification status by an LED to the user. This way, users can ensure the authenticity of the PC before entering their passwords.

  • Analysing Android's Full Disk Encryption Feature
    2014
    Co-Authors: Johannes Götzfried, Tilo Muller
    Abstract:

    Since Android 4.0, which was released in October 2011, users of Android smartphones are provided with a built-in encryption feature to protect their home partitions. In the work at hand, we give a structured analysis of this software-based encryption solution. For example, software-based encryption always requires at least a small part of the disk to remain unencrypted; in Android this is the entire system partition. Unencrypted parts of a disk can be read out and are open to system manipulations. We present a tool named EvilDroid to show that with physical access to an encrypted smartphone only (i.e., without user level privileges), the Android system partition can be subverted with keylogging. Additionally, as exemplified by attacks against Galaxy Nexus devices in 2012, Android-driven ARM devices are vulnerable to cold boot attacks. Data recovery tools like FROST exploit the remanence effect of RAM to recover data from encrypted smartphones, at worst the disk encryption key. With a Linux kernel module named Armored, we demonstrate that Android's software encryption can be improved to withstand cold boot attacks by performing AES entirely on the CPU without RAM. As a consequence, cold boot attacks on encryption keys can be defeated. We present both a detailed security and a performance analysis of Armored.

  • TreVisor: OS-Independent Software-Based Full Disk Encryption Secure against Main Memory Attacks
    Applied Cryptography and Network Security, 2012
    Co-Authors: Tilo Muller, Benjamin Taubmann, Felix C Freiling
    Abstract:

    Software-based disk encryption techniques store necessary keys in main memory and are therefore vulnerable to DMA and cold boot attacks which can acquire keys from RAM. Recent research results have shown operating system dependent ways to overcome these attacks. For example, the TRESOR project patches Linux to store AES keys solely on the microprocessor. We present TreVisor, the first software-based and OS-independent solution for full disk encryption that is resistant to main memory attacks. It builds upon BitVisor, a thin virtual machine monitor which implements various security features. Roughly speaking, TreVisor adds the encryption facilities of TRESOR to BitVisor, i.e., we move TRESOR one layer below the operating system into the hypervisor such that secure disk encryption runs transparently for the guest OS. We have tested its compatibility with both Linux and Windows and show positive security and performance results.

Peter Reiher - One of the best experts on this subject based on the ideXlab platform.

  • Comparing the Power of Full Disk Encryption Alternatives
    2012 International Green Computing Conference (IGCC), 2012
    Co-Authors: Aaron Fujimoto, Peter A. H. Peterson, Peter Reiher
    Abstract:

    This paper examines the energy costs of different approaches to full disk encryption, including hardware encryption, software encryption, and "no encryption". Using the DEEP power measurement platform, we measured the energy consumed by each configuration under various workloads. We demonstrate that hardware encryption saves energy for many (though not all) workloads, but that the energy savings may not compensate for the hardware price at current rates.

  • Investigating Energy and Security Trade-offs in the Classroom with the Atom LEAP Testbed
    USENIX Security Symposium, 2011
    Co-Authors: Peter A. H. Peterson, Digvijay Singh, William J Kaiser, Peter Reiher
    Abstract:

    We recently used the Atom LEAP as the foundation for CS 188, an undergraduate research seminar investigating potential trade-offs between security and energy consumption in a hypothetical, battery-powered tablet device. Twenty-three students, in five groups, researched the energy costs of full disk encryption, network cryptography, and sandboxing techniques, as well as the potential savings from two concepts: offloading security computation, and enabling user-level applications to modulate their security behavior based on battery capacity and environmental security. The Atom LEAP is an exciting and powerful tool. A self-contained energy measurement platform, it can generate 10,000 component-level power samples per second during runtime. The Atom LEAP synchronizes individual samples to the time stamp counter of the Intel Atom CPU, allowing us to measure small code segments in the kernel or in user space. The success of CS 188 was possible because of the Atom LEAP's unique capabilities and ease of use. Following the success of the class, we are working to improve the hardware and software tools, in the hope that the Atom LEAP might someday become a widespread tool for energy research and education.