Security Features for SSD
Why is Storage Security Important?
Dilemmas! "A secret known by two is no longer a secret"
● Source: https://www.symantec.com/about/newsroom/press-kits#
● Source: https://trustedcomputinggroup.org/work-groups/storage/
Why focus on DAR (Data at Rest) and DARE (DAR Encryption)?
3 States of Data: data is everywhere, and when it is broadly categorized, three states of data exist.

Data in Motion
• Network: discovery, analysis, protection & control
• Multi-channel: e-mail, messaging, P2P, web, FTP, etc.
• Anytime a user uploads or downloads data from a cloud server, or data is in transit while being shared, that's data in motion.
• Data in transit is often an easy target for cyber criminals, who can position themselves between where data is stored and where it's going to syphon off information in transit. If this data in motion is not encrypted, there's nothing stopping the cyber criminal from gaining access.

Data at Rest
• Integrity
• PC, server, HDD, SSD, other media
• When that same data is simply existing in the cloud or on an endpoint device, the data is at rest.
• There's a misconception that data at rest is more secure than data in motion; the truth is they're both vulnerable. Outside of physical device theft, where any unsecured data at rest could become vulnerable, if data at rest isn't outfitted with access rights controls, nothing is stopping an end user from downloading an app and unwittingly giving it permission to access that file on their device.
• Data leakage through a stolen/lost laptop or storage device
• End of life and disposal

Data in Use
• End point, network interface
• Data in use could include anything from a file being copied between folders, to files being edited, to data being transferred from a laptop to a thumb drive. While it might be easier to steal data in motion, data in use (and data at rest) must always be secure as well.
Encryption at Rest in Google Cloud Platform
Google's default Encryption Policy
• Several layers of encryption are used to protect data stored in Google Cloud Platform. Either distributed file system encryption or database and file storage encryption is in place for almost all files; and storage device encryption is in place for almost all files.
• Data at Google is broken up into encrypted chunks for storage.
• To decrypt a data chunk, the storage service calls Google's Key Management Service (KMS) to retrieve the unwrapped data encryption key (DEK) for that data chunk.
Source: https://cloud.google.com/security/encryption-at-rest/default-encryption/
What are the Security Features for SSD? DAR security features
▪ Without User-data Encryption
ATA Security
▪ Security mode feature set
▪ The storage device allows read/write access to the user data only after the required authority is proven
▪ User password / Master password
▪ Frozen mode supply: the storage device will abort all read/write commands until it is unlocked
TCG Pyrite
▪ TCG Security Subsystem Class
▪ Pyrite SSC does not specify encryption of user data
▪ With User-data Encryption
FDE (Full Disk Encryption)
▪ Encrypts an entire disk (1 global range)
▪ One key (Media Encryption Key) encrypts/decrypts the whole device
Microsoft eDrive
▪ MS Windows manages eDrive
▪ No additional key management solution to deploy
▪ The best-kept secret in storage device encryption security
SED (Self Encrypting Drive)
▪ TCG Opal (Client) / TCG Enterprise (Enterprise)
▪ Encrypts multiple ranges with a key management scheme
What is a SED? Self Encrypting Drive
▪ Power Off: Drive Locked / Encrypted = Secure + "Instant Crypto Erase"
- Hardware AES engine (AES: Advanced Encryption Standard, FIPS 197)
- Encrypt everything written
- Decrypt everything read
[Diagram: Encryption AES 128/256-bit; IEEE 1667; TCG OPAL 2.0 protocol; hardware encryption engine AES256; management application]
What are SEDs? Classical FDE (Full Disk Encryption)
▪ Encryption performed by the OS
▪ FDE Software
• BitLocker (MS)
• SecureDoc (WinMagic)
• Embassy (WAVE)
• SafeBoot (McAfee), etc.
▪ PROS
• User data is useless without the key
• Hardware-based FDE within a storage device is called a SED
• Instant "Secure Erase" is possible: simply delete the key
▪ CONS
• Runtime performance degradation
[Diagram: Host (Boot Process, Accessing User Files/Apps, OS, Cryptographic S/W driver, plaintext data) writes encrypted data to the FDE Drive]
What are SEDs? SED (Self Encrypting Drive)
▪ Hardware AES engine
▪ Encryption performed by the drive controller
▪ SED security = SED + ISV application
▪ Provides a more secure solution than FDE
▪ PROS
• No performance overhead
• Instant in-place encryption
• Secure boot flow is available
▪ CONS
▪ Protect against malware?
SED types
• Microsoft: eDrive
• TCG SWG standards: OPAL, OPALite, Enterprise, Pyrite
[Diagram: Host (User Files/Apps, OS, plaintext data, security commands) and SED (cryptographic H/W in SED, encrypted data)]
What are SEDs? FDE (S/W encryption based) vs SED (H/W based): Performance Comparison
[Chart: FDE vs SED performance comparison]
Source: https://www.trustedstrategies.com/
What is a TCG OPAL SED? TCG (Trusted Computing Group) > SWG (Storage Work Group)
[Diagram: TCG work groups: Virtualized Platform, Mobile, Trusted Multi-tenant Infrastructure, Embedded Systems, Trusted Network Connect, Storage, Trusted Software Stack, Platform Module, PC Client, Server, Infrastructure; TCG Members]
Source: www.trustedcomputinggroup.org
What is a TCG OPAL SED? TCG (Trusted Computing Group) > SWG (Storage Work Group): With TCG OPAL SED
TCG SWG Motivation
▪ Compared to S/W-based encryption solutions, SEDs offer many benefits to the user
• Provides encrypting/locking
• Simple password-based authentication
▪ TCG OPAL/Enterprise SSCs address the DAR problem
• Data leak through a stolen or lost laptop or storage device
• End of life and disposal
TCG Storage Specifications (hierarchy): General Document > Security Subsystem Class > Feature Sets
What is a TCG OPAL SED? TCG OPAL SED Contents
▪ System Area
• TCG tables and templates
• MEK (Media Encryption Key)
• FW variables and settings, etc.
▪ Shadow MBR
• Pre-boot environment
▪ User Data Area
• Always encrypted with MEK
• Potential for multiple ranges (or bands) with different MEKs
TCG OPAL SED Power States
• Drive is always locked whenever it is power cycled
• Locked: only the Shadow MBR is visible, read-only
• PBA (Pre-boot Authentication): user authenticates, drive decrypts MEK & loads user data, triggers boot
• Drive remains in the unlocked state until power cycle or de-authenticate
• Unlocked: encryption transparent to OS, only user data visible
• Only the authenticated user can lock/unlock the drive
[State diagram: Power off / De-authenticate transitions between the locked state (encrypted data) and the unlocked state (plaintext data)]
What is a TCG OPAL SED? TCG OPAL SED Operation Flow / TCG OPAL SED Layout
[Diagrams: TCG OPAL SED operation flow and layout; the password is processed with PBKDF2 (Password-Based Key Derivation Function 2) with SHA256]
Source: www.trustedcomputinggroup.org
Appendix – Additional Security Features
▪ Digitally signed firmware binaries
▪ All vendor unique commands or other abilities, including for debug, must be protected
▪ Security versioning, logging, etc.
• Example: Secure Boot & Download
Firmware Signing (key generator produces an RSA public key and an RSA private key, kept secret)
1. Build a firmware binary
2. Hash the firmware binary with SHA-256
3. Generate an RSA signature with the RSA private key; the signed firmware image is the firmware binary plus the RSA signature (encrypted hash)
Secure Boot & Download (RSA public key stored in the protection area of the storage device)
1. Decrypt the RSA signature with the RSA public key to obtain the SHA-256 hash (decrypted)
2. Hash the firmware binary with SHA-256
3. Compare whether both hashes are the same. If same, continue boot or download the current firmware binary.
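The signing and secure boot/download steps above, as an added Go example that is not the vendor's or any SSD's firmware code: SHA-256 over the image, an RSA signature made with the private key, and a device-side verification with the public key that rejects an image whose hash no longer matches. PKCS#1 v1.5 padding, the 2048-bit key and the constructed image bytes are assumptions, since the slide names only SHA-256 and RSA.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// SignFirmware is the vendor-side flow from the slide: hash the built binary with
// SHA-256, then sign the digest with the RSA private key (kept secret by the vendor).
// PKCS#1 v1.5 padding is an assumption; the slide does not name a padding scheme.
func SignFirmware(priv *rsa.PrivateKey, firmware []byte) ([]byte, error) {
	digest := sha256.Sum256(firmware)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// VerifyFirmware is the device-side check at secure boot or firmware download:
// recompute SHA-256 over the received binary and compare it with the hash recovered
// from the signature using the public key stored in the device's protected area.
// Only a match allows the image to boot or to replace the current firmware.
func VerifyFirmware(pub *rsa.PublicKey, firmware, sig []byte) error {
	digest := sha256.Sum256(firmware)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return errors.New("hash mismatch: reject image, keep current firmware")
	}
	return nil
}

// SecureBootDemo signs a constructed image, then verifies the genuine image and a
// one-bit-flipped copy. Returns (genuine accepted, tampered rejected, error).
func SecureBootDemo() (bool, bool, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // vendor key pair (constructed)
	if err != nil {
		return false, false, err
	}
	firmware := []byte("constructed SSD firmware image v1.0")
	sig, err := SignFirmware(priv, firmware)
	if err != nil {
		return false, false, err
	}
	tampered := append([]byte(nil), firmware...)
	tampered[len(tampered)-1] ^= 0x01 // a single changed bit, as in a corrupted or modified image
	genuineOK := VerifyFirmware(&priv.PublicKey, firmware, sig) == nil
	tamperedRejected := VerifyFirmware(&priv.PublicKey, tampered, sig) != nil
	return genuineOK, tamperedRejected, nil
}
```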
Thank You