When Cryptography Meets Storage

1
When Cryptography Meets Storage

• Sarah Diesburg, Chris Meyers, David Lary,
  and An-I Andy Wang
• Florida State University

2
Motivations

• Cryptographic systems used for confidential
  storage of data
• Assumptions made for other media (e.g. networks)
  not directly applicable to storage
• Usage patterns and properties affect
  confidentiality guarantees, especially when keys
  and IVs are reused over time

Introduction Background Cryptanalysis
Examples Conclusion
3
Contributions

• Non-contributions
• Two-time pad problem
• Criticisms of particular storage systems
• Instead, we want to demonstrate what can go
  wrong when cryptography and storage constraints
  collide.

Introduction Background Cryptanalysis
Examples Conclusion
4
Applying Encryption to a Network

• Usage patterns and properties
• Short-lived data streams (e.g., messages)
• Write-once content (e.g., transactions)
• Uniqueness of keys and IVs achieved by cycling
  through large IV space before changing to new key

Introduction Background Cryptanalysis
Examples Conclusion
5
Storage

• Similar to a communication channel through time,
  but
• Usage patterns and properties
• In-place updates - if keys and IVs are generated
  as a function of offsets within a file or storage
  medium, the uniqueness of keys and IVs is
  compromised
• Example using sector number as IV

Introduction Background Cryptanalysis
Examples Conclusion
6
Storage

• Content shifting - potentially a large quantity
  of original plaintext is encrypted via reusing
  the keys and IVs defined as a function of file
  and disk locations
• Backups versions of backups can violate the
  uniqueness of IVs and keys

Introduction Background Cryptanalysis
Examples Conclusion
7
Legacy Storage Data Path Problems

• Single generic data type - encrypted and
  non-encrypted data treated similarly
• Sensitive data may be cached in plaintext
• Poor consistency guarantees versions of
  encrypted data may reside in memory and on disk
• Due to OS mechanisms (e.g., hibernation and swap)

Introduction Background Cryptanalysis
Examples Conclusion
8
Legacy Storage Data Path Problems

• Information hiding no physical views of the
  underlying storage
• Old versions may still linger on raw storage,
  even though application can only see newest
  encrypted data

Introduction Background Cryptanalysis
Examples Conclusion
9
Two-time Pad Problem

• Occurs when cryptographic information is reused
  to generate new encrypted data
• Best explained with stream cipher example

Introduction Background Cryptanalysis
Examples Conclusion
10
Stream Ciphers

• K ? P C

• K ? P C

• K ? P C
• K ? P C
• P ? P C ? C

?
K
K
P
P
C
C
Introduction Background Cryptanalysis
Examples Conclusion
11
Block Cipher Modes of OperationCFB
Ekey(IV)?P1C1 Ekey(C1)?P2C2 Ekey(C2)?P3C3
Introduction Background Cryptanalysis
Examples Conclusion
12
Block Cipher Modes of OperationCFB
Ekey(IV)?P1C1 Ekey(C1)?P2C2 Ekey(C2)?P3C3
Introduction Background Cryptanalysis
Examples Conclusion
13
Block Cipher Modes of OperationCFB
Ekey(IV)?P1C1 Ekey(C1)?P2C2 Ekey(C2)?P3C3
Introduction Background Cryptanalysis
Examples Conclusion
14
Block Cipher Modes of OperationCFB
Ekey(IV)?P1C1 Ekey(C1)?P2C2 Ekey(C2)?P3C3
Ekey(IV)?P1C1 Ekey(C1)?P2C2 Ekey(C2)?P3C3

Introduction Background Cryptanalysis
Examples Conclusion
15
Block Cipher Modes of OperationCFB
Ekey(IV)?P1C1 Ekey(C1)?P2C2 Ekey(C2)?P3C3
Ekey(IV)?P1C1 Ekey(C1)?P2C2 Ekey(C2)?P3C3

Introduction Background Cryptanalysis
Examples Conclusion
16
Block Cipher Modes of OperationCFB
Ekey(IV)?P1C1 Ekey(C1)?P2C2 Ekey(C2)?P3C3
Ekey(IV)?P1C1 Ekey(C1)?P2C2 Ekey(C2)?P3C3

Introduction Background Cryptanalysis
Examples Conclusion
17
Block Cipher Modes of OperationCFB
Ekey(IV)?P1C1 Ekey(C1)?P2C2 Ekey(C2)?P3C3
Ekey(IV)?P1C1 Ekey(C1)?P2C2 Ekey(C2)?P3C3

Introduction Background Cryptanalysis
Examples Conclusion
18
Block Cipher Modes of OperationCFB

• Scope of vulnerability limited to current
  in-place updated block

Ekey(IV)?P1C1 Ekey(C1)?P2C2 Ekey(C2)?P3C3
Ekey(IV)?P1C1 Ekey(C1)?P2C2 Ekey(C2)?P3C3

Introduction Background Cryptanalysis
Examples Conclusion
19
Block Cipher Modes of OperationOFB
Ekey(IV)?P1C1 Ekey(Ekey(IV))?P2C2
Ekey(Ekey(Ekey(IV)))?P3C3
Introduction Background Cryptanalysis
Examples Conclusion
20
Block Cipher Modes of OperationOFB
Ekey(IV)?P1C1 Ekey(Ekey(IV))?P2C2
Ekey(Ekey(Ekey(IV)))?P3C3
Introduction Background Cryptanalysis
Examples Conclusion
21
Block Cipher Modes of OperationOFB
Ekey(IV)?P1C1 Ekey(Ekey(IV))?P2C2
Ekey(Ekey(Ekey(IV)))?P3C3
Ekey(IV)?P1C1 Ekey(Ekey(IV))?P2C2
Ekey(Ekey(Ekey(IV)))?P3C3
Introduction Background Cryptanalysis
Examples Conclusion
22
Block Cipher Modes of OperationOFB
Ekey(IV)?P1C1 Ekey(Ekey(IV))?P2C2
Ekey(Ekey(Ekey(IV)))?P3C3
Ekey(IV)?P1C1 Ekey(Ekey(IV))?P2C2
Ekey(Ekey(Ekey(IV)))?P3C3
Introduction Background Cryptanalysis
Examples Conclusion
23
Block Cipher Modes of OperationOFB
Ekey(IV)?P1C1 Ekey(Ekey(IV))?P2C2
Ekey(Ekey(Ekey(IV)))?P3C3
Ekey(IV)?P1C1 Ekey(Ekey(IV))?P2C2
Ekey(Ekey(Ekey(IV)))?P3C3
Introduction Background Cryptanalysis
Examples Conclusion
24
Block Cipher Modes of OperationOFB

• Scope of vulnerability begins with first changed
  block and potentially ends with last block in
  file or extent

Ekey(IV)?P1C1 Ekey(Ekey(IV))?P2C2
Ekey(Ekey(Ekey(IV)))?P3C3
Ekey(IV)?P1C1 Ekey(Ekey(IV))?P2C2
Ekey(Ekey(Ekey(IV)))?P3C3
Introduction Background Cryptanalysis
Examples Conclusion
25
Block Cipher Modes of OperationCTR

• Scope of vulnerability begins with first changed
  block and potentially ends with last block in
  file or extent

Ekey(nonce ?ctr1)?P1C1 Ekey(nonce
?ctr2)?P2C2 Ekey(nonce ?ctr3)?P3C3
Ekey(nonce ?ctr1)?P1C1 Ekey(nonce
?ctr2)?P2C2 Ekey(nonce ?ctr3)?P3C3
Introduction Background Cryptanalysis
Examples Conclusion
26
Proof of Concept DecodeXOR

• Built a utility to extract P and P from C ? C
• Mostly hashing
• No frequency analysis, hidden Markov models, etc.
• OK to include punctuations, mixed case letters,
  numbers, and extended ASCII characters
• Written in C, only 363 semicolons
• Relies heavily on training set
• Ample room for enhancements

Introduction Background Cryptanalysis
Examples Conclusion
27
DecodeXOR

• n-gram table representation and construction
• Training file
• 100MB of English content from random web pages
• All consecutive 2-grams encountered hashed into
  bitmap

Example
0
0
0
0
0
0
0
0
0
0
0
0
0
0
Introduction Background Cryptanalysis
Examples Conclusion
28
DecodeXOR

• n-gram table representation and construction
• Training file
• 100MB of English content from random web pages
• All consecutive 2-grams encountered hashed into
  bitmap

Example
0
0
0
0
0
1
0
0
0
0
0
0
0
0
Introduction Background Cryptanalysis
Examples Conclusion
29
DecodeXOR

• n-gram table representation and construction
• Training file
• 100MB of English content from random web pages
• All consecutive 2-grams encountered hashed into
  bitmap

Example
0
0
1
0
0
1
0
0
0
0
0
0
0
0
Introduction Background Cryptanalysis
Examples Conclusion
30
DecodeXOR

• n-gram table representation and construction
• Training file
• 100MB of English content from random web pages
• All consecutive 2-grams encountered hashed into
  bitmap

Example
0
0
1
0
0
1
0
0
0
0
0
0
0
0
Introduction Background Cryptanalysis
Examples Conclusion
31
DecodeXOR

• n-gram table representation and construction
• Same method extended to capture n-grams of 3 to 6
  characters.

Example
0
0
0
0
0
0
0
0
0
0
0
0
0
0
Introduction Background Cryptanalysis
Examples Conclusion
32
DecodeXOR

• n-gram table representation and construction
• Same method extended to capture n-grams of 3 to 6
  characters.

Example
0
0
0
0
0
1
0
0
0
0
0
0
0
0
Introduction Background Cryptanalysis
Examples Conclusion
33
DecodeXOR

• n-gram table representation and construction
• Same method extended to capture n-grams of 3 to 6
  characters.

Example
0
0
0
0
1
1
0
0
0
0
0
0
0
0
Introduction Background Cryptanalysis
Examples Conclusion
34
DecodeXOR

• n-gram table representation and construction
• Same method extended to capture n-grams of 3 to 6
  characters.

Example
0
0
0
0
0
0
0
0
0
1
0
0
0
0
Introduction Background Cryptanalysis
Examples Conclusion
35
DecodeXOR

• n-gram table representation and construction
• Same method extended to capture n-grams of 3 to 6
  characters.

Example
0
0
0
0
0
1
0
0
0
1
0
0
0
0
Introduction Background Cryptanalysis
Examples Conclusion
36
DecodeXOR

• n-gram table representation and construction
• Can combine all tables, effectively a Bloom
  filter

1
0
0
1
1
0
0
1
0
1
0
1
1
0
2-gram

0
0
1
0
1
0
1
1
1
0
0
0
1
0
6-gram
1
0
1
1
1
0
1
1
1
1
0
1
1
0
combined
Introduction Background Cryptanalysis
Examples Conclusion
37
DecodeXOR

• Solving plaintext substrings
• Candidate plaintexts need to conform to 3
  constraints

1st constraint
P1 P2 P3 P4 P5 P6 P7 P1 P2 P3 P4 P5
P6 P7
?
S1 S2 S3 S4 S5 S6 S7
Introduction Background Cryptanalysis
Examples Conclusion
38
DecodeXOR

• Solving plaintext substrings
• Candidate plaintexts need to conform to 3
  constraints

2nd constraint
P1 P2 P3 P4 P5 P6 P7 P1 P2 P3 P4 P5
P6 P7
The above is a legitimate 6-gram
Introduction Background Cryptanalysis
Examples Conclusion
39
DecodeXOR

• Solving plaintext substrings
• Candidate plaintexts need to conform to 3
  constraints

2nd constraint
P1 P2 P3 P4 P5 P6 P7 P1 P2 P3 P4 P5
P6 P7
The above is a legitimate 6-gram
Introduction Background Cryptanalysis
Examples Conclusion
40
DecodeXOR

• Solving plaintext substrings
• Candidate plaintexts need to conform to 3
  constraints

2nd constraint
P1 P2 P3 P4 P5 P6 P7 P1 P2 P3 P4 P5
P6 P7
The above is a legitimate 6-gram
Introduction Background Cryptanalysis
Examples Conclusion
41
DecodeXOR

• Solving plaintext substrings
• Candidate plaintexts need to conform to 3
  constraints

2nd constraint
P1 P2 P3 P4 P5 P6 P7 P1 P2 P3 P4 P5
P6 P7
The above is a legitimate 6-gram
Introduction Background Cryptanalysis
Examples Conclusion
42
DecodeXOR

• Solving plaintext substrings
• Candidate plaintexts need to conform to 3
  constraints

3rd constraint
P1 P2 P3 P4 P5 P6 P7 P1 P2 P3 P4 P5
P6 P7
The last 5 characters of Pn,,Pn5 need
to match the first 5 characters of Pn1,Pn6
Introduction Background Cryptanalysis
Examples Conclusion
43
DecodeXOR

• Solving plaintext substrings
• Candidate plaintexts need to conform to 3
  constraints

3rd constraint
P1 P2 P3 P4 P5 P6 P7 P1 P2 P3 P4 P5
P6 P7
The last 5 characters of Pn,,Pn5 need
to match the first 5 characters of Pn1,Pn6
Introduction Background Cryptanalysis
Examples Conclusion
44
DecodeXOR

• Solving plaintext substrings
• Candidate plaintexts need to conform to 3
  constraints

3rd constraint
P1 P2 P3 P4 P5 P6 P7 P1 P2 P3 P4 P5
P6 P7
Same for P substrings
Introduction Background Cryptanalysis
Examples Conclusion
45
DecodeXOR

• Solving plaintext substrings
• Candidate plaintexts need to conform to 3
  constraints

3rd constraint
P1 P2 P3 P4 P5 P6 P7 P1 P2 P3 P4 P5
P6 P7
Same for P substrings
Introduction Background Cryptanalysis
Examples Conclusion
46
DecodeXOR Test Run
Introduction Background Cryptanalysis
Examples Conclusion
47
Four Storage Examples

• Seemingly one-time pads may be turned into
  two-time pads
• File system
• Swap
• Flash memory
• Backups in all-or-nothing secure deletion system
• Goal is not to criticize particular
  implementations

Introduction Background Cryptanalysis
Examples Conclusion
48
File System

• CryptoFS
• Popular encryption file system
• Extent-based
• Uses CFB mode to support extent-based random
  access
• Number of unique IVs is fixed but configurable
• IV disk block number number of IVs

Introduction Background Cryptanalysis
Examples Conclusion
49
File System
File structure with extents and CFB encryption
4KB
4KB
Introduction Background Cryptanalysis
Examples Conclusion
50
File System
File structure with extents and CFB encryption
4KB
4KB
Ekey(IV0)?P1C1 Ekey(C1)?P2C2
Introduction Background Cryptanalysis
Examples Conclusion
51
File System
File structure with extents and CFB encryption
4KB
4KB
Ekey(IV0)?P1C1 Ekey(C1)?P2C2
Ekey(IV0)?P1C1 Ekey(C1)?P2C2
Introduction Background Cryptanalysis
Examples Conclusion
52
File System
File structure with extents and CFB encryption
4KB
4KB
Ekey(IV0)?P1C1 Ekey(C1)?P2C2
Ekey(IV0)?P1C1 Ekey(C1)?P2C2
Introduction Background Cryptanalysis
Examples Conclusion
53
File System
File structure with extents and CFB encryption
4KB
4KB
Ekey(IV0)?P1C1 Ekey(C1)?P2C2
Ekey(IV0)?P1C1 Ekey(C1)?P2C2
Introduction Background Cryptanalysis
Examples Conclusion
54
File System
File structure with extents and CFB encryption
4KB
4KB
Ekey(IV0)?P1C1 Ekey(C1)?P2C2
Ekey(IV0)?P1C1 Ekey(C1)?P2C2
Introduction Background Cryptanalysis
Examples Conclusion
55
File System
File structure with extents and CFB encryption
4KB
4KB
Ekey(IV0)?P1C1 Ekey(C1)?P2C2 Ekey(IV1)?P257C257

Ekey(IV0)?P1C1 Ekey(C1)?P2C2 Ekey(IV1)?P257
C257


Introduction Background Cryptanalysis
Examples Conclusion
56
File System
File structure with extents and CFB encryption
4KB
4KB
Ekey(IV0)?P1C1 Ekey(C1)?P2C2 Ekey(IV1)?P257C257

Ekey(IV0)?P1C1 Ekey(C1)?P2C2 Ekey(IV1)?P257
C257


Introduction Background Cryptanalysis
Examples Conclusion
57
File System
File structure with extents and CFB encryption
4KB
4KB
Ekey(IV0)?P1C1 Ekey(C1)?P2C2 Ekey(IV1)?P257C257

Ekey(IV0)?P1C1 Ekey(C1)?P2C2 Ekey(IV1)?P257
C257


Introduction Background Cryptanalysis
Examples Conclusion
58
File System
File structure with extents and CFB encryption
4KB
4KB

• Once content starts to shift, an attacker can
  decrypt the modified block and the first block of
  subsequent extents after the content insertion
  point

Introduction Background Cryptanalysis
Examples Conclusion
59
Proof of Concept

• We encrypt one file and save a copy of C1
• P1 Now is the time for all good people to
  worry about their privacy.
• We modify the file and save a copy of C1
• P1 Now is the time for all good people to
  worry about their privacy.

Introduction Background Cryptanalysis
Examples Conclusion
60
Proof of Concept

• DecodeXOR

Introduction Background Cryptanalysis
Examples Conclusion
61
Flash

• Use of flash storage is becoming ubiquitous
• Although popular, flash has limitations
• Each storage location can only be erased up to
  100,000 times
• Erasure time is slow (in msec)
• An in-place update involves first erasing the
  target location before writing new data

Introduction Background Cryptanalysis
Examples Conclusion
62
Flash

• Wear leveling rotates the usage of locations
  evenly to prolong the life of device

OS
A
Z
Flash
0
1
1
2
3
4
5
6
Introduction Background Cryptanalysis
Examples Conclusion
63
Flash

• Wear leveling rotates the usage of locations
  evenly to prolong the life of device

Write A to 1
OS
A
Z
Flash
0
1
1
2
3
4
5
6
Introduction Background Cryptanalysis
Examples Conclusion
64
Flash

• Wear leveling rotates the usage of locations
  evenly to prolong the life of device
• Overwrites go to new block instead of original
  block

Write A to 1
OS
A
Z
A
Flash
0
1
1
2
3
4
5
6
Introduction Background Cryptanalysis
Examples Conclusion
65
Flash

• Dead data is often left behind on the flash until
  that block is needed to store new data

OS
A
Z
A
B
C
Y
Z
Flash
0
1
1
2
3
4
5
6
Introduction Background Cryptanalysis
Examples Conclusion
66
Flash

• Dead data is often left behind on the flash until
  that block is needed to store new data

Write J to 2
OS
A
Z
A
B
C
Y
Z
Flash
0
1
1
2
3
4
5
6
Introduction Background Cryptanalysis
Examples Conclusion
67
Flash

• Dead data is often left behind on the flash until
  that block is needed to store new data

Write J to 2
OS
Erase!
A
A
B
C
Y
Z
Flash
0
1
1
2
3
4
5
6
Introduction Background Cryptanalysis
Examples Conclusion
68
Flash

• Dead data is often left behind on the flash until
  that block is needed to store new data

Write J to 2
OS
A
J
A
B
C
Y
Z
Flash
0
1
1
2
3
4
5
6
Introduction Background Cryptanalysis
Examples Conclusion
69
Flash

• We demonstrate that we can find old encrypted
  data using JFFS2
• Log-based file system with wear leveling for
  flash
• Experiment
• Mounted jffs2 on a disk partition using the
  emulation module block2mtd

Introduction Background Cryptanalysis
Examples Conclusion
70
Flash

• Encrypted two files with 128-bit AES in OFB mode
  with same key and IV
• File1 and File2 identical, except File2s 2nd
  block has shifted content
• Result is different ciphertext for second half of
  file

File1
File2
4KB
4KB
4KB
4KB
Introduction Background Cryptanalysis
Examples Conclusion
71
Flash

• Copied File1 onto the jffs2 flash partition
• Overwrote the second half of File1 with the
  modified second half of File2
• See if we could find traces of the original
  second half of file1
• We were able to verify large portions of the
  original second half of file1!
• With both second halves, we could use DecodeXOR
  to recover the plaintext

Introduction Background Cryptanalysis
Examples Conclusion
72
Lessons

• Avoid certain encryption modes in storage
• Do not reuse keys and IVs when re-encrypting data
• Be aware of the properties of legacy storage data
  path
• Single generic data type
• Poor consistency guarantees
• Information hiding

Introduction Background Cryptanalysis
Examples Conclusion
73
Conclusion

• Remember storage is different than networks
• In-place updates
• Content shifting
• Backups
• Legacy storage usage patterns and properties
  threaten confidentiality
• Knowing what can go wrong is the first step

Introduction Background Cryptanalysis
Examples Conclusion
74
Questions?

• When Cryptography Meets Storage
• Sarah Diesburg, Chris Meyers,
• David Lary, and An-I Andy Wang
• Florida State University

75
Extra Slides
76
Attacks

• So how can attacker get two versions of a files
  ciphertext?
• Backups
• Portable hard drives, flash, versioning file
  systems
• Multiuser machine
• Through root access or poor directory permission
  settings
• Email snooping / network sniffing
• Swap
• More to the imagination

Introduction Background Cryptanalysis
Examples Conclusion
77
Swap via Hibernation

• Memory caching may keep recently modified
  encrypted data in memory
• Write-back policy
• Hibernation allows system to save current memory
  states to non-volatile storage
• Could result in multiple stored versions of data
  encrypted with same key and IV

Introduction Background Cryptanalysis
Examples Conclusion
78
Swap via Hibernation

• Experiment
• Injected encrypted data into memory
• Indentified swap candidate blocks with high
  entropy
• Created XOR blocks by XORing encrypted file
  blocks with candidate swap blocks
• Used DecodeXOR to analyze XOR blocks that exhibit
  low, but non-zero entropy
• C ? C P ? P low entropy
• C ? C zero entropy
• C1 ? C2 high entropy

Introduction Background Cryptanalysis
Examples Conclusion
79
DecodeXOR

• Tracking and assembling candidate plaintext
  substrings
• Uses a hash table to track 6-character candidate
  substrings that satisfy previous constraints
• For each 6-character candidate substring
• Last 5 characters in substring determine storage
  location of the 6-character substring
• First 5 characters in substring points to the
  hash bin location of the previous candidate
  substring with the last 5 characters matched

Introduction Background Cryptanalysis
Examples Conclusion