Advertisement

Practical Cryptographic Data Integrity Protection with Full Disk Encryption

  • Milan BrožEmail author
  • Mikuláš Patočka
  • Vashek Matyáš
Conference paper
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 529)

Abstract

Full Disk Encryption (FDE) has become a widely used security feature. Although FDE can provide confidentiality, it generally does not provide cryptographic data integrity protection. We introduce an algorithm-agnostic solution that provides both data integrity and confidentiality protection at the disk sector layer. Our open-source solution is intended for drives without any special hardware extensions and is based on per-sector metadata fields implemented in software. Our implementation has been included in the Linux kernel since the version 4.12.

Notes

Acknowledgments

The authors thank Arno Wagner, John Strunk, Ondrej Mosnáček, Virgil Gligor and Ric Wheeler for valuable comments.

References

  1. 1.
    FIPS Publication 197, the advanced encryption standard (AES) (2001), U.S. DoC/NISTGoogle Scholar
  2. 2.
    IEEE standard for authenticated encryption with length expansion for storage devices. IEEE Std 1619.1-2007 (2008).  https://doi.org/10.1109/IEEESTD.2008.4523925
  3. 3.
    CAESAR: competition for authenticated encryption: security, applicability, and robustness (2016). http://competitions.cr.yp.to/caesar.html
  4. 4.
    DM-crypt: Linux device-mapper crypto target (2017). http://gitlab.com/cryptsetup/cryptsetup/wikis/DMCrypt
  5. 5.
    LUKS: Linux unified key setup (2017). http://gitlab.com/cryptsetup/cryptsetup
  6. 6.
    Linux mainline kernel archive (2018). http://kernel.org
  7. 7.
    Alendal, G., et al.: Got HW crypto? On the (in)security of a self-encrypting drive series. IACR Cryptology ePrint Archive (2015)Google Scholar
  8. 8.
    Axboe, J.: Flexible I/O tester (2017). http://github.com/axboe/fio
  9. 9.
    Bairavasundaram, L.N., et al.: An analysis of data corruption in the storage stack. ACM Trans. Storage 4(3), 8 (2008)CrossRefGoogle Scholar
  10. 10.
    Bellare, M., et al.: Authenticated encryption: Relations among notions and analysis of the generic composition paradigm. J. Digital Forensics Secur. Law 21(4), Article 6, 23–33 (2008).  https://doi.org/10.15394/jdfsl.2016.1428
  11. 11.
    Bernstein, D.J.: ChaCha, a variant of Salsa20 (2008). http://cr.yp.to/chacha/chacha-20080120.pdf
  12. 12.
    Böck, H., et al.: Nonce-disrespecting adversaries: practical forgery attacks on GCM in TLS. IACR Cryptology ePrint Archive (2016)Google Scholar
  13. 13.
    Brož, M., et al.: Practical cryptographic data integrity protection with full disk encryption. Technical report (2018). https://gitlab.com/cryptsetup/cryptsetup/wikis/integritytechreport
  14. 14.
    Dawidek, P.J.: FreeBSD GELI encryption system (2011). http://github.com/freebsd/freebsd/blob/master/sys/geom/eli/g_eli_integrity.c
  15. 15.
    van Dijk, M., et al.: Offline untrusted storage with immediate detection of forking and replay attacks. In: Proceedings of the 2007 ACM Workshop on Scalable Trusted Computing, STC 2007, ACM (2007)Google Scholar
  16. 16.
    Dowdeswell, R.C.: Initial analysis of GBDE (2003). http://www.imrryr.org/~elric/cgd/gbde-analysis2.pdf
  17. 17.
    Dworkin, M.J.: SP 800–38D recommendation for block cipher modes of operation: galois/counter mode (GCM) and GMAC, NIST (2007)Google Scholar
  18. 18.
    Dworkin, M.J.: SP 800–38E recommendation for block cipher modes of operation: the XTS-AES mode for confidentiality on storage devices, NIST (2010)Google Scholar
  19. 19.
    Ferguson, N.: AES-CBC + Elephant diffuser: a disk encryption algorithm for Windows Vista, Microsoft Corporation (2006)Google Scholar
  20. 20.
    Ferguson, N.: Cryptography Engineering: Design Principles and Practical Applications. Wiley Publishing, Hoboken (2010)Google Scholar
  21. 21.
    Fruhwirth, C.: New methods in hard disk encryption. Ph.D. thesis, Institute for Computer Languages Theory and Logic Group, Vienna University of Technology (2005)Google Scholar
  22. 22.
    Gjøsteen, K.: Security notions for disk encryption. In: di Vimercati, S.C., Syverson, P., Gollmann, D. (eds.) ESORICS 2005. LNCS, vol. 3679, pp. 455–474. Springer, Heidelberg (2005).  https://doi.org/10.1007/11555827_26CrossRefGoogle Scholar
  23. 23.
    Gueron, S., et al.: GCM-SIV: full nonce misuse-resistant authenticated encryption at under one cycle per byte. In: Cryptology ePrint Archive (2015)Google Scholar
  24. 24.
    Holt, K.: End-to-End Data Protection Justification (2003), www.t10.org/ftp/t10/document.03/03-224r0.pdf, T10 Technical Committee proposal letter
  25. 25.
    Kamp, P.H.: GBDE: GEOM based disk encryption. In: Proceedings of the BSD Conference 2003 on BSD Conference, USENIX (2003)Google Scholar
  26. 26.
    Khati, Louiza, Mouha, Nicky, Vergnaud, Damien: Full disk encryption: bridging theory and practice. In: Handschuh, Helena (ed.) CT-RSA 2017. LNCS, vol. 10159, pp. 241–257. Springer, Cham (2017).  https://doi.org/10.1007/978-3-319-52153-4_14CrossRefGoogle Scholar
  27. 27.
    Krioukov, A., et al.: Parity lost and parity regained. In: Proceedings of the 6th USENIX Conference on File and Storage Technologies, USENIX Association (2008)Google Scholar
  28. 28.
    Lindell, Y., et al.: AES-GCM-SIV: nonce misuse-resistant authenticated encryption. In: Internet-Draft draft-IRTF-CFRG-GCMSIV-03 (2017)Google Scholar
  29. 29.
    Martin, T., et al.: The 2016 analysis of information remaining on computer hard disks offered for sale on the second hand market in the UAE. J. Cryptology 21(4), 469–491 (2016).  https://doi.org/10.1007/s00145-008-9026-x
  30. 30.
    Nir, Y., et al.: ChaCha20 and Poly1305 for IETF Protocols. In: RFC 7539 (2015)Google Scholar
  31. 31.
    Petersen, M.K.: T10 data integrity feature (logical block guarding). In: Linux Storage & Filesystem Workshop (2007)Google Scholar
  32. 32.
    Riedel, E., et al.: A framework for evaluating storage system security. In: Proceedings of the 1st USENIX Conference on File and Storage Technologies, vol. 2. USENIX Association (2002)Google Scholar
  33. 33.
    Rogaway, P.: Authenticated-encryption with associated-data. In: Proceedings of the 9th ACM Conference on Computer and Communications Security (2002)Google Scholar
  34. 34.
    Saarinen, M.J.O.: Encrypted watermarks and Linux laptop security. In: Workshop on Information Security Applications, Revised Selected Papers (2005)Google Scholar
  35. 35.
    Satran, J., et al.: Internet protocol small computer system interface (iSCSI) cyclic redundancy check (CRC)/checksum considerations, In: RFC 7539 (2015)Google Scholar
  36. 36.
    Sivathanu, G., et al.: Ensuring data integrity in storage: techniques and applications. In: ACM Workshop on Storage Security and Survivability (2005)Google Scholar
  37. 37.
    Tischer, M., et al.: Users really do plug in USB drives they find. In: 2016 IEEE Symposium on Security and Privacy (SP) (2016)Google Scholar
  38. 38.
    Türpe, S., Poller, A., Steffan, J., Stotz, J.-P., Trukenmüller, J.: Attacking the bitlocker boot process. In: Chen, L., Mitchell, C.J., Martin, A. (eds.) Trust 2009. LNCS, vol. 5471, pp. 183–196. Springer, Heidelberg (2009).  https://doi.org/10.1007/978-3-642-00587-9_12CrossRefGoogle Scholar
  39. 39.
    Zhang, Y., et al.: End-to-end data integrity for file systems: a ZFS case study. In: Proceedings of the 8th USENIX Conference on File and Storage Technologies, USENIX Association (2010)Google Scholar

Copyright information

© IFIP International Federation for Information Processing 2018

Authors and Affiliations

  • Milan Brož
    • 1
    • 2
    Email author
  • Mikuláš Patočka
    • 1
  • Vashek Matyáš
    • 2
  1. 1.Red Hat CzechBrnoCzech Republic
  2. 2.Faculty of InformaticsMasaryk UniversityBrnoCzech Republic

Personalised recommendations