Authentication Concerns for Tape Drive Encryption Key Wrapping




To: INCITS T10 Committee
From: Greg Wheeless, Symantec

Background:
There are currently proposals in development to provide a secure method for an application client to send an encryption key to a tape drive device server, known as encryption key wrapping. Any such proposal should address the problem of authentication, specifically attacks involving impersonation of either endpoint to gain inappropriate access to encrypted information.

Revision History:
Revision 0: Initial Document.

Impersonation Threats to Consider

Terminology:
Secure key exchange will likely involve additional keys used to secure the key that is in turn used to encrypt data on tape. For the sake of clarity within this document, I'll use the term Tape Key to mean a key used to encrypt data on tape, and Wrapping Key to mean any key used to secure the Tape Key exchange. Depending on the secure key exchange methodology, a Persistent Wrapping Key may be used to exchange a Session Wrapping Key, which is used to secure a single Tape Key exchange.

Overview:
Encryption key wrapping should authenticate the endpoints of the key exchange as necessary to minimize vulnerability to an attacker impersonating either the application client or the device server. Man-in-the-middle attacks are considered here only as a mechanism for impersonating an endpoint. Note that the application client, not merely the initiator port, is important to authentication, as an attacker may have access to the same initiator port as a legitimate application client, especially where server virtualization is used.

Three scenarios seem especially important:
a) backup of data to a drive providing encryption;
b) restore of data from a drive providing encryption; and
c) management of Persistent Wrapping Keys.

Additionally, authentication of a device upon its initial introduction to a storage network may warrant special consideration.

Backup Scenario:
The backup scenario involves the application client sending a Tape Key to the device server, followed by writing some amount of data to tape encrypted by that device key. (This may be repeated many times for what the user of a backup application would consider a backup job, but that repetition would not seem to add additional authentication concerns.)

An attacker may impersonate a device server, gaining access to the Tape Key (as well as the plaintext backup data). If done as a man-in-the-middle attack, the backup may succeed, leaving the attacker with the Tape Key for a known tape, or the attacker might choose a Tape Key of his own for use in the real tape drive, without direct indication of a problem to the application client.

The application client needs to authenticate the device server in the backup scenario, or at least ensure that the key wrapping protocol makes the wrapped Tape Key unavailable to an impersonator or man-in-the-middle. However, some vulnerability to a man-in-the-middle attack will remain despite authentication.

An attacker may impersonate an application client, and interfere with a backup performed by a different application client on a storage network. The attacker might change the Tape Key after it was established by the legitimate application so that some or all of the data written to tape would be encrypted with a key of the attacker's choosing. A mechanism to alert the legitimate application client to a key change (even one made by the same initiator port) would seem to address this issue.

Unless there are additional threats, the device server does not seem to need to authenticate the application client in the backup scenario.

Restore Scenario:
The restore scenario involves the application client sending a Tape Key to the device server, followed by reading some amount of data from tape decrypted by that device key. (This may be repeated many times for what the user of a backup application would consider a restore job, but that repetition would not seem to add additional authentication concerns.)

An attacker may impersonate a device server, gaining access to the Tape Key. If done as a man-in-the-middle attack, the restore may succeed, leaving the attacker with the Tape Key for a known tape without direct indication of a problem to the application client.

The application client needs to authenticate the device server in the restore scenario, or at least ensure that the key wrapping protocol makes the wrapped Tape Key unavailable to an impersonator or man-in-the-middle.

An attacker may impersonate an application client, but there does not seem to be any way to gain the Tape Key by this action, as it is never revealed by the device server. While an attacker could impersonate the legitimate application client mid-restore to gain access to the plaintext restore data, the attacker could achieve the same result by the simpler action of sniffing the storage network passively, so this does not seem to be a threat that authentication can address.

The device server does not need to authenticate the application client in the restore scenario, as the possession of the Tape Key serves that purpose.

Key Management Scenario:
Security policies may require a limited lifetime for Persistent Wrapping Keys. An application client would need to be involved in this process if this key management is done in-band. Key management is usually the hardest part of a secure system to get right, and the value of robust in-band key management cannot be ignored.

If the device server is capable of generating secure Persistent Wrapping Keys on demand, the role of the application client is limited to triggering this event, and the threat from impersonation is similarly limited.

However, if due to device server limitations an application client will need to generate a new Persistent Wrapping Key (or public/private key pair) and send that key to the device server in-band, the threat from impersonation is high. An attacker impersonating an application client could cause a denial of service by changing the device server's Persistent Wrapping Key arbitrarily. An attacker impersonating a device server could, through a man-in-the-middle attack, gain access to the new Persistent Wrapping Key being sent to the device server.

If an application client will perform in-band key management services for a device server, the application client and device server need to be able to authenticate one another.

Illustrative Examples (Not a Proposal)

Simple Symmetric Key:
A simple approach to authentication and key wrapping can be illustrated with a symmetric key as a shared secret. This key would be used both for authentication and as the Persistent Wrapping Key.

Before a tape drive was first used in normal operation, a symmetric key would need to be shared between the tape drive device server and the application client. Many methods are available, for example:
a) a symmetric key is set in the tape drive at the factory, and communicated out-of-band to the application client;
b) a symmetric key is generated by the application client and communicated out-of-band to the device server; or
c) a symmetric key is sent in-band in the clear to the device server in a controlled environment before production deployment.

In the backup and restore scenarios, the use of the symmetric key as the Persistent Wrapping Key would implicitly authenticate (or alleviate the need for authentication, depending on one's interpretation) the device server to the application client, as only an endpoint with knowledge of this secret would have access to the Tape Key.

In the key management scenario, the symmetric key would allow the device server to explicitly authenticate the application client. For example, the device server could send a challenge to the application client, which would respond by encrypting both the challenge and the new symmetric key using the old symmetric key.

The obvious disadvantage of this approach is scalability. If multiple application clients wish to use a given tape drive, the application clients must share that tape drive's Persistent Wrapping Key by some out-of-band method, which may be challenging to do securely. This key sharing would need to be repeated whenever the key was changed.

The advantage of this approach is its simplicity: very few resources are needed on the device server. Authentication would add little complexity over that required for key wrapping. If there was a need to provide key wrapping for a tape drive without multi-initiator support (perhaps for some future regulatory compliance, or in a virtual server environment), some approach similar to this would seem appropriate.

Public Key Infrastructure:
As an example of authentication within a public key infrastructure, consider the case where a data center administrator wishes to use an existing system of certificate creation and certificate brokers, but the tape drives lack the resources to generate certificates or to store certificates for many initiators in a storage network. (If the tape drive can generate key pairs and store certificates, authentication is a well-solved problem.)

A specific application client or clients may be designated by the data center administrator as key management clients (perhaps these application clients would be hosted on third-party key management appliances). A key management client would initially generate a public/private key pair and certificate on behalf of the tape drive. Depending on the protocol chosen, the private key could be used for both authentication and as the private Persistent Wrapping Key, or two key pairs might be generated; for the sake of simplicity of discussion we'll assume the one key pair serves both purposes.

The key management client would send the private key to the tape drive. Initially the key would need to be sent either out-of-band, or in-band in the clear in a controlled environment. Once the first key was established, a new key could be sent securely in-band, by using the current private key symmetrically to allow the device server to authenticate the application client with a challenge, or by using a more sophisticated protocol.

The key management client would share the certificate and public key with all other application clients using the certificate brokers, expire the tape drive's private Wrapping Key on the schedule called for by the security policy, and in general make normal use of the key management infrastructure. If multiple key management clients were desired for redundancy, they would still need to share the tape drive private keys by some secure out-of-band method.
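
The challenge-based key change described under Simple Symmetric Key, and reused in the Public Key Infrastructure example for sending a replacement key in-band, can be sketched in Go. This is an added example, not part of the original document or of any T10 proposal; the choice of AES-256-GCM, the 16-byte challenge, and the names Device, NewChallenge, Respond and Rotate are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

type Device struct{ wrapKey, challenge []byte } // hypothetical model of the device server
func gcm(key []byte) cipher.AEAD { // assumption: AES-256-GCM, 32-byte keys
	b, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(b)
	return g
}

func (d *Device) NewChallenge() []byte { // device server: fresh single-use challenge
	d.challenge = make([]byte, 16)
	rand.Read(d.challenge)
	return d.challenge
}

func Respond(oldKey, challenge, newKey []byte) []byte { // application client's reply
	g := gcm(oldKey)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	// nonce || AEAD(oldKey, challenge || newKey)
	return g.Seal(nonce, nonce, append(append([]byte{}, challenge...), newKey...), nil)
}

func (d *Device) Rotate(reply []byte) error { // device server: verify, then install
	g, pending := gcm(d.wrapKey), d.challenge
	d.challenge = nil // any attempt consumes the challenge
	if n := g.NonceSize(); len(reply) > n {
		pt, err := g.Open(nil, reply[:n], reply[n:], nil)
		// 48 = 16-byte challenge + 32-byte key; a nil pending challenge never matches
		if err == nil && len(pt) == 48 && bytes.Equal(pt[:16], pending) {
			d.wrapKey = pt[16:]
			return nil
		}
	}
	return fmt.Errorf("key change rejected")
}

func main() {
	dev := &Device{wrapKey: bytes.Repeat([]byte{1}, 32)} // constructed sample keys
	fmt.Println(dev.Rotate(Respond(dev.wrapKey, dev.NewChallenge(), bytes.Repeat([]byte{2}, 32))))
}
```

Because each reply is bound to one challenge, a reply held back by a man-in-the-middle is refused once the device server has issued a newer challenge, and a client that does not hold the current key cannot produce an acceptable reply. Authenticated encryption is used here so that a modified reply is rejected instead of installing a corrupted key.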