Analysis of FileVault 2: Apple's full disk encryption. Omar Choudary Felix Grobert Joachim Metz



Similar documents
Infiltrate the Vault: Security Analysis and Decryption of Lion Full Disk Encryption

Practical Cryptographic Key Recovery

Practical Methods for Dealing with Full Disk Encryption. Jesse Kornblum

Disk encryption... (not only) in Linux. Milan Brož

Forensic Decryption of FAT BitLocker Volumes

What users should know about Full Disk Encryption based on LUKS

SecureDoc Disk Encryption Cryptographic Engine

Disk Encryption. Aaron Howard IT Security Office

AD Image Encryption. Format Version 1.2

Best Practices for Deploying FileVault 2

Full Drive Encryption Security Problem Definition - Encryption Engine

Secure Storage. Lost Laptops

Project: Simulated Encrypted File System (SEFS)

Analyzing the Security Schemes of Various Cloud Storage Services

SAS Data Set Encryption Options

High Security Online Backup. A Cyphertite White Paper February, Cloud-Based Backup Storage Threat Models

ERNW Newsletter 42 / December 2013

Passware Kit User Guide

Fall. Forensic Examination of Encrypted Systems Matthew Postinger COSC 374

Introduction to BitLocker FVE

Password-based encryption in ZIP files

Understanding Core storage, logical volumes, and Fusion drives.

SECUDE AG. FinallySecure Enterprise Cryptographic Module. FIPS Security Policy

Bypassing Local Windows Authentication to Defeat Full Disk Encryption. Ian Haken

Encrypting the Private Files on Your Computer Presentation by Eric Moore, CUGG June 12, 2010

GostCrypt User Guide. Laboratoire de Cryptologie et de Virologie Opérationnelles - France

10 Ways to Not Get Caught Hacking On Your Mac

EMC VMAX3 DATA AT REST ENCRYPTION

New Technologies File System (NTFS) Priscilla Oppenheimer. Copyright 2008 Priscilla Oppenheimer

Boost system security with better data-atrest

2.6.1 Creating an Acronis account Subscription to Acronis Cloud Creating bootable rescue media... 12

The virtual safe: A user-focused approach to data encryption

Recipe for Mobile Data Security: TPM, Bitlocker, Windows Vista and Active Directory

How to Password Protect Files & Folders in Mac OS X with Disk Images

Guidance End User Devices Security Guidance: Apple OS X 10.9

Firewire-based Physical Security Attacks on Windows 7, EFS and BitLocker

Encrypted File Systems. Don Porter CSE 506

Guidelines on use of encryption to protect person identifiable and sensitive information

FIPS Non Proprietary Security Policy: Kingston Technology DataTraveler DT4000 Series USB Flash Drive

HDD Password Tool. User s Manual. English

End User Devices Security Guidance: Apple OS X 10.10

EMC Symmetrix Data at Rest Encryption

Attacking Obfuscated Code with IDA Pro. Chris Eagle

Chapter 11 Security+ Guide to Network Security Fundamentals, Third Edition Basic Cryptography

Dashlane Security Whitepaper

SkyRecon Cryptographic Module (SCM)

Security for Mac Computers in the Enterprise

Forensics Issues in Full Disk Encryption. Dr Séamus Ó Ciardhuáin Department of IT Limerick Institute of Technology

EC-Council Ethical Hacking and Countermeasures

Whitepaper Enhancing BitLocker Deployment and Management with SimplySecure. Addressing the Concerns of the IT Professional Rob Weber February 2015

DeployStudio Server Quick Install

White Paper: Whole Disk Encryption

CrashPlan Security SECURITY CONTEXT TECHNOLOGY

Incident Response and Computer Forensics

File System Forensics FAT and NTFS. Copyright Priscilla Oppenheimer 1

SENSE Security overview 2014

YubiKey Integration for Full Disk Encryption

2.8.1 Creating an Acronis account Subscription to Acronis Cloud Creating bootable rescue media... 16

Getting Started with VMware Fusion

Time Machine Setup for Routers

Installing Ubuntu LTS with full disk encryption

PLATFORM ENCRYPTlON ARCHlTECTURE. How to protect sensitive data without locking up business functionality.

Northrop Grumman M5 Network Security SCS Linux Kernel Cryptographic Services. FIPS Security Policy Version

introducing COMPUTER ANTI FORENSIC TECHNIQUES

2! Bit-stream copy. Acquisition and Tools. Planning Your Investigation. Understanding Bit-Stream Copies. Bit-stream Copies (contd.

Crystal Practice Management Encrypting the Database

Recover Data Like a Forensics Expert Using an Ubuntu Live CD

icloud Keychain and ios 7 Data Protection Andrey Belenko Sr. Security viaforensics

Michael Seltzer COMP 116: Security Final Paper. Client Side Encryption in the Web Browser Mentor: Ming Chow

Introduction to Windows 7 Feature Practice Examination (brought to you by RMRoberts.com)

Defining Digital Forensic Examination and Analysis Tools Using Abstraction Layers

About Parallels Desktop 7 for Mac

Administering FileVault 2 on OS X Lion with the Casper Suite. Technical Paper July 2012

Encrypting with BitLocker for disk volumes under Windows 7

Protection Profile for Full Disk Encryption

PARALLELS SERVER 4 BARE METAL README

Oracle Cluster File System on Linux Version 2. Kurt Hackel Señor Software Developer Oracle Corporation

Navigating Endpoint Encryption Technologies

Jeremi M Gosney Founder & CEO, Stricture Consulting Group

Contents. Getting Started...1. Managing Your Drives Backing Up & Restoring Folders Synchronizing Folders Managing Security...

Full version is >>> HERE <<<

USB Portable Storage Device: Security Problem Definition Summary

USB Portable Storage Device: Security Problem Definition Summary

File System & Device Drive. Overview of Mass Storage Structure. Moving head Disk Mechanism. HDD Pictures 11/13/2014. CS341: Operating System

Sophos SafeGuard Native Device Encryption for Mac Administrator help. Product version: 7

Mobile Device Security and Encryption Standard and Guidelines

Data Backup & Recovery

Secure Password Managers and Military-Grade Encryption on Smartphones: Oh, Really? Andrey Belenko and Dmitry Sklyarov Elcomsoft Co. Ltd.

Storing Encrypted Plain Text Files Using Google Android

Chapter 10: Mass-Storage Systems

Mac Basics: Time Machine backs up your Mac

Windows 7: Current Events in the World of Windows Forensics

Implementing deniable storage encryption for file system using PDE

SimplySecure TM Architecture & Security

PGP Whole Disk Encryption Training

Management of Hardware Passwords in Think PCs.

EMC DATA DOMAIN ENCRYPTION A Detailed Review

How Drive Encryption Works

BitLocker/Active Directory Encryption Procedure Department: Information Security Office Version: 1.0 Last Revised: 09/26/2011

WARNING!!: Before installing Truecrypt encryption software on your

Transcription:

Analysis of FileVault 2: Apple's full disk encryption Omar Choudary Felix Grobert Joachim Metz

FileVault 2

Project Overview Goal reverse engineer and analyse Apple's full disk encryption (aka File Vault) introduced in OS X 10.7 (Lion) develop a cross-platform tool to read File Vault encrypted disks also known as CoreStorage volumes Why Need to know if secure Use in forensic investigation No trust in the operating system Interoperability Need for access of remote files on encrypted drives

Background - full disk encryption Problem: need to encrypt all data user should not memorize or enter a large encryption key e.g. 128 or 256 bits => key is stored in the disk somehow we would like to independently encrypt sectors (normally 512 bytes)

Background - full disk encryption AES-CBC alone is not really suitable random IV in metadata and just go on? (quite bad) zero/constant IV? (even worse) sector-based IV? (better, but still not good) (Wikipedia)

Background - popular systems PGP BitLocker (used with MS Windows) uses AES-CBC with a sector-based tweak AES-CBC + Elephant diffuser. A Disk Encryption Algorithm for Windows Vista. Niels Ferguson. LUKS (Linux Unified Key Setup) New methods in hard disk encryption. Clemens Fruhwirth.... others

AES-XTS based on AES-ECB 2 keys tweak value per sector modified per AES block

General full disk encryption architecture

The quest for Apple's File Vault FDE what are the key derivation mechanisms? what are the encryption mechanisms? how is the data encrypted?

Tools at hand GDB IDA Pro 3 MacBook's for kernel debugging 2 of them connected via FireWire => disk access 3rd one connected via Ethernet => remote gdb The Sleuth Kit disk forensic tool

FileVault overview

EncryptedRoot.plist file Introduced after FileVault activation Contains wrapped volume key Available on Recovery HD partition Encrypted with key in volume header Hints from Apple: AES-XTS as encryption Keys wrapped From IDA Pro we get pointers also for AES Wrap PBKDF2

AES-XTS based on AES-ECB 2 keys: volume key and tweak key tweak value per sector modified per AES block

Example EncryptedRoot.plist

General full disk encryption architecture

AES Wrap (RFC 3394) based on AES, like XTS needs a key for unwrapping used to protect volume master key can verify if unwrapping is successful

General full disk encryption architecture

PBKDF2 output keys of arbitrary lengths from any text slow brute force attacks on passwords 3 parameters: iterations, salt, password option of PRF (e.g. HMAC-SHA256) brute force searching of iterations... no luck salt given in EncryptedRoot.plist found iterations via IDA existing code for time dependent value turned out that a static value is used most of the time (41000)

Key derivation overview Image courtesy of Felix Grobert

are we done yet?... tweak key? Volume key

Looking for disk encryption mechanism (1) Looking at HFS+ metadata existing header at good location apparently unencrypted HFS+ structure files (allocation, journal block) but... misleading => bug in OS (forgot to erase data)

Looking for disk encryption mechanism (2) chasing the encryption via GDB found a tweak key and a tweak value for some data no luck... still no idea to what that corresponds (may be for virtual memory) comparing data with disk data we get tweak value correspondence start of encrypted value block size

Looking for disk encryption mechanism (3) chasing tweak key derivation via IDA Pro problems encountered: C++ obfcuscation cdecl (int*)... *(ebp+478)(ebp+x,...)...??? many classes and pointers involved IDA helps but not that much encryption process goes through a Daemon code is quite large AES-XTS tweak key = trunc 128 (SHA256(volume_key lvf_uuid)) (lvf_uuid comes from encrypted (obfuscated) metadata)

FileVault overview

Volume layout Encrypted Plaintext Zero

Random number generator used for derivation of recovery key randomness taken from /dev/random about 320 bits of randomness available after first boot of new OS installation mostly from mach_absolute_time() seems ok can be improved if needed

Memory extraction attacks possible keys easily available via gdb not much we can do... open research issue see "Lest We Remember: Cold Boot Attacks on Encryption Keys", USENIX Security 2008.

open source C library cross-platform tool to read and mount CoreStorage (FileVault 2 encrypted) volumes can mount a CoreStorage volume and read arbitrary files without first decrypting the entire volume available at: http://code.google.com/p/libfvde/ fvdemount -e EncryptedRoot.plist.wipekey -r 35AJ-AC98-TI1H-N4M3- HDUQ-UQFG /dev/sda2 /mnt/fvdevolume/ mount -o loop,ro /mnt/fvdevolume/fvde1 /mnt/hfs_file_system

That's all Omar Choudary www.cl.cam.ac.uk/~osc22

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information