Self-Encrypting Hard Drives: From Laptops to the Data Center


Self-Encrypting Hard Drives: From Laptops to the Data Center Jason Cox, Seagate Technology

SNIA Legal Notice
The material contained in this tutorial is copyrighted by the SNIA. Member companies and individuals may use this material in presentations and literature under the following conditions:
- Any slide or slides used must be reproduced without modification.
- The SNIA must be acknowledged as source of any material used in the body of any document containing material from these presentations.
This presentation is a project of the SNIA Education Committee. Neither the Author nor the Presenter is an attorney and nothing in this presentation is intended to be nor should be construed as legal advice or opinion. If you need legal advice or legal opinion please contact an attorney. The information presented herein represents the Author's personal opinion and current understanding of the issues involved. The Author, the Presenter, and the SNIA do not assume any responsibility or liability for damages arising out of any reliance on or use of this information. NO WARRANTIES, EXPRESS OR IMPLIED. USE AT YOUR OWN RISK.

Abstract: Trusted Computing Group (TCG) Storage Specifications
The Trusted Computing Group (TCG) Storage Work Group recently published formal specifications for security and trust services on storage devices, including hard drives, flash, and tape drives. The majority of hard drive and other storage device manufacturers participated. Putting security directly on the storage device avoids the vulnerabilities of platform OS-based software security. The details of the Specification will be highlighted, as well as various use cases, including Self-Encrypting Drives with enterprise key/credential management.

TCG Storage Work Group Structure
- Storage WG: Jorge Campello, HGST
- Key Management Services: Walt Hubis, LSI
- Storage Interface Interactions: James Hatfield, Seagate
- Optical Storage: Bill McFerrin, DataPlay
- Storage Conformance: Cyril Guyot, HGST / Dmitry Obukhov, Samsung

Document Roadmap
- Trusted Storage Core Architecture Specification 1.0: published May 2007
- Optical Storage Subsystem Class Specification: published September 2008
- Enterprise Security Subsystem Class Specification: published January 2009
- Storage Interface Interactions Specification: published January 2009
- Trusted Storage Core Architecture Specification 2.0: published April 2009
- Opal Security Subsystem Class Specification: published April 2009

TCG SWG Document Structure
- General Documents: TCG Storage Core Architecture Specification; Storage Interface Interactions
- Specific Documents: one Security Subsystem Class (SSC) specification per class
- Auxiliary Documents: a Compliance document and an Application Note for each SSC

Core Spec/SSC Relationship
- General Documents: TCG Storage Core Architecture Specification v1.0 and v2.0; Storage Interface Interactions
- Specific Documents: Enterprise SSC; Opal SSC
- Auxiliary Documents (currently in progress): a Compliance document and an Application Note for each SSC

Self-Encrypting Drive Basics
- The storage device LOCKS when it powers OFF.
- The storage device remains LOCKED when it is powered back ON.
- Authentication UNLOCKS the storage device.
- The storage device reads and writes data normally while the drive is unlocked:
  - The plaintext data sent to the device is encrypted before being written.
  - The encrypted data read from the device is decrypted before being returned.
[Diagram: an authentication / key management service unlocks the drive. On Write, the plaintext "Here is the un-encrypted text" is stored as ciphertext ("P%k5t$ @sg!7#x1) #&%"); on Read it is decrypted before being returned. Callouts: data protected from loss and disclosure; 100% performance, with the encryption engine in the drive.]

SED in the Data Center: Enterprise SSC Motivation
Provide a solution to address current market needs:
- Protect the confidentiality of stored data.
- Minimize the time to bring devices online.
- Provide secure disposal / end of life.

SED in the Data Center: Enterprise SSC Threat Model
Unauthorized access to data on the device once it leaves the owner's control.
Features:
- Encryption
- Drive locking with password-based authorization
- Ranges
- Fast secure erase
- Static access control model

SED in the Client: Opal SSC Motivation
Provide a solution to address current market needs:
- Stolen / lost laptop data leakage.
- End of life / disposal.
- Trade-off between time-to-market and feature addition.
- Simple password-based authentication.
- Provide encryption and locking.

SED in the Client: Opal SSC Threat Model
Offline leakage of data.
Features:
- Encryption
- Drive locking with password access control
- Ranges
- MBR shadowing
- Fast secure erase
- Dynamic access control model

Encryption & Locking
- Independent locks for read and write.
- Keys are generated internally by the storage device.
- Secure (cryptographic) erase is performed by erasing the key.

LBA Ranges
Independent encryption and access control for each range. [Diagram: the storage device holds Range 1, Range 2 and Range 3; User 1 and User 2 are granted access to different ranges.]
Ranges are not necessarily aligned with partitions, though we expect that will be the case in the majority of uses in the client space.

MBR Shadowing
1. Initial power-up: when the system first requests the MBR, the HDD returns the pre-boot code (the MBR shadow).
2. Pre-boot authentication and unlock: the pre-boot code manages the authentication process with both internal and external authorities. After the appropriate authentications, the management software unlocks the regular user space.
3. Resume normal boot: after the HDD is unlocked, the management software sends the system back to the boot process. The system's request for the MBR now returns the true MBR and the OS is loaded, completing the boot process.
[Diagram, repeated for each step: external authorities (user, USB key, etc.) and platform authorities on the main system board; the management software (replaced by the OS in step 3); and the notebook / PC HDD divided into user space (OS) and a reserved pre-boot area.]

TCG Storage Specification Purpose
Define an architecture that:
- Enables application of access control over select device features.
- Permits configuration of these capabilities in conformance with the platform security policy.

TCG Storage Architecture Overview
[Diagram: the storage device (SD) or TPer exposes its SW and HW features and functions (e.g., crypto calls) through the TCG Storage Architecture as an Admin SP plus SP 1 through SP 4, reached via the TCG Storage API over the ATA/SCSI interface. On the other side of that interface sit the host, devices, the TPM, applications, end users, the Internet, mobile devices and service providers.]
The host platform, applications, devices, local end users, or remote users/service providers can gain exclusive control of selected features of the storage device. This allows them to simultaneously and independently extend their trust boundary into the storage device or trusted peripheral (TPer).

Security Providers (SPs)
TCG Storage specifications are intended to provide a comprehensive command architecture for putting selected features of storage devices under policy-driven access control.
- Features are packaged into individual functionality containers called SECURITY PROVIDERS (SPs).
- Each SP is a sandbox exclusively controlled by its owner.
- SP functionality is a combination of pre-defined functionality sets called SP TEMPLATES: Base, Log, Admin, Clock, Crypto, Locking.
- SPs are a collection of TABLES and METHODS that control the persistent trust state of the Storage Device (SD).
- Method invocation occurs under access control. The SP has a list of authorities and their respective credentials for access control.
[Diagram: an SP contains tables, a list of authorities (User1, User2, ...), methods (Get, Set, ...) and an ACL mapping authorities to the methods they may invoke.]

Tables
Tables provide data storage in SPs. Each template defines a set of tables. Capabilities provided by the Base template allow the host to create additional tables.
Two types of tables:
- Object tables (organized storage): each column stores data all of the same type; the UID column contains an SP-wide unique, addressable value for that row; rows associate column values.
- Byte tables (raw data): 0 or more rows indexed by position in the table; a single column; each cell stores one byte.
Example object table: columns UID (8-byte unique identifier), Col2, Col3, Col4, each row holding one data value per column.
Example byte table:
  Index  Column
  0      0x41
  1      0x42
  2      0x43

Methods
Methods are remote procedure calls invoked by the host to manipulate SP state. Methods operate on tables or the SP itself, and are used for session startup, authentication, table manipulation, and access control customization.
Invocation form:
  InvokingUID.MethodUID [ Method Parameters ] => [ Method Result ]
- InvokingUID: UID of the table or object upon which the method is being invoked.
- MethodUID: UID of the invoked method.
- Method Parameters: list of method parameters sent by the host.
- Method Result: list of results generated by the TPer.
Key methods:
- Get: retrieve values stored in tables.
- Set: change values stored in tables.
- Authenticate: prove host knowledge of a secret.
Other methods provide the capability to:
- Create/delete tables and table rows
- Generate encryption keys on the device
- Perform cryptographic operations on the device
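The invocation form above is carried over the ATA/SCSI interface as a token stream. The following encoder/decoder is an added example, not code from the tutorial or from the TCG: the control token values (StartList, EndList, StartName, EndName, Call, EndOfData) and the tiny/short/medium atom header layout follow the TCG Storage Core Architecture Specification as understood by the example's author, while the UIDs, the column numbers and the Get parameter layout are placeholders constructed for illustration and are not taken from any SSC.

```python
# Control tokens of the TCG Storage token stream (Core Architecture Specification).
START_LIST, END_LIST, START_NAME, END_NAME = 0xF0, 0xF1, 0xF2, 0xF3
CALL, END_OF_DATA = 0xF8, 0xF9

# Placeholder UIDs, constructed for this example; real UIDs come from the SSC spec.
THIS_SP_UID = bytes.fromhex("0000000000000001")
GET_METHOD_UID = bytes.fromhex("00000006000000ee")
PIN_COLUMN = 3   # assumed column number, for illustration only


def encode_atom(value) -> bytes:
    """Encode an int, bytes, named pair (2-tuple) or list as TCG tokens."""
    if isinstance(value, int) and not isinstance(value, bool):
        if 0 <= value <= 63:                      # tiny atom: 0b00dddddd
            return bytes([value])
        body = value.to_bytes((value.bit_length() + 7) // 8, "big")
        if len(body) > 15:
            raise ValueError("integer too large for a short atom")
        return bytes([0x80 | len(body)]) + body   # short atom, unsigned integer
    if isinstance(value, (bytes, bytearray)):
        n = len(value)
        if n <= 15:                               # short atom, byte sequence
            return bytes([0xA0 | n]) + bytes(value)
        if n <= 2047:                             # medium atom, byte sequence
            return bytes([0xD0 | (n >> 8), n & 0xFF]) + bytes(value)
        raise ValueError("long atoms are not handled in this example")
    if isinstance(value, tuple) and len(value) == 2:   # named value
        return (bytes([START_NAME]) + encode_atom(value[0])
                + encode_atom(value[1]) + bytes([END_NAME]))
    if isinstance(value, list):
        return bytes([START_LIST]) + b"".join(map(encode_atom, value)) + bytes([END_LIST])
    raise TypeError(f"cannot encode {type(value).__name__}")


def encode_call(invoking_uid: bytes, method_uid: bytes, params: list) -> bytes:
    """InvokingUID.MethodUID [ params ], then EndOfData and the host's status list."""
    return (bytes([CALL]) + encode_atom(invoking_uid) + encode_atom(method_uid)
            + encode_atom(params) + bytes([END_OF_DATA]) + encode_atom([0, 0, 0]))


def decode_token(buf: bytes, pos: int = 0):
    """Decode one token starting at pos; return (python_value, next_pos)."""
    b = buf[pos]
    if b < 0x80:                                  # tiny atom (unsigned only here)
        return b & 0x3F, pos + 1
    if b < 0xC0:                                  # short atom: 10BS LLLL
        n, is_bytes, start = b & 0x0F, bool(b & 0x20), pos + 1
    elif b < 0xE0:                                # medium atom: 110B SLLL + 8 length bits
        n, is_bytes, start = ((b & 0x07) << 8) | buf[pos + 1], bool(b & 0x10), pos + 2
    elif b == START_LIST:
        items, pos = [], pos + 1
        while buf[pos] != END_LIST:
            item, pos = decode_token(buf, pos)
            items.append(item)
        return items, pos + 1
    elif b == START_NAME:
        name, pos = decode_token(buf, pos + 1)
        val, pos = decode_token(buf, pos)
        if buf[pos] != END_NAME:
            raise ValueError("malformed named value")
        return (name, val), pos + 1
    else:
        raise ValueError(f"unexpected token 0x{b:02X} at offset {pos}")
    body = buf[start:start + n]
    return (bytes(body) if is_bytes else int.from_bytes(body, "big")), start + n


def decode_call(buf: bytes):
    """Split a method call back into (InvokingUID, MethodUID, params, status)."""
    if not buf or buf[0] != CALL:
        raise ValueError("not a method call")
    invoking, pos = decode_token(buf, 1)
    method, pos = decode_token(buf, pos)
    params, pos = decode_token(buf, pos)
    if buf[pos] != END_OF_DATA:
        raise ValueError("missing EndOfData")
    status, pos = decode_token(buf, pos + 1)
    return invoking, method, params, status


if __name__ == "__main__":
    # Get on the SP itself; the parameter list uses assumed names 3/4 for start/end column.
    msg = encode_call(THIS_SP_UID, GET_METHOD_UID, [[(3, PIN_COLUMN), (4, PIN_COLUMN)]])
    print(msg.hex())
    print(decode_call(msg))
```

Running the block prints the raw bytes a host would place in the payload and the decoded structure; the decoder deliberately rejects unknown tokens rather than skipping them, which is the behaviour a parser on the device side needs so that a malformed stream cannot be silently reinterpreted.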

Access Control
- Access control defines the authorization required to invoke specific methods.
- Access control permissions apply at the SP, table, or table row level.
- Access control settings are configurable and assignable.
- Authorities are authentication agents. The Authority table links each authority to its authentication credential and to the required authentication operation:
  UID (8-byte identifier)  Name   Credential       Operation
  ...                      Admin  C_RSA_1024 UID   Sign
  ...                      User   C_PIN UID        Password
  ...                      User   C_RSA_1024 UID   Sign
- Credential (C_*) tables store authentication secrets:
  C_PIN:      UID (8-byte identifier), Name (e.g. Auth PWD 1), PIN
  C_RSA_1024: UID (8-byte identifier), Name (e.g. Auth Key 1, Auth Key 2), Key Material
- The host application invokes the Authenticate method, identifying the Authority to be authenticated and the required proof (password, signed challenge, etc.).

Communications Architecture

Opal SSC Range Encryption & Locking
- Ranges are individually encrypted with different encryption keys.
- Access to a range is given by the Admin to any combination of users, for read, write, or both.
- The secure erase capability of a range is given by the Admin to any combination of users.
[Diagram: Admin, User1, User2, User3 and User4 against the Global Range (key K0), Range 1 (K1), Range 2 (K2), Range 3 (K3), ... Range N (KN); for each range the operations are Read Un/Lock, Write Un/Lock and Secure Erase. The Admin's permissions are fixed and not configurable; the users' permissions are configurable by the Admin.]

Enterprise SSC Range Encryption & Locking
- Ranges are individually encrypted with different encryption keys.
- Access to ranges is assigned at manufacturing and is non-modifiable.
- Minimum support requires the Global Range and the EraseMaster and BandMaster0 authorities.
[Diagram: EraseMaster, BandMaster0, BandMaster1, BandMaster2, ... BandMasterN against the Global Range (K0), Range 1 (K1), Range 2 (K2), ... Range N (KN), each with Read Un/Lock, Write Un/Lock and Secure Erase; all assignments are fixed, not configurable.]

SSC-Based Device Components
The SSCs define two SPs. The Admin SP is used for retrieving device information and configurations. The Locking SP is used to control the data encryption and locking/unlocking of LBA ranges in the storage device.
[Diagram: App A authenticates to the Admin SP with a user password and retrieves configuration information by invoking Get; the Locking SP sits beside the Admin SP in the storage device.]

LBA Range Encryption & Locking
- The storage device can have only one SP with Locking capability.
- Access control to user data can be configured.
- The storage device will support a certain number of independent ranges of user data.
[Diagram: independent encryption and access control for each range (Range 1, Range 2, Range 3; User 1, User 2). The App authenticates to the Locking SP and configures the Locking table; the App is responsible for configuring encryption and access control for all users. There can only be one Locking SP per storage device.]

Locking Ranges
The Locking SP enables independent ranges of the user data space to be separately configured for read/write access control.
[Diagram: the App authenticates and then invokes Set to configure the starting address and length of each range (Range 1, Range 2, Range 3). Range settings are stored in the Locking table.]

Configuring Passwords
Each user can be assigned a separate password that is used for authentication to the Locking SP.
[Diagram: the App authenticates and then invokes Set to change the password. Passwords are stored in the C_PIN table.]

Unlocking Ranges
The user authenticates with a password and then unlocks the ranges that user is permitted to access.
[Diagram: the App authenticates and then invokes Set to change the locking values of the appropriate ranges; one unlocked range is shown among Range 1, Range 2, Range 3. Range settings are stored in the Locking table.]

Secure Erase
The Locking SP provides the host with the ability to erase data, securely and quickly, by replacing the encryption key for a range with a new key randomly generated securely in the drive.
[Diagram: the App authenticates and then invokes GenKey (Opal) or Erase (Enterprise) to generate a new encrypting key for the range; range keys are held in the K_* table.]
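The Locking Ranges, Configuring Passwords, Unlocking Ranges and Secure Erase slides describe one procedure, and the drive-basics and Opal access-matrix slides describe the behaviour it relies on (lock on power-off, Admin-granted per-user permissions, per-range keys). The model below is an added example written for this page, not code from the tutorial, Seagate or the TCG: it simulates a Locking SP with a C_PIN table, a Locking table, an ACL and per-range keys, and runs the procedure end to end. The operation names ("read_unlock", "erase", ...), the authority names Admin1 and User1, the PINs and the 32-byte sectors are all constructed for the example, and the HMAC-based sector cipher is a stand-in for the drive's AES engine, not the real media encryption.

```python
import hashlib, hmac, secrets
from dataclasses import dataclass

SECTOR = 32  # bytes per LBA in this model (constructed; real sectors are 512 or 4096)

def sector_cipher(key: bytes, lba: int, data: bytes) -> bytes:
    """Toy per-LBA stream cipher standing in for the drive's AES engine: XOR with an
    HMAC keystream derived from the range key and the LBA. Encrypts and decrypts."""
    stream = hmac.new(key, lba.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data.ljust(SECTOR, b"\0"), stream))

@dataclass
class LockingRange:
    start: int
    length: int
    key: bytes                 # media encryption key, generated inside the drive
    read_locked: bool = True
    write_locked: bool = True

class LockingSP:
    def __init__(self, admin_pin: bytes, n_lbas: int = 64):
        self.c_pin = {"Admin1": admin_pin}          # C_PIN table: authority -> PIN
        self.locking = {0: LockingRange(0, n_lbas, secrets.token_bytes(32))}  # global
        self.acl = {}        # (authority, range_id) -> set of permitted operations
        self.media = {}      # lba -> ciphertext as it sits on the media
        self.session = None  # authority authenticated in the current session
    def authenticate(self, authority: str, pin: bytes) -> bool:
        stored = self.c_pin.get(authority)
        ok = stored is not None and hmac.compare_digest(stored, pin)
        self.session = authority if ok else None
        return ok
    def _check(self, range_id: int, op: str) -> None:
        if self.session == "Admin1":
            return                                  # Admin1 holds every permission here
        if op not in self.acl.get((self.session, range_id), set()):
            raise PermissionError(f"{self.session!r} may not {op} range {range_id}")
    # Admin configuration: Set on the Locking table, the C_PIN table and the ACL
    def set_range(self, range_id: int, start: int, length: int) -> None:
        self._check(range_id, "configure")
        self.locking[range_id] = LockingRange(start, length, secrets.token_bytes(32))
    def set_pin(self, authority: str, pin: bytes) -> None:
        self._check(0, "configure")
        self.c_pin[authority] = pin
    def grant(self, authority: str, range_id: int, *ops: str) -> None:
        self._check(range_id, "configure")
        self.acl.setdefault((authority, range_id), set()).update(ops)
    # User operations: Set on ReadLocked/WriteLocked, GenKey for cryptographic erase
    def unlock(self, range_id: int) -> None:
        self._check(range_id, "read_unlock")
        self._check(range_id, "write_unlock")
        self.locking[range_id].read_locked = self.locking[range_id].write_locked = False
    def genkey(self, range_id: int) -> None:
        self._check(range_id, "erase")              # old ciphertext becomes unrecoverable
        self.locking[range_id].key = secrets.token_bytes(32)
    def power_cycle(self) -> None:
        self.session = None                         # every range relocks on power loss
        for rng in self.locking.values():
            rng.read_locked = rng.write_locked = True
    # Normal I/O path: encrypt on write, decrypt on read, subject to the range locks
    def _range_for(self, lba: int) -> LockingRange:
        for rid, rng in self.locking.items():
            if rid != 0 and rng.start <= lba < rng.start + rng.length:
                return rng
        return self.locking[0]                      # otherwise the global range
    def write(self, lba: int, data: bytes) -> None:
        rng = self._range_for(lba)
        if rng.write_locked:
            raise PermissionError(f"LBA {lba} is write-locked")
        self.media[lba] = sector_cipher(rng.key, lba, data)
    def read(self, lba: int) -> bytes:
        rng = self._range_for(lba)
        if rng.read_locked:
            raise PermissionError(f"LBA {lba} is read-locked")
        return sector_cipher(rng.key, lba, self.media.get(lba, b"\0" * SECTOR))

def provision_unlock_erase() -> dict:
    """Configure Range 1, set a user PIN, unlock, write, power-cycle, re-unlock, GenKey."""
    drive = LockingSP(admin_pin=b"admin-pin")       # constructed PINs throughout
    drive.authenticate("Admin1", b"admin-pin")
    drive.set_range(1, start=8, length=8)           # Range 1 covers LBAs 8..15
    drive.set_pin("User1", b"user1-pin")
    drive.grant("User1", 1, "read_unlock", "write_unlock", "erase")
    drive.power_cycle()
    out = {}
    drive.authenticate("User1", b"user1-pin")
    try:
        drive.unlock(0)                             # never granted on the global range
    except PermissionError as e:
        out["global_denied"] = str(e)
    drive.unlock(1)
    drive.write(10, b"payroll.xlsx header")
    out["read_unlocked"] = drive.read(10).rstrip(b"\0")
    drive.power_cycle()                             # the drive locks when powered off
    try:
        drive.read(10)
    except PermissionError as e:
        out["read_locked"] = str(e)
    drive.authenticate("User1", b"user1-pin")
    drive.unlock(1)
    drive.genkey(1)                                 # cryptographic erase of Range 1
    out["read_after_genkey"] = drive.read(10)
    return out
```

Two points the walk-through makes concrete: after the power cycle the ciphertext is still on the media but no read path returns it until an authority with read-unlock permission authenticates, and after GenKey the same LBA decrypts to unrelated bytes with no per-sector overwrite, which is why the tutorial calls the erase both secure and fast.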

The Future
- Encryption: automatic performance scaling, manageability, security
- Standards-based: multiple vendors; interoperability
- Unified key management: handles all forms of storage

Thank You! www.trustedcomputinggroup.org

Q&A / Feedback
Please send any questions or comments on this presentation to SNIA: tracksecurity@snia.org
Many thanks to the following individuals for their contributions to this tutorial (SNIA Education Committee): Robert Thibadeau, Michael Willett, Jorge Campello, and all storage manufacturers (contributors).