An Improved Trusted Full Disk Encryption Model

Prasenjit Das and Nirmalya Kar
Department of Computer Sc. & Engineering, National Institute of Technology Agartala, India.
e-mail: pj.cstech@gmail.com; nirmalya@nita.ac.in

Abstract. This paper presents a complete analysis of current storage protection models like Encrypting File System (EFS), traditional Full Disk Encryption (FDE), FDE with Trusted Platform Module (TPM) chip and Trusted Full Disk Encryption (TFDE) model, and points out the security loop-holes an attacker can exploit in them. Based on the design of TFDE we introduce a new model which incorporates all the best security features of the models mentioned above. Digital certificate based user identification, as in EFS, protects data between users. An encrypted partition secures critical data and file metadata at disk level. The Trusted Platform Module is used to hide all the encryption and signing keys in separate hardware, out of reach of the prying eyes of attackers. The TFDE model is modified to protect systems coming out of standby mode from potential attacks. The new model also provides a safe and easy recovery mechanism in case a user forgets his password or a stolen system is found or recovered.

Keywords: EFS, encryption, FDE, TPM, trusted full disk, storage security.

1. Introduction

In today's world the most valuable asset is information. Stealing, publishing or modification of critical information about any person or organization may lead to social discrepancy and economic collapse. This is why protection of user systems and data is of utmost importance, and different tools are being developed for this purpose, like EFS, FDE, FDE with TPM and the TFDE model. Each model has its weaknesses and drawbacks. To evaluate and select the optimum solution for a given system or environment we have to analyze many intricate criteria such as security level, performance, key management issues and overall cost [1]. Most of the attacks exploit flaws in software.
The risk increases exponentially if an attacker gets physical access to the system. To protect data against today's increasingly sophisticated attacks, software based solutions are not enough. Tamper-proof hardware like the TPM adds another layer of security. In this paper we introduce a secure and improved TFDE model eliminating the design flaws and security loop-holes in the basic TFDE model [2].

Corresponding author
K. R. Venugopal, P. Deepa Shenoy and L. M. Patnaik (Eds.) ICDMW 2013, pp. 9-16. Elsevier Publications 2013.

2. Security Tools

2.1 Encrypting file system

EFS protects user files by encrypting them using a symmetric encryption key called the file encryption key (FEK) [3,4]. The FEK is encrypted by an asymmetric key and stored in the $EFS alternate data stream (ADS) of the encrypted file.

2.2 Full disk encryption

In traditional FDE the contents of a disk are encrypted block-by-block using a symmetric key encryption algorithm. All the user files, including directory structure, file names, temporary files, cache files, swap files, system files etc., always remain encrypted on the disk [5].

2.3 Trusted platform module with full disk encryption

The TPM is an embedded cryptographic device and is used in conjunction with FDE to provide better security. In this model the symmetric disk encryption key is stored on the hard drive, encrypted by a TPM non-migratable key and sealed with the TPM's platform configuration register (PCR) values [6,8].

2.4 Trusted full disk encryption model

In this model all the file encryption keys and attestation keys are stored on disk, encrypted by the storage key (SK) and the SRK. System boot partition and OS partition contents are encrypted by the system storage key (SSK) and sealed by PCR values [2].

3. Analysis of Existing Models

3.1 Problems found in EFS

EFS has the following limitations affecting data security:

(i) When a plaintext file is encrypted, the EFS driver makes a backup copy and creates the $EFS stream [3]. The backup file is deleted when encryption is completed. However, EFS merely marks the backup file as deleted and doesn't really erase (overwrite with 0's) its contents. So the deleted plaintext data can be recovered easily by using some low-level data recovery tools.
(ii) EFS only encrypts the contents of a file. The file metadata, like directory structure, file names, modification timestamps or sizes etc., are not encrypted and may therefore lead to security risk.
(iii) Files and folders encrypted by EFS are decrypted before being copied to a volume formatted with another file system, like FAT32. Moreover, when encrypted files are shared over the network using the SMB protocol, they are decrypted before they are sent [4].

3.2 Problems found in FDE

Full disk encryption has the following problems:

(i) Decryption keys can be stolen from dumped memory contents using a cold boot attack. This attack is deployed based on two facts. First, the OS needs to hold the decryption keys in memory to decrypt data on disk. Second, all the data stored in RAM fades away gradually over a period of seconds to minutes even after power is cut off [9]. This duration can be increased by cooling the chip before cutting power.
(ii) The evil-maid attack makes the system vulnerable during the pre-boot authentication phase. An attacker can modify the MBR to run malicious code in the pre-boot screen, which sniffs the decryption key and saves it somewhere or transmits it over the network [10,11].
(iii) If the files in an encrypted volume are copied to an unencrypted volume such as a USB drive, the files are decrypted. Even if a user shares files with remote users, or hackers copy the files after the system is cracked, the files are decrypted [12].
(iv) If a system is accessed by multiple users, each user can access all the data on the hard drive after the system starts, so data confidentiality cannot be achieved between different users of the system.

3.3 The problems of FDE with trusted platform module

Along with the performance issues of FDE, this model has the following problems:

(i) Decrypted user data stays in memory for use by applications. So by using a cold boot attack an attacker can extract sensitive user data [9].
(ii) The PCR values stored inside the TPM play an important role in remote computer authentication using a Privacy CA (a trusted third party) [7]. The TPM typically resides on the Low Pin Count (LPC) bus, which has a ground driven reset line. So if the attacker physically grounds this line, the TPM is reset and the PCR values are initialized to 0 [13].

3.4 Problems of TFDE model

TFDE has a few design flaws and security loop-holes, as explained next.

3.4.1 Design flaws of TFDE

The TFDE model has the following design flaws.

(i) SSK is encrypted using SK. This approach has two problems:
  a. The SK of a user is decrypted by the SRK and his password when he logs into the system [2]. So the SK is not available at boot time and, as per the TPM key hierarchy, the SSK cannot be decrypted and used unless the parent key SK is decrypted and loaded into a TPM key slot [7].
  b. The SK is user specific, so in a multi-user environment multiple SKs cannot be used to encrypt a single unique SSK.
(ii) TFDE does not suggest any security measures for a computer in sleep mode or screen locked mode.
(iii) The TFDE model does not specify any policy about locking down a user account after a specified number of login failures. It also does not provide any recovery mechanism in case a user forgets his password.
(iv) To change the login password every user must have the SRK password, as it is required to reconfigure the SK, which is not safe in a multi-user environment.

3.4.2 Security loop-holes

The TFDE model has the following security issues.

(i) In TFDE any new data file created by the user, or temporary files, cache files, backup files etc. created by the operating system or application software, are not encrypted automatically. The user must encrypt them manually if these files contain any sensitive information.
(ii) Only the contents of the file are encrypted. File names, access date and time etc. are easily readable, which may lead to sensitive data leak.
(iii) An attacker can perform a TPM reset attack on this model if he can get access to any of the user accounts [13].

4. Improved TFDE Model

4.1 Disk partition structure

In the proposed model a new encrypted partition is included in addition to the existing three primary partitions (hidden keys partition, system boot partition and operating system partition) and one extended partition (user data partition) [2], along with an optional logical partition (see Figure 1).

Figure 1. Hard disk partition structure.

(i) The hidden keys partition stores all the symmetric and asymmetric keys for every user. Asymmetric TPM keys include Storage keys (SK), Binding keys, Attestation Identity Keys (AIK), signing keys and other migratable as well as non-migratable keys. The Storage Root Key (SRK) and Endorsement Key (EK) reside inside the TPM. The TPM manages a key hierarchy while storing the keys, where each key is encrypted by its parent key which, at the top level, is encrypted by SK and thereafter by SRK [6]. The System Storage Key (SSK), which is used to encrypt the contents of the system boot partition and operating system partition, is stored in an external storage device directly encrypted by the SRK (see Figure 2).

Figure 2. Key hierarchy.

(ii) The system boot partition contains the boot sector and the files required to start up the booting process, which are encrypted by the SSK and sealed by the hash values of the TPM platform configuration registers (PCR) to provide platform authentication.
(iii) The operating system partition stores operating system files and its support files. These files are also encrypted by the SSK and sealed by PCR values.
(iv) The application software partition stores the application software files. This partition is optional. The purpose is to make the operating system partition less cluttered.
(v) The encrypted partition is encrypted block-by-block using a symmetric key encryption algorithm. The encryption key is stored in the hidden keys partition, encrypted by an SK. This partition can be used as a temporary working directory for critical data while using applications which create backup files. Encryption at disk level protects file metadata and, due to automatic encryption, low-level data recovery tools become useless.
(vi) The user data partition stores encrypted user data and may be divided into multiple logical partitions. User data is encrypted by various symmetric key algorithms on an on-demand basis.

4.2 System setup and configuration

This includes multiple jobs and/or steps explained next.

(i) Right after the system administrator finishes installation of the operating system and other software, he takes ownership of the TPM, during which a new SRK key pair is generated [7].
(ii) The administrator creates the SSK using the TPM's built-in true Random Number Generator. This SSK is used to encrypt the contents of the system boot partition and operating system kernel while sealing.
(iii) The pre-boot authentication operating system is installed in the system boot partition and the MBR is modified to execute it before booting starts.
(iv) The core components of the booting process are sealed in the following manner.
  a. The Core Root of Trust for Measurement (CRTM) measures the BIOS block and inserts that into a PCR by extending the PCR. Similarly the BIOS measures other hardware components and the boot loader, and control is passed to the boot loader.
  b. The boot loader measures the pre-boot authentication operating system. The current PCR values are stored on the disk. At the time of decryption these values are used to ensure that the MBR is not infected and the correct software is loaded.
  c. Then the contents of the system boot partition are sealed using the SSK and the sealed content is stored on disk. These PCR values can be used to verify platform authenticity.
  d. Similarly the operating system kernel is measured, sealed and stored to verify platform integrity. To keep them tamper-proof, the sealed data is signed by TPM signing keys.
(v) Whenever a new user account is created, a new set of symmetric and asymmetric keys is created by the TPM and the user is given an external storage device (usually a USB drive) containing the SSK, which is protected by a PIN or password. For the system to boot, the user must plug in the storage device and enter the password/PIN in the pre-boot screen in order to unseal the contents of the system boot and operating system partitions. In a multi-user environment this configuration keeps the SRK password safe with the administrator while allowing others to use the system with their separate PIN/password.
(vi) During setup, a separate encrypted partition is created, and a symmetric key is created by the TPM to encrypt/decrypt the contents of that partition.
(vii) The system is configured so that on entering sleep mode or screen locked mode, the TPM unloads all the encryption keys from its key slots. When the user tries to resume from sleep mode or unlock the screen, the system displays the pre-boot screen. The user must plug in the USB drive and enter the PIN/password to load the SSK into the TPM.

Figure 3. Flowchart for decryption process of system startup.

4.3 Decryption Process of the Model

The system's decryption process includes the decryption process of system start-up, the decryption process of users' keys and data, and the decryption process at resume from sleep mode/unlock screen.
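
Added example (not part of the original paper or the authors' implementation): the measure-then-seal chain of Section 4.2 (iv) and the key unloading of Section 4.2 (vii), modelled in Python. It uses the TPM 1.2 SHA-1 extend rule; ToyTPM, its XOR-pad cipher and the sample boot components are assumptions made for illustration, and the USB device/PIN step is left out.

```python
import hashlib
import hmac
import os

PCR_LEN = 20  # TPM 1.2 PCRs hold one SHA-1 digest

def extend(pcr, component):
    """TPM 1.2 extend: PCR_new = SHA1(PCR_old || SHA1(component))."""
    return hashlib.sha1(pcr + hashlib.sha1(component).digest()).digest()

def measure_boot(chain):
    """Fold each boot component, in load order, into one PCR."""
    pcr = bytes(PCR_LEN)  # PCRs are zero after a platform reset
    for component in chain:
        pcr = extend(pcr, component)
    return pcr

class ToyTPM:
    """Software stand-in for seal/unseal (assumption: XOR pad as toy cipher)."""
    def __init__(self):
        self._srk = os.urandom(32)  # models the SRK, which never leaves the chip
        self.key_slot = None        # models a key slot holding the loaded SSK

    def _mac(self, label, data):
        return hmac.new(self._srk, label + data, hashlib.sha256).digest()

    def seal(self, ssk, pcr):
        """Bind a 32-byte SSK to the PCR value recorded at setup time."""
        ct = bytes(a ^ b for a, b in zip(ssk, self._mac(b"pad", pcr)))
        return {"pcr": pcr, "ct": ct, "tag": self._mac(b"tag", pcr + ct)}

    def unseal(self, blob, current_pcr):
        """Load the SSK only if the blob is intact and the PCR matches."""
        tag = self._mac(b"tag", blob["pcr"] + blob["ct"])
        if not hmac.compare_digest(tag, blob["tag"]):
            return False  # sealed blob was modified on disk
        if not hmac.compare_digest(blob["pcr"], current_pcr):
            return False  # measured boot chain differs from the sealed one
        pad = self._mac(b"pad", blob["pcr"])
        self.key_slot = bytes(a ^ b for a, b in zip(blob["ct"], pad))
        return True

    def suspend(self):  # Section 4.2 (vii): unload keys on sleep or screen lock
        self.key_slot = None

# Constructed sample boot components (placeholders, not real firmware).
GOOD_CHAIN = [b"bios-block-v1", b"boot-loader-v1", b"preboot-auth-os-v1"]
EVIL_CHAIN = [b"bios-block-v1", b"boot-loader-PATCHED", b"preboot-auth-os-v1"]

if __name__ == "__main__":
    tpm = ToyTPM()
    blob = tpm.seal(os.urandom(32), measure_boot(GOOD_CHAIN))
    print("clean boot unseals:", tpm.unseal(blob, measure_boot(GOOD_CHAIN)))
    print("patched boot unseals:", tpm.unseal(blob, measure_boot(EVIL_CHAIN)))
```

Because every component is folded into the PCR in load order, a change to any earlier stage alters the final value and the SSK stays sealed; after suspend() the key slot is empty until a fresh unseal succeeds.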
The whole process has been explained through flow charts (see Figures 3 and 4).

Figure 4. Flowchart for decryption process (a) of user keys (b) of user data (c) at resume from startup mode/unlock screen.

4.4 Recovery mechanism

A safe and easy recovery mechanism is required whenever a user forgets his login password or a stolen PC is recovered. Whenever the number of failed login attempts in the login screen reaches a policy-based limit, the system treats that as a threat situation and loads the pre-boot recovery console. Two options are available.

(i) Recovery password: The system may ask for a recovery password designated at user account creation time and stored in the external storage device.
(ii) Challenge-response method: The external storage device stores a set of challenge questions and their responses designated at user account creation time. The number and type of challenge questions depend upon the user's choice. The recovery console randomly chooses a challenge from the set and asks for its response to unlock the account.

5. Conclusion

In this paper we have analyzed some of the most used storage security models and also a new model named TFDE. The models were scrutinized based on both their security measures and performance impact. As we can see from the analysis, most of the security loop-holes persist due to design flaws. We also proposed a new model eliminating almost every security loop-hole by making some changes in the existing TFDE model design. The primary component affecting the security of the system is the security of the external storage device and its PIN/password. We have also introduced two recovery options to be used in case of a forgotten password or recovery of a stolen PC. Although the proposed model is much more secure than the others, we do not get any performance gain over basic TFDE. Moreover, this model is not suitable for a multi-OS or network OS environment. These, along with extending the usage of the external storage device as a backup of encryption keys, will be the focus of our future work.

References

[1] Tomasz Bilski: A Formal Model for Data Storage Security Evaluation. In International Conference on Computational Science and its Applications, ICCSA (2007) 253-257.
[2] Li Jun and Yu Huiping: Trusted Full Disk Encryption Model Based on TPM. In 2nd International Conference on Digital Object Identifier, ICISE (2010) 1-4.
[3] http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/distrib/dsck efs duwf.mspx
[4] Randy Muller: How it works-encrypting File System (2006) [Online], http://technet.microsoft.com/en-us/magazine/2006.05.howitworks.aspx
[5] http://www.symantec.com/content/en/us/enterprise/white papers/b-how-drive-encryption-works WP 21275920.pdf
[6] http://www.ogobin.org/tcpa/trusted Platform Module White Paper.pdf
[7] ftp://ftp.cs.bham.ac.uk/pub/authors/m.d.ryan/08-intro-tpm.pdf
[8] http://www.rsa.com/rsalabs/technotes/tpm/sealedstorage.pdf
[9] Halderman, J. A., Schoen, S. D., Heninger, N., Clarkson, W., Paul, W., Calandrino, J. A., Feldman, A. J., Applebaum, J. and Felten, E. W.: Lest we remember: Cold Boot Attacks on Encryption Keys. In Proc. 17th USENIX Security Symp., Sep. (2008) 45-60.
[10] Jake Edge: Evil Maid Attack Against Disk Encryption, October (2009) [Online], http://lwn.net/articles/359145/
[11] http://theinvisiblethings.blogspot.in/2009/10/evil-maid-goes-after-truecrypt.html
[12] Guido J. van 't Noordende, Silvia D. Olabarriaga, Matthijs R. Koot and Cees Th. A. M. de Laat: A Trusted Data Storage Infrastructure for Grid-Based Medical Applications. In 8th IEEE International Symposium on Cluster Computing and the Grid, CCGRID-2008 (2008) 627-632.
[13] Klaus Kursawe, Dries Schellekens and Bart Preneel: Analyzing Trusted Platform Communication. In ECRYPT Workshop, CRASH Cryptographic Advances in Secure Hardware (2005).