Presentation is loading. Please wait.

Presentation is loading. Please wait.

STRONGBOX: CONFIDENTIALITY, INTEGRITY, AND PERFORMANCE USING STREAM CIPHERS FOR FULL-DISK ENCRYPTION Bernard Dickens III.

Published byAubrie Nichols Modified over 6 years ago

Similar presentations

Presentation on theme: "STRONGBOX: CONFIDENTIALITY, INTEGRITY, AND PERFORMANCE USING STREAM CIPHERS FOR FULL-DISK ENCRYPTION Bernard Dickens III."— Presentation transcript:

1 STRONGBOX: CONFIDENTIALITY, INTEGRITY, AND PERFORMANCE USING STREAM CIPHERS FOR FULL-DISK ENCRYPTION
Bernard Dickens III

2 Roadmap Motivation Current State of the Art
Key Insight of Log-structured File Systems StrongBox Implementation Overview Threat Model Performance Evaluation Contribution and Limitations Conclusion Future Work

3 Motivation Modern devices use fast flash-based storage
Flash storage, including SSDs, flash drives, eMMC, etc. are extremely popular Extremely fast unencrypted storage Full disk encryption is slow Really slow: 3-5x slower than unencrypted storage … because the AES block cipher is slow (in XTS mode) Full disk encryption (FDE) is ubiquitous Every Android device at or past Android M employs FDE by default Windows 10 devices come with TPM-based BitLocker FDE schemes Trusted hardware TPMs/TEEs are already widely integrated Stream ciphers are very fast Google replaced AES with a fast stream cipher for HTTPS in 2014! Can we leverage the speed of modern stream ciphers to make FDE faster? Split into two Better (more provocative) titles: securing data at rest, technology trends

4 Current Solutions (State of the Art)
Everyone implements FDE using AES in XTS mode dm-crypt is standard for Linux/Android; uses AES-XTS All Windows computers, laptops, tablets with BitLocker use AES-XTS Apple iOS/FileVault uses AES-XTS VeraCrypt/TrueCrypt et al. employ AES-XTS by default Add illustration of AES-XTS (basic internal diagrams of AES-XTS/block cipher) Better title Split this into two columns: how block cipher works vs stream cipher works w/ diagrams too Really slow vs really fast Why is one favored over the other? <add more pictures> Technology trends lead to the second being favored now (flash over normal disks; hardware secure counter support)

5 The Problem with FDE and Stream Ciphers
Naïve FDE implementations using stream ciphers are trivially vulnerable! Trivial many-time pad attacks Rollback attacks These problems with stream ciphers and FDE are well understood by the community The common assumption: workarounds for the above problems are too expensive The general wisdom: use a block cipher instead of a stream cipher for FDE

6 Key Insight In context, the disks that are being encrypted are often flash-based Flash-based storage allows I/O via Flash Translation Layer (FTL) FTLs behaves very similarly to Log-structured File Systems (LFS) LFSes are filesystems that write data and metadata to a circular buffer in a sequential fashion LFSes (and FTLs) are in effect append-only filesystems with garbage colletion We can avoid the many-time pad vulnerability if the filesystem consistently makes forward writes (i.e. append-only) 5 minutes by this point!

7 Solution: StrongBox We propose StrongBox
A drop-in replacement for AES-XTS-backed FDE providers such as dm-crypt Goals of our StrongBox implementation Provide a transparent encryption layer without API changes Track writes to ensure that the same location is never overwritten Ensure metadata used for tracking writes is secure and is not subject to side channel leaks or rollback attacks Accomplishing the above without cutting too deep into the performance gained by use of the stream cipher

8 StrongBox Illustration

9 Threat 1: Passive Attacker
(describe standard attacks that all FDE was created to defend against) (describe solution)

10 Threat 2: Many-time Pad Attack
(describe many-time pad attack unique to stream cipher use in FDE) (describe solution)

11 Threat 3: Rollback Attack
(describe rollback attack) (describe how it’s handled with AES-XTS) (describe how it’s different with stream ciphers) (describe solution)

12 Performance Evaluation
(add metrics from paper showing the defeat of dm-crypt in majority of cases as ratios; i.e. 2.5x faster than Y) Multiple slides, one result/sentence per slide

13 X Contribution (Key insight is a contribution?) (StrongBox itself?)
<<is this a necessary page at all?>>

14 X Limitations (describe the several limitations inherent in the current StrongBox implemention)

15 Conclusion (tell them what you told them but succinctly)

16 Future Work and Improvements
(summarize the three future work sections from the paper)

17 Reference (paper url or something goes here?)
(link to anonymous repo goes here)

18 END Any Questions?

Download ppt "STRONGBOX: CONFIDENTIALITY, INTEGRITY, AND PERFORMANCE USING STREAM CIPHERS FOR FULL-DISK ENCRYPTION Bernard Dickens III."

Similar presentations

Lecture 19 Page 1 CS 111 Online Protecting Operating Systems Resources How do we use these various tools to protect actual OS resources? Memory? Files?

Lecture 19 Page 1 CS 111 Online Protecting Operating Systems Resources How do we use these various tools to protect actual OS resources? Memory? Files?
Full-Datapath Secure Deletion Sarah Diesburg 1. Overview Problem  Current secure deletion methods do not work State of the art  Optimistic system-wide.

Full-Datapath Secure Deletion Sarah Diesburg 1. Overview Problem  Current secure deletion methods do not work State of the art  Optimistic system-wide.
Polymorphic blending attacks Prahlad Fogla et al USENIX 2006 Presented By Himanshu Pagey.

Polymorphic blending attacks Prahlad Fogla et al USENIX 2006 Presented By Himanshu Pagey.
Operating Systems Concepts 1. A Computer Model An operating system has to deal with the fact that a computer is made up of a CPU, random access memory.

Operating Systems Concepts 1. A Computer Model An operating system has to deal with the fact that a computer is made up of a CPU, random access memory.
MetaSync File Synchronization Across Multiple Untrusted Storage Services Seungyeop Han Haichen Shen, Taesoo Kim*, Arvind Krishnamurthy,

MetaSync File Synchronization Across Multiple Untrusted Storage Services Seungyeop Han Haichen Shen, Taesoo Kim*, Arvind Krishnamurthy,
Chapter 8.  Cryptography is the science of keeping information secure in terms of confidentiality and integrity.  Cryptography is also referred to as.

Chapter 8.  Cryptography is the science of keeping information secure in terms of confidentiality and integrity.  Cryptography is also referred to as.
Institut Mines-Télécom “Digital Safe Client via HTML5 ” Mayssa JEMEL Ahmed SERHROUCHNI Journée: Cloud Coffre Fort Numérique 26 Février 2015.

Institut Mines-Télécom “Digital Safe Client via HTML5 ” Mayssa JEMEL Ahmed SERHROUCHNI Journée: Cloud Coffre Fort Numérique 26 Février 2015.
Operating Systems CMPSC 473 I/O Management (2) December 02 2010 - Lecture 24 Instructor: Bhuvan Urgaonkar.

Operating Systems CMPSC 473 I/O Management (2) December Lecture 24 Instructor: Bhuvan Urgaonkar.
CRYPTOGRAPHY PROGRAMMING ON ANDROID Jinsheng Xu Associate Professor North Carolina A&T State University.

CRYPTOGRAPHY PROGRAMMING ON ANDROID Jinsheng Xu Associate Professor North Carolina A&T State University.
Computer Safety Workshop Presented by Roy Coleman April 14, 2015 © 2015 Roy Coleman.

Computer Safety Workshop Presented by Roy Coleman April 14, 2015 © 2015 Roy Coleman.
Operating System Review September 10, 2012Introduction to Computer Security ©2004 Matt Bishop Slide #1-1.

Operating System Review September 10, 2012Introduction to Computer Security ©2004 Matt Bishop Slide #1-1.
Protecting Data on Smartphones and Tablets from Memory Attacks

Protecting Data on Smartphones and Tablets from Memory Attacks
Full-Datapath Secure Data Deletion Sarah Diesburg 5/4/2009 1.

Full-Datapath Secure Data Deletion Sarah Diesburg 5/4/
IT253: Computer Organization

IT253: Computer Organization
Resolving Journaling of Journal Anomaly in Android I/O: Multi-Version B-tree with Lazy Split Wook-Hee Kim 1, Beomseok Nam 1, Dongil Park 2, Youjip Won.

Resolving Journaling of Journal Anomaly in Android I/O: Multi-Version B-tree with Lazy Split Wook-Hee Kim 1, Beomseok Nam 1, Dongil Park 2, Youjip Won.
Shambhu Upadhyaya 1 802.11 Security – AES-CCMP Shambhu Upadhyaya Wireless Network Security CSE 566 (Lecture 13)

Shambhu Upadhyaya Security – AES-CCMP Shambhu Upadhyaya Wireless Network Security CSE 566 (Lecture 13)
DATA & COMPUTER SECURITY (CSNB414) MODULE 3 MODERN SYMMETRIC ENCRYPTION.

DATA & COMPUTER SECURITY (CSNB414) MODULE 3 MODERN SYMMETRIC ENCRYPTION.
Storage Systems CSE 598d, Spring 2007 Lecture 13: File Systems March 8, 2007.

Storage Systems CSE 598d, Spring 2007 Lecture 13: File Systems March 8, 2007.
TUF: Secure Software Updates Justin Cappos NYU Poly Computer Science and Engineering.

TUF: Secure Software Updates Justin Cappos NYU Poly Computer Science and Engineering.
Protecting Data at Rest Through Encryption CIO Summit November 30, 2007.

Protecting Data at Rest Through Encryption CIO Summit November 30, 2007.

Similar presentations

Ads by Google