Network Bound Encryption
for Data-at-Rest Protection
Nathaniel McCallum,
Principal Software Engineer
Red Hat, Inc.
Disk Life Cycle
Disk Life Cycle
Network Bound Encryption for Data-at-Rest Protection
Disk Life Cycle
Network Bound Encryption for Data-at-Rest Protection
Disk Life Cycle
Network Bound Encryption for Data-at-Rest Protection
Procurement
Disk Life Cycle
Network Bound Encryption for Data-at-Rest Protection
Procurement
Disk Life Cycle
Network Bound Encryption for Data-at-Rest Protection
Procurement
Provisioning
Disk Life Cycle
Network Bound Encryption for Data-at-Rest Protection
Procurement
Provisioning
Disk Life Cycle
Network Bound Encryption for Data-at-Rest Protection
Procurement
Provisioning
Utilization
Disk Life Cycle
Network Bound Encryption for Data-at-Rest Protection
Procurement
Provisioning
Utilization
Disk Life Cycle
Network Bound Encryption for Data-at-Rest Protection
Procurement
Provisioning
Utilization
Disk Life Cycle
Network Bound Encryption for Data-at-Rest Protection
Procurement
Provisioning
Utilization
Repair
Disk Life Cycle (Third Parties)
Network Bound Encryption for Data-at-Rest Protection
Procurement
Provisioning
Utilization
Repair
Disk Life Cycle (Third Parties; Threat Models)
Network Bound Encryption for Data-at-Rest Protection
Procurement Provisioning Utilization Repair End of Life Firmware Attacks Code Injection
Disk Life Cycle (Third Parties; Threat Models)
Network Bound Encryption for Data-at-Rest Protection
Procurement Provisioning Utilization Repair End of Life Firmware Attacks
Disk Life Cycle (Third Parties; Threat Models)
Network Bound Encryption for Data-at-Rest Protection
Procurement Provisioning Utilization Repair End of Life Firmware Attacks
Code Injection Passive Snooping
Passive Snooping Firmware Attacks Code Injection
Security Threats and Mitigation
Network Bound Encryption for Data-at-Rest Protection
•
Provisioning:
•
Firmware Attacks – Flash Firmware
•
Code Injection – Format (Restore)
•
Encryption:
•
Passive Snooping
c
Key Usage Overview: Symmetric Encryption
Network Bound Encryption for Data-at-Rest Protection
Data
c
Common Technique #1: Shared KEKs
Network Bound Encryption for Data-at-Rest Protection
Data
Common Technique #1: Shared KEKs
Network Bound Encryption for Data-at-Rest Protection
Pros
Cons
Easy (A.K.A. procrastination) Manual Unlocking
Manual Rotation
Early Boot
Granularity vs. Scalability
No Access Control
Common Technique #2: KEK Escrow / Retrieval
Network Bound Encryption for Data-at-Rest Protection
Data
Disk Encryption Key
Key Encryption Key = “e3b0c44298f...”
Escrow
Encrypted
(hopefully)
Common Technique #2: KEK Escrow / Retrieval
Network Bound Encryption for Data-at-Rest Protection
Pros
Cons
Key Separation
No Offline Escrow
Manual Rotation (or CRL)
Automatic Unlocking
Key First, Disk Later
Requires Authentication
Access Control
“Key in Tunnel” Design
Stateful Server
Auditing
(Usually) No Early Boot
Network Bound Encryption for Data-at-Rest Protection
Can we use asymmetric crypto
to improve the situation?
New Technique #1: X.509
Network Bound Encryption for Data-at-Rest Protection
Data
Disk Encryption Key
Key Encryption Key
Decryption
Server
X.509 Certificate
TLS Encrypted
Private Key
Encrypted KEK
Decrypted KEK
New Technique #1: X.509
Network Bound Encryption for Data-at-Rest Protection
Pros
Cons
Key Separation
No Key First, Disk Later
“Key in Tunnel” Design
Automatic Unlocking
No Authentication Required
Manual Rotation (or CRL)
Offline Escrow
Limited Access Control
Early Boot
Limited Auditing
New Technique #1: X.509
Network Bound Encryption for Data-at-Rest Protection
•
Most major drawbacks relate to the use of X.509
•
Can we shrink implementation requirements for embedded use?
•
Can we hide key contents from the Decryption Server?
New Technique #1: X.509
Network Bound Encryption for Data-at-Rest Protection
•
Most major drawbacks relate to the use of X.509
•
Can we shrink implementation requirements for embedded use?
•
Can we hide key contents from the Decryption Server?
•
Can we avoid TLS?
New Technique #2: McCallum-Relyea Exchange
Network Bound Encryption for Data-at-Rest Protection
Data
Disk Encryption Key
Key Encryption Key
Decryption
Server
Public Key
McCallum-Relyea Exchange
Private Key
(no encryption)
UDP Request (x)
UDP Reply (x')
Elgamal Encryption
McCallum Opaque Decryption
McCallum-Relyea Exchange
New Technique #2: McCallum-Relyea Exchange
Network Bound Encryption for Data-at-Rest Protection
Data
Disk Encryption Key
Key Encryption Key
Decryption
Server
Public Key
McCallum-Relyea Exchange
Private Key
(no encryption)
UDP Request (x)
UDP Reply (x')
New Technique #2: McCallum-Relyea Exchange
Network Bound Encryption for Data-at-Rest Protection
Pros
Cons
Key Separation
No Key First, Disk Later
Limited Access Control
Automatic Unlocking
No Authentication Required
Limited Auditing
Offline Escrow
“Key in Tunnel” Design
Early Boot
Automatic Rotation
New Technique #3: Push McCallum-Relyea Exchange
Network Bound Encryption for Data-at-Rest Protection
Data
Disk Encryption Key
Key Encryption Key
Push
Command
Public Key
McCallum-Relyea Exchange
Private Key
(no encryption)
TCP Request (x)
TCP Reply (x')
New Technique #3: Push McCallum-Relyea Exchange
Network Bound Encryption for Data-at-Rest Protection
Pros
Cons
Key Separation
No Key First, Disk Later
Automatic Unlocking
No Authentication Required
Offline Escrow
“Key in Tunnel” Design
Early Boot
Automatic Rotation
Upstream Project: Deo
Network Bound Encryption for Data-at-Rest Protection
•
https://github.com/npmccallum/deo
•
Δεο: to bind
•
Project Status: Unstable
•
Technique #1 implemented (X.509; deprecated – don't use)
•
Techniques #2 and #3 in development
•
Early boot (LUKS) implemented
•
Support for ext4 crypto in planning
•
Contributions welcome!
Last slide
INTERNAL ONLY | PRESENTER NAME
