Security Features for SSD - PowerPoint PPT Presentation



slide-1
SLIDE 1

Security Features for SSD
slide-2
SLIDE 2

Why Storage Security is Important ?

  • Source: https://www.symantec.com/about/newsroom/press-kits#
  • Source: https://trustedcomputinggroup.org/work-groups/storage/

Dilemmas !

“ A secret known by two is no longer a secret ”

slide-3
SLIDE 3

Why focus on the DAR(Data At Rest) and DARE(DAR Encryption) ?

  • 3 States of data
  • Data is everywhere, and when broadly categorized, three states of data exist

Data in Motion / Data at Rest / Data in Use

  • Network
  • Multi-Channel : e-mail, Messaging, P2P, Web, FTP, etc
  • Discovery, Analysis, Protection & Control
  • PC, Server, HDD, SSD, Other Media
  • Integrity
  • End Point, Network Interface

  • Anytime a user uploads or downloads data from a cloud server or data is in transit while being shared, that’s data in motion. When that same data is simply existing in the cloud or on an endpoint device, the data is at rest.
  • Data in transit is often an easy target for cyber criminals, who can position themselves between where data is stored and where it’s going to syphon off information in transit. If this data in motion is not encrypted, there’s nothing stopping the cyber criminal from gaining access.
  • There’s a misconception that data at rest is more secure than data in motion; the truth is they’re both vulnerable. Outside of physical device theft, where any unsecured data at rest could become vulnerable, if data at rest isn’t outfitted with access rights controls, nothing is stopping an end user from downloading an app and unwittingly providing it permission to access that file on their device.
  • Data in use could include anything from a file being copied between folders to files being edited to data being transferred from a laptop to a thumb drive. While it might be easier to steal data in motion, data in use (and data at rest) must always be secure as well.

  • Data leakage through stolen/lost laptop or storage device
  • End of life and disposal

slide-4
SLIDE 4

Encryption at Rest in Google Cloud Platform

  • Google’s default Encryption Policy

Source: https://cloud.google.com/security/encryption-at-rest/default-encryption/

  • Several layers of encryption are used to protect data stored in Google Cloud Platform. Either distributed file system encryption or database and file storage encryption is in place for almost all files; and storage device encryption is in place for almost all files.
  • Data at Google is broken up into encrypted chunks for storage.
  • To decrypt a data chunk, the storage service calls Google’s Key Management Service (KMS) to retrieve the unwrapped data encryption key (DEK) for that data chunk.

slide-5
SLIDE 5

What are the Security Features for SSD ?

  • DAR security features

With User-data Encryption

SED (Self Encrypting Drive)

▪ The Best-Kept Secret in Storage Device Encryption Security
▪ TCG Opal(Client) / TCG Enterprise(Enterprise)
▪ Encrypts Multi-ranges with Key Management scheme

FDE (Full Disk Encryption)

▪ Encrypts an entire disk(1 Global range)
▪ One Key(Media Encryption Key) encrypts/decrypts the whole device

Microsoft eDrive

▪ MS Windows manages eDrive
▪ No additional Key Management solution to deploy eDrive

Without User-data Encryption

ATA Security

▪ Security mode feature set
▪ The storage device allows read/write access to the user data only after the required authority is proven
▪ User password / Master password
▪ Frozen mode supply : The storage device will abort all read/write commands until it is unlocked

TCG Pyrite

▪ TCG Security Subsystem Class
▪ Pyrite SSC does not specify encryption of user data

slide-6
SLIDE 6

What is a SED ?

  • Self Encrypting Drive

▪ Power Off → Drive Locked / Encrypted = Secure + “Instant Crypto Erase”

  • Hardware AES engine(AES : Advanced Encryption Standard, FIPS197)
  • Encrypt everything written
  • Decrypt everything read

Diagram labels: Encryption Management Application, AES 128/256-bit Hardware Encryption Engine, TCG OPAL2.0, IEEE1667 Protocol, AES256

slide-7
SLIDE 7

What are SEDs ?

  • Classical FDE(Full Disk Encryption)

Diagram labels: FDE Drive, Host, Boot Process, Encrypted Data, Plaintext Data, Accessing Data, OS, Cryptographic S/W driver, FDE, User Files/Apps

▪ Encryption performed by the OS
▪ FDE Software

  • Bitlocker(MS)
  • SecureDoc(Winmagic)
  • Embassy(WAVE)
  • SafeBoot(McAfee), etc

▪ PROS

  • User data is useless without the key
  • Hardware-based FDE : within a storage device is called a SED
  • Instant “Secure Erase” is possible : Simply delete the key

▪ CONS

  • Runtime performance degradation
slide-8
SLIDE 8

What are SEDs ?

  • SED(Self Encrypting Drive)

Diagram labels: SED, Security Commands, Host, Encrypted Data, Plaintext Data, OS, Cryptographic H/W in SED, User Files/Apps

SED types

  • TCG SWG Standards : OPAL, OPALite, Enterprise, Pyrite
  • Microsoft Standard : eDrive

▪ Hardware AES engine
▪ Encryption performed by the drive controller
▪ SED security = SED + ISV application
▪ Provide more Secure Solution than FDE
▪ Protect against Malware
▪ PROS

  • No performance Overhead
  • Instant in-place Encryption
  • Secure Boot flow is available

▪ CONS ?

slide-9
SLIDE 9

What are SEDs ?

  • FDE(S/W Encryption based) vs SED(H/W based)

Performance Comparison

Source: https://www.trustedstrategies.com/
slide-10
SLIDE 10

What is a TCG OPAL SED ?

  • TCG(Trusted Computing Group) > SWG(Storage Work Group)

Diagram labels: Trusted Platform Module, PC Client, Embedded Systems, Trusted Network Connect, Virtualized Platform, Mobile, Infrastructure, Software Stack, Storage, Server, Trusted Multi-tenant Infrastructure

TCG Members (Storage Work Group) TCG SWG

Source: www.trustedcomputinggroup.org

slide-11
SLIDE 11

What is a TCG OPAL SED ?

  • TCG(Trusted Computing Group) > SWG(Storage Work Group)

Diagram labels: General Document, Security Subsystem Class, Feature Sets

TCG Storage Specifications TCG SWG Motivation

TCG OPAL/Enterprise SSCs address the DAR problem

  • Data leak through stolen or lost laptop or storage device
  • End of life and disposal
  • Provides Encrypting/Locking
  • Simple password based authentication

With TCG OPAL SED

▪ Compared to S/W-based encryption solutions, SEDs offer many benefits to user

slide-12
SLIDE 12

What is a TCG OPAL SED ?

  • TCG OPAL SED Contents

TCG OPAL SED

Diagram labels: Encrypted Data, Plaintext Data

Drive States (each state has a Power off / De-authenticate transition)

  • Drive is always locked after every power cycle
  • Only Shadow MBR is visible. Read-only.

  • PBA(Pre-boot Authentication)
  • User authenticates
  • Drive decrypts MEK & Loading
  • Trigger boot User data
  • Drive remains in unlocked state until power cycle or de-auth

  • Encryption transparent to OS
  • Only User data visible
  • Only an authenticated user can lock/unlock the drive

▪ System Area

  • TCG Tables and Templates
  • MEK(Media Encryption Key)
  • FW variables and settings, etc.

▪ Shadow MBR

  • Pre-Boot Environment

▪ User Data Area

  • Always Encrypted with MEK
  • Potential for Multiple Ranges(or bands) with different MEK

slide-13
SLIDE 13

What is a TCG OPAL SED ?

  • TCG OPAL SED Operation flow

TCG OPAL SED Layout

PBKDF2(Password-Based Key Derivation Function 2) with SHA256

Source: www.trustedcomputinggroup.org
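
A toy model of the drive states and key hierarchy on the preceding slides, added here as an illustration (not code from the presentation or from the TCG specifications). It assumes the PBKDF2-SHA256 output is used to wrap the MEK held in the system area; `ModelSED`, the iteration count and the SHA-256 keystream that stands in for the hardware AES engine are all assumptions of the example.

```python
import hashlib
import hmac
import os

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in for the drive's AES engine (NOT AES): SHA-256 counter keystream XOR."""
    n = len(data) // 32 + 1
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(n))
    return bytes(a ^ b for a, b in zip(data, stream))

class ModelSED:
    def __init__(self, password: str):
        self.salt = os.urandom(16)
        self.media = {}                     # user data area: LBA -> ciphertext
        self.mek = None                     # plaintext MEK exists only while unlocked
        self._wrap(os.urandom(32), password)

    def _keys(self, password: str):
        k = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000, dklen=64)
        return k[:32], k[32:]               # wrap key, integrity key (iteration count assumed)

    def _wrap(self, mek: bytes, password: str):
        enc, mac = self._keys(password)
        blob = keystream_xor(enc, mek)      # system area holds only the wrapped MEK
        self.system_area = blob + hmac.new(mac, blob, "sha256").digest()

    def unlock(self, password: str) -> bool:
        enc, mac = self._keys(password)
        blob, tag = self.system_area[:32], self.system_area[32:]
        if not hmac.compare_digest(tag, hmac.new(mac, blob, "sha256").digest()):
            return False                    # wrong password: MEK stays wrapped
        self.mek = keystream_xor(enc, blob)
        return True

    def power_cycle(self):
        self.mek = None                     # locked again after every power cycle

    def io(self, lba: int, data: bytes = None) -> bytes:
        if self.mek is None:
            raise PermissionError("drive locked")
        key = self.mek + lba.to_bytes(8, "big")
        if data is not None:
            self.media[lba] = keystream_xor(key, data)
        return keystream_xor(key, self.media[lba])

    def crypto_erase(self, password: str):
        if not self.unlock(password):
            raise PermissionError("authentication failed")
        self.mek = os.urandom(32)           # old MEK destroyed, media untouched
        self._wrap(self.mek, password)
```

`crypto_erase` replaces only the wrapped MEK in the system area, yet every block already on the media becomes unreadable.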

slide-14
SLIDE 14

Appendix – Additional Security Features

▪ Digitally Signed Firmware Binaries
▪ All vendor unique commands or other abilities, including for debug, must be protected
▪ Security versioning, logging, etc.

  • Example : Secure Boot & Download

Key Generator

  • RSA private key (secret)
  • RSA public key (stored at protection area of Storage device)

Firmware Signing

  • 1. Build a firmware binary
  • 2. Hash firmware binary with SHA-256
  • 3. Generate RSA signature with RSA private key

Signed Firmware Image

  • Firmware binary
  • RSA signature (encrypted) of the SHA-256 HASH

Secure Boot & Download

  • 1. Decrypt RSA signature with RSA public key.
  • 2. Hash firmware binary with SHA-256
  • 3. Compare whether both hashes are the same. If same, continue boot or download current firmware binary.
slide-15
SLIDE 15

Thank You