2. Introduction
Security Background
Commonly used Encryption Algorithms
Traditional modes of operation
Confidential Data storage
Software based Confidential Data Storage
Hardware based Confidential Data Storage
Deletion
Conclusion
3. What is the need of storing the data in a confidential manner?
The cost of electronic storage is declining rapidly.
Theft of electronic storage occurs much more frequently.
Sensitive information stored in an insecure manner is vulnerable
to theft.
Two major components exist to safeguard the privacy of data on
electronic storage media:
Data must be stored in a confidential manner to prevent
unauthorized access.
At the time of disposal, confidential data must be removed from
the storage media.
4. The general concept of secure handling of data is composed of
three aspects:
Confidentiality: involves ensuring that information is not read by
unauthorized persons. Using encryption to store data or
authenticating valid users are example means by which
confidentiality is achieved.
Integrity: ensures that the information is not altered by
unauthorized persons. To verify: combine a message authentication
code with sensitive data.
Many techniques of confidential storage and deletion involve
cryptography:
Commonly Used Encryption Algorithms
Traditional Modes of Operation
5. Encryption: used in cryptography “to scramble information so
that only someone knowing the appropriate secret can obtain the
original information (through decryption)”.
The secret is often a key of n random bits of zeros and ones.
Common symmetric key encryption algorithms: the Data
Encryption Standard (DES), Triple-DES (3DES), and the Advanced
Encryption Standard (AES).
DES: a key size of 56 bits and a block size of 64 bits. Criticism: the 56-bit key
length is too short. With newer CPUs, the key space of $2^{56}$ can be
enumerated.
3DES: built to enlarge the DES key space. Criticism: the key space is enlarged to $2^{168}$,
but the strength of 3DES is only twice as strong as DES.
AES: block length of 128 bits and supports key lengths of 128, 192, and 256
bits.
6. Electronic Codebook (ECB): the simplest mode of operation; it does not
use an IV (initialization vector). With a key, $P_i$ as the $i$th block of plaintext, and $C_i$ as
the $i$th block of ciphertext, the encryption is performed as $C_i = E_{key}(P_i)$, and
decryption is performed as $P_i = D_{key}(C_i)$.
Cipher-Block-Chaining (CBC): slightly more complicated and uses an IV.
Encryption of the first block of plaintext is performed as $C_1 = E_{key}(P_1 \oplus IV)$, where
$C_1$ is the 1st block of ciphertext; $IV$ is the random, non-secret initialization vector;
and $P_1$ is the 1st block of plaintext. Subsequent blocks of plaintext are encrypted as
$C_i = E_{key}(P_i \oplus C_{i-1})$. In the same manner, the first block of ciphertext is decrypted
as $P_1 = D_{key}(C_1) \oplus IV$, and the subsequent blocks of ciphertext are decrypted as
$P_i = D_{key}(C_i) \oplus C_{i-1}$.
Contd…
7. Mode of operation | Encryption performance | Decryption performance
ECB | Good: ECB does not depend on previous blocks. Multiple blocks can be encrypted and decrypted in parallel. | Good: ECB does not depend on previous blocks. Multiple blocks can be encrypted and decrypted in parallel.
CBC | Poor: CBC ciphertext requires the previous ciphertext block as input. In the case of updates, CBC requires re-encrypting the remainder of a file, since all subsequent ciphertext blocks depend on the current ciphertext block. Thus, encryption is not parallelized. | Good: CFB and CBC decryption of one block requires only one previous ciphertext block as input. Multiple blocks can be decrypted in parallel.
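The ECB and CBC equations and the update cost from the table, run on sample blocks. This is an added example, not part of the original slides: E and D are a toy Feistel permutation standing in for a real block cipher (not secure), and the key, IV and plaintext blocks are constructed. It also shows a consequence of $C_i = E_{key}(P_i)$ that the slides do not state: equal plaintext blocks give equal ECB ciphertext blocks.

```python
import hashlib

BLOCK = 16  # block size in bytes (128 bits, as for AES)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, rnd, half):  # round function of the toy Feistel cipher
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]

def E(key, blk):  # toy 4-round Feistel permutation standing in for E_key; NOT secure
    l, r = blk[:BLOCK // 2], blk[BLOCK // 2:]
    for rnd in range(4):
        l, r = r, xor(l, _f(key, rnd, r))
    return l + r

def D(key, blk):  # inverse permutation, standing in for D_key
    l, r = blk[:BLOCK // 2], blk[BLOCK // 2:]
    for rnd in reversed(range(4)):
        l, r = xor(r, _f(key, rnd, l)), l
    return l + r

def ecb_encrypt(key, pt_blocks):
    # C_i = E_key(P_i): every block is independent of the others
    return [E(key, p) for p in pt_blocks]

def cbc_encrypt(key, iv, pt_blocks):
    # C_1 = E_key(P_1 xor IV), C_i = E_key(P_i xor C_{i-1}): inherently sequential
    out, prev = [], iv
    for p in pt_blocks:
        prev = E(key, xor(p, prev))
        out.append(prev)
    return out

def cbc_decrypt_block(key, iv, ct_blocks, i):
    # P_i = D_key(C_i) xor C_{i-1}: needs only one previous ciphertext block
    prev = iv if i == 0 else ct_blocks[i - 1]  # list index 0 is the slides' block 1
    return xor(D(key, ct_blocks[i]), prev)

def changed_blocks(old_ct, new_ct):
    # indices of ciphertext blocks that must be rewritten after an update
    return [i for i, (a, b) in enumerate(zip(old_ct, new_ct)) if a != b]

# Constructed sample data; a fixed IV is used only to make the run repeatable.
KEY, IV = b"k" * 16, b"\x01" * 16
PT = [b"A" * 16, b"B" * 16, b"A" * 16, b"C" * 16]  # blocks 0 and 2 are equal
PT_UPDATED = [PT[0], b"X" * 16, PT[2], PT[3]]       # in-place update of block 1

if __name__ == "__main__":
    ecb, cbc = ecb_encrypt(KEY, PT), cbc_encrypt(KEY, IV, PT)
    print("equal blocks visible? ECB:", ecb[0] == ecb[2], "CBC:", cbc[0] == cbc[2])
    print("ECB rewrite:", changed_blocks(ecb, ecb_encrypt(KEY, PT_UPDATED)))
    print("CBC rewrite:", changed_blocks(cbc, cbc_encrypt(KEY, IV, PT_UPDATED)))
```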
8. Confidential storage methods are difficult to implement for
reasons including complexity of method setup, difficulty of
conversion of prior methods to new secure methods, training, key
management, and password.
The figure shows the storage path for UNIX-based and Windows
operating systems.
Both UNIX and Windows share a one-to-one mapping.
9. Requires no hardware.
Each solution has its strengths and limitations with regard to level
of confidentiality, ease-of-use, performance and the flexibility to
set policies. An example of software-based confidential data storage is:
Generalized Encryption Programs: can encrypt and decrypt
files using a variety of ciphers and encryption modes.
Flexibility: changing security policies.
User model: invoke the programs with the necessary key/password.
Performance: slower because they can’t take full advantage of VFS.
10. Differ from software ones:
Cryptographic functionality is either hard-coded into the hardware
or into an external specialty device.
More rigid, and the user cannot change authentication mechanisms.
Much faster than any software.
Example: Secure Flash Drives.
Cannot be reconfigured to meet changes in confidential policy.
11. A full secure data lifecycle implies that data is not only stored
securely, but deleted in a secure manner as well.
Confidential data deletion can be accomplished in 3 ways:
Physical Destruction: Pulverization, Acid bath.
Data Overwriting:
Software applications: overwrite the contents of a file, delete the
file normally, and then overwrite all free space in the partition, erase
the entire partition or disk.
File systems: FoSgen [Joukov et al. 2006] and Purgefs [Joukov and
Zadok 2005], which are stackable file systems built in FiST [Zadok
and Nieh 2000].
Encryption with key erasure: It is best to delete the encryption
key(s) securely through physical destruction or overwriting
methods.
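A sketch of the first overwriting option, overwriting a file's contents in place before deleting it. This is an added example, not from the original slides; the function names and defaults are hypothetical. It assumes the file system and device write in place: journaling or copy-on-write file systems and flash wear levelling can leave the old blocks untouched.

```python
import os

def overwrite_file(path, passes=1, chunk=64 * 1024):
    """Overwrite the file's current contents in place with random bytes.

    Returns the number of bytes written per pass (the file size).
    """
    size = os.path.getsize(path)
    # "r+b" keeps the existing allocation; "wb" would truncate the file first,
    # letting the file system release the old blocks without overwriting them.
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining:
                n = min(chunk, remaining)
                fh.write(os.urandom(n))
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())  # push this pass to the device before the next one
    return size

def overwrite_and_delete(path, passes=1):
    """Overwrite the contents, then delete the file normally."""
    written = overwrite_file(path, passes)
    os.remove(path)
    return written
```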
12. By compiling experiences and constraints of various
confidential storage and deletion techniques, we hope that
knowledge from research areas that have been evolving
independently can cross disseminate, to form solutions that are
tolerant to a broader range of constraints.