Trusted Computing Group Trusted Storage Specification Michael Willett, Seagate Technology


Page 1: Trusted Computing Group Trusted Storage Specification
Storage for secrets with strong access control • Inaccessible using traditional storage access • Arbitrarily large memory

Michael Willett, Seagate Technology

Page 2: SNIA Legal Notice

TCG Trusted Storage Specification © 2008 Storage Networking Industry Association. All Rights Reserved.

The material contained in this tutorial is copyrighted by the SNIA. Member companies and individuals may use this material in presentations and literature under the following conditions:

- Any slide or slides used must be reproduced without modification.
- The SNIA must be acknowledged as source of any material used in the body of any document containing material from these presentations.

This presentation is a project of the SNIA Education Committee. Neither the Author nor the Presenter is an attorney, and nothing in this presentation is intended to be nor should be construed as legal advice or opinion. If you need legal advice or a legal opinion, please contact an attorney. The information presented herein represents the Author's personal opinion and current understanding of the issues involved. The Author, the Presenter, and the SNIA do not assume any responsibility or liability for damages arising out of any reliance on or use of this information.

NO WARRANTIES, EXPRESS OR IMPLIED. USE AT YOUR OWN RISK.

Page 3: Abstract

Trusted Computing Group (TCG) Trusted Storage Specification

The Trusted Computing Group (TCG) Storage Work Group recently published formal specifications for security and trust services on storage devices, including hard drives, flash, and tape drives. The majority of hard drive and other storage device manufacturers participated. Putting security directly on the storage device avoids the vulnerabilities of platform OS-based software security. The details of the Specification will be highlighted, as well as various use cases, including Full Disk Encryption with enterprise key/credential management.

Page 4: TCG Work Groups

Organization chart (BOLD in the original marks the groups most relevant to Storage Work):

- Board of Directors: Scott Rotondo, Sun, President and Chairman
- Administration: VTM, Inc.
- Advisory Council: Invited Participants
- Best Practices: Jeff Austin, Intel
- Technical Committee: Graeme Proudler, HP
- Public Relations: Anne Price, PR Works
- Events / Marketing Support: VTM, Inc.
- Marketing Workgroup: Brian Berger, Wave
- Server Specific WG: Larry McMahan, HP
- User Auth WG: Laszlo Elteto, Safenet
- TSS Work Group: David Challener, Lenovo
- TPM Work Group: David Grawrock, Intel
- Storage WG: Robert Thibadeau, Seagate
  - Key Management Services: Walt Hubis, LSI
  - Storage Interface Interactions: James Hatfield, Seagate
  - Optical Storage: Bill McFerrin, DataPlay
- Peripherals WG: (dormant)
- PDA WG: Jonathan Tourzan, Sony
- PC Client WG: Monty Wiseman, Intel
- Mobile Phone WG: Panu Markkanen, Nokia
- Infrastructure WG: Thomas Hardjono, SignaCert
- Conformance WG: Manny Novoa, HP

Page 5: General Risk Model: Storage

Diagram labels (storage device components in the risk model):
- Peripheral Controller Electronics
- Primary Host Interface
- Diagnostic Ports
- Loadable Firmware
- Data Sink / Source
- Probe Points
- Special Hardware Functions
- Firmware Functions
- Power

Trust = systems operate as intended. Objective: exercise control over operations that might violate trust.

Needed: Trusted Storage commands

Page 6: Joint Work: T10 (SCSI) and T13 (ATA)

- TRUSTED SEND/IN and TRUSTED RECEIVE/OUT
- T10/T13 defined the “container commands”
- TCG/Storage is defining the “TCG payload” (Protocol ID = xxxx …..)
- Protocol IDs assigned to TCG, T10/T13, or reserved

Page 7: TCG/T10/T13 Implementation Overview

Diagram labels: TRUSTED STORAGE (ATA or SCSI); Hidden Storage; Firmware; Controller Storage; firmware/hardware enhancements for security and cryptography; Trusted Send and Receive Container Commands; ISV Application (on the Host); Enterprise Support; Security Providers; Assign Hidden Memory to Applications; TRUSTED FDE SP.

• (Partitioned) Hidden Memory
• Security firmware/hardware
• Trusted Send/Receive Commands
• Assign Hidden Memory to Applications

Page 8: Trust

Trust “Toolkit”:
- Cryptographic SIGNING
- CREDENTIALS (eg, signed X.509 Certificates)

Trust: the system behaves as designed

Page 9: Root of Trust

Hardware that cannot change and can digitally sign can therefore initiate a chain of trust.

The TPM (Trusted Platform Module) is a tiny processor on the motherboard that can sign and whose firmware cannot be modified.

Storage Devices can be roots of trust.

Page 10: Extending Trust to Peripherals

Authentication/Attestation

Capability Level: LOW to HIGH

Ability to interact with the Platform

TPer = Trusted Peripheral

Page 11: Trusted Storage with Trusted Platform

Diagram labels: Trusted Platform; TPM; Secure Communications; Trusted Storage; Root Of Trust OR Trusted Element.

Life Cycle: Manufacture, Own, Enroll, PowerUp, Connect, Use, …

Page 12: Why Security in STORAGE (hard drive)

3 simple reasons:

1. Storage for secrets with strong access control
   • Inaccessible using traditional storage access
   • Arbitrarily large memory space
   • Gated by access control

2. Unobservable cryptographic processing of secrets
   • Processing unit “welded” to storage unit
   • “Closed”, controlled environment

3. Custom logic for faster, more secure operations
   • Inexpensive implementation of modern cryptographic functions
   • Complex security operations are feasible

Page 13: TCG Storage Use Case Examples

- Forensic Logging
- DRM Building Blocks
- Drive Locking
- Full Disc Encryption (Crypto Chip, ALL Encrypted): Laptop Loss or Theft, Re-Purposing, End of Life, Rapid Erase
- Personal Video Recorders
- Crypto Key Management

Page 14: Specification Overview

TCG Storage Workgroup
Specification Overview and Core Architecture Specification
Specification Version 1.0, Revision 0.9 (DRAFT), 19 June 2007

Page 15: Storage Specification Purpose

Define an architecture that:
- Enables application of access control over select value-add device features
- Permits configuration of these capabilities in conformance with the platform security policy
- Is scalable to different storage types
- Encourages multi-vendor implementation

Page 16: TCG Storage: Document Structure

- General Documents: Core Spec; Interface
- Specific Documents: PC SSC; Enterprise SSC; Optical SSC
- Auxiliary Documents: Compliance and Security Evaluation

SSC = Security Subsystem Class

Page 17: TCG Storage WG Core Specification

SPs (Security Providers): logical groupings of features. SP = Tables + Methods + Access Controls

- Tables: like “registers”, primitive storage and control
- Methods: Get, Set. Commands kept simple, with many possible functions
- Access Control over Methods on Tables

Page 18: Core Architecture

MCTP = Multi-Component Trusted Platform
TPer = Trusted Peripheral (eg, Storage)
SP = Security Provider

Page 19: Communications Infrastructure

Page 20: Security Provider (SP)

- SPs have their own storage, functional scope, and security domain
- Created by: 1) the manufacturer (during Storage Device creation) AND/OR 2) the Issuance Process
- Tables: rows = security associations, columns = related elements
- Persistent State Information: remains active through power cycles, reset conditions, and spin up/down cycles
- Methods are actions such as: table additions, table deletion, table read access, and table backup
- Authorities are authentication agents. Authorities specify passwords or cryptographic proofs required to execute the methods in the SP
- Access Control Lists (ACLs) bind methods to valid authorities

Page 21: Security Providers (SP)

Diagram: an SP holds Tables, Methods and Authorities. Example binding of Method Name to ACL on a table: Get requires User1; Set requires User2 (Authorities: User1, User2).

Each SP is a “sand box” exclusively controlled by its owner. SP functionality is a combination of pre-defined functionality sets called SP Templates: Base, Admin, Crypto, Log, Clock, Locking.

Result: a comprehensive command architecture for putting selected features of storage devices under policy-driven access control.

Page 22: SP Issuance/Personalization Overview

Issuance is the act of creating a new SP (exchange/validation of credentials; diagram: Issuance Server and SP).

Templates define the initial tables and methods. All SPs = Base Template tables and methods + other Templates: Admin Template, Crypto Template, and Templates for Forensic Logging and Locking/Encryption, etc.

Personalization is the customization of a newly created SP: modify initial table data and/or the admin authority, and customize the default access control settings.

Note: the Admin SP manages Templates, creates other SPs under issuance control, and maintains information about other SPs and the TPer as a whole. The Admin SP cannot be deleted or disabled.

Page 23: Issuing an SP

Sequence (diagram): ISV application → REQUEST → Issuance Server → ISSUANCE CREDENTIAL → Admin SP (SESSION) → ISSUE SP → ISV SP → PERSONALIZE SP → USE SP

Page 24: Crypto Template

- Cryptographic methods: utilize public and symmetric key store tables
- Credential tables + additional tables provided by Base and other Templates
- Encryption, Decryption, Signing, Verifying, Hashing, HMAC, and XOR
- AES, RSA, SHA, HMAC, Elliptic Curve, Random Numbers

Page 25: Communications Architecture

Secure Communications

ComID: allows the TPer to identify the caller of an IF-RECV command

Page 26: Host Interface: Packetization

Nesting: ComPacket > Packet > SubPacket > Token

- A ComPacket is the unit of communication transmitted as the payload of an Interface command. A ComPacket is able to hold multiple Packets in its payload.
- A Packet is associated with a particular session and may hold multiple SubPackets.
- A SubPacket may hold multiple Tokens.

Page 27: Access Control

- Credentials: permission “secrets”
- Authentication Operation: proof of knowledge of a secret
- The Authority table associates specific Credential-Operation pairs together in Authority objects
- Access Control Lists (ACLs): lists of Access Control Elements (ACEs)
- ACEs are Boolean combinations of Authorities.
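As an added illustration (not code from the SNIA tutorial or the TCG specification), the chain Credential → Authority → ACE → ACL → Method on a Table described on this page and on page 21 (Get bound to User1, Set bound to User2), modelled in Python. The password-hash check, the tuple syntax for Boolean ACEs and the "ACL is satisfied when any ACE is satisfied" rule are modelling assumptions, as is the sample "Locking" table.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

@dataclass
class Authority:
    """Authentication agent: a name bound to a credential (here a password hash)."""
    name: str
    credential_hash: bytes

    def authenticate(self, proof: str) -> bool:
        # Authentication operation = proof of knowledge of the secret.
        digest = hashlib.sha256(proof.encode()).digest()
        return hmac.compare_digest(digest, self.credential_hash)

def make_authority(name: str, secret: str) -> Authority:
    return Authority(name, hashlib.sha256(secret.encode()).digest())

# ACE = Boolean combination of Authorities. Assumed syntax: an authority name,
# or a tuple ("and" | "or", expr, expr, ...).
def ace_satisfied(ace, authenticated: set) -> bool:
    if isinstance(ace, str):
        return ace in authenticated
    op, *terms = ace
    results = [ace_satisfied(t, authenticated) for t in terms]
    return all(results) if op == "and" else any(results)

@dataclass
class SecurityProvider:
    """SP = Tables + Methods + Access Controls (plus the Authorities it knows)."""
    tables: dict = field(default_factory=dict)       # table -> row -> column -> value
    authorities: dict = field(default_factory=dict)  # name -> Authority
    acls: dict = field(default_factory=dict)         # (table, method) -> [ACE, ...]

class Session:
    def __init__(self, sp: SecurityProvider):
        self.sp = sp
        self.authenticated = set()   # authorities proven so far in this session

    def authenticate(self, name: str, proof: str) -> bool:
        authority = self.sp.authorities.get(name)
        if authority is not None and authority.authenticate(proof):
            self.authenticated.add(name)
            return True
        return False

    def is_authorized(self, table: str, method: str) -> bool:
        # ACL satisfied when any of its ACEs is satisfied (modelling assumption).
        acl = self.sp.acls.get((table, method), [])
        return any(ace_satisfied(ace, self.authenticated) for ace in acl)

    def get(self, table: str, row: int, column: str):
        if not self.is_authorized(table, "Get"):
            raise PermissionError(f"Get on {table} not authorized")
        return self.sp.tables[table][row][column]

    def set(self, table: str, row: int, column: str, value) -> None:
        if not self.is_authorized(table, "Set"):
            raise PermissionError(f"Set on {table} not authorized")
        self.sp.tables[table][row][column] = value

def demo_sp() -> SecurityProvider:
    """Constructed sample SP: Get bound to User1, Set bound to User2 AND Admin."""
    sp = SecurityProvider()
    for name, secret in [("User1", "u1-secret"), ("User2", "u2-secret"), ("Admin", "admin-secret")]:
        sp.authorities[name] = make_authority(name, secret)
    sp.tables["Locking"] = {0: {"ReadLocked": True}}
    sp.acls[("Locking", "Get")] = ["User1", ("and", "User2", "Admin")]
    sp.acls[("Locking", "Set")] = [("and", "User2", "Admin")]
    return sp
```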

Page 28: Security Subsystem Classes

Security Subsystem Class = SSC

Storage Architecture Core Specification, with SSCs:
- HDD SSC - Enterprise
- HDD SSC - Notebook
- Optical SSC (OSSC)

Page 29: Optical Subsystem Class Goal

FDE with a separate control channel: ease of use, unobtrusive, transparent, compatible

Page 30: Home Banking (or Remote Medical, or … )

Trusted Platform with Trusted Storage:
- Multi-factor authentication: password, biometrics, dongles
- Secure/hardware storage of credentials, confidential financial/medical data
- Trusted life cycle management of personal information
- Integrity-checking of application software
- Cryptographic functions for storage and communications security
- Trusted/secure computation of high-value functions (protection from viruses/etc)

Page 31: Enterprise Management of Full Disc Encryption (FDE) Drives

- Enterprise Server: key generation and distribution; key/password archive, backup and recovery
- Laptop (Application): master/user passwords, multi-factor authentication, TPM support; secure log-in, “Rapid Erase”
- FDE Trusted Drive (self-encrypting), with its FDE SP: disk or sector encryption, sensitive credential store, drive locking

Self-Encrypting Drive

Page 32: Self-Encrypting Drives

Eventually ALL drives will be self-encrypting
• Simple
• Transparent
• Integrated

For when a drive leaves the owner's control

Page 33: Storage System

No Performance Degradation: the encryption engine is in the controller ASIC, so encryption engine speed matches the port’s max speed and scales linearly, automatically.

All data can be encrypted with no performance degradation, so there is less need for data classification.

Page 34: Self-Encrypting Drive Basics

- The drive LOCKS automatically when powered OFF
- The drive remains LOCKED when it is powered back ON
- Authentication Key (Password) unlocks the drive
- Write and Read data normally while the drive is unlocked
- Data protected from loss, disclosure
- 100% performance encryption engine in the drive
- Authentication Key Management Service

Diagram: plaintext written to the drive (“Here is the un-encrypted text”) is stored encrypted on the media and returned as plaintext on Read.

Page 35: Simplify Management

Storage Systems encrypting outside the drive compared with Self-Encrypting Drives:

- Implement: Encrypting outside the drive: may need to change OS, applications, databases. Self-Encrypting Drives: transparent to OS, applications, databases; automatic scalability.
- Re-key Exposed Keys: Encrypting outside the drive: re-encrypt all data. Self-Encrypting Drives: no re-encryption needed.
- Recover Data: Encrypting outside the drive: track, manage, escrow encryption keys, maintain interoperability. Self-Encrypting Drives: encryption keys don’t leave drives; no need to track or manage them.
- Retire HDD: Encrypting outside the drive: key compromised; could make data across multiple drives unreadable. Self-Encrypting Drives: delete encryption key.
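An added model (not the tutorial's or any vendor's code) of the drive behaviour on pages 34 and 35: the data encryption key is created inside the drive and never leaves it, the authentication key only unwraps it, the drive powers up locked, re-keying the authentication key leaves the media untouched, and retiring the drive deletes the key. The SHA-256 XOR keystream and the HMAC tag on the wrapped key are stand-ins for the drive's AES engine, not the specification's constructions.

```python
import hashlib
import hmac
import os

def xor_stream(key: bytes, nonce: int, data: bytes) -> bytes:
    """Toy CTR-style cipher (SHA-256 keystream) standing in for the drive's AES engine."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = key + nonce.to_bytes(8, "big") + (i // 32).to_bytes(4, "big")
        out.extend(a ^ b for a, b in zip(data[i:i + 32], hashlib.sha256(block).digest()))
    return bytes(out)

class SelfEncryptingDrive:
    WRAP_NONCE = 2**64 - 1  # nonce reserved for wrapping the DEK (modelling assumption)

    def __init__(self, authentication_key: bytes):
        self._dek = os.urandom(32)   # data encryption key: made in the drive, never exported
        self._media = {}             # LBA -> ciphertext, i.e. what the platters hold
        self._session_dek = None     # None means LOCKED
        self.powered = False
        self._wrap_dek(authentication_key)

    def _wrap_dek(self, ak: bytes) -> None:
        kek = hashlib.sha256(b"kek|" + ak).digest()
        self._wrapped_dek = xor_stream(kek, self.WRAP_NONCE, self._dek)
        self._dek_tag = hmac.new(kek, self._dek, hashlib.sha256).digest()

    def power_on(self) -> None:
        self.powered, self._session_dek = True, None    # powers up still LOCKED

    def power_off(self) -> None:
        self.powered, self._session_dek = False, None   # LOCKS automatically

    def unlock(self, ak: bytes) -> bool:
        if self.powered and self._wrapped_dek is not None:
            kek = hashlib.sha256(b"kek|" + ak).digest()
            dek = xor_stream(kek, self.WRAP_NONCE, self._wrapped_dek)
            if hmac.compare_digest(hmac.new(kek, dek, hashlib.sha256).digest(), self._dek_tag):
                self._session_dek = dek
                return True
        return False                 # powered off, erased, or wrong authentication key

    def write(self, lba: int, data: bytes) -> None:
        if self._session_dek is None:
            raise PermissionError("drive locked")
        self._media[lba] = xor_stream(self._session_dek, lba, data)

    def read(self, lba: int) -> bytes:
        if self._session_dek is None:
            raise PermissionError("drive locked")
        return xor_stream(self._session_dek, lba, self._media[lba])

    def rekey(self, old_ak: bytes, new_ak: bytes) -> bool:
        """Re-key an exposed AK: only the wrapped DEK changes; media are not re-encrypted."""
        if not self.unlock(old_ak):
            return False
        self._wrap_dek(new_ak)
        return True

    def crypto_erase(self) -> None:
        """Retire the drive: destroying the DEK makes every LBA unreadable."""
        self._dek = self._wrapped_dek = self._dek_tag = self._session_dek = None

def try_read(drive: SelfEncryptingDrive, lba: int):
    # None when the drive refuses (locked or erased), else the plaintext.
    try:
        return drive.read(lba)
    except PermissionError:
        return None
```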

Page 36: What Does the Future Look Like?

- Encryption everywhere! Automatic performance scaling, manageability, security
- Standards-based: multiple vendors; interoperability
- Unified key management: handles all forms of storage

Page 37: Thank You!

www.trustedcomputinggroup.org

Page 38: Q&A/Feedback

Please send any questions or comments on this presentation to SNIA: [email protected]

Many thanks to the following individuals for their contributions to this tutorial.
- SNIA Education Committee
- Robert Thibadeau
- Jason Cox
- All Storage Manufacturers (contributors)