A new chapter in secure "Data at Rest" using cryptographyStory
July 25, 2011
Cryptography has evolved over many years to prevent unauthorized access to communications, whether the information was transported by courier, teletype, radio waves, or the Internet. Its use in protecting information on computer storage devices is a relatively new and rapidly evolving cryptographic technology.
Communications Security (COMSEC) has always been a critical issue in defense systems, and its importance has greatly increased as a result of the military engagements the U.S. has found itself in after 9/11. Data and COMS security have taken on renewed and urgent importance because of the readily available technology that enables adversaries to easily intercept and exploit communications or Data in Transit (also called Data in Motion), as well as gain access to restricted data retained on storage devices (Data at Rest). Security for Data at Rest is a relatively new and increasingly critical problem driven by the explosive growth of low-cost, high-capacity storage devices and the many forms of digital data. It’s important to understand how Data at Rest differs from communication security, and the unique security definitions, issues, and technologies available to protect Data at Rest.
Data at Rest versus Data in Motion
Cryptography was invented to protect communications, which is essentially information transmitted between two end points. Historically, this Data in Transit comprised voice or text transmitted over radio frequency channels. Today, both voice and digital data are transmitted over digital networks using Internet Protocol (IP). The National Security Agency (NSA) approved encryption device for Data in Transit over IP networks is called High Assurance Internet Protocol Encryptor (HAIPE).
With HAIPE, the communication end points coordinate keys at the beginning of each transmission, and these keys are destroyed when that unique transmission is complete. The keys are ephemeral in nature and are constantly being refreshed so that even if a key were to be compromised, the amount of information compromised would be small, and therefore, the damage would be minimal.
In contrast to Data in Motion, Data at Rest is data that is recorded to a storage device such as a computer hard drive, and can remain valuable for very long periods of time measured in days, months, and sometimes longer. For many years, the data recorded to storage devices was not encrypted, but was instead stored in clear text while the storage device itself was physically secured from theft or compromise. Over time, as nonvolatile flash storage became less expensive, its utility and value in the military for storing both unclassified and classified programs became apparent. A problem, though, was that securing the storage device itself was not always possible. To help solve the problem, suppliers of flash storage devices began to build in Information Assurance (IA) methods that enabled users to quickly erase, clear, purge, sanitize, and zeroize the contents of the storage device. It is useful to understand the definition of these various Information Assurance terms and how Data at Rest physical device security has evolved to support cryptography.
ERASE or CLEAR: Data piracy is an issue
ERASE, or CLEAR, is the process of performing data elimination by sending a single erase or clear instruction to each physical location or address of the nonvolatile memory. This is done in such a way that the data cannot be reconstructed using normal system functions such as binary block reads or file recovery software. It’s not a perfect method. By observing the data remnants effects that remain in the device, the data can be restored by an adversary using special laboratory techniques. While ERASE/CLEAR function can be completed in a few seconds, it provides minimal security for the Data at Rest problem.
PURGE/SANITIZE: Fast enough?
PURGE/SANITIZE is the process of performing data and data remnants elimination so that the data cannot be recovered by any known laboratory technique. PURGE/SANITIZE requires multiple memory erase and overwrite cycles and in some cases partial or complete verification as specified by various government agency PURGE standards. These standards include NSA 9-12, Navy NAVSO P-5239-26, Army AR380-19, Air Force AFSSI-5020, DoD 5220.22-M, and IRIG 106-09 Ch 10.
PURGE/SANITIZE algorithms that overwrite and verify memory contents several times work well, but only for a few gigabytes of either volatile or nonvolatile memory because of the time required for each memory access. Today’s storage devices typically have a capacity of several hundred gigabytes, and can often be as large as several terabytes. For large capacity storage, PURGE/SANITIZE algorithms can take hours to complete, which is unacceptable for the emergency PURGE of sensitive data in a hostile environment.
Another major issue associated with PURGE is that today’s nonvolatile flash storage usually consists of COTS Solid State Drives (SSDs). Figure 1 is a 3U VPX SSD. Such SSDs have multiple flash controllers located between the host interface and the actual flash memory chips. These flash controllers perform many tasks, such as wear leveling and bad block management, independent of and transparent to the host computer. As a result, in modern SSDs the flash controllers may reserve and make inaccessible to the host more than 20 percent of the flash memory cells. Because of this SSD feature, the PURGE algorithms must be implemented by the drive manufacturer; in lower-cost drives, PURGE algorithms are not implemented at all. Recently, as this problem has become better understood, it has become clear that PURGE/SANITIZE of the entire storage device is both impractical and unacceptable for security of Data at Rest in military systems.
Figure 1: A 3U VPX SSD
(Click graphic to zoom by 1.9x)
ZEROIZE: The new cryptography frontier
Emphasis in cryptography applied to Data at Rest has increased dramatically. Today, nearly all military programs include stringent IA requirements that focus on detailed ZEROIZE specifications.
ZEROIZING a storage device’s memory is the process of PURGING all sensitive cryptographic parameters from the cryptographic module, especially the keys. Once the ZEROIZE mechanism has been initiated, an adversary will have no way to decrypt the information on the storage device without first obtaining the sensitive parameters, including encryption keys, from some other source. Because of the relatively small amount of data that must be PURGED, the ZEROIZE process can be extremely short, often one second or less. This is very effective for emergency ZEROIZING of Data at Rest on devices of virtually unlimited capacity on the battlefield, whether megabytes, gigabytes, terabytes, or even petabytes of data.
It is worthwhile to note that the cryptographic key used to encrypt the data is also essential for anyone attempting to decrypt the data, including the data owner. Unlike COMSEC, the Data at Rest encryption key must exist as long as the encrypted data needs to be made available. That means that cryptographic key management becomes as important as protecting the unencrypted data.
Data at Rest security is only as strong as the encryption algorithm and the key management architecture being used. If the algorithm is strong but the key management is weak, the data is still not sufficiently protected. While the key management strategy must be strong, it must also be operationally simple so as not to impede the mission.
For ZEROIZING to be effective, the encryption module must be positioned “inline” between the host processor and the flash controller to ensure that all information stored to the flash gets encrypted and everything read from the flash gets decrypted. All of the Data at Rest on the flash always remains encrypted. Therefore, not only is the data protected but the entire File Allocation Table (FAT), directory, bad block, and wear-leveled data are also protected and are not available to the host unless decrypted.
Figure 2 shows the architecture of the Curtiss-Wright Controls Electronic Systems 3U VPX SATA Flash Storage Module (FSM) with onboard encryption. Note that this module has four flash banks, each with a SATA flash controller for wear leveling and bad-block management, and an inline SATA-to-SATA AES-25 encryption module. Also onboard is a microcontroller that performs key management, ZEROIZING, and BIT. The key management architecture is designed to be flexible and easily programmable to mesh smoothly with the end user Concept of Operations, often referred to as CONOPS.
Figure 2: The architecture of the Curtiss-Wright Controls Electronic Systems 3U VPX SATA Flash Storage Module (FSM) with onboard encryption.
(Click graphic to zoom by 1.8x)
Implementation: More to the story
Implementing Data at Rest encryption differs from Data in Transit encryption and is new to most military programs. Implementing Data at Rest encryption can be complicated and confusing, especially in light of the many choices for IA: ERASE or CLEAR, PURGE/SANITIZE, and ZEROIZE. The world of military security entails a veritable cryptic alphabet soup of acronyms and terms, including NSA, NIST, CDE, CNSS, CCI, NIAP, CCEVS, FIPS 140-2, Type 1, Suite A, Suite B, and CSPP, that need to be understood and navigated as well.
In addition, a variety of government agency validations and certifications may be required for components and products that store ever-increasing sensitive data from clear text to Top Secret and beyond. The NSA and National Institute of Standards and Technology (NIST) are the two U.S. government organizations that evaluate, validate, and certify cryptographic equipment for various levels of security.
Editor’s note: Curtiss-Wright Controls has two separate and distinct divisions working on embedded technologies. This article was written by Curtiss-Wright Controls Electronic Systems.
Tom Bohman is a Sr. Product Manager for Rugged Storage at Curtiss-Wright Controls Electronic Systems. He has more than 30 years of experience in the design of real-time embedded systems for man and hardware-in-the-loop simulations, high-speed data acquisition, DSP systems, and rugged storage products. Tom holds a BSEE degree from the University of Dayton and an Associate Degree in Tool & Die design. He can be contacted at [email protected].
Curtiss-Wright Controls Electronic Systems 937-252-5601 www.cwcelectronicsystems.com