TRUSTED COMPUTING GROUP TRUSTED STORAGE SPECIFICATION Jason Cox, Seagate Technology

Post on 30-Dec-2019

TRANSCRIPT

Page 1: TRUSTED COMPUTING GROUP TRUSTED STORAGE SPECIFICATION · TRUSTED COMPUTING GROUP TRUSTED STORAGE SPECIFICATION. Jason Cox, Seagate Technology

TRUSTED COMPUTING GROUP TRUSTED STORAGE SPECIFICATION

Jason Cox, Seagate Technology

Page 2: SNIA Legal Notice

Trusted Computing Group Trusted Storage Specification © 2008 Storage Networking Industry Association. All Rights Reserved.

SNIA Legal Notice

The material contained in this tutorial is copyrighted by the SNIA. Member companies and individuals may use this material in presentations and literature under the following conditions:

- Any slide or slides used must be reproduced without modification.
- The SNIA must be acknowledged as source of any material used in the body of any document containing material from these presentations.

This presentation is a project of the SNIA Education Committee. Neither the Author nor the Presenter is an attorney and nothing in this presentation is intended to be nor should be construed as legal advice or opinion. If you need legal advice or legal opinion please contact an attorney. The information presented herein represents the Author's personal opinion and current understanding of the issues involved. The Author, the Presenter, and the SNIA do not assume any responsibility or liability for damages arising out of any reliance on or use of this information. NO WARRANTIES, EXPRESS OR IMPLIED. USE AT YOUR OWN RISK.

Page 3: Abstract

Trusted Computing Group (TCG) Trusted Storage Specification

The Trusted Computing Group (TCG) Storage Work Group recently published formal specifications for security and trust services on storage devices, including hard drives, flash, and tape drives. The majority of hard drive and other storage device manufacturers participated. Putting security directly on the storage device avoids the vulnerabilities of platform OS-based software security. The details of the Specification will be highlighted, as well as various use cases, including Full Disk Encryption with enterprise key/credential management.

Page 4: TCG Storage Work Group Structure

- Storage WG: Robert Thibadeau, Seagate
- Key Management Services: Walt Hubis, LSI
- Storage Interface Interactions: James Hatfield, Seagate
- Optical Storage: Bill McFerrin, DataPlay
- Storage Conformance: Cyril Guyot, HGST / Dave Kreft, NSA

Page 5: Security in Storage

Three simple reasons:

1. Storage for secrets with strong access control
   - Inaccessible using traditional storage access
   - Arbitrarily large memory space
   - Gated by access control

2. Unobservable cryptographic processing of secrets
   - Processing unit “welded” to storage unit
   - “Closed”, controlled computing environment

3. Custom logic for faster, more secure operations
   - Inexpensive implementation of modern cryptographic functions
   - Complex security operations are feasible

Page 6: General Risk Model – Storage

Elements of the storage device shown in the risk model: Peripheral Controller Electronics, Primary Host Interface, Diagnostic Ports, Loadable Firmware, Data Sink / Source, Probe Points, Special Hardware Functions, Firmware Functions, Power.

Trust = systems operate as intended. Objective: exercise control over operations that might violate trust.

Needed: Trusted Storage commands.

Page 7: Joint Work – T10 (SCSI) & T13 (ATA)

TRUSTED SEND / SECURITY PROTOCOL IN
TRUSTED RECEIVE / SECURITY PROTOCOL OUT

T10/T13 define the “container commands”; the TCG SWG is defining the “TCG payload” (Protocol ID = xxxx …..).

Protocol IDs are assigned to TCG, T10/T13, other standards organizations, or reserved.

Page 8: TCG SWG Document Structure

Document categories: General Documents, Specific Documents, Auxiliary Documents.

Documents shown in the structure:
- TCG Storage Core Architecture Specification
- Storage Interface Interactions
- Security Subsystem Class (SSC)
- Compliance
- Security Evaluation

Page 9: TCG Storage Specification Overview

TCG Storage Core Architecture Specification, Version 1.0, Revision 0.9 (DRAFT), 19 June 2007

Page 10: TCG Storage Specification Purpose

Define an architecture that:
- Enables application of access control over select device features
- Permits configuration of these capabilities in conformance to the platform security policy

Page 11: Implementation Overview

Trusted storage over ATA or SCSI (TCG/T10/T13): the Host Application reaches the device's Security Providers (Trusted SPs) through the Trusted Container Commands. Inside the device, the controller, firmware and storage are extended with:

- Partitioned Hidden Storage
- Security firmware/hardware
- “Trusted” Commands
- Assignment of Hidden Storage to Applications
- Enterprise Support

Firmware/hardware enhancements for security and cryptography.

Page 12: TCG Storage Architecture Overview

The host platform, applications, devices, local end users, or remote users/service providers can gain exclusive control of selected features of the storage device. This allows them to simultaneously and independently extend their trust boundary into the storage device or trusted peripheral (TPer).

Figure elements: Devices, Applications, End Users, Service Providers (via the Internet), Host (with TPM), Mobile Devices; TCG Storage API; ATA/SCSI I/F; SD or TPer containing SP 1, SP 2, SP 3, SP 4 and ADMIN; SW and HW features and functions (e.g., crypto calls).

Page 13: Security Providers (SPs)

Storage Work Group specifications are intended to provide a comprehensive command architecture for putting selected features of storage devices under policy-driven access control.

Features are packaged into individual functionality containers called “SECURITY PROVIDERS” (SPs).

Each SP is a “sand box” exclusively controlled by its owner. SP functionality is a combination of pre-defined functionality sets called SP TEMPLATES (Base, Admin, Crypto, Log, Clock, Locking).

SPs are a collection of TABLES and METHODS that control the persistent trust state of the Storage Device (SD).

Method invocation occurs under access control. The SP has a list of authorities and their respective credentials for access control.

Figure: an SP containing a table, methods each with an ACL (e.g., Get → User1, Set → User2), and the authorities User1 and User2.

Page 14: SPs – Summary

- Tables: store persistent state information. This state remains active through power cycles, resets, spin up/down, and device formats.
- Methods: remote procedure calls that operate on tables or the SP. Table management, table read/write, authentication, and access control management are actions such as table additions, table deletion, table read access, and table backup.
- Authorities: authentication agents. They specify the cryptographic proofs required to execute the methods in the SP.
- Access Control Lists: define authorization requirements for method invocation.
- SPs have their own storage, functional scope, and security domain.
- SPs are created by the Manufacturer (during Storage Device creation) and/or by Issuance.

Page 15: Templates

Templates are sets of tables and methods, grouped by feature, from which SPs are built.

- Base: All SPs include a subset of tables and methods defined by the Base template. Provides authentication and access control-related tables and methods.
- Admin: Only one SP on a device includes this template. Stores configuration/capability information. Used in Issuance.
- Locking: Only one SP on a device includes this template. Provides management capabilities for locking, encryption, and MBR shadowing.
- Crypto: Methods and tables enabling host-invoked on-device signing, verification, hash, HMAC, and encrypt/decrypt.
- Log: Adds forensic logging of SP access.
- Clock: Enables time stamping for logging, adds time limitations to authorities.

Page 16: Tables

Tables provide data storage in SPs. Each template defines a set of tables. Capabilities provided by the Base template allow the host to create additional tables.

Two types of tables: Object (organized storage) and Byte (raw data).

Object Table
  UID (8 byte unique identifier) | Col2 | Col3 | Col4
  …                              | Data | Data | Data
  …                              | …    | …    | …
The UID column contains an SP-wide unique, addressable value for that row. Rows associate column values. Each column stores data all of the same type.

Byte Table
  Index | Column
  0     | 0x41
  1     | 0x42
  2     | 0x43
  …     | …
Byte tables have a single column; each cell stores one byte. Byte tables have 0 or more rows indexed by position in the table.

Page 17: Methods

Methods are remote procedure calls invoked by the host to manipulate SP state. Methods operate on tables or the SP itself, and are used for session startup, authentication, table manipulation, and access control customization.

InvokingUID.MethodUID [ Method Parameters ] => [ Method Result ]

- InvokingUID: UID of the table or object upon which the method is being invoked.
- MethodUID: UID of the invoked method.
- Method Parameters: list of method parameters sent by the host.
- Method Result: list of results generated by the TPer.

Key Methods
- Get – Retrieve values stored in tables.
- Set – Change values stored in tables.
- Authenticate – Prove host knowledge of a secret.

Other methods provide the capability to: create/delete tables and table rows; generate encryption keys on the device; perform cryptographic operations on the device.

Page 18: Access Control – Authentication

Access control defines the authorization required to invoke specific methods. Access control permissions apply at the SP, table, or table row level. Access control settings are configurable and assignable.

C_RSA_1024 table
  UID (8 byte identifier) | Name       | Key Material
  ---                     | Auth Key 1 | ------
  ---                     | Auth Key 2 | ------

C_PIN table
  UID (8 byte identifier) | Name       | PIN
  ---                     | Auth PWD 1 | ------

Authority table
  UID (8 byte identifier) | Name  | Credential     | Operation
  ---                     | Admin | C_RSA_1024 UID | Sign
  ---                     | User  | C_PIN UID      | Password
  ---                     | User  | C_RSA_1024 UID | Sign

Authorities are authentication agents. Each Authority row links to an authentication credential and names the authority's required authentication operation. Credential (C_*) tables store the authentication secrets.

The Host Application invokes the Authenticate method, identifying the Authority to be authenticated and the required proof (password, signed challenge, etc.).

Page 19: Access Control – Application

AccessControl table
  InvokingID | MethodID | ACL
  XXX        | YYY      | (list of ACE UIDs)
  XXX        | ZZZ      | ...
  ---        | ---      | ---

ACE (Access Control Element) table
  UID | BooleanExpr | Columns
  --- | User1       | Column1, Column3
  --- | ---         | ---

Table XXX
  UID | Column1 | Column2 | Column3

Method: XXX.YYY [ … ]

- The ACL column holds a list of ACE UIDs.
- The BooleanExpr column holds Authority UIDs and Boolean Operators.
- Columns identifies the columns to which the ACE applies.

Page 20: Access Control – Hierarchy

Table/Object/SP + Method (InvokingUID.MethodUID) → ACL → List of ACEs (ACE1, ACE2, ACE3). Each ACE is a Boolean expression over authorities, for example:

- Authority1 AND Authority2
- Authority1 OR Authority3
- (Authority1 AND Authority2) OR Authority3
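The AccessControl → ACL → ACE → BooleanExpr chain of the last two slides, as an added Python example (not code from the presentation or from any TCG document). It assumes a postfix (RPN) representation for BooleanExpr, plain-string UIDs, and the constructed authority and ACE names shown; `authorize` grants an invocation only when some ACE in the method's ACL is satisfied by the session's authenticated authorities and also covers every column the call touches, and a method with no ACL row is simply not exposed.

```python
"""ACL / ACE evaluation in the TCG Storage access-control model.

Added example; not code from the presentation or from TCG. Assumptions:
 - BooleanExpr is written in postfix form over authority names,
   e.g. ["Authority1", "Authority2", "AND", "Authority3", "OR"];
 - UIDs are plain strings instead of 8-byte identifiers.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ACE:
    """One ACE-table row: a Boolean expression over authorities and the columns
    it applies to (None = the ACE covers the whole table/object)."""
    uid: str
    boolean_expr: list
    columns: Optional[frozenset] = None


def eval_boolean_expr(expr, authenticated):
    """Evaluate a postfix BooleanExpr against the set of authority UIDs that
    were proven with Authenticate in this session. A malformed expression
    raises instead of silently granting access."""
    stack = []
    for tok in expr:
        if tok in ("AND", "OR"):
            b, a = stack.pop(), stack.pop()
            stack.append((a and b) if tok == "AND" else (a or b))
        else:
            stack.append(tok in authenticated)
    if len(stack) != 1:
        raise ValueError(f"malformed BooleanExpr: {expr}")
    return stack[0]


@dataclass
class AccessControlTable:
    """AccessControl table: (InvokingID, MethodID) -> ACL (list of ACE UIDs)."""
    ace_table: dict                    # ACE UID -> ACE row
    rows: dict = field(default_factory=dict)

    def add_ace(self, invoking_uid, method_uid, ace_uid):      # AddACE
        self.rows.setdefault((invoking_uid, method_uid), []).append(ace_uid)

    def remove_ace(self, invoking_uid, method_uid, ace_uid):   # RemoveACE
        self.rows[(invoking_uid, method_uid)].remove(ace_uid)

    def authorize(self, invoking_uid, method_uid, authenticated, columns=None):
        """True if InvokingUID.MethodUID may run for a session holding
        `authenticated`, touching `columns` (relevant for Get/Set)."""
        acl = self.rows.get((invoking_uid, method_uid))
        if not acl:
            return False                        # no ACL row: method not exposed
        wanted = frozenset(columns or ())
        for ace_uid in acl:
            ace = self.ace_table[ace_uid]
            if not eval_boolean_expr(ace.boolean_expr, authenticated):
                continue
            if ace.columns is not None and not wanted <= ace.columns:
                continue                        # ACE does not cover a requested column
            return True
        return False


# Constructed sample data mirroring the slide's three example expressions
ACES = {
    "ACE1": ACE("ACE1", ["Authority1", "Authority2", "AND"]),
    "ACE2": ACE("ACE2", ["Authority1", "Authority3", "OR"]),
    "ACE3": ACE("ACE3", ["Authority1", "Authority2", "AND", "Authority3", "OR"]),
    # column-restricted ACE, like the "User1 -> Column1, Column3" row
    "ACE_User1": ACE("ACE_User1", ["User1"], frozenset({"Column1", "Column3"})),
}


def build_sample():
    ac = AccessControlTable(ACES)
    ac.add_ace("TableXXX", "Set", "ACE1")       # Set: Authority1 AND Authority2
    ac.add_ace("TableXXX", "Get", "ACE2")       # Get: Authority1 OR Authority3
    ac.add_ace("TableXXX", "Get", "ACE_User1")  # Get: User1, Column1/Column3 only
    return ac


if __name__ == "__main__":
    ac = build_sample()
    print(ac.authorize("TableXXX", "Set", {"Authority1"}))               # False
    print(ac.authorize("TableXXX", "Set", {"Authority1", "Authority2"}))  # True
    print(ac.authorize("TableXXX", "Get", {"User1"}, ["Column1"]))       # True
    print(ac.authorize("TableXXX", "Get", {"User1"}, ["Column2"]))       # False
```

The column check is the part that is easy to get wrong in an implementation: an ACE that names User1 for Column1 and Column3 must not let a Get on Column2 through, even though the Boolean part of the ACE is satisfied.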

Page 21: Templates – Base

The Base Template is comprised of a core set of commonly used tables and methods. A subset of the Base Template provides the basis for every SP, and enables authentication, access control, and table management.

Tables: SPInfo, SPTemplates, Table, Column, Type, MethodID, AccessControl, ACE, Authority, Certificates, C_PIN, C_RSA_1024, C_RSA_2048, C_AES_128, C_AES_256, C_HMAC_160, C_HMAC_256, C_HMAC_384, C_HMAC_512, C_EC_***

Methods: DeleteSP, CreateTable, Delete, CreateRow, DeleteRow, Get, Set, Next, GetFreeSpace, GetFreeRows, DeleteMethod, Authenticate, GetACL, AddACE, RemoveACE, GenKey

Page 22: Templates – Admin and Locking

The Admin Template provides capabilities to allow the host to retrieve device information, affect the state of SPs, and issue new SPs.

Tables: TPerInfo, Template, CryptoSuite, SP
Methods: IssueSP

The Locking Template provides mechanisms to manage LBA range locking, encryption, re-encryption, and MBR shadow, as well as tables that allow management of LBA range encryption keys.

Tables: LockingInfo, Locking, K_AES_128, K_AES_256, MBRControl, MBR
Methods: GetPackage, SetPackage

Page 23: Templates – Crypto

The Crypto Template defines tables and methods that enable host-invoked cryptographic operations with host-supplied data to occur in the device, including hashing, encryption, decryption, signing, and verification.

Tables: H_SHA_1, H_SHA_256, H_SHA_384, H_SHA_512
Methods: Random, Stir, EncryptInit, Encrypt, EncryptFinalize, DecryptInit, Decrypt, DecryptFinalize, HashInit, Hash, HashFinalize, HMACInit, HMAC, HMACFinalize, Sign, Verify, XOR

Page 24: Templates – Log and Clock

The Log Template provides a mechanism to enable forensic logging of host access to the SP.

Tables: Log, LogList
Methods: AddLog, CreateLog, ClearLog, FlushLog

The Clock Template enables time stamping of log entries, as well as enhancement of authentication limitations by providing time-limited authorities.

Tables: ClockTime
Methods: SetClockHigh, SetLagHigh, SetClockLow, SetLagLow, GetClock, ResetClock, IncrementCounter

Page 25: Communications Architecture

Page 26: Communications – ComIDs

Multiple scenarios for Application-SP communication exist:
- A single Application communicating with a single SP
- A single Application communicating with multiple SPs
- Multiple Applications communicating with multiple SPs

Figure: App 1 … App 5 on the host side; SP 1, SP 2, SP 3, SP 4 and ADMIN inside the TPer.

Page 27: Communications – Sessions

An application communicates with an SP via a session. Each separate application is assigned a ComID that it uses to identify itself to the device. Each session is associated with a ComID. Multiple sessions can be associated with a single ComID.

Figure: Host Application ↔ TPer (Storage Device) containing SP 1, SP 2, SP 3, SP 4 and ADMIN. The ComID is assigned to the application by the device; a session runs between the Application and an SP.

Page 28: Communications – Structures

- ComPacket – unit of communication transmitted as the payload of an Interface Command. May hold multiple Packets in its payload.
- Packet – associated with a particular session between an App and an SP. May hold multiple SubPackets.
- SubPacket – contains data (Tokens) or buffer management information.
- Token – encoded data.

Figure: one “Trusted” Command carries a ComPacket; the ComPacket carries one Packet per session (Session1 Data, Session2 Data, …, SessionX Data); each Packet carries one or more SubPackets, and each SubPacket carries Tokens.
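The method-call form InvokingUID.MethodUID [ parameters ] => [ result ] from the Methods slide, encoded as the token stream a SubPacket would carry, as an added Python example (not code from the presentation or from the TCG specifications). The control-token values and atom prefixes follow the Core Specification's token grammar as I read it and should be checked against the spec revision in use; the two UIDs and the named parameters (placeholder "columns" 3 and 4) are constructed, and the ComPacket/Packet/SubPacket headers around the tokens are not modelled.

```python
"""Token encoding of a TCG Storage method call as carried inside a SubPacket.

Added example (not code from the presentation or the TCG specifications).
Control-token values and atom prefixes are those of the Core Specification
token grammar as I read it; verify them against your spec revision. The UIDs
and the named parameters are constructed placeholders.
"""
START_LIST, END_LIST, START_NAME, END_NAME = 0xF0, 0xF1, 0xF2, 0xF3
CALL, END_OF_DATA = 0xF8, 0xF9
NAMES = {CALL: "Call", END_OF_DATA: "EndOfData",
         START_NAME: "StartName", END_NAME: "EndName"}

# Constructed placeholder UIDs (8 bytes, like real TCG UIDs; not real values)
INVOKING_UID = bytes([0, 0, 0, 0x0A, 0, 0, 0, 0x01])
SET_METHOD_UID = bytes([0, 0, 0, 0x0B, 0, 0, 0, 0x02])


def atom_bytes(data):
    """Byte atom: short form (<= 15 bytes) or medium form (<= 2047 bytes)."""
    n = len(data)
    if n <= 15:
        return bytes([0xA0 | n]) + data                    # 1 0 B=1 S=0 LLLL
    if n <= 2047:
        return bytes([0xD0 | (n >> 8), n & 0xFF]) + data   # 1 1 0 B=1 S=0 LLL, low byte
    raise ValueError("long atoms are not handled in this example")


def atom_uint(value):
    """Unsigned integer atom: tiny form (< 64) or short form (up to 15 bytes)."""
    if value < 64:
        return bytes([value])                               # 0 S=0 DDDDDD
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if len(raw) > 15:
        raise ValueError("integer too large for a short atom")
    return bytes([0x80 | len(raw)]) + raw                   # 1 0 B=0 S=0 LLLL


def encode_method_call(invoking_uid, method_uid, params):
    """Call, InvokingUID, MethodUID, [named params], EndOfData, status [0,0,0]."""
    out = bytearray([CALL]) + atom_bytes(invoking_uid) + atom_bytes(method_uid)
    out.append(START_LIST)
    for name, value in params:                  # StartName <name> <value> EndName
        out.append(START_NAME)
        out += atom_uint(name)
        out += atom_bytes(value) if isinstance(value, bytes) else atom_uint(value)
        out.append(END_NAME)
    out += bytes([END_LIST, END_OF_DATA, START_LIST, 0, 0, 0, END_LIST])
    return bytes(out)


def _read_atom(buf, i):
    """Decode the atom at buf[i] -> (value, next_index). Unsigned ints only."""
    h = buf[i]
    if h < 0x80:                                            # tiny atom
        return h & 0x3F, i + 1
    if h < 0xC0:                                            # short atom
        is_bytes, n, start = h & 0x20, h & 0x0F, i + 1
    elif h < 0xE0:                                          # medium atom
        is_bytes, n, start = h & 0x10, ((h & 0x07) << 8) | buf[i + 1], i + 2
    else:
        raise ValueError(f"unsupported token 0x{h:02x} at offset {i}")
    raw = buf[start:start + n]
    if len(raw) != n:
        raise ValueError("truncated atom")
    return (raw if is_bytes else int.from_bytes(raw, "big")), start + n


def decode_tokens(buf):
    """Parse a token stream into nested lists; other control tokens become names."""
    root, stack, i = [], [], 0
    cur = root
    while i < len(buf):
        t = buf[i]
        if t == START_LIST:
            new = []
            cur.append(new)
            stack.append(cur)
            cur, i = new, i + 1
        elif t == END_LIST:
            if not stack:
                raise ValueError("EndList without StartList")
            cur, i = stack.pop(), i + 1
        elif t in NAMES:
            cur.append(NAMES[t])
            i += 1
        else:
            value, i = _read_atom(buf, i)
            cur.append(value)
    if stack:
        raise ValueError("unterminated list")
    return root


if __name__ == "__main__":
    # Constructed call: Set two named values (placeholder columns 3 and 4)
    stream = encode_method_call(INVOKING_UID, SET_METHOD_UID, [(3, 0x1000), (4, 0x800)])
    print(stream.hex())
    print(decode_tokens(stream))
```

The decoder consumes atom payloads by their declared length, so a byte atom whose data happens to contain 0xF0 or 0xF8 is never mistaken for a list or call token; a decoder that scans for control bytes instead of honouring atom lengths would be confused by exactly that input.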

Page 29: SP Issuance/Personalization Overview

- Issuance: creation of a new SP (exchange/validation of credentials between the Issuance Server and the SP), including activation of drive features.
- Templates: define the SP's initial tables and methods.
- Personalization: customization of a newly created SP via modification of table data, administrator and other authorities, default access control settings, etc.

Page 30: SP Issuance/Personalization Overview (continued)

Users/applications/services obtain a certificate from an authorized organization to obtain an SP with the desired capabilities on a given storage device. Figure annotations: which Templates (e.g., Base + Locking), which storage device, how much storage, etc.

The storage device owner must authorize the issuance. Once issued, the SP can be customized by the user/app/service.

Figure: Org 1 is a pre-installed authority in the Admin SP of the Storage Device. SP A (Base + Locking) is issued with default tables/values and AppA_Auth is the only authority. App A can now customize the SP.

Page 31: Some TCG Storage Use Cases

- Self Encrypting Drive Management
  - LBA Range Management
  - Locking/Unlocking of LBA Ranges
  - Secure Erase (end-of-life, repurposing)
- Drive Verification
- Generic Secure Storage
- Forensic Logging

Page 32: Self-Encrypting Drive Basics

Data protected from loss, disclosure. 100% performance encryption engine in the drive: on Write, the plaintext (“Here is the un-encrypted text”) is stored as ciphertext (“P%k5t$@sg!7#x1)#&%”); on Read it is decrypted again.

- The storage device LOCKS when it powers OFF.
- The storage device remains LOCKED when it is powered back ON.
- Authentication UNLOCKS the storage device.
- The storage device reads and writes data normally while the drive is unlocked.
- The plaintext data sent to the device is encrypted before being written.
- The encrypted data read from the device is decrypted before being returned.

Figure element: Authentication Key Management Service.

Page 33: “Locking SP” Creation

The “Locking SP” enables host management of Self Encrypting Drive functionality using the TCG Storage Architecture. The “Locking SP” incorporates a subset of at least the Base and Locking Templates. Other Templates may be incorporated at issuance to enable additional capabilities.

Base Template Tables & Methods included: tables SPInfo, SPTemplates, Table, Column, Type, MethodID, AccessControl, ACE, Authority, Certificates, C_PIN, C_RSA_1024; methods Get, Set, Next, Authenticate, GetACL, AddACE, RemoveACE, GenKey.

Locking Template Tables & Methods included: LockingInfo, Locking, K_AES_128, MBRControl, MBR.

Issuance → Locking SP.

Page 34: Retrieving Configurations

An authorized User can, access control permitting, read device information and configurations from the Admin SP, and locking configurations from the Locking SP. Application communication with different SPs is performed using separate sessions.

Figure: the User authenticates (password) to the SP and retrieves configuration information using App A; App A invokes Get to retrieve configurations from the Admin SP (authority Org 1) and from the Locking SP of the Storage Device.

Page 35: LBA Range Encryption & Locking

The storage device can have only one SP with Locking capability. Access control to user data can be configured. The storage device will support a certain number of independent ranges of user data.

Figure: App A ↔ Locking SP (Locking Table; authorities User 1 and User 2) on the Storage Device, which holds Range 1, Range 2 and Range 3 with independent encryption and access control for each range.

There can only be one Locking SP per Storage Device. App A is responsible for configuring encryption and access control for all users.

Page 36: Locking Ranges

The Locking SP enables independent ranges of the user data space to be separately configured for read/write access control by an authorized and authenticated user (typically an Administrator).

Range settings are stored in the Locking table. The User authenticates (password) to the SP and configures the ranges using App A; App A invokes Set to configure the starting address and length of each range (Range 1, Range 2, Range 3: separately configured portions of the user data space).

Page 37: Configuring Passwords

Each user can be assigned a separate password that is used for authentication to the Locking SP.

Passwords are stored in the C_PIN table. The User authenticates (password) to the SP and configures the password using App A; App A invokes Set to change the password.

Page 38: Unlocking Ranges

The authorized user authenticates with their password and then unlocks the ranges to which they have access.

Range settings are stored in the Locking table. The User authenticates (password) to the SP and unlocks the ranges to which they have access using App A; App A invokes Set to change the locking values of the appropriate ranges (figure: Range 1, Range 2, Range 3, with the unlocked range highlighted).

Page 39: Secure Erase

The Locking SP provides the users with the ability to erase data, securely and quickly, by replacing the encryption key for a range with a new key randomly generated securely in the drive. This ability can be assigned based on security policy and device capability.

Range keys are held in the K_* table. The User authenticates (password) to the SP and erases the range using App A; App A invokes GenKey to generate a new encrypting key for the range.
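The self-encrypting-drive behaviour of the preceding slides (locked at power-off and at power-on, unlocked only after authentication, a key per range, Set on the Locking table, GenKey as secure erase) in one added Python model. This is not code from the presentation or from any drive's firmware: the drive's AES engine is stood in for by a toy SHA-256 keystream so the block runs with the standard library alone, and the authority name, PIN, range layout and 16-byte sector size are constructed.

```python
"""Locking SP model: ranges, lock state across power cycles, per-range keys,
and GenKey-based secure erase. Added example, not code from the presentation
or any drive's firmware; the toy SHA-256 keystream stands in for AES so the
block is stdlib-only, and all names, PINs, LBAs and sizes are constructed."""
import hashlib
import secrets
from dataclasses import dataclass, field

SECTOR = 16  # toy sector size in bytes (constructed)


def _keystream(key, lba, n):
    """Toy keystream: SHA-256(key || lba || counter) blocks. Not AES, not XTS."""
    out, ctr = bytearray(), 0
    while len(out) < n:
        out += hashlib.sha256(key + lba.to_bytes(8, "big") + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return bytes(out[:n])


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


@dataclass
class LockingRange:
    """One Locking-table row plus the K_* key row it references."""
    range_start: int
    range_length: int
    read_locked: bool = True     # locked at power-on until an authenticated unlock
    write_locked: bool = True
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))


class LockingSP:
    def __init__(self, pins, ranges):
        self._pins = dict(pins)        # C_PIN table: authority -> PIN
        self.locking = list(ranges)    # Locking table rows
        self.media = {}                # ciphertext on the media: lba -> bytes
        self.authenticated = set()     # authorities proven in this session

    def authenticate(self, authority, pin):
        """Authenticate (Base template): prove knowledge of the authority's PIN."""
        ok = secrets.compare_digest(self._pins.get(authority, ""), pin)
        if ok:
            self.authenticated.add(authority)
        return ok

    def _require(self, authority):
        if authority not in self.authenticated:
            raise PermissionError(f"{authority} is not authenticated in this session")

    def set_locked(self, authority, idx, read_locked, write_locked):
        """Set on the Locking table's ReadLocked/WriteLocked values of range idx."""
        self._require(authority)
        r = self.locking[idx]
        r.read_locked, r.write_locked = read_locked, write_locked

    def genkey(self, authority, idx):
        """GenKey: replace the range key with a fresh device-generated one, which
        leaves every sector already written to the range unrecoverable."""
        self._require(authority)
        self.locking[idx].key = secrets.token_bytes(32)

    def power_cycle(self):
        """The device LOCKS at power-off and stays LOCKED at power-on."""
        for r in self.locking:
            r.read_locked = r.write_locked = True
        self.authenticated.clear()

    def _range_for(self, lba):
        for r in self.locking:
            if r.range_start <= lba < r.range_start + r.range_length:
                return r
        raise LookupError(f"LBA {lba} is not in any configured range")

    def write(self, lba, plaintext):
        r = self._range_for(lba)
        if r.write_locked:
            raise PermissionError(f"LBA {lba}: range is write-locked")
        self.media[lba] = _xor(plaintext, _keystream(r.key, lba, SECTOR))

    def read(self, lba):
        r = self._range_for(lba)
        if r.read_locked:
            raise PermissionError(f"LBA {lba}: range is read-locked")
        return _xor(self.media[lba], _keystream(r.key, lba, SECTOR))


def _allowed(fn):
    try:
        fn()
        return True
    except PermissionError:
        return False


def demo():
    """Unlock, write, power-cycle, re-authenticate, then secure-erase range 0."""
    sp = LockingSP({"User1": "pin-user1"}, [LockingRange(0, 100), LockingRange(100, 100)])
    data = b"secret data".ljust(SECTOR)
    out = {"write_refused_while_locked": not _allowed(lambda: sp.write(5, data))}
    sp.authenticate("User1", "pin-user1")
    sp.set_locked("User1", 0, read_locked=False, write_locked=False)
    sp.write(5, data)
    out["readback"] = sp.read(5)
    sp.power_cycle()
    out["read_refused_after_power_cycle"] = not _allowed(lambda: sp.read(5))
    sp.authenticate("User1", "pin-user1")
    sp.set_locked("User1", 0, read_locked=False, write_locked=False)
    out["readback_after_reauth"] = sp.read(5)
    sp.genkey("User1", 0)                # secure erase: old ciphertext, new key
    out["readback_after_genkey"] = sp.read(5)
    return out
```

Two properties worth checking in any implementation are visible in `demo()`: a power cycle must clear both the lock state and the session's authenticated authorities, and after GenKey the old ciphertext is still on the media but decrypts to noise because only the key changed.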

Page 40: Incorporating Additional Features

The basic Locking SP can be enhanced by incorporating additional Templates or a larger subset of the Base Template at issuance.

Base Template Tables & Methods: tables SPInfo, SPTemplates, Table, Column, Type, MethodID, AccessControl, ACE, Authority, Certificates, C_PIN, C_RSA_1024; methods Get, Set, Next, Authenticate, GetACL, AddACE, RemoveACE, GenKey.

Locking Template Tables & Methods: LockingInfo, Locking, K_AES_128, MBRControl, MBR.

Crypto Template Methods added at issuance: Random, Sign.

Issuance → Locking SP.

Page 41: Locking SP – Random Method

With the Crypto Template’s Random method activated at Issuance, the Locking SP can provide additional functionality for the host. The Random method allows the host to retrieve random bytes generated by the device’s RNG.

Figure: the User authenticates (password) to the SP and retrieves random bytes using App A; App A invokes Random to request randomly generated bytes from the device.

Page 42: Locking SP – Sign Method

With the Crypto Template’s Sign method activated at Issuance, the Locking SP can provide additional functionality for the host. The host can verify a device by having the device sign a host-generated challenge.

Figure: the User authenticates (password) to the SP and requests that the device sign a challenge; App A invokes Sign and sends a nonce, which the device signs using its private key (held in the C_RSA_* table). The signed nonce validates the device to the host.
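The challenge-response exchange of this slide, as an added Python example (not code from the presentation or from the TCG specifications): the host issues a fresh nonce, the TPer signs it with the private key from its C_RSA_* row, and the host verifies with the device's public key, which it is assumed to hold already (for instance from a certificate). To stay standard-library-only the signature is textbook RSA over SHA-256 with a 256-bit toy modulus and no padding; the key sizes and the absence of a padding scheme are simplifications for the example, not a recommendation.

```python
"""Device verification by signed challenge (Crypto Template Sign method).

Added example; not code from the presentation or the TCG specs. Textbook RSA
with a 256-bit toy modulus and no padding is used only so the block runs with
the standard library; key sizes and padding here are not deployment choices.
"""
import hashlib
import secrets


def _is_probable_prime(n, rounds=20):
    """Miller-Rabin primality test."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # top and low bit set
        if _is_probable_prime(cand):
            return cand


def rsa_keygen(bits=256):
    """Return ((n, e), (n, d)); e is prime, so gcd(e, phi) == 1 iff e does not divide phi."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))


def _digest_int(message, n):
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def rsa_sign(priv, message):
    n, d = priv
    return pow(_digest_int(message, n), d, n)


def rsa_verify(pub, message, signature):
    n, e = pub
    return 0 <= signature < n and pow(signature, e, n) == _digest_int(message, n)


class TPer:
    """Device side: holds the private key (the C_RSA_* row) and implements Sign."""
    def __init__(self, priv):
        self._priv = priv

    def sign(self, challenge):
        return rsa_sign(self._priv, challenge)


class Host:
    """Host side: issues one-time nonces and verifies the device's signature."""
    def __init__(self, device_pub):
        self._pub = device_pub
        self._pending = None

    def new_challenge(self):
        self._pending = secrets.token_bytes(32)   # fresh per attempt, never reused
        return self._pending

    def verify_device(self, signature):
        """True only for a signature over the most recently issued nonce; the nonce
        is consumed either way, so a captured signature cannot be replayed later."""
        ok = self._pending is not None and rsa_verify(self._pub, self._pending, signature)
        self._pending = None
        return ok


def demo():
    """Genuine device passes; a replayed signature and a device with another key fail."""
    pub, priv = rsa_keygen()
    device, host = TPer(priv), Host(pub)
    sig = device.sign(host.new_challenge())
    genuine = host.verify_device(sig)
    host.new_challenge()                  # new attempt, new nonce
    replayed = host.verify_device(sig)    # old signature against the new nonce
    _, other_priv = rsa_keygen()          # a device holding some other key
    impostor = host.verify_device(TPer(other_priv).sign(host.new_challenge()))
    return genuine, replayed, impostor
```

The host-side detail that matters is in `verify_device`: the nonce is bound to one attempt and discarded after use, so a signature observed on the bus for an earlier challenge proves nothing about the device answering the current one.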


Interface Interactions

Storage Interface Interactions Subgroup: defines a support document for the Core Spec and SSCs

- Maps Core Spec defined resets to associated interface resets
- Maps TCG-based interface command errors in IF-SEND/IF-RECV to associated interface errors
- Provides a common place for reference


Storage Architecture Core Specification

[Figure: the Storage Architecture Core Specification is specialized by Security Subsystem Classes (Security Subsystem Class = SSC): HDD SSC - Enterprise, HDD SSC - Notebook, Optical SSC (OSSC).]


Optical SSC Goal

FDE that is easy to use, unobtrusive, transparent and compatible


Trusted Platform with Trusted Storage

- Multi-factor authentication: password, biometrics, dongles
- Secure/hardware storage of credentials, confidential financial/medical data
- Trusted life cycle management of personal information
- Integrity-checking of application software
- Cryptographic functions for storage and communications security
- Trusted/secure computation of high-value functions (protection from viruses/etc)

Other Uses (Home banking, remote medical, …)


Enterprise Management of Self Encrypting Drives

[Figure: the SP and FDE on the drive, managed from the enterprise server through the laptop application]

Enterprise Server: key generation and distribution; key/password archive, backup and recovery

Laptop (Application): master/user passwords, multi-factor authentication, TPM support; secure log-in, Secure Fast Erase

Self Encrypting Trusted Drive: disk or sector encryption, sensitive credential store, drive locking


The Future…

- Encryption: automatic performance scaling, manageability, security
- Standards-based: multiple vendors; interoperability
- Unified key management: handles all forms of storage


www.trustedcomputinggroup.org

Thank You!


Q&A / Feedback

Please send any questions or comments on this presentation to SNIA: [email protected]

Many thanks to the following individuals for their contributions to this tutorial.

- SNIA Education Committee

- Robert Thibadeau, Michael Willett

All Storage Manufacturers (contributors)