Security Architecture for Device Encryption and VPN Ammar Alkassar^ • Michael Scheibel^ • Christian Stiible^ Ahmad-Reza Sadeghi^ • Marcel Winandy^ ^Sinix AG Security Technologies {a.alkassar | m.scheibel}@sirrix.com ^Ruhr-University Bochum
[email protected] ^ Ruhr-University Bochum ihr-University Bocl {sadeghi | winandy}® crypto.rub.de
Abstract Encryption systems are widely used to protect stored and communicated data from unauthorized access. Unfortunately, most software-based encryption products suffer from various vulnerabilities such as insecure storage and usage capabilities for security-critical cryptographic keys and operations. In this paper we present a security architecture that allows secure, reliable and user-friendly encryption of devices and of TCP/IP conmiunication. The architecture is capable of using Trusted Computing functionalities and offers a security level which is comparable to a hardware based solution, but is far more cost-effective. We have already implemented a device encryption system and a VPN client. Moreover, the security architecture is an appropriate basis for many applications such as Enterprise Rights Management (ERM) and secure Online Banking.
1 Introduction Encryption systems are widely used to protect stored and communicated data from unauthorized access. Application areas include device (e.g. hard disk) encryption as well as Virtual Private Networks (VPN). Unfortunately, most software-based encryption products suffer from various vulnerabilities such as insecure storage and usage capabilities for security-critical cryptographic keys and operations. The underlying operating systems (OS) cannot prevent other (potentially malicious) applications from gaining access to the critical key data. The reasons lie in conceptual weaknesses of common computing platforms, in particular in insecure OS architectures. This is evident by the huge number of exploits and constant security updates.
S. Paulus, N. Pohlmann, H. Reimer (Editors): Securing Electronic Business Processes, Vieweg (2006), 54-63
Security Architecture for Device Encryption and VPN
5^
We present a security architecture that allows secure, reliable and user-friendly encryption of devices and of TCP/IP communication. The security architecture strongly isolates the secret (key) information and all related security-critical operations from the operating system. A security software layer is installed between the hardware layer and the operating system layer to isolate the legacy operating system (including legacy appHcations) from security-critical appUcations. This is similar to a hardware based solution but far more cost-effective. Moreover, the architecture is capable of using Trusted Computing functionalities to protect the cryptographic keys and to assure software integrity during the booting process of the system.
2 Existing Solutions Existing software device encryption systems [Micr05a, PGPC05, Safe05, Utim05] provide features such as strong symmetric encryption, a centralized user administration and policy enforcement, key recovery mechanisms, two-factor pre-boot authentication, and multi-user support. Some of these solutions integrate a Trusted Platform Module (TPM) [TCGW05] to bind encryption keys to hardware and/or software components and for secure random number generation. To the best of our knowledge, none of these systems strongly isolate the encryption keys and operations from the operating system. Thus, if the operating system fails (maliciously or accidentially), the encryption system will fail, too. This pertains to commonly used VPN clients as well, e.g., [Cisc05]. Representative examples of commercial software encryption systems serving both application areas are described next.
2.1 Windows Vista BitLoclcer Drive Encryption BitLocker Drive Encryption (formerly known as "Secure Startup - Full Volume Encryption") is a hard disk encryption system integrated into the upcoming cHent version release of Microsoft's Windows Operating System ("Windows Vista"). The feature optionally uses a TPM version 1.2 to ensure that system files have not been tampered with while the system was offline. This is achieved by the TPM's "sealing" functionality: A TPM-aware bootmanager^ first measures the integrity of all OS components before passing control to them. These integrity values are compared to reference values stored inside the TPM before unrevealing the encryption key. BitLocker is transparent to the user as it encrypts the entire Windows volume including all user and system files. For full user transparency, BitLocker does not use the TPM authentication mechanisms. The authorization secret of the TPM Storage Root Key (SRK) which is needed for the sealing functionality is set to a value of 20 bytes of zero [Micr05b]. Thus, appHcations (even if running on other operating systems) cannot use the full security functionality of the TPM.
^ Interestingly, the boot partition containing the bootmanager should be as large as 50 MB [MicrOSa]. Code of this size provides a large attack surface and is very difficult to verify.
56
Security Architecture for Device Encryption and VPN
BitLocker Drive Encryption/Secure Startup does explicitly not protect the cryptographic keys from malicious software: "...a Trojan^ can be downloaded when the administrative user is connected to the Internet, compromising the system security including Secure Startup. In this situation, the system could be compromised if it is lost or stolen." [Mici05a], p.8.
2.2 Cisco VPN Client The Cisco VPN Client establishes IP security (IPSec) tunnels to remote sites [Cisc05]. It is available for Microsoft Windows, Mac OS, Solaris, and Linux operating systems. Pre-shared keys are stored in RAM; passwords are stored in plain text files [Cisc04]. As the above operating systems have full access to both RAM and files, malicious software, having once gained system privileges, can read out these authorization secrets. An attacker may then connect to the Virtual Private Network from another host.
3 The EMSCB Project Our solution has been developed in the context of the European Multilaterally Secure Computing Base (EMSCB) project [Emsc06]. This project which is partly funded by the German Federal Ministry of Economics and Technology aims at developing a trustworthy computing platform, based on open standards and open source, that solves many security problems of conventional platforms. The EMSCB consortium includes several scientific and industrial partners. An implementation of the security architecture developed within the EMSCB project has recently been published under the name 'Turaya" [Emsc06]. The Turaya computing platform builds on a hardware layer that is optionally enhanced by Trusted Computing (TC) technology, e.g., a TPM. A security kernel provides an abstract interface to these hardware resources and guarantees strong isolation of applications. When focussing encryption systems, the isolation feature of the security kernel can be used to prevent potentially malicious software from accessing cryptographic keys and operations. Additionally, the security kernel integrates security-critical services such as a secure user interface, persistent storage, and secure booting. On top of the Turaya security kernel existing operating systems are running in parallel to - but strongly isolated from - security-critical applications (Figure 1). The security kernel is capable of integrating virtualization software such as the Xen virtual machine monitor [Univ06], and is prepared to take use of emerging hardware virtualization technologies [Adva06,Inte06]. In the sense of multilateral security, the Turaya platform allows the enforcement of security policies of different parties, i.e., end-users as well as business companys. Consequently, the platform enables the realization of various innovative business models, particularly in the area of Digital Rights Management, while averting the potential risks of Trusted Computing platforms concerning privacy issues. The basic Turaya technology will be made available under an an open-source license.
^ A computer program with an apparently or acmally useful function that contains additional (hidden) functions that surreptitiously exploit the legitimate authorizations of the invoking process to the detriment of security. [USDe85]
57
Security Architecture for Device Encryption and VPN
Legacy Operating System i---^-.;..''-:.^r,'/ -:^--».:j:^Vl-».-.•^..•^ »- .-;
