Lecture 16: Full Disk Encryption

Encryption is one of the main tools that we use to protect data confidentiality. The goal of Part 3 of this course is to study encryption and its role in:

• Protecting data at rest on your laptop or phone
• Protecting data in transit over the Internet or messaging app

Last time, we studied pseudorandom permutations \(f: \{0, 1\}^n \to \{0, 1\}^n\), which are deterministic, fixed-length functions that act “as if” they are random.

The most common pseudorandom permutation used in practice is the Advaned Encryption Standard (AES).

We also studied the sponge function design, from which we constructed many symmetric crypto primitives.

Definition. Authenticated encryption with associated data (AEAD) contains three algorithms:

• KeyGen: randomly choose \(k\), as usual
• Enc\((k, P, A, N)\): produces a ciphertext/tag \(C\) of length \(|C| > |P|\)
• Dec\((k, C, A, N)\): returns the original private message \(P\)

“If you have to perform any cryptographic operation before verifying the MAC on a message you’ve received, it will somehow inevitably lead to doom!”

– Moxie Marlinspike

All major operating systems support disk encryption, often by default.

Some terminology: the basic unit of data within a hard drive is called a “sector.” Sectors have a fixed length specified by the drive manufacturer.

• Common options are 512, 520, 2048, 4096 bytes
• Total number of sectors depends on the drive’s total storage

Here are the 4 types of hardware that we are going to consider today.

Remember that having the secret key gives someone the power to decrypt and read a message. With that in mind, whenever you see encryption used in practice, the first question you should ask is “where are the keys?

Question. In sector-level encryption, where should we store the symmetric key?

An appealing, but ultimately incorrect, idea is to store the symmetric key in hard drive. After all, we already use the hard drive to store everything else.

Question. Why is this a mistake?

Instead, a better workflow is to store the key in a tamper-resistant piece of hardware when the computer is off, and move the key into the RAM when the computer is on.

Sector-level encryption uses a special kind of symmetric encryption scheme, called AES-XTS. Why is that?

This is the best way to derive symmetric keys from a login procedure that is non-interactive (i.e., runs on your computer, rather than with a web server) because the device never stores its own long-term secrets.

Common PRFs used in practice are AES and HMAC-SHA2 (which is just SHA-2 with some important but minor tweaks).

However, we do not want to encrypt the entire drive several times.

\[ \operatorname{Enc}_{\text{K1}}(\text{sector}) \quad \operatorname{Enc}_{\text{K2}}(\text{sector}) \quad \operatorname{Enc}_{\text{K3}}(\text{sector}) \]

Question. What can we do instead?

Key wrapping is a special kind of encryption that allows us to protect one key under another.

• For each sector, we can generate an ephemeral (one-time) key to encrypt the file.
• Then we can wrap this key under all of the password-derived keys for all accounts that are authorized to read the file.

\[ \operatorname{Wrap}_{\text{K1}}(ek) \quad \operatorname{Wrap}_{\text{K2}}(ek) \quad \operatorname{Wrap}_{\text{K3}}(ek) \quad \operatorname{Enc}_{\text{ek}}(\text{sector}) \]

There are two downsides to this approach:

• If a file is shared between different accounts, we will need public key encryption to encrypt to the other parties even if we do not know their password-derived secret keys.
• The encrypted data plus the keywraps no longer fit inside of the original sector.

As a case study, we will examine the design of Apple’s data encryption system on iPhones.

Core idea: data should only be decryptable in the right context.

Let’s work our way through this image from right to left. There is (at least) one symmetric key for each file that is stored on the drive.

“Every time a file on the data volume is created, Data Protection creates a new 256-bit key (the per-file key) and gives it to the hardware AES Engine, which uses the key to encrypt the file as it’s being written to flash storage.

On A14 through A18 and M1 through M4 devices, the encryption uses AES-256 in XTS mode, where the 256-bit per-file-key goes through a Key Derivation Function (NIST Special Publication 800-108) to derive a 256-bit tweak and a 256-bit cipher key.”

– Apple Platform Security guide (link)

Since Apple controls both the software and hardware:

• Their Secure Enclave includes a hardware component to generate keys at random.
• Their fast AES engine is placed between the RAM and hard drive.

Moving left, each of the file keys is itself key-wrapped using a “class key,” which determines when the file needs to be readable and writable.

This keywrap goes in the file’s metadata. Whenever the file is read, the filesystem is designed to retrieve this metadata along with the encrypted file contents.

Question. How does the phone get the class keys?

Remember our mantra for today: derive keys rather than storing them! Once again we use keywrapping to protect the class keys with a passcode key that is derived from:

• The alphanumeric PIN used to log into the phone.
• A unique string fused into the chip at manufacture time, unknown outside Secure Enclave.

Note that there exist other ways to derive the class keys, in order to enable:

• Biometric-based login (TouchID and FaceID)
• Overnight iCloud backups
• Corporate device management
• Customer service (i.e., the company helping you to regain control of your data if you forget your password)
• …

Let’s look at some of the legal questions raised by the use of encryption.

The latter question gained significant attention in early 2016, when the FBI wanted data on a locked iPhone 5c in its possession, but they did not have the PIN.

Remember that key = pbkdf2(pin, uid), so to read the files they could:

• Brute-force the pin on the phone itself, or
• Pry open the phone to find the hardware uid and then brute-force the pin on a faster computer.

FBI wanted Apple to modify its operating system to enable a brute-force search of the PINs:

• Allow PINs to be submitted via external interface, not by hand
• Remove the delay between incorrect guesses (not the crypto delay, but the other one)
• Remove the “poison pill” wiping of the phone after 10 misses

Question. If these are software-only protections, why couldn’t the FBI change the operating system code on its own?

Here we need to discuss the crypto used for updates to the operating system. Since the code itself is not a secret, here the goal is integrity.

The server’s digital signature contains:

• Device ID to personalize the response to this particular phone
• Nonce to connect the response to the initial request, in order to prevent replay attacks

The FBI wanted Apple to produce and digitally sign an updated “GovtOS” without the delay and poison pill. Only Apple could create this software update, or else the phone would reject it.

This court case was never fully resolved.

• The FBI withdrew their request after finding a company who could break into the phone without Apple’s assistance.
• While we do not know the exact methods used with that specific phone, here is a Vice magazine article that describes a device and procedure that law enforcement agencies in the United States use to decrypt other phones.

We will discuss more interactions between cryptography and the law, often informally dubbed the Crypto Wars, in Part 5 of the course.