Limiting Liability in a Federally Compliant File System

Randal Burns. Adam Stubblefield. PORTIA Workshop 2004.

Transcript and Presenter's Notes


1
Limiting Liability in a Federally Compliant File System
  • Zachary N. J. Peterson
  • Randal Burns
  • Adam Stubblefield

2
Overview
  • Recent legislation makes new requirements with respect to the management of electronic records
  • How does one electronically leave the past behind?
      • Data managers may wish to limit their liability
      • Patients/account holders may wish for their data to expire
  • We have developed a method for securely deleting data in a regulatory environment
      • Fast and efficient
      • No additional key overhead

3
A Paperless World
  • Information records are becoming entirely electronic
      • Financial records, medical records, federal data
      • 300 million computers storing 150,000 terabytes of data
  • Eases use, sharing, and indexing
  • Allows for undetectable modification, eavesdropping, and other more devious things
  • Congress and others have begun to address the importance of managing and securing electronic records
      • Over 4,000 federal, state and local laws and regulations with regard to electronic record management

4
The Law and Storage
  • Health Insurance Portability and Accountability Act (HIPAA) (1996)
  • Government Information Security Reform Act (GISRA)
  • Federal Information Security Management Act (FISMA) (2002)
  • E-SIGN (2000)
  • Sarbanes-Oxley (2002)
  • Gramm-Leach-Bliley (2002)
  • USA-PATRIOT Act
  • Federal Records Act
  • DoD Directive 5015.2
  • And on and on

5
Distilling Regulatory Requirements
  • Authentication and Authorization
  • Audit Trail
      • Files should be versioned over time
      • Secure block sharing between versions
  • Secure Storage and Transmission
      • The use of cryptography for
          • Privacy and confidentiality
          • Non-repudiation

6
Secure Deletion in the Regulatory Environment
  • Organizations must take steps to protect privacy
  • Desire to limit liability
      • Records that go out of audit scope should do so forever
      • Patients may wish to redact portions of their medical record
      • When a disk is subpoenaed, old and irrelevant data should be inaccessible
  • Simply emptying the trash isn't good enough
      • Only frees the blocks for future allocations
      • Even after reuse, overwritten data may be reconstructed using magnetic force microscopy

7
Existing Techniques
  • Secure Overwrite [Gutmann 96]
      • Data blocks are overwritten many times with alternating patterns of 1s and 0s
      • Magnetic media is degaussed and safe from MFM
  • Key Disposal [Boneh, Lipton 96]
      • Data encrypted with a key
      • Key is securely deleted, eliminating meaningful data access
  • User Space Tools
      • CyberScrub
      • Overwrite
      • Wipe

8
Technical Problems
  • Secure overwriting of noncontiguous data blocks is slow and inefficient
      • When versions share blocks, data to be overwritten may be noncontiguous
  • Cannot dispose of file keys in a versioning file system
      • Blocks encrypted with a particular key need to be available in future versions
  • User space tools are categorically inadequate
      • Can't delete metadata
      • Can't be interposed between file operations
      • Truncate may leak data
      • Synchronicity is difficult and inconvenient

9
The Big Idea
  • A keyed all-or-nothing transform takes a key, a data block, and a nonce
  • Encryption creates an encrypted block and a stub
  • When the key is private, data is secure and authenticated
  • Securely deleting the stub securely deletes the block, even if the key is later exposed

10
All-or-nothing (AON) Encryption [Boyko 99, Rivest 96]
  • A mode for block ciphers that requires all cipher blocks to be decrypted before the message block is recovered
  • Increases the searchable key space for brute-force attacks
      • Attacker slowed down by a factor equal to the number of blocks in the ciphertext
  • By definition, destroying any cipher block destroys the entire message block
  • Our work is the first practical application of AON

11
Features of our System
  • Stub length is a security parameter
      • In practice, the stub might be 128 bits
  • Stubs are stored with metadata and are not secret
  • When deleting a version, metadata and stubs are securely overwritten
      • This securely removes all data for that version
  • Stubs of the shared blocks are replicated to new versions
      • Shared data are preserved when previous versions are deleted

12
Example
[Figure: file metadata holding stubs s0, s1, s2 for the version at time 11; disk holding cipher blocks C0, C1, C2]
13
Example
Receive a write to block 2 at time 17
[Figure: file metadata holding stubs s0, s1, s2 for the version at time 11; disk holding cipher blocks C0, C1, C2]
14
Example
Delete file at time 11
[Figure: file metadata now holding two versions, at time 11 and at time 17, each with stubs s0, s1, s2; disk holding cipher blocks C0, C1, C2 and a second C1]
15
Example
Delete file at time 11
Block C1 is deleted permanently
[Figure: same layout as slide 14]
16
More Features
  • No extra key overhead added to the system when compared with other secure systems
      • Versions of a file may use the same key for encryption
  • AON encryption allows the deletion of any 128 bits
      • Instead of removing the stub, 128 bits of the block may be securely overwritten
      • More efficient when removing data from all versions of a file
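
As an added illustration of the keyed all-or-nothing transform described on slides 9 to 11 and the "delete any 128 bits" property on slide 16 (example code written for this transcript, not ext3cow's implementation): Rivest's package transform is run under an outer per-block keystream, with HMAC-SHA256 truncated to 128 bits standing in for the block cipher so the code runs offline; the construction, the PRF choice and all names are assumptions. The last pseudo-block is the stub kept in metadata; once the stub (or any one 128-bit cipher block) is overwritten, decryption yields nothing useful even with the correct key.

```python
import hashlib
import hmac
import os

BLK = 16            # 128-bit blocks; the stub is exactly one block
K0 = b"\x00" * BLK  # public fixed key of the package transform (not secret)

def prf(key, data):
    """HMAC-SHA256 truncated to one block, standing in for a block cipher E_key(data)."""
    return hmac.new(key, data, hashlib.sha256).digest()[:BLK]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def ctr(i):
    return i.to_bytes(BLK, "big")  # block index as a 128-bit counter block

def package(data):
    """Rivest's package transform: n pseudo-message blocks plus one extra block
    (the stub) hiding the random inner key; every output block is needed to
    recover any input block."""
    assert len(data) % BLK == 0
    k_inner = os.urandom(BLK)
    blocks = [data[i:i + BLK] for i in range(0, len(data), BLK)]
    out = [xor(m, prf(k_inner, ctr(i))) for i, m in enumerate(blocks, 1)]
    stub = k_inner
    for i, c in enumerate(out, 1):
        stub = xor(stub, prf(K0, xor(c, ctr(i))))
    return out + [stub]

def unpackage(blocks):
    *out, stub = blocks
    k_inner = stub
    for i, c in enumerate(out, 1):
        k_inner = xor(k_inner, prf(K0, xor(c, ctr(i))))
    return b"".join(xor(c, prf(k_inner, ctr(i))) for i, c in enumerate(out, 1))

def keystream(key, nonce, n):
    return [prf(key, nonce + i.to_bytes(4, "big")) for i in range(n)]

def aon_encrypt(key, nonce, data):
    """Keyed AON transform: package, then encrypt every pseudo-block under the outer
    key and nonce. Returns (encrypted block, 128-bit stub kept in the metadata)."""
    pkg = package(data)
    enc = [xor(p, k) for p, k in zip(pkg, keystream(key, nonce, len(pkg)))]
    return b"".join(enc[:-1]), enc[-1]

def aon_decrypt(key, nonce, cipher_block, stub):
    enc = [cipher_block[i:i + BLK] for i in range(0, len(cipher_block), BLK)] + [stub]
    return unpackage([xor(c, k) for c, k in zip(enc, keystream(key, nonce, len(enc)))])
```

Zeroing the stub models the secure overwrite of the metadata on slide 11; zeroing one block of the encrypted data models the slide 16 alternative, and in both cases every plaintext block is lost, not just the overwritten one.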

17
Example
[Figure: file metadata holding two versions, at time 11 and at time 17, each with stubs s0, s1, s2; disk holding cipher blocks C0, C1, C2]
18
Example
[Figure: same layout as slide 17]
19
Availability
  • Implementing this secure deletion scheme in ext3cow
      • A fully working snapshot file system for the Linux 2.4 kernel
  • Web site www.ext3cow.com
      • Download the patch
      • Read the technical report
      • Join the mailing list
  • Email zachary_at_jhu.edu

20
(No Transcript)
21
Electronic Record Legislation
  • Sarbanes-Oxley (2002)
      • CEO, CFO responsible for accurate financial reports
      • Management assessment of internal controls
      • Real time disclosure
      • Criminal penalties for altering documents
  • Gramm-Leach-Bliley (2002)
      • Consumer records kept confidential
      • Protect against threats and unauthorized access
  • HIPAA (1996)
      • Technical security mechanisms
      • Physical safeguards
  • E-SIGN (2000)
      • Digital contracts are as legitimate as paper contracts
  • FISMA (2002)
      • Framework for ensuring security controls for storage
      • Security of system must be commensurate with security of data

22
The Law and Storage
  • Health Insurance Portability and Accountability Act (HIPAA)
  • Government Information Security Reform Act (GISRA)
  • Federal Information Security Management Act (FISMA)
  • Sarbanes-Oxley (SOX)
  • Gramm-Leach-Bliley (GLB)
  • PATRIOT Act
  • Federal Records Act
  • DoD Directive 5015.2
  • 4,000 State and Federal Laws and Regulations with regard to storage

23
What are the requirements?
  • Authorization
      • Access controls (role-based authorizations)
      • Encryption (confidentiality)
      • Digital signatures (non-repudiation)
  • Authentication
  • Audit Trail
      • Record of all changes
  • Secure Storage and Transmission
      • More encryption?
  • Integrity and Reliability
      • Unaltered records
      • Trusted content

24
Introducing Ext3cow
  • A file system based on ext3 that supports file system snapshot with a time-shifting interface.
  • Creates immutable views of a file system as it appeared at a specific point in time.
  • Versions of a file are created with copy-on-write (cow) of blocks.
  • Snapshots are addressed with an epoch number that corresponds to a system time (gettimeofday).

25
Securing our COW file system
  • Challenges
      • How to encrypt files that share blocks between versions.
      • How to change permissions such that a user who had access to a file in the past is not able to access current versions.
      • Securely deleting files such that they are no longer able to be subpoenaed.

26
Conclusions
  • New legislation requires versioning, security and privacy
  • Versioning must be fast?
  • AON encryption allows for secure deletion with minimal secure overwriting
      • More efficient than securely overwriting noncontiguous data blocks
      • Does not increase key overhead