Commit a3c8b4f6 authored by Xunnamius (Zara)'s avatar Xunnamius (Zara)

touchups; summary incoming

parent eb37860d
......@@ -84,12 +84,12 @@ The API is accessible at three levels:
control over the XORing process. This is useful for less flexible ciphers but
comes at the cost of increased implementation overhead.
\item \textbf{\texttt{read\_handle}} and \textbf{\texttt{write\_handle}}\\
operates at a coarse-grain level tightly integrated with SwitchCrypt
\item \textbf{\texttt{read\_data}} and \textbf{\texttt{write\_data}}\\
These operate at a coarse-grain level tightly integrated with SwitchCrypt
internals. Implementations are expected to handle all stages of cipher
switching manually. Unlike the other two levels, encryption and decryption
are distinct concerns. \texttt{read\_handle} handles decryption during reads.
\texttt{write\_handle} handles encryption during writes. In exchange for
are distinct concerns. \texttt{read\_data} handles decryption during reads.
\texttt{write\_data} handles encryption during writes. In exchange for
maximum flexibility, there is significant implementation overhead with this
approach.
\end{enumerate}
......@@ -130,8 +130,8 @@ Determining \emph{when} to target a nugget for re-ciphering we call
\emph{temporal switching}, for which we propose the \emph{Forward} switching
strategy. Determining \emph{where}---in which storage region and across which
nuggets--to output ciphertext we call \emph{spatial switching}, for which we
propose the \emph{Mirrored} and \emph{Selective} switching strategies.\\
\\
propose the \emph{Mirrored} and \emph{Selective} switching strategies.
\textbf{A) Forward Switching Strategy.} When a nugget is encountered during I/O
that is encrypted using a cipher other than the active cipher, the Forward
strategy dictates that this nugget be re-ciphered immediately. If a particular
......@@ -144,8 +144,8 @@ Rather than re-cipher the entire backing store every time the active cipher
configuration changes, this strategy limits the performance impact of cipher
switching to individual nuggets. The expense of re-ciphering is paid only once,
after which the nugget is accessed normally during I/O until the active cipher
configuration is switched again.\\
\\
configuration is switched again.
\PUNT{There are several forms the Forward strategy might take. The default and
most intuitive is \emph{0-forward}, in which SwitchCrypt immediately transitions
individual nuggets encountered during I/O to the active cipher configuration if
......@@ -184,8 +184,8 @@ them as distinct virtual drives or even reading/writing bytes to different
security regions on the same drive.
Regions of the backing store will not be in a consistent state and will likely
contain different data.\\
\\
contain different data.
\textbf{C) Mirrored Switching Strategy.} Similar to the Selective strategy, when
SwitchCrypt is initialized with the Mirrored strategy, the backing store is
partitioned into $C$ regions where $C$ represents the maximum number of ciphers;
......@@ -223,7 +223,7 @@ share the same data.
\tblref{strategies-advantages} summarizes the tradeoffs between the three cipher
switching strategies.
\textbf{Convergence:} Depending on the use case, the ability to quickly converge
\textbf{Convergence.} Depending on the use case, the ability to quickly converge
the entire backing store to a single cipher configuration without losing data is
very useful (see: \secref{usecases}). The near-instantaneous nature of SSD
Instant Secure Erase (ISE) implementations on modern SSDs~\cite{ISE1,ISE2,ISE3}
......@@ -234,7 +234,7 @@ to converge since entire regions of nuggets must be re-ciphered to prevent data
loss; those regions can be destroyed with ISE too, which would be very fast, but
unlike Mirrored the data would be lost forever, which is rarely desirable.
\textbf{``Waste'':} Unlike the other two strategies, using the Forward strategy
\textbf{``Waste''.} Unlike the other two strategies, using the Forward strategy
does not dramatically reduce the total usable space on the drive by the
end-user. This is because the Forward strategy allows differently-ciphered
nuggets to co-exist contiguously on the backing store. Since the Mirrored and
......@@ -242,7 +242,7 @@ Selective strategies require partitioning the backing store into some number of
regions---where the writeable size reported back to the OS is some function of
region size---there is a necessary reduction in usable space.
\textbf{Performance:} The Selective and Mirrored strategies can read data from
\textbf{Performance.} The Selective and Mirrored strategies can read data from
the backing store with low overhead, reaching performance parity with prior
work. This is because switching ciphers using these strategies amounts to
offsetting the read index so it lands in the proper region, which has little
......@@ -326,18 +326,18 @@ parameters~\cite{random-output1,Freestyle,random-output2} (normally an
unacceptable confidentiality-breaking overwrite condition), and on there being
penalties for supplying the wrong key when attempting to decrypt (\ie{an
attacker should have to do more work than the
defender})~\cite{scrypt,Freestyle,others2}.\\
\\
defender})~\cite{scrypt,Freestyle,others2}.
\textbf{1) Output randomization (OR).} A cipher with output randomization
generates different ciphertexts non-deterministically given the same key, nonce,
and message. This makes chosen-ciphertext (CCA) and other attacks where the
ciphertext is in full control of the adversary much more difficult.
generates different ciphertexts non-\\deterministically given the same key,
nonce, and message. This makes chosen-ciphertext (CCA) and other attacks where
the ciphertext is in full control of the adversary much more difficult.
This is a binary feature in that a cipher either outputs deterministically given
the same input or it does not. A cipher with non-deterministic output given the
same key, nonce, and message as inputs scores a 1 for this feature while a
cipher with deterministic output given the same input scores a 0.\\
\\
cipher with deterministic output given the same input scores a 0.
\textbf{2) Resistance to brute force and offline/dictionary attacks (RBF).} We
narrowly define ``standard resistance'' versus brute-force and
offline/dictionary attacks with respect to the time taken to finish decrypting
......@@ -351,8 +351,8 @@ correct key with high probability.
Scores for this feature range from 0 to 1, where 0 represents no resistance, 0.5
is standard resistance to brute-force and offline/dictionary attacks, and 1 is
the aforementioned ``enhanced resistance''.\\
\\
the aforementioned ``enhanced resistance''.
\textbf{3) Relative round count and key length (RR/RK).} The ciphers we examine
in this research are all constructed around the notion of \emph{rounds}, where a
higher number of rounds typically implies a stronger confidentiality guarantee
......
......@@ -45,10 +45,8 @@ initially rather than have the backing store consist of all zeroes. This is a
one-time cost paid during initialization and has no tangible effect on
performance. SSDs that support ISE can accomplish this with minimal wear.}
\subsection{Freestyle Configurations}
As Freestyle is highly configurable, we implement it in three different
configurations: a ``fast'' mode with parameters
Finally, as the Freestyle cipher is highly configurable, we implement it in
three different configurations: a ``fast'' mode with parameters
\\\texttt{FreestyleFast($R_{min}$=$8$, $R_{max}$=$20$, $H_I$=$4$, $I_C$=$8$)}, a
``balanced'' mode with parameters \texttt{FreestyleBalanced($R_{min}$=$12$,
$R_{max}$=$28$, $H_I$=$2$, $I_C$=$10$)}, and a ``secure'' mode with parameters
......@@ -73,7 +71,8 @@ which area of the backing store receives I/O.
In the case of Forward switching, it is tempting to implement it such that a
nugget is completely re-ciphered during I/O every time its metadata indicates
that it was previously encrypted using a non-active cipher. However, such a
naive implementation can have disastrous effects on performance. \TODO{It is not clear why that would be disastrous.}
naive implementation can have disastrous effects on performance. \TODO{It is not
clear why that would be disastrous.}
First, a nugget is considered \emph{pristine} if it has not had any data written
into it yet. SwitchCrypt determines if a nugget is pristine by checking the
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment