Post on 11-Mar-2018
Background Startup kit First steps Key derivation Last steps Implementation Analysis libfvde
Security Analysis and Decryption of FileVault 2
IFIP WG 11.9
Omar Choudary Felix Grobert Joachim Metz
29 January 2013
Omar Choudary, Felix Grobert, Joachim Metz Security Analysis and Decryption of FileVault 2 Slide 1
FileVault 2
Goals and Motivations
Goals
Reverse engineer and analyse FileVault 2
Develop our own tool to read encrypted volumes
Motivations
Need to know if secure
Use in forensic investigations
Cannot trust OS if compromised
Interoperability, need to access files remotely
Full Disk Encryption
Need to encrypt all data
Encryption requires a key that must be stored or derived somehow
Practical requirement to encrypt disk sectors independently for fast access
AES-XTS: tweakable encryption
[Figure: AES-XTS block diagram. Labels: i, AES-enc (Key_2), a^j, T, P, PP, AES-enc (Key_1), CC, C]
Uses AES-ECB
2 keys
volume key (key 1)
tweak key (key 2)
tweak value per sector (modified per AES block)
Tools
GDB
IDA Pro
3 MacBooks
The Sleuth Kit
Structure analysis
[Figure: layout of the entire disc. Labels: GPT header, Recovery HD (HFS Plus), Macintosh HD (CoreStorage), ... others, Encrypted plist, CS Header, Encrypted Volume, Encrypted Metadata, Disk Label Metadata]
The quest
What are the key derivation mechanisms?
How is the data encrypted?
General volume encryption architecture
[Figure: general volume encryption architecture. Labels: Encrypted volume, encrypted volume metadata, encrypted key blob, intermediary key, key derivation, full volume master key, decrypt, Decrypted volume]
EncryptedRoot.plist file
File encrypted with AES-XTS using key from volume header
Data for different users (including recovery key)
Key encryption key (KEK) and volume key encrypted structures
Unknown algorithms (found by reverse engineering)
PBKDF2
Output keys of arbitrary lengths from any text
Slows brute-force attacks on passwords by iterating the hash
3 parameters: iterations, salt, password
Option of PRF (e.g. HMAC-SHA256)
Used in FileVault 2 to derive a KEK from user password or recovery key
salt and iterations: given in EncryptedRoot.plist
AESWrap
Used to encrypt a key with another key
Based on AES
Needs IV, useful to verify correct decryption
Used in FileVault 2 to decrypt volume KEK and volume key
FileVault 2 key derivation overview
[Figure: FileVault 2 key derivation overview. Labels: Header of CoreStorage Volume; EncryptedRoot.plist.wipekey file on Recovery Volume; AES-XTS; EncryptedRoot.plist; password entry; byte salt; PBKDF2 (SHA); Recovery Key; FileVaultMaster Private Key; RSA PKCS Encrypted KEK Blob; PassphraseWrappedKEK; KeyWrappedKEK; RFC key unwrapping (three times); KEK; KEKWrappedVolumeKey; VolumeKey; Key Encryption Keys]
Tweak key?
[Figure: the AES-XTS block diagram again, with a question mark. Labels: i, AES-enc (Key_2), a^j, T, P, PP, AES-enc (Key_1), CC, C, ?]
Searching the tweak key
Looking at HFS+ metadata (misleading, found/fixed bug)
Searching metadata
Chasing encryption via GDB (no luck, found many unknown keys)
Comparing memory with disk data (found encryption parameters, not our key)
Finally found using IDA Pro (difficult due to C++)
Computing the tweak key
Get volume key
Find metadata blocks and decrypt some blocks which are encrypted
Obtain logical volume family (lvf) UUID
Compute the tweak key as follows:
tweak key = trunc128(SHA256(volume key | lvf UUID))
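Added example (not from the slides and not libfvde code): the steps of the chain that need no AES, in standard-library Python, covering the PBKDF2 step, the tweak key formula above, and the a^j tweak progression from the AES-XTS slide. The function names, the UTF-8 password encoding, the 16-byte PBKDF2 output, the raw-byte UUID encoding and the 512-byte sector size are assumptions; key unwrapping and AES itself are left out because the standard library has no AES.

```python
import hashlib
import uuid

def passphrase_key(password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 of the password or recovery key. salt and iterations
    come from EncryptedRoot.plist; UTF-8 and dklen=16 are assumptions."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt, iterations, dklen=16)

def tweak_key(volume_key: bytes, lvf_uuid: str) -> bytes:
    """trunc128(SHA256(volume key | lvf UUID)). Assumption: the UUID is
    appended as its 16 raw bytes, in the order the hex digits are printed."""
    data = volume_key + uuid.UUID(lvf_uuid).bytes
    return hashlib.sha256(data).digest()[:16]

def sector_block(sector: int) -> bytes:
    """The block i that XTS encrypts under Key_2 to get the first tweak T:
    the sector number as a 128-bit little-endian integer."""
    return sector.to_bytes(16, "little")

def next_tweak(t: bytes) -> bytes:
    """T * a in GF(2^128), reduced by x^128 + x^7 + x^2 + x + 1 (0x87)."""
    n = int.from_bytes(t, "little") << 1
    if n >> 128:                      # bit shifted out of the top: reduce
        n = (n & ((1 << 128) - 1)) ^ 0x87
    return n.to_bytes(16, "little")

def sector_tweaks(t0: bytes, sector_size: int = 512) -> list:
    """One tweak per 16-byte AES block of a sector: T, T*a, T*a^2, ...
    The 512-byte default is an assumption, not a value from the slides."""
    tweaks = [t0]
    while len(tweaks) < sector_size // 16:
        tweaks.append(next_tweak(tweaks[-1]))
    return tweaks

if __name__ == "__main__":
    # Constructed sample values, not taken from a real volume.
    kek_input = passphrase_key("correct horse", bytes(16), 1000)
    key2 = tweak_key(bytes(range(16)), "11111111-2222-3333-4444-555555555555")
    print("PBKDF2 output:", kek_input.hex())
    print("tweak key    :", key2.hex())
    # Stand-in for AES-enc(Key_2, i): the stdlib has no AES, so the raw
    # sector block is used here only to show the per-block progression.
    for j, t in enumerate(sector_tweaks(sector_block(7))[:3]):
        print(f"T*a^{j}:", t.hex())
```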
FileVault 2 Overview
[Figure: FileVault 2 overview. Labels: Entire disc: GPT header, Recovery HD (HFS Plus), Macintosh HD (CoreStorage), ... others; Encrypted plist, CS Header, Encrypted Volume, Encrypted Metadata, Disk Label Metadata; AES Key 1, PV UUID, AES-XTS, Decrypted plist; password OR recovery key OR private key; Key derivation; Volume master key; LV FAMILY UUID, SHA-256, Volume tweak key; AES-XTS; Decrypted Volume (HFSPlus)]
Volume layout
[Figure: CoreStorage volume sections. Labels: header section, plaintext section, end section, zoom in sections, end of disk metadata, encrypted metadata, header block, backup header]
Random number generator
Used for derivation of recovery key (and possibly other keys)
Randomness taken from /dev/random
Performed detailed analysis and seems OK (see paper)
libfvde
Open source tool to decrypt and mount CoreStorage volumes
Available at Google code: http://code.google.com/p/libfvde/
Ongoing investigation for the more general CoreStorage format and how to handle partially encrypted disks
Questions?
Omar Choudary: omar.choudary@cl.cam.ac.uk
Felix Grobert: felix@groebert.org
Joachim Metz: joachim.metz@gmail.com
Additional Material
How to use the AES block cipher?
Straight AES-CBC is not suitable
Random IV in metadata does not allow independent sector encryption
Constant IV poses problems of watermarking data
Sector-based IV is better
Tweakable encryption is the best option now
Other issues with FileVault 2
Keys can be extracted from memory, so cold boot attacks possible
Even the good password derivation mechanism does not protect against very bad passwords
How to use libfvde
Get EncryptedRoot.plist.wipekey file (e.g. via mmls/fls/icat)
Then run the tool to mount the volume or image:
fvdemount -e EncryptedRoot.plist.wipekey -r 35AJ-AC98-TI1H-N4M3-HDUQ-UQFG /dev/sda2 /mnt/fvdevolume/
Finally mount the underlying HFS+ file system:
mount -o loop,ro /mnt/fvdevolume/fvde1 /mnt/hfs_file_system