webinos secure storage: a cross-platform dilemma.

Encrypted storage for sensitive data and credentials is an obvious requirement for any system with pretences towards being secure. As part of the webinos project, we have been thinking about solutions to this problem which work across multiple platforms.

As a brief recap: the webinos project aims to design and deliver an open source web runtime for four types of device: smartphones, media centres, PCs and in-car computers.  It will provide a set of standard JavaScript APIs for accessing device features from web applications, as well as synchronising data and providing a “seamless” end user experience.  We’re working on it with over 20 other companies and are primarily researching the security and privacy aspects of the system.  More details are available on our website: http://www.cs.ox.ac.uk/projects/webinos/

In webinos we think we have (at least) the following data to protect:

  • Application data.  Web applications can store data using HTML5 web storage.  While we can’t be sure what each application will store, following a “secure by default” principle would imply that we encrypt all application data unless told otherwise.  In some scenarios, there may be performance reasons why this is not a good idea.
  • XACML access control policy rule files.  Webinos access control is managed through XACML policies, stored as files on the system.  The biggest threat is that these could be modified to grant a malicious party access to device capabilities.  In addition, they may be confidential too, for privacy reasons: one might be uncomfortable with the whole world knowing to whom you’ve given access to your home computer, for example.  This is perhaps of secondary importance to integrity.
  • Credentials.  The webinos platform (and webinos applications) want to access online services.  Doing so requires credentials, and webinos (like a browser) will need to save some of these credentials to avoid tedious re-entry of usernames and passwords.  The confidentiality of these stored credentials is paramount.
  • Lists of trusted (and untrusted) user identities.  Much like policies, user identities must be protected from modification (an application should not be able to replace Bob’s public key with Ivan’s) but are also private.  Revealing trust relations may violate user privacy expectations.
  • Context data.  This is perhaps the most interesting.  The webinos platform will (optionally) collect information about what actions you have performed, what applications you have used, and your wider environment.  This is intended to enhance the user experience, but will also result in a large amount of private information which must remain confidential.  The challenge with context data is that it must be stored rapidly and searched quickly, or it becomes significantly less useful.  Encryption of this data is likely to add an unreasonable performance and battery-life cost.

Given this range of objects to protect, what specific attacks are we most worried about?  For one, we want to protect end users should they lose their devices or have them stolen.  A thief (perhaps part of a larger organised crime syndicate) should not be able to access user data or perform subsequent identity theft or social engineering based attacks.  On some operating systems we might get this for free, but on others we do not.  Another concern is malware: should a malicious application run on webinos (or on the OS hosting webinos) it should not gain access to user data or credentials.  Encrypted storage may not be enough here: if the key is available to every process on the device, malware can simply use it, so key management and authentication are necessary.  Finally, we have to worry about recovery of encrypted data should passwords or keys be lost, about backups, and about migration of data between devices.

As well as security requirements, we have some technical ones.  Whatever solution we come up with, it has to work across all devices, and it would make sense for encrypted data items to be portable.  As mentioned earlier, performance on mobile devices is also particularly important, as encryption can have a big impact on battery life.  The project is also limited in what it can do: it can’t control the operating system or insist that every device has a secure token or TPM installed.  As no cross-platform, portable secure storage solution currently exists, these technical challenges are clearly significant.

There are a number of implementation options, and NIST have published an overview of recommendations for secure storage on end user devices (Special Publication 800-111), which goes through the main alternatives: full disk encryption, where every file is protected either through a self-encrypting drive or some pre-boot software; virtual disk encryption; volume encryption; and individual file/folder encryption.  Inevitably, a hybrid is required for webinos.  Full disk encryption does not provide much protection against malware, since anything running on the unlocked system sees plaintext, and is unlikely to exist on every device.  Volume encryption also tends to be platform specific, and is equally unlikely to protect against malware.  Virtual disk encryption (where a filesystem is encrypted into a single encrypted file) can be more portable, but can have poor performance.  File/folder encryption may allow for more selective policies on encryption, but is also harder to make available to all parts of the system.

For webinos, we probably want a mixture of options, but cross-platform requirements limit what is practical.  Where available, we intend to take advantage of existing device capabilities, such as key storage (e.g. the Android KeyStore), secure elements and encrypted drives.  However, each device category has a slightly different protection profile.  Mobile operating systems seem to do a good job of isolating applications and storage, making malware less of an issue.  Add to this the fact that mobile devices are more prone to theft and loss, and an encrypted drive seems like the best solution, assuming the performance is adequate.  On PC, application-specific encryption might work best to protect data from malware, as OS level application-specific access control rules are seldom implemented.  Home media centres and cars may have different requirements altogether.  What is abundantly clear is that what started out as a fairly simple requirement — protect data at rest — has become a significant challenge already, and that’s before backups and recovery are considered.

The savvy reader will note that what I haven’t done in this post is explain what webinos will do to protect its storage.  That’s because the final result will inevitably require testing for performance and usability, and will be affected by technical constraints, such as the platform capabilities currently available.  Ultimately, this post does not have many answers, but has hopefully highlighted some of the issues in cross-platform secure storage, as well as providing an insight into the issues currently facing webinos researchers.
