中文 English

The Methods Of Memory Encryption To Protect Data In Use

The cipher algorithms and modes that can be used to protect data stored in and accessed from memory.

popularity

In my blog “The Importance of Memory Encryption for Protecting Data in Use,” I discussed the growing industry consensus on the imperative of incorporating memory encryption in computing architectures. In part two of this series, I’ll explore the cipher algorithms and modes that can be used to protect data stored in and accessed from memory, or in other words, used to protect data in use.

Memory encryption technology must ensure confidentially of the data. If a “lightweight” algorithm is used, there are no guarantees the data will be protected from mathematic cryptanalysts given that the amount of data used in memory encryption is typically huge. Well known, proven algorithms are either the NIST approved AES or OSCAA approved SM4 algorithms.

The recommended key-length is also an important aspect defining the security strength. AES offers 128, 192 or 256-bit security, and SM4 offers 128-bit security. Advanced memory encryption technologies also involve integrity and protocol level anti-replay techniques for high-end use-cases. Proven hash algorithms like SHA-2, SHA-3, SM3, or (AES-)GHASH can be used for integrity protection purpose.

Once one or more of the cipher algorithms are selected, the choice of secure modes of operation must be made. Block Cipher algorithms need to be used in certain specific modes to encrypt bulk data larger than a single block of just 128 bits.

XTS mode, which stands for “XEX (Xor-Encrypt-Xor) with tweak and CTS (Cipher Text Stealing)” mode (yes, it’s an acronym of acronyms) has been widely adopted for disk encryption. CTS is a clever technique which ensures the number of bytes in the encrypted payload is the same as the number of bytes in the plaintext payload. This is particularly important in storage to ensure the encrypted payload can fit in the same location as would the unencrypted version.

Technologies like BitBlocker for Microsoft Windows, FBE (File Based Encryption) on Android, or FileVault for Apple use AES-XTS to protect data from leaking even when the device is physically stolen from its owners. XTS mode has been proven able to secure large randomly addressable and frequently updated memory in storage media (data at rest).

In addition to disk encryption, XTS also provides a very good means of encrypting system memories. It has been used in Intel TME/MKTME (Total Memory Encryption/Multiple Key TME) technologies, and it is also compatible with the Arm CCA standard requirement for memory encryption.

In modern CPUs, most of the read/write operations are from/to the LLC (Last Level Cache). Access to DRAM is handled in 32-Byte or 64-Byte blocks. Thus, in most cases, padding and CTS mode (which are required for data that is not an exact multiple of the block cipher block size, most often 128 bits) are not required, which means the XEX mode could handle memory encryption most of the time.

XTS/XEX mode uses multiple keys (e.g. Key1 and Key2). Memory systems will have different blocks of data processed together, much like in a disk storage system. Memory typically uses a “paging system.” Memory locations in a page would have identical access permissions and possibly the same keys for encryption.

To ensure that each of the sectors in a page is processed differently, the XTS mode uses two keys, one key for block encryption, and another key to process a “tweak.” The tweak ensures every block of memory is encrypted differently. Any changes in the plaintext result in a complete change of the ciphertext. With this implementation, an attacker cannot obtain any information about the plaintext. The “known-plaintext-attack” or flip-bit attack cannot be applied to systems protected with the XEX/XTS mode.

As a leading provider of security IP, at Rambus we are experts in helping SoC and FPGA makers deploy memory encryption technology in their products. In the final blog in this series, I’ll cover the design and implementation challenges for the instantiation of memory encryption in processor and accelerator chips.

Additional resources:



Leave a Reply


(Note: This name will be displayed publicly)