Gracewipe: Secure and Verifiable Deletion under Coercion
Download: Paper (PDF)
Date: 8 Feb 2015
Document Type: Briefing Papers
Additional Documents: Slides
Associated Event: NDSS Symposium 2015
Abstract:
For users in possession of password-protected encrypted data in persistent storage (i.e., ‘data at rest’), an obvious problem is that the password may be extracted by an adversary through dictionary attacks or by coercing the user. Techniques such as multi-level hidden volumes with plausible deniability, or software/hardware-based full disk encryption (FDE) cannot adequately address such an attacker. For these threats, making data verifiably inaccessible in a quick fashion may be the preferred choice, specifically for users such as government/corporate agents, journalists, and human rights activists with highly confidential secrets, when caught and interrogated in a hostile territory. Using secure storage on a Trusted Platform Module (TPM) and modern CPU’s trusted execution mode (e.g., Intel TXT), we design Gracewipe to enable secure and verifiable deletion of encryption keys through a special deletion password. An attacker cannot distinguish between a deletion and real password. He can guess the real password to unlock the target encryption key only through the valid Gracewipe environment; guessing the deletion password will trigger deletion of the real key. When coerced, a user can fake compliance, and enter the deletion password; and then the user can prove to the attacker that Gracewipe has been executed and the real key is no longer available (through a TPM quote), hoping that a reasonable adversary then will find no reason to keep holding the victim, and may even release her. We implement two prototypes of Gracewipe: software-based FDE system with plausible deniability (using TrueCrypt with hidden volume), hardware-based FDE (using a Seagate self-encrypting drive (SED)). Our choice of booting Windows at the end of a Gracewipe session (for the possibility of immediate adoption), poses some unique challenges. Through the design and prototypes of Gracewipe, we hope to raise awareness of a special but critical use-case of FDE systems.