
JOURNAL OF INFORMATION SCIENCE AND ENGINEERING 27, 933-952 (2011)

933

Secure Data Deletion for USB Flash Memory*

BYUNGHEE LEE, KYUNGHO SON, DONGHO WON AND SEUNGJOO KIM+

Information Security Group, Sungkyunkwan University, Gyeonggi-do, 440-746 Korea
E-mail: {bhlee; khson; dhwon}@security.re.kr

+Center for Information Security Technologies, Korea University, Seoul, 136-713 Korea
E-mail: [email protected]

People commonly use USB flash memory because of its convenience and portability. It stores various data such as documents, pictures, certificates, and private data (e.g., passwords, account numbers). These data, especially private data, should not be revealed to the outside. However, even when the stored data is deleted, it can be recovered using data recovery programs. To prevent this problem, various techniques have been proposed. In this paper, we review previous methods and analyze their security. We then propose a secure deletion method that requires only one write or erase operation. Our benchmark study shows that the proposed method satisfies government agencies' requirements for secure deletion and performs better than the previous methods. The main contribution of this paper is two-fold: (1) we show that our method satisfies the government's recommendations for secure data deletion and (2) our proposed method has better performance than the previously proposed methods because only one write or write-then-erase operation is performed.

Keywords: flash memory, file recovery, forensic, sanitize, wiping, secure delete

1. INTRODUCTION

Information Technology (IT) and its increasing prevalence have impacted human life radically in the last few decades. People regularly use various electronic products even if they are not IT experts. One such device is USB flash memory, a mass storage device. This portable device is commonly used because people can carry large files within a small device. However, a downside is that, due to its small size, it is easily lost. When a user loses his/her flash memory where confidential data is stored, the data can be exposed to and abused by a third person. To prevent these weaknesses, vendors are developing various security functions to secure and protect stored data.

In this paper, we analyze various secure deletion methods for flash memory and review each government agency's recommendations for deleting data securely so that it can no longer be recovered. We then show that the previously proposed methods do not meet the government's recommendations and cannot securely delete data. To overcome these problems, we propose a method that addresses these weaknesses and show that the proposed method performs better than the previous methods. To the best of our knowledge, the proposed method is novel and satisfies the government's recommendations for deleting data securely from flash memory.

Received October 9, 2009; revised July 19 & September 6, 2010; accepted October 25, 2010.
Communicated by Tei-Wei Kuo.
* This work was supported by the IT R&D program of MKE, Korea [Development of Privacy Enhancing Cryptography on Ubiquitous Computing Environment] and also supported by the MKE (Ministry of Knowledge Economy), Korea, under the ITRC (Information Technology Research Center) support program supervised by the NIPA (National IT Industry Promotion Agency) (NIPA-2010-(C1090-1031-0005)).
+ Corresponding author.

The rest of this paper is organized as follows. The next section surveys related work. In section 3, we describe the security analysis of the previous methods. Following that section, we propose a secure deletion method. We then compare our method with the previous deletion methods in section 5, and the paper concludes with a brief summary in section 6.

2. RELATED WORKS

2.1 Flash Memory

Flash memory is non-volatile storage media that can be erased and reprogrammed electrically. It is commonly used in memory cards, USB flash drives, and SSDs. Flash memory does not need power to maintain stored information and has better shock resistance than a hard disk. Thanks to these advantages, the popularity of flash memory has increased steadily.

There are two types of flash memory, NOR and NAND. The differences between NOR and NAND flash memory are shown in Table 1 [1-3]. NAND flash memory allows only page access, and read/write operations are performed in page units, while NOR flash memory allows random access, and data can be read/written in byte or word units. Thus, pages do not exist in NOR flash memory.

Table 1. Differences between NOR and NAND.

                      NOR                  NAND
Write Unit            Byte or Word         Page
Erase Unit            Block                Block
Page Size             −                    4 KB (typically)
# of Pages per Block  −                    32 (typically)
Block Size            64 KB (typically)    128 KB (typically)
Block Endurance       10^4-10^5 times      10^4-10^6 times

Programs stored in NOR flash memory can be executed directly from it without first being copied to Random Access Memory (RAM), so NOR flash memory is primarily used to hold and execute firmware. NAND flash memory, on the other hand, has a faster write speed and larger storage capacity than NOR flash memory, so it is mainly used in data storage devices such as USB flash memory, memory cards, etc.

In addition to these features, there are two variants of flash memory, SLC (Single Level Cell) and MLC (Multi Level Cell), according to the number of data bits stored per cell. That is, SLC flash memory stores one bit per cell, while MLC flash memory stores multiple bits. Although SLC flash memory has some advantages such as reliability and read speed, most flash-based storage uses MLC flash memory due to cost.


Throughout this paper, we only consider MLC NAND flash memory because most storage devices such as USB flash memory use NAND flash memory.

2.2 Secure Deletion

Recently, the study of computer forensics has come into the spotlight. In particular, secure deletion from a storage medium is one of the most attractive research areas. Indeed, secure deletion on HDD has been researched for a long time and various methods have been developed.

P. Gutmann [4] proposed a technique that takes 35 synchronous passes over data to degauss the magnetic media. The technique proposed in [4] has been implemented in user-level tools and in a Linux file system [5]. In addition to the overwrite method, there are methods that modify the file system to support secure deletion. N. Joukov [6] designed Purgefs, a file system extension that transparently overwrites files on a per-delete basis. Purgefs can be automatically added to most existing file systems such as the Ext2, vfat, msdosfs, ramfs, NFS, and Base0fs file systems. With this portability and transparency, users can conveniently delete data. Furthermore, in [7], a file system is modified to encrypt data on a disk, and data can be securely deleted by deleting the corresponding encryption key. In addition to these works, [8] deals with how and where some files are created and how to securely remove them from a system. The main focus of [8] is Microsoft Windows operating systems, and the paper shows various application programs that delete files securely. Reference [9] surveys methods to delete digital data and cites an increase in lawsuits and news reports on unauthorized disclosures due to a poor understanding of data longevity and a lack of secure deletion tools.

In addition to the aforementioned papers, many systems for secure deletion on HDD are patented. Most of these patents are based on overwriting. References [10-12] develop systems and methods for the secure erasing of files by overwriting. Furthermore, [13] applies for a patent on a Graphical User Interface (GUI) that allows the user to trigger and set parameters for the secure data file erasure process. With the GUI, users can set the number of overwrites, patterns, etc. and easily delete data stored on the storage medium.

With the increasing usage of flash memory, concerns about secure deletion on flash memory have also increased. However, because an erase operation can be performed only about 10^4-10^6 times on each block of flash memory [14], techniques that are usually used on HDD are not applicable to flash memory. Because of these limitations, there are few existing methods for secure deletion from flash memory.

So far, two secure deletion methods for flash memory have been proposed, both in 2008. The first method overwrites the entire data of a file [15]. The second one encrypts the file data and uses the first method to securely delete the encryption key [16].

In the following section, we examine these two secure deletion methods for flash memory.

2.2.1 Hybrid method (Sun et al.’s method)

Sun et al. [15] proposed an adaptive hybrid scheme that combines zero overwriting and block erase. Fig. 1 shows the zero overwrite and block erase processes.


Fig. 1. Process of Sun et al.'s method: (a) zero overwrite process; (b) block erase process.

Zero overwrite is a deletion method that overwrites pages with 0x00 so that existing data is securely deleted. In contrast, block erase deletes all data stored on a block by performing an erase operation. If valid pages remain on the block, these pages must first be moved to another block, so additional read/write operations are necessary. The adaptive hybrid scheme proposed in [15] combines the above two methods to minimize the cost of the operation. Sun et al.'s method follows the steps shown below.

1. Search for a page to be deleted.
2. Check whether the cost of overwriting the deleted pages is cheaper than erasing the block that contains them. If the overwrite cost is cheaper than erasing the block, zero overwriting is performed as shown in Fig. 1 (a).
3. Otherwise, valid pages are copied to another block and block erase is applied to delete the data as shown in Fig. 1 (b).

The erase operation converts all bits in a block from '0' to '1', whereas the write operation selectively changes bits in a page from '1' to '0'. Due to this mechanism, in block erase, the block on which the erase operation was performed is filled with 0xFF. Furthermore, valid pages contained in the erased block are moved to another block beforehand to preserve the data stored on them.

In Sun et al.'s method, as described above, the deletion method is selected according to the number of deleted pages. In other words, if the cost of zero overwriting is less than that of block erase, zero overwriting is performed. On the other hand, if there are more deleted pages than valid pages in a block, overwriting is more efficient.

2.2.2 Encryption method (Lee et al.’s method)

In contrast to [15], Lee et al. [16] proposed a secure deletion method based on data encryption. Fig. 2 shows the process of data storing and deleting. Encryption keys are randomly generated, and data are encrypted using these encryption keys. The encryption keys of a specific file are stored on one block, as shown in Fig. 2 (a). Therefore, only one erase operation is needed to delete data securely. Fig. 2 (b) shows that during the deletion process, a specific file's key is deleted. Although the deleted file's data still remain in flash memory, the file data are encrypted and the decryption keys have already been deleted, so we can regard the deleted file as securely deleted.

Fig. 2. Process of Lee et al.'s method: (a) process of data storing in the encryption method; (b) process of data deletion in the encryption method.

The process below explains the deletion mechanism in Lee et al.'s method.

1. Search for a page that stores encryption keys of deleted data.
2. Check whether the block contains valid encryption keys other than the deleted keys. If valid encryption keys are stored, these keys are copied to another block.
3. Delete (erase) the block from which keys were copied in the previous step.

Furthermore, the block which stores a specific file's encryption key also holds that file's meta-data; thus, after the deletion, both the file encryption keys and all meta-data related to this file are securely removed.

3. SECURITY ANALYSIS

In this section, we analyze whether the previous methods meet the requirements for secure deletion.

In many file systems, when a specific file is deleted, only the file's meta-data are deleted. With this mechanism, the user sees that the file is deleted; however, the file actually remains on the storage medium until its space is occupied by other files. The remaining data on a storage medium can be easily recovered by data recovery programs such as EnCase [17] and FinalData [18]. To show the remaining data, we conducted an experiment. In this experiment, we used a SUM-LCB1, a SAMSUNG USB flash memory product, and FinalData.

Fig. 3. Files stored on USB flash memory.

Fig. 3 shows various files stored on the USB flash memory. When a user deletes all files stored on the device, all of the files disappear and, therefore, the user can check that every file has been deleted. However, as we already mentioned, deleted files can be recovered easily using data recovery programs.

Fig. 4 shows that deleted files can be recovered by using FinalData, among other data recovery programs.

Fig. 4. File recovery using FinalData.

As shown in Fig. 4, even though some recovered files do not have the correct file names, these files can be executed normally. Overall, these features can compromise the confidentiality of deleted files.


To solve these problems, wiping technology on HDD has been studied for many years. Table 2 describes the recommendations for secure data deletion from HDD given by various government agencies, and the corresponding algorithms.

Table 2. Data deletion methods on HDD [8].

Deletion method   Description
Single pass       Overwrites once with either 0x00, 0xff or pseudo-random data
DoD 5220.22-M     Step 1: Overwrites with a random single value. Step 2: Overwrites with the complement of that value. Step 3: Repeats steps 1-2 seven times.
NATO standard     Step 1: Overwrites with 0x00. Step 2: Overwrites with 0xff. Step 3: Repeats steps 1-2 six times.
NSA               Step 1: Overwrites with 0x00. Step 2: Overwrites with 0xff. Step 3: Repeats steps 1-2 seven times.

Table 3. Data deletion methods on flash memory.

Deletion method                                        Description
DoD 5220.22-M-Sup 1 (Feb. 1995) [19]                   Step 1: Erase all data. Step 2: Overwrite with a single character. Step 3: Overwrite with the complement of that value. Step 4: Overwrite with a random single character. Step 5: Check whether additional procedures are required.
DoD 5220.22-M (Jul. 1997) [20]                         Step 1: Overwrite with a single character. Step 2: Erase the overwritten areas.
NSA/CSS storage device declassification manual [21]    Step 1: Overwrite with a known unclassified pattern. Step 2: Verify that only the known pattern can be recovered by randomly re-reading.
Media Clearing, Purging, and Destruction [22]          Step 1: Erase all data. Step 2: Overwrite with pseudo-random values twice. Step 3: Overwrite with a known pattern. Step 4: Check whether additional procedures are required.

In flash memory, an erase operation can be performed only about 10^4-10^6 times on each block [14]. A block which has exceeded this predetermined number of erasures becomes a 'bad block'. Due to this characteristic, the overwriting method used on HDD is not applicable to flash memory, so each agency has announced the number of overwrites needed to delete data securely when it is stored on flash memory. Table 3 shows their respective recommendations.

Recently, besides the above recommendations, efficient secure deletion methods for flash memory have been proposed, as mentioned in section 2. Because an erase operation on flash memory is more expensive than read/write operations, [15, 16] have proposed efficient secure deletion methods.

The methods proposed in [15, 16], however, do not perform secure deletion according to the above recommendations. Each agency's recommendations include carrying out erase-then-overwrite operations or overwrite-then-erase operations at least once, except the NSA/CSS storage device declassification manual. Table 4 shows that the hybrid method and the encryption method cannot satisfy the secure deletion recommendations.

Table 4. Security analysis of previous methods.

Deletion method      Operation to delete data   Satisfaction of recommendations
Sun et al.'s method  Overwrite or Erase         X
Lee et al.'s method  Erase                      X

As shown in Table 4, Sun et al.'s method and Lee et al.'s method cannot satisfy the secure deletion recommendations. Even though zero overwriting, which is a part of Sun et al.'s method, satisfies the secure deletion recommendation of NSA/CSS, block erase, which is also a part of Sun et al.'s method, does not satisfy the recommendation; thus we can conclude that Sun et al.'s method cannot satisfy the requirement.

In this paper, we propose an improved method that satisfies the above recommendations and performs secure deletion on flash memory.

4. PROPOSED METHOD

In section 3, we examined the secure deletion recommendations that each agency has announced. Compared to these recommendations, as mentioned in section 3, the methods proposed by Sun et al. and Lee et al. are insecure in terms of the recommendations for secure file deletion. According to each agency's recommendations, erase-then-overwrite operations or overwrite-then-erase operations should be performed at least once, except in the NSA/CSS storage device declassification manual. In Sun et al.'s method and Lee et al.'s method, however, there is no overwriting, and only an erase operation is performed to securely delete files, except in the case of zero overwriting. Thus, the methods proposed by Sun et al. and Lee et al. do not satisfy the requirements for secure deletion. In addition to the overwrite operation, some agencies' recommendations may require additional steps. In particular, the NSA/CSS storage device declassification manual requires verifying what data was written by randomly re-reading. This step is a verification step, not a deletion step. For this reason, in this paper, we regard the verification step as a subsidiary step, not an essential step, for secure deletion.

The overall procedure of the proposed method is as follows.

• A File Encryption Key (FEK) is generated by calling CSPRNG().
• Before a file is stored, it is encrypted using the FEK. After file encryption is completed, the FEK is encrypted based on the user's password and stored in the header block.
• When the user wants to delete specific files, the proposed method only overwrites or erases the header block where the deleted file's encryption key is stored.

The proposed method is based on an encryption method. Namely, all data are encrypted and the encryption key for a specific file is stored on one block. However, it cannot be said that Lee et al.'s method proposed in [16] performs secure deletion, because it does not satisfy any agency's recommendations; the reason is described in detail in section 5. We propose an improved secure deletion method by adding an additional operation, which still has better efficiency than previous works.

In this section, we describe notations and the proposed method at some length.

4.1 Notation

The following notations are used throughout this paper.

• M: plaintext
• C: ciphertext
• ||: concatenation
• Hn(): cryptographic hash function applied n times.
• CSPRNG(): cryptographically secure pseudo-random number generator.
• FEKi: file encryption key for file i.
• MasterKey: password-derived key used to encrypt FEKi.
• EK(): encryption function of a symmetric cipher using a secret key K.
• IV: initialization vector.

4.2 Key Generation

As a first step, the FEK should be generated by applying a key generation function. For instance, a key is randomly generated using a random number generator (RNG) or pseudo-random number generator (PRNG). In particular, a PRNG with properties that make it suitable for use in cryptography is called a cryptographically secure pseudo-random number generator (CSPRNG). There are several CSPRNG standards such as ANSI X9.82 [23], NIST SP 800-90 [24] and PKCS#14 (under development) [25], etc. A key can also be created from a passphrase using a key generation algorithm, usually involving a cryptographic hash function such as SHA-1 [26]. To hinder brute-force attacks [27], the passphrase can be hashed multiple times using the algorithm in [28].

Recently, user authentication programs have been applied to many flash memory products such as USB memory, and password-based authentication is the most widely used of the various authentication measures. So, in our proposed method, we use two methods, CSPRNG and password-based authentication, to protect data using the user's password. The entire key generation process follows the steps below.

1. First, FEKi is generated by using CSPRNG and encrypted.

FEKi = CSPRNG()

All files are encrypted with keys which differ from file to file. Thus, whenever a file is created, the above function should be performed and file i should be encrypted using FEKi.


2. After FEKi has been generated, MasterKey should be generated as below.

MasterKey = Hn(user password)

This method is based on the key derivation functions in PKCS#5 (Password-based Cryptography Standard) [29]. Here, n is the total number of times the hash function is applied. By applying the hash function repeatedly, the cost of an exhaustive search for passwords (brute-force attack) is increased significantly. In [29], it is recommended that the hash function be applied at least 1000 times.

The FEKi generated in step 1 is then encrypted using MasterKey as follows:

E_MasterKey(FEKi)

The encrypted FEKi is stored on the header block. The entire key generation process is represented in Fig. 5.

Fig. 5. Key generation process.

The above technique is similar to the method applied in Windows DPAPI (Data Protection API) [30] and EFS (Encrypting File System) [31], except that several steps are added there. EFS is a file system feature that provides filesystem-level encryption in Windows XP Professional, Windows 2000, etc. The added steps are listed below.

• The user's private key is used to encrypt the FEK.
• The Masterkey is used to encrypt the user's private key.
• A password-derived key is used to encrypt the Masterkey.

Because the FEK is stored on flash memory in encrypted form, even if a third person who does not know the password obtains the flash memory, he cannot recover the plaintext from the ciphertext stored on it.


4.3 Data Store

1. A file should be encrypted before being stored into memory, using the FEKi generated in the key generation process. To encrypt a file, the file's data are separated into blocks.

File's data = M1||M2||M3|| … ||Mn

The block size differs between encryption algorithms. For instance, the DES algorithm [32] has a 64-bit block size, while the AES algorithm [33] has a 128-bit block size. Furthermore, a symmetric cipher has several modes of operation: ECB (Electronic codebook), CBC (Cipher-block chaining), CFB (Cipher feedback), OFB (Output feedback), CTR (Counter), etc.

Fig. 6. Data encryption process.

Among these modes, CBC has been the most commonly used. In BitLocker, which is included in Windows Vista and Windows 7, for instance, data is encrypted using AES-CBC [34]. Our proposed method also adopts CBC mode. By using one of the symmetric encryption algorithms in CBC mode, the file's data can be encrypted. The data encryption process is shown in Fig. 6.

2. Finally, the encryption key is stored on the header block and the encrypted data are stored on data blocks. The overall process of data storage is depicted in Fig. 7.

Fig. 7. Store process in the proposed method.


4.4 Data Deletion

Each FEKi occupies one page, and they are stored in one block. Because of these features, only one erase operation is required for secure deletion of one file. Besides the erase operation, our method overwrites the deleted block, so that we satisfy secure deletion according to the above recommendations. Fig. 8 shows our file deletion process.

To delete an encryption key securely, the proposed method follows the steps below.

Fig. 8. Deletion process in the proposed method: (a) overwriting process; (b) erasure process.

1. Search for the block that stores the FEKi of the deleted file i.
2. Overwrite the page where the deleted FEKi is stored with a known unclassified pattern (here, we use 0x00 as the pattern), as shown in Fig. 8 (a).
3. Check whether there are valid pages in that block. If there are valid pages that contain FEKs which are not to be deleted, the deletion process ends.
4. If there are no valid pages, erase that block, as shown in Fig. 8 (b).

In step 2, the page that contains the FEKi to be deleted is overwritten with 0x00. This overwriting can be performed through the WriteChunkToNAND() function provided by YAFFS [35], a file system designed to run on NAND flash memory. With this function, '1' bits stored in specific valid pages are converted to '0' bits, but not the reverse. Through this operation, our method meets the NSA/CSS recommendation among those listed above. Finally, in step 4, an erase operation is performed when there are no more valid pages.

Namely, the proposed method carries out an erase operation after the overwrite operation is executed. Therefore, the proposed method satisfies the requirement for secure deletion, because it satisfies the NSA/CSS and DoD 5220.22-M recommendations among those listed above.
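As an added illustration (not code from the paper or its authors), the following Python model ties together the NAND bit semantics of section 2.2.1 (erase sets every bit to 1, a write can only clear bits to 0), the key hierarchy of sections 4.2-4.3 and the four deletion steps of section 4.4. The page geometry, password, file contents, the single header block and the SHA-256 keystream standing in for AES-CBC are all constructed assumptions for the demo.

```python
import hashlib
import secrets

# Constructed demo geometry; real NAND pages are KB-sized and blocks hold 32+ pages (Table 1).
PAGE_SIZE = 64
PAGES_PER_BLOCK = 4
HASH_ROUNDS = 1000                 # PKCS#5 minimum cited in section 4.2
ZERO_PATTERN = bytes(PAGE_SIZE)    # the "known unclassified pattern" 0x00 of step 2


class Block:
    """One NAND block. erase() sets every bit to 1; program() can only clear bits 1 -> 0."""

    def __init__(self):
        self.pages = [bytearray(b"\xff" * PAGE_SIZE) for _ in range(PAGES_PER_BLOCK)]
        self.erase_count = 0

    def erase(self):
        self.pages = [bytearray(b"\xff" * PAGE_SIZE) for _ in range(PAGES_PER_BLOCK)]
        self.erase_count += 1

    def program(self, page_no, data):
        # A write can only turn 1 into 0, never 0 into 1: bitwise AND with the current contents.
        page = self.pages[page_no]
        for i, b in enumerate(data):
            page[i] &= b

    def free_page(self):
        # Only a page still in the erased state (all 0xFF) can take new data.
        for n, page in enumerate(self.pages):
            if all(b == 0xFF for b in page):
                return n
        return None


class Device:
    """Header block holds one wrapped FEK per page; ciphertext lives in data blocks."""

    def __init__(self):
        self.header = Block()
        self.data = {}    # file id -> (IV, ciphertext); stays on flash after deletion
        self.valid = {}   # file id -> header page number (the "valid pages" of section 4.4)


def derive_master_key(password, rounds=HASH_ROUNDS):
    """MasterKey = Hn(user password): SHA-256 iterated n times (assumed hash for the paper's Hn())."""
    h = password.encode()
    for _ in range(rounds):
        h = hashlib.sha256(h).digest()
    return h


def keystream_xor(key, iv, data):
    """Stand-in for EK() in the paper: a SHA-256 keystream in counter mode, not AES-CBC.
    Chosen only because the standard library has no block cipher; the deletion logic is unaffected."""
    out = bytearray()
    for ctr in range(0, len(data), 32):
        ks = hashlib.sha256(key + iv + ctr.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[ctr:ctr + 32], ks))
    return bytes(out)


def store_file(dev, password, file_id, plaintext):
    """Section 4.3: FEKi = CSPRNG(); C = E_FEKi(M); header page holds IV || E_MasterKey(FEKi)."""
    fek = secrets.token_bytes(32)                         # FEKi = CSPRNG()
    data_iv = secrets.token_bytes(16)
    dev.data[file_id] = (data_iv, keystream_xor(fek, data_iv, plaintext))
    key_iv = secrets.token_bytes(16)
    wrapped = keystream_xor(derive_master_key(password), key_iv, fek)
    page_no = dev.header.free_page()
    if page_no is None:
        raise RuntimeError("header block full; the demo keeps a single header block")
    dev.header.program(page_no, key_iv + wrapped)
    dev.valid[file_id] = page_no
    return page_no


def read_file(dev, password, file_id):
    """Unwrap FEKi from its header page and decrypt file i; None once the key page is gone."""
    page_no = dev.valid.get(file_id)
    if page_no is None:
        return None
    page = bytes(dev.header.pages[page_no])
    fek = keystream_xor(derive_master_key(password), page[:16], page[16:48])
    iv, ciphertext = dev.data[file_id]
    return keystream_xor(fek, iv, ciphertext)


def delete_file(dev, file_id):
    """Section 4.4, steps 1-4. Returns which flash operations were performed."""
    page_no = dev.valid.pop(file_id)                 # step 1: locate the page holding FEKi
    dev.header.program(page_no, ZERO_PATTERN)        # step 2: overwrite it with 0x00 (1 -> 0 only)
    if dev.valid:                                    # step 3: other valid FEK pages remain
        return "overwritten"
    dev.header.erase()                               # step 4: no valid pages left, erase the block
    return "overwritten+erased"


if __name__ == "__main__":
    dev = Device()
    store_file(dev, "demo-password", 1, b"quarterly report (constructed)")
    store_file(dev, "demo-password", 2, b"second file (constructed)")
    print(read_file(dev, "demo-password", 1))
    print(delete_file(dev, 1))   # file 2 still has a valid page, so only the overwrite happens
    print(delete_file(dev, 2))   # last valid page gone, so the block is erased
```

A page zeroed in step 2 can no longer be reprogrammed (no 0 to 1 transition), which is why the block must eventually be erased before it is reused, as section 5.1 notes.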


5. COMPARISON

In general, secure deletion takes a long time because overwrite or erase operations must be executed multiple times. To minimize the time, Sun et al. [15] and Lee et al. [16] have proposed methods to improve the efficiency of secure deletion. In this section, we compare our method with the methods proposed by Sun et al. and Lee et al. in terms of security and efficiency.

5.1 Security Comparison

In this section, we describe the security comparison in terms of the agencies' recommendations. Each agency's recommendations for securely deleting from flash memory are already described in Table 3. By analyzing each agency's recommendations, we find that each recommendation is a combination of four major steps: 'erase all data', 'overwrite with a known value', 'overwrite with the complement of that value', and 'overwrite with a random value' (see Table 5). Besides overwrite or erase operations, some recommendations contain a verification step. However, this step only confirms whether the overwritten data were written properly or whether additional steps are required. In other words, the verification step does not involve an operation related to data deletion itself; thus we regard the step as a subsidiary step, not an essential step, for secure deletion.

Based on Table 5, we examine why Sun et al.’s method and Lee et al.’s method cannot satisfy the requirements for secure deletion in detail.

Table 5. Step comparison among recommendations and methods.

                                              Agency's recommendations   The previous methods      Proposed
No  Step                                      [19]  [20]  [21]  [22]     [15]-1  [15]-2  [16]     method
1   Erase all data                            O     O     X     O        X       O       O        O
2   Overwrites with a known value             O     O     O     O        O       X       X        O
3   Overwrites with complement of that value  O     X     X     X        X       X       X        X
4   Overwrites with random value              O     X     X     O        X       X       X        X

[15]-1: Zero overwrite (Sun et al.'s method). [15]-2: Block erase (Sun et al.'s method). [16]: Lee et al.'s method.

It was already mentioned in section 2 that Sun et al.'s method consists of two parts: zero overwrite and block erase. However, as shown in Table 5, while zero overwriting satisfies the NSA/CSS recommendation [21], which requires only one overwrite, block erase performs the erase operation only once, and so it can be said that Sun et al.'s method cannot satisfy any requirements for secure deletion. Lee et al.'s method is similar to block erase. Therefore, as with block erase, Lee et al.'s method cannot satisfy any recommendations because only one erase operation is performed.

On the other hand, our method overwrites the page that contains the FEK of the file to be deleted. After this overwriting has been performed several times, when all pages of a block have been overwritten with the known value (0x00), the erase operation is executed so that the block may be reused. Eventually, our method performs both overwrite and erase operations, so it satisfies the deletion recommendations of NSA/CSS [21] and DoD 5220.22-M [20], which require overwrite-then-erase.

5.2 Efficiency Comparison

Besides the security comparison, we also discuss the efficiency of the above methods. Here, the efficiency comparison is described in terms of the number of deleted pages. For this comparison we assume the conditions below.

• Flash memory’s capacity is 512MB and the total number of blocks is 4,096 (= 512MB * 1,024/128KB) [2].
• Each block contains 32 pages [2].
• While read or write operations are performed in page units, erase operations are performed in block units.
• Read time (TR), write time (TW), and erase time (TE) are 30μs, 200μs, and 1800μs, respectively [2].
• Deleted pages are stored uniformly on multiple blocks. We assume that each block contains n deleted pages.

5.2.1 Number of overwrite operations

In Sun et al.’s method, zero overwrite performs a write operation on each deleted page. We assume that each block contains n deleted pages, and therefore the number of overwrite operations to be performed is n * Nblock, where Nblock is the number of blocks that contain deleted pages.

On the other hand, in our method the target to be deleted is the FEK, not the actual data, which may be stored on multiple pages. Since each file has one FEK and the FEK of a specific file is stored on a single page, deleting one file requires only one overwrite operation in our method.

5.2.2 Number of erase operations

An erase operation is performed when block erase or Lee et al.’s method is applied. In the case of block erase, the number of erase operations to be performed depends on the number of blocks that contain deleted pages. If the data to be deleted are stored on multiple blocks, the erase operation must be performed on each of those blocks, so the execution count of the erase operation increases linearly. For example, if 6 deleted pages are stored on 5 blocks, 5 erase operations must be performed.


Lee et al.’s method also uses an erase operation to delete the FEK. Because the FEK of a specific file is stored on one page, deleting one file requires just one erase operation on the block that includes that page in order to delete the encryption key.

Our method overwrites the page that stores the specific FEK with 0x00, so only one overwrite operation is performed on that page. When all pages of a given block contain only 0x00, an erase operation is performed on that block. Therefore, our proposed method entails only one erase operation.

5.2.3 Additional operations

In the case of block erase and Lee et al.’s method, a block that contains deleted pages may also contain valid pages. To preserve these valid pages, an additional operation is required prior to the erase operation. In other words, before the erase operation is performed, read/write operations must be performed to copy each valid page to another block.

We assumed that the number of deleted pages per block is n and that each block contains 32 pages. Based on these assumptions, in block erase there are (32 − n) valid pages that must be preserved. To preserve these pages, a read-then-write operation must be performed (32 − n) times per block.

However, in Lee et al.’s method the deleted page is only the single page that stores the FEK, so the read-then-write operation must be performed 31 times.

5.2.4 Execution time

In this section, we compare our method with the previous methods from the viewpoint of execution time. Figs. 9-11 show the cost of each method depending on the number of blocks and deleted pages.

Sun et al.’s method is a hybrid method that consists of zero overwrite and block erase. The execution time of each part is as follows.

Tzero_overwrite = (n * TW) * Nblock

Tblock_erase = {(32 – n) * (TR + TW) + TE} * Nblock

where Nblock is the number of blocks that contain deleted pages.

Fig. 9. Execution time of Sun et al.’s method.

Fig. 10. Execution time of Lee et al.’s method.


Fig. 11. Execution time of our method.

In zero overwrite, the deleted data occupy n pages per block and the execution time is (n * TW) per block. Therefore, the total execution time of zero overwrite is (n * TW) * Nblock. On the other hand, block erase has a different execution time. Before the erase operation, valid pages that contain data not to be deleted must be copied to another block to preserve them. To preserve (32 – n) valid pages, the read-then-write operation must be performed (32 – n) times. After the read-then-write operations, the erase operation is performed on that block. Therefore, the total execution time of block erase is {(32 – n) * (TR + TW) + TE} * Nblock.

Unlike Sun et al.’s method, Lee et al.’s method and our method only need to delete the one block or page that stores the FEK of the file, not the actual data, so only one erase or write operation is performed. Therefore, Lee et al.’s method and our method always have a constant cost regardless of the number of pages or blocks.

However, as mentioned in section 5.2.3, Lee et al.’s method has additional operations to preserve valid pages. These additional operations are the same as those of block erase, which is part of Sun et al.’s method, except that only one page is deleted. Therefore, the number of valid pages is 31 and the total execution time is 31 * (TR + TW) + TE.

Our method performs only a write or a write-then-erase operation, as mentioned in section 4.4. Thus, our method’s execution time is TW or TW + TE.

The execution time of Lee et al.’s method and our method is as follows.

TLee et al.’s_method = 31 * (TR + TW) + TE

Tour_method = TW or TW + TE

In Table 6, we summarize section 5, which compares our method with the previous methods.
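The operation counts of sections 5.2.1-5.2.3 and the closed-form execution times above can be checked against a small simulation of NAND blocks. The script below is an added worked example written for this page, not code from the paper; it assumes the paper’s parameters (32 pages per block, TR = 30 μs, TW = 200 μs, TE = 1800 μs, n deleted pages in each affected block), models each method as operations on a list of page states, counts reads, writes and erases, and compares the counted cost with the formulas of section 5.2.4. The function and variable names are hypothetical.

```python
"""Cost model for the secure-deletion methods compared in Section 5.2.

Added worked example (not the paper's code). It encodes the paper's assumptions
and counts the operations each method performs on a constructed flash image.
"""
from __future__ import annotations
from dataclasses import dataclass

PAGES_PER_BLOCK = 32            # assumption from Section 5.2 [2]
T_R, T_W, T_E = 30, 200, 1800   # read / write / erase time in microseconds [2]

ERASED, VALID, DELETED, ZERO = "erased", "valid", "deleted", "0x00"


@dataclass
class Counters:
    """Operation counts; time follows the paper's per-operation costs."""
    reads: int = 0
    writes: int = 0
    erases: int = 0

    def time_us(self) -> int:
        return self.reads * T_R + self.writes * T_W + self.erases * T_E


def make_flash(n_blocks: int, n_deleted_per_block: int) -> list[list[str]]:
    """Constructed sample flash: each block holds n stale pages, the rest valid."""
    return [[DELETED if p < n_deleted_per_block else VALID
             for p in range(PAGES_PER_BLOCK)] for _ in range(n_blocks)]


def zero_overwrite(flash: list[list[str]], c: Counters) -> None:
    """Sun et al. [15]-1: program every stale page to 0x00 (one write per page).
    Programming 0x00 over an already-programmed page needs no prior erase."""
    for block in flash:
        for i, state in enumerate(block):
            if state == DELETED:
                block[i] = ZERO
                c.writes += 1


def block_erase(flash: list[list[str]], c: Counters) -> None:
    """Sun et al. [15]-2: read-then-write each valid page into a spare block,
    then erase every block that holds a stale page."""
    for block in flash:
        if DELETED not in block:
            continue
        valid = [i for i, s in enumerate(block) if s == VALID]
        c.reads += len(valid)
        c.writes += len(valid)
        block[:] = [ERASED] * PAGES_PER_BLOCK
        c.erases += 1


def lee_method(c: Counters) -> None:
    """Lee et al. [16]: the file's FEK occupies one page; its block is erased after
    the other 31 pages are preserved, i.e. block erase with exactly one stale page."""
    block = [DELETED] + [VALID] * (PAGES_PER_BLOCK - 1)
    block_erase([block], c)


def proposed_method(c: Counters, others_already_zero: bool) -> None:
    """Section 4.4: overwrite the FEK page with 0x00; erase the block only when
    every page in it is 0x00 (the write-then-erase case)."""
    fill = ZERO if others_already_zero else VALID
    block = [DELETED] + [fill] * (PAGES_PER_BLOCK - 1)
    block[0] = ZERO
    c.writes += 1
    if all(s == ZERO for s in block):
        block[:] = [ERASED] * PAGES_PER_BLOCK
        c.erases += 1


def compare(n: int, n_block: int) -> dict[str, int]:
    """Execution time (μs) of each method for n stale pages in each of n_block
    blocks, cross-checked against the closed forms of Section 5.2.4 / Table 6."""
    out: dict[str, int] = {}
    c = Counters(); zero_overwrite(make_flash(n_block, n), c); out["zero_overwrite"] = c.time_us()
    c = Counters(); block_erase(make_flash(n_block, n), c); out["block_erase"] = c.time_us()
    c = Counters(); lee_method(c); out["lee"] = c.time_us()
    c = Counters(); proposed_method(c, False); out["proposed_write_only"] = c.time_us()
    c = Counters(); proposed_method(c, True); out["proposed_write_then_erase"] = c.time_us()
    assert out["zero_overwrite"] == n * T_W * n_block
    assert out["block_erase"] == ((PAGES_PER_BLOCK - n) * (T_R + T_W) + T_E) * n_block
    assert out["lee"] == 31 * (T_R + T_W) + T_E
    return out


if __name__ == "__main__":
    for n, nb in [(1, 1), (6, 5), (16, 64)]:
        print(f"n={n} Nblock={nb}:", compare(n, nb))
```

Running `compare(6, 5)` (the paper’s 6-pages-on-5-blocks example with n = 6 per block) gives 6000 μs for zero overwrite, 38900 μs for block erase, 8930 μs for Lee et al.’s method and 200 or 2000 μs for the proposed method, which is the constant cost the text describes; the simulation only counts page and block operations and says nothing about wear leveling or the flash translation layer, which section 6 leaves to future work.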

6. CONCLUSIONS

Secure deletion is an important technique to prevent private data from leaking. People believe that data cannot be recovered once they delete it from a storage device (e.g., HDD, flash memory). However, as we showed, there are various data recovery programs, and anyone can recover the deleted data using them.


Table 6. Comparison of our method with previous methods.

                                Sun et al.’s method                                  Lee et al.’s method        The proposed method
                                Zero overwrite       Block erase
Satisfaction of recommendation  NSA/CSS              X                               X                          NSA/CSS or DoD 5220.22-M
# of overwrite operations       n * Nblock           0                               0                          1
# of erase operations           0                    Nblock                          1                          0 or 1
Additional operations           0                    Read/write operation:           Read/write operation:      0
                                                     (32 – n) times                  31 times
Execution time (μs)             (n * 200) * Nblock   {(32 – n) * (30 + 200) + 1800}  31 * (30 + 200) + 1800     200 or (200 + 1800)
                                                     * Nblock

Many researchers have already explored the area of secure deletion. Secure deletion methods for HDDs have been proposed and various secure deletion programs have been developed. By degaussing or overwriting with specific patterns many times, data stored on an HDD can be deleted so that it cannot be recovered.

When we consider that the erase operation can only be performed about 10^4 ~ 10^6 times on each block of flash memory, secure deletion methods for HDDs cannot be applied to flash memory. To overwrite on flash memory, a block that contains deleted pages must be erased before it is overwritten with specific patterns, and this process can shorten the lifetime of the flash memory. In addition, an erase operation on flash memory requires more time than read/write operations, so secure deletion by simply overwriting can cause inefficiency in terms of both performance and endurance of flash memory.

To overcome these shortcomings, various deletion methods for flash memory have been proposed. Sun et al.’s method combines block erase and zero overwriting, and one of these is applied to delete data securely according to the number of valid pages. In Lee et al.’s method, all data in a file is encrypted using a key that differs from those of other files, and the key of the file is stored on one block. Through this mechanism, only one erase operation is required to delete a specific file’s data. However, these methods cannot satisfy the recommendations that each government agency has presented.

To remedy these problems, we propose an efficient secure deletion method that satisfies the secure deletion recommendations. To our knowledge, the proposed method is the first method that satisfies the government recommendations for deleting data securely on flash memory. The method not only satisfies the NSA/CSS and DoD 5220.22-M recommendations, but also has a better performance cost than the previous methods.

In future work, we will focus on the file system for flash memory to improve the secure deletion method. In particular, by considering wear leveling, a technique for prolonging the service life of some kinds of erasable computer storage media such as flash memory and solid-state drives, we will develop a secure deletion method at the file system level.


REFERENCES

1. M. Freeman and A. Woodward, “Secure state deletion: Testing the efficacy and integrity of secure deletion tools on solid state drives,” in Proceedings of the 7th Australian Digital Forensics Conference, 2009, pp. 32-40.

2. J. Kim, J. M. Kim, S. H. Noh, S. L. Min, and Y. Cho, “A space-efficient flash translation layer for CompactFlash systems,” IEEE Transactions on Consumer Electronics, Vol. 48, 2002, pp. 366-375.

3. M-Systems, “Two technologies compared: NOR vs. NAND,” White Paper, 2003.

4. P. Gutmann, “Secure deletion of data from magnetic and solid-state memory,” in Proceedings of the 6th USENIX UNIX Security Symposium, 1996, pp. 77-90.

5. S. Bauer and N. B. Priyantha, “Secure data deletion for Linux file systems,” in Proceedings of the USENIX Security Symposium, 2001, pp. 153-164.

6. N. Joukov and E. Zadok, “Adding secure deletion to your favorite file system,” in Proceedings of the 3rd International IEEE Security in Storage Workshop, 2005, pp. 63-70.

7. D. Boneh and R. Lipton, “A revocable backup system,” in Proceedings of the USENIX Security Symposium, 1996, pp. 91-96.

8. J. R. Mallery, “Secure file deletion: Fact or fiction?” GSEC Practical Assignment Version 1.2e, 2006.

9. S. L. Garfinkel and A. Shelat, “Remembrance of data passed: A study of disk sanitization practices,” IEEE Security and Privacy, Vol. 1, 2003, pp. 17-27.

10. P. Jensen, “System and method of erasing non-volatile recording media,” US 2006/012023 A1, Jun. 8, 2006.

11. P. H. Tran, A. Shahindoust, and M. Yeung, “System for secure erasing of files,” US 7,246,209 B2, Jul. 17, 2007.

12. M. J. Kalos, R. A. Kubo, and J. A. Yanes, “System and method for implementing hard disk drive data clear and purge,” US 2008/0028141 A1, Jan. 31, 2008.

13. K. G. Bunker and E. P. deJong, “Secure data file erasure,” US 6,731,447 B2, May 4, 2004.

14. M. Breeuwsma, M. de Jongh, C. Klaver, R. van der Knijff, and M. Roeloffs, “Forensic data recovery from flash memory,” Small Scale Digital Device Forensics Journal, Vol. 1, 2007, pp. 1-17.

15. K. Sun, J. Choi, D. Lee, and S. H. Noh, “Models and design of an adaptive hybrid scheme for secure deletion of data in consumer electronics,” IEEE Transactions on Consumer Electronics, Vol. 54, 2008, pp. 100-104.

16. J. Lee, J. Heo, Y. Cho, J. Hong, and S. Shin, “Secure deletion for NAND flash file system,” in Proceedings of the ACM Symposium on Applied Computing, 2008, pp. 1710-1714.

17. Encase, http://www.guidancesoftware.com.

18. FinalData, http://www.finaldata.com.

19. National Industrial Security Program Operating Manual Supplement, http://www.fas.org/sgp/library/nispom_sup.pdf, Feb. 1995.

20. National Industrial Security Program Operating Manual, http://www.usaid.gov/policy/ads/500/d522022m.pdf, Jul. 1997.

21. NSA/CSS Storage Device Declassification Manual, http://www.nsa.gov/ia/_files/government/MDG/NSA_CSS_Storage_Device_Declassification_Manual.pdf, Nov. 2000.

22. Media Clearing, Purging, and Destruction, http://www.ornl.gov/doe/doe_oro_dmg/TMR/TMRs/DOE%20CIO%20Guidance%20CS-11.pdf, Jan. 2007.

23. ANSI X9.82-3-2007, “Random number generation part 3: Deterministic random bit generators,” Accredited Standards Committee X9 Incorporated, Sep. 2007.

24. NIST, “Recommendations for random number generation using deterministic random bit generators,” National Institute of Standards and Technology, SP800-90, Mar. 2007.

25. RSA Laboratories, “Public-key cryptography standards (PKCS),” http://www.rsa.com/rsalabs/node.asp?id=2308.

26. NIST, “Secure hash standard,” Federal Information Processing Standard, FIPS-180-1, 1995.

27. Brute-force attack, http://en.wikipedia.org/wiki/Brute_force_attack.

28. T. Aura and M. Roe, “Strengthening short hash values,” http://research.microsoft.com/enus/um/people/tuomaura/misc/aura-roe-submission.pdf.

29. RSA Laboratories, “PKCS#5 v2.1: Password-based cryptography standard,” 2006.

30. NAI Labs, “Windows data protection,” http://msdn.microsoft.com/en-us/library/ms995355.aspx, 2001.

31. Best Practices for the Encrypting File System, http://support.microsoft.com/kb/223316/EN-US/, 2009.

32. NIST, “Data encryption standard (DES),” Federal Information Processing Standard, FIPS-46-3, 1999.

33. NIST, “Announcing the advanced encryption standard (AES),” Federal Information Processing Standards, FIPS-197, 2001.

34. NVlabs, “Bitlocker and windows vista,” http://www.nvlabs.in/uploads/projects/nvbit/nvbit_bitlocker_white_paper.pdf.

35. YAFFS: Yet Another Flash File System, http://www.yaffs.net.

Byunghee Lee received B.S. and M.S. degrees in Computer Engineering from Sungkyunkwan University in 2005 and 2007, respectively. During 2005-2007, he worked in the Information Security Group (ISG). He is currently a Ph.D. course student of the School of Information and Communication Engineering. His interests are information security, reverse engineering, and information assurance.


Kyungho Son received B.S. and M.S. degrees in Computer Engineering from Sungkyunkwan University in 2005 and 2007, respectively. During 2005-2007, he worked in the Information Security Group (ISG). He is currently a Ph.D. student of the School of Information and Communication Engineering. His interests are network security and information assurance.

Dongho Won received his B.E., M.E., and Ph.D. degrees from Sungkyunkwan University in 1976, 1978, and 1988, respectively. After working at the Electronics and Telecommunications Research Institute (ETRI) from 1978 to 1980, he joined Sungkyunkwan University in 1982, where he is currently a Professor of the School of Information and Communication Engineering. His interests are cryptology and information security. He was the president of the Korea Institute of Information Security and Cryptology (KIISC) in 2002.

Seungjoo Kim received his B.S. (1994), M.S. (1996), and Ph.D. (1999) in Information Engineering from SungKyunKwan University (SKKU) in Korea. Prior to joining the faculty at Korea University (KU) in 2011, he served as Associate Professor at SKKU for 7 years. Before that, he served as Director of the Cryptographic Technology Team and the (CC-based) IT Security Evaluation Team of the Korea Information Security Agency (KISA) for 5 years. Now he is Associate Professor of CIST (Center for Information Security Technologies) at KU. He has served as an executive committee member of Korean E-Government, and as an advisory committee member of several public and private organizations, such as the National Intelligence Service of Korea, the Digital Investigation Advisory Committee of the Supreme Prosecutors’ Office, the Ministry of Justice, The Bank of Korea, the Electronics and Telecommunications Research Institute (ETRI), and the Korea Information Security Agency (KISA). His research interests include cryptography, information security, and information assurance. He is the corresponding author.
