1 / 25

XTS: A Mode of AES for Encrypting Hard Disks

paul
Télécharger la présentation

XTS: A Mode of AES for Encrypting Hard Disks

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


    1. XTS: A Mode of AES for Encrypting Hard Disks Dr. Miguel Angel Len Chvez GR4

    3. The Motivation for XTS Hard disks are partitioned into circular paths called tracks Tracks are in turn partitioned into fixed-sized logical sectors, which can be individually read from or written to a disk. Sectors are the smallest accessible subdivision of a track, typically 512 bytes. A sector might be subdivided into logical blocks, which are the same size as the block of data encrypted by a block cipher.

    4. Disk: physical and virtual geometry

    5. The Motivation for XTS Because a sectors bytes are all dedicated to storage, no additional space is available for other information. So, inputs to an encryption algorithm for data on hard disks should include only: the data itself, the key used in the encryption algorithm, and available metadata such as the sector number and the block number in that sector. XTS does exactly this!

    6. Tweakable Block Ciphers

    7. Tweakable Block Ciphers C = EK (T, M), where T is the tweak The tweak operates much like an initialization vector but has different security properties: an IV must be random, whereas a tweak doesnt have to be. A tweak aims to provide variability of the ciphertext Secret key provides security against an adversary recovering the plaintext.

    8. Rogaways XEX Suppose that N and ?1 through ?k are elements of GF(2n)* and that i1 through ik are integers. Rogaway showed that if E is a secure block cipher, then: EK(N, i1, , ik, M) = EK (M ? ?) ? ?, where ? = ?1i1 ?kik Ek (N), and ?1i1 ?kik ? 1 is also a secure block cipher that uses the k + 1 tweaks N and i1 through ik.

    9. Rogaways XEX

    10. Security of general XEX transform Rogaway showed that this mode is secure as long as the number of blocks that are encrypted under the same key is sufficiently smaller than the birthday bound value of 2n/2, where n is the block size in bits of the underlying block cipher. Some attacks become possible when the number of blocks approaches the 2n/2 value. This implies that except for the error term of 4.5 q2/2n + e, the only attacks that are possible against XEX are the ones that are inherent from the use of transparent encryption with the granularity of n-bit blocks, It yields strong security guarantee as long as the same key is not used to encrypt much more than a terabyte of data (q=36)

    11. XTS IEEE 1619 modified XEX by limiting the number of tweaks to two and using two keys instead of one. The two tweaks correspond to the sector and block number where data is stored. This standard use separate keys for tweaking and encryption purposes It is considered a good security design practice However, XEX mode is only proven secure with one key !

    12. XTS EK1, K2 (i, j, M) = EK1 (M ? ?) ? ? ? = ?i EK2 (j) It sets the value of j to the sector number being encrypted and sets the value of i to the block number in this sector.

    13. XTS The constant ? is either: the primitive element GF(2128) represented by the value 2 if the elements of GF(2128) are represented as bit strings, or multiplication by 2 is inexpensive the polynomial x if the elements of GF(2128) are represented by polynomials. Modular multiplication (?) of two polynomials over the binary field GF(2), modulo x128 + x7 + x2 + x + 1

    14. XTS

    15. Diagram of XTS-AES blockEnc procedure

    16. Diagram of XTS-AES blockDec procedure

    17. Ciphertext Stealing Suppose we want to use E and K to encrypt m blocks of messages M1 through Mm to produce ciphertext blocks C1 through Cm, where M1 through Mm-1 are the same size as the cipher block but Mm is shorter, having only s bits instead of the full n. To encrypt this sequence of messages using ciphertext stealing, we initially encrypt the first m - 2 blocks normally to get C1 through Cm-2.

    18. Ciphertext Stealing Let B[1, , l] denote the lowest l bits of message block B. To process the last two blocks, we first create an intermediate value C = EK (Mm-1) and parse this value into C = Cm [1, , s] ?? C'. We then calculate the value of Cm-1 as Cm-1 = EK (Mm [1, , s] ?? C').

    19. Ciphertext Stealing

    20. XTS-AES encryption of last two blocks when last block is 1 to 127 bits

    21. XTS-AES decryption of last two blocks when last block is 1 to 127 bits

    22. XTS It seems to have been fairly successful so far. Software: BestCrypt, dm-crypt, FreeOTFE, TrueCrypt, DiskCryptor, FreeBSD and OpenBSD Hardware: SPYRUS Hydra PC Digital Attach and the Kingston DataTraveler 5000. Amending IEEE 1619-2007 to include the option of using only one key. This will simplify key management slightly at no cost in cryptographic security. Future versions of the standard might also let you use additional metadata as tweaks

    23. Transparent encryption vulnerabilities Traffic analysis Replay Randomizing a sector

    24. Reference Liskov, M., Rivest, R., and Wagner, D., Tweakable block ciphers. In Advances in Cryptology-CRYPTO 02. LNCS, vol 2442, pp. 3146. Springer-Verlag, 2002. Rogaway, P., Efficient Instantiations of Tweakable Blockciphers and Refinements to Modes OCB and PMAC. Advances in CryptologyAsiacrypt 2004. LNCS, vol. 3329, pp. 1631. Springer-Verlag, 2004. IEEE Std. 1619-2007, Cryptographic Protection of Data on Block-Oriented Storage Devices, IEEE, 2008.2.

    25. Reference Dworkin, M., Recommendation for Block Cipher Modes of Operation: The XTS-AES Mode for Confidentiality on Storage Devices, NIST Special Publication 800-38E, US Natl Inst. of Standards and Technology, 2010. Martin, L., XTS: A Mode of AES for Encrypting Hard Disks, IEEE Security and Privacy, pp. 68-69, May/June 2010. Liskov, M., and Minematsu, K. Comments on XTS-AES, sep. 2008.

More Related