Disk encryption standards (was: RE: Two ideas for random number generation)

Trei, Peter ptrei at rsasecurity.com
Fri Apr 26 14:17:05 EDT 2002

> Bill Stewart[SMTP:bill.stewart at pobox.com] wrote:
> At 12:49 PM 04/25/2002 -0400, Trei, Peter wrote:
> >Of particular humor is his repeated insistence that anywhere one
> >might use a PRNG, a RNG would be better. Jim, try implementing
> >SSL with a true RNG instead of RC4. The ciphertext may be quite
> >secure, but it's not very useful.
> I've been thinking about a somewhat different but related problem lately,
> which is encrypted disk drives.  You could encrypt each block of the disk
> with a block cypher using the same key (presumably in CBC or some similar
> mode), but that just feels weak.  So you need some kind of generator of
> pretty-random-looking keys so that each block of the disk gets a different
> key, or at the very least a different IV for each block of the disk,
> so in some sense that's a PRNG.  (You definitely need a different key for
> each block if you're using RC4, but that's only usable for Write-Once media,
> i.e. boring.)
> Obviously you need repeatability, so you can't use a real random number
> generator.
> I've been thinking that Counter Mode AES sounds good, since it's easy
> to find the key for a specific block.   Would it be good enough just to
> use
>          Hash( Hash(Key, block#) )
> or some similar function instead of a more conventional crypto function?

Bill: you might want to look at: www.siswg.org, which is looking at just
this problem. Here's the meat of a couple messages I received about it:

> The IEEE Technical Committee on Information Assurance has 
> started a standards project on storage encryption, covering 
> encryption algorithms, integrity algorithms, and key management. 
> A common criteria protection profile is also proposed. Jim Hughes 
> (Storage Tek) is chair and invites cryptographers to participate in 
> the project.
> This work potentially has wide application, from hard disk storage 
> to PDAs.

A call for algorithms will be issued shortly. The WG chair, Jim Hughes,

"What I will be asking for is a mode that allows disk blocks to be
encrypted using an implicit IV (disk block number) and be non-malleable.
That is, if any bit is tampered then the entire disk block is randomized.
Disk blocks can be any small multiple of 512 bytes. Typical values are
512, 1024, 2048 etc. bytes."

Have fun.

Peter Trei
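An added example, not from this thread or the SISWG work, contrasting the two constructions discussed above: Bill's per-sector keystream derived from a keyed hash of the sector number, which is malleable (one flipped ciphertext bit flips exactly one plaintext bit), and a length-preserving wide-block sketch with the properties Jim Hughes asks for (implicit IV = sector number, any tampered bit scrambles the whole sector). It assumes SHAKE-256 as a keyed PRF/XOF and uses a 4-round Feistel over the whole sector; this is an illustration, not a standardized mode.

```python
"""Sector encryption sketch (added example): sector number as implicit tweak,
no stored IV, length-preserving.  Uses SHAKE-256 keyed by prefixing the key
as the PRF; the Feistel network is a Luby-Rackoff style construction."""
import hashlib

SECTOR = 512
ROUNDS = 4

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _prf(key: bytes, label: bytes, block_no: int, data: bytes, n: int) -> bytes:
    # Keyed XOF over (key, label, sector number, data), expanded to n bytes.
    # The sector number is the implicit IV: same plaintext in two sectors
    # encrypts differently without storing anything extra on disk.
    return hashlib.shake_256(key + label + block_no.to_bytes(8, "big") + data).digest(n)

def ctr_like_sector(key: bytes, block_no: int, data: bytes) -> bytes:
    """Bill's sketch: keystream = PRF(key, sector#), XORed over the sector.
    Encrypt and decrypt are the same operation.  Malleable, and rewriting a
    sector reuses the keystream (hence the write-once remark in the thread)."""
    return _xor(data, _prf(key, b"ctr", block_no, b"", len(data)))

def encrypt_sector(key: bytes, block_no: int, plaintext: bytes) -> bytes:
    """Wide-block 4-round Feistel: every output byte depends on every input byte."""
    assert len(plaintext) == SECTOR
    half = SECTOR // 2
    l, r = plaintext[:half], plaintext[half:]
    for rnd in range(ROUNDS):
        l, r = r, _xor(l, _prf(key, bytes([rnd]), block_no, r, half))
    return l + r

def decrypt_sector(key: bytes, block_no: int, ciphertext: bytes) -> bytes:
    assert len(ciphertext) == SECTOR
    half = SECTOR // 2
    l, r = ciphertext[:half], ciphertext[half:]
    for rnd in reversed(range(ROUNDS)):
        l, r = _xor(r, _prf(key, bytes([rnd]), block_no, l, half)), l
    return l + r

def tamper_diffusion(key: bytes, block_no: int, plaintext: bytes, bit_index: int) -> int:
    """Flip one ciphertext bit, decrypt, and count plaintext bytes that changed.
    For the Feistel mode this is close to all 512 (each byte differs with
    probability 255/256); for ctr_like_sector it would be exactly one bit."""
    ct = bytearray(encrypt_sector(key, block_no, plaintext))
    ct[bit_index // 8] ^= 1 << (bit_index % 8)
    recovered = decrypt_sector(key, block_no, bytes(ct))
    return sum(a != b for a, b in zip(plaintext, recovered))
```

The diffusion count is what Hughes' "entire disk block is randomized" requirement asks for; a real deployment would use an AES-based wide-block or tweakable mode rather than a hash-built Feistel.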

The Cryptography Mailing List