@mimoo
Last active March 9, 2019 01:20
Disk Encryption: Tweakable Wide-block ciphers

Introduction

Wide-block tweakable ciphers are the natural fit for disk (sector) encryption, where the ciphertext of a sector must be exactly the size of the plaintext, so nothing extra can be stored next to it. We need:

  • wide blocks, because we can't store an authentication tag: the best available is "poor-man's authentication", where any modification of the ciphertext garbles the entire sector rather than a single 16-byte block
  • tweakable, because we can't store a nonce: the per-sector variation has to come from something both sides already know, namely the sector number

But why can't we transform the metadata into a nonce? That is exactly what the tweak is: in XTS, for example, the tweak is the sector index, so identical plaintexts in different sectors encrypt differently without any extra storage. A tweak is weaker than a nonce, though: rewriting a sector reuses the same tweak, so anyone who sees the disk at two points in time learns which sectors (and, with a narrow-block mode, which 16-byte blocks) changed.

It looks like:

  • Microsoft BitLocker originally shipped AES-CBC with the Elephant diffuser, later dropped the diffuser, and now offers XTS
  • Apple FileVault uses XTS
  • Google designed Adiantum for Android devices whose CPUs lack AES instructions; it has been merged into the Linux kernel (5.0)

Timeline

There are many stream ciphers, but by their very nature, they allow the attacker to flip arbitrary bits in the plaintext. This lack of diffusion makes them entirely ineffective for poor-man’s authentication.

Any time you want to encrypt data, AES-CBC is a leading candidate. In this case it is not suitable, due to the lack of diffusion in the CBC decryption operation.

Bear and Lion are two large-block block ciphers proposed by Ross Anderson and Eli Biham [...] Bear and Lion seem ideally suited, except for the fact that they are too slow. Both ciphers make three passes over the data. If we were to use SHA-256 for the hash function and AES-CTR for the stream cipher, the overall cipher would need close to 100 cycles/byte.

Mercy is a block cipher specifically designed for disk sector encryption [3]. Unfortunately, it was broken in 2001 by Scott Fluhrer.

LRW provides some level of poor-man's authentication, but the relatively small block size of AES (16 bytes) still leaves a lot of freedom for an attacker.

CMC and EME are two block cipher modes proposed by Halevi and Rogaway [...] However, they have not been widely studied or deployed, making them a relatively high-risk choice from a security point of view. (An earlier version of CMC was in fact broken.)

For BitLocker we want a block cipher whose block size is much larger. The same type of attack is still possible, but it is made harder by two factors: any particular attack point is far less likely to be on a suitable block boundary, and the attacker is forced to randomize more plaintext, increasing the likelihood that he will damage other parts of the system and crash the PC rather than open a usable hole.
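The diffusion argument running through the excerpts above (a stream cipher passes a bit flip straight through, CBC decryption garbles one block and flips the same bit in the next, a narrow-block tweakable mode of the LRW/XTS family confines the damage to 16 bytes, and a wide-block cipher such as Bear/Lion spreads it over the whole sector), together with the introduction's point that the tweak is just the sector number, can be seen in one runnable experiment. The following is an added example, not code from this gist, from BitLocker, or from any paper quoted here: it flips a single ciphertext bit in a 512-byte sector and reports which plaintext bytes change under each mode. Everything is built from Python's hashlib/hmac so it runs offline; the 16-byte Feistel block cipher standing in for AES, the SHAKE256 keystream, the hash-derived XEX tweak (real XTS uses GF(2^128) multiplication) and the per-sector Lion keys are all assumptions of this demo, not the real constructions.

```python
"""Added example (not code from the gist, BitLocker or any paper quoted here): what
one flipped ciphertext bit does to a decrypted 512-byte sector under four mode
families. Only hashlib/hmac are used, so it runs offline: a 16-byte Feistel stands
in for AES, SHAKE256 for a stream cipher, HMAC-SHA256 for the Bear/Lion hash."""
import hashlib
import hmac

BLOCK = 16  # narrow-block width, same as AES

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def prf(key: bytes, data: bytes, n: int = 32) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()[:n]  # keyed hash

def keystream(key: bytes, n: int) -> bytes:
    return hashlib.shake_256(key).digest(n)  # stream cipher stand-in

def sid(sector: int) -> bytes:
    return sector.to_bytes(8, "big")

def block_encrypt(key: bytes, p: bytes) -> bytes:
    """Toy 16-byte PRP: 4-round Feistel with an HMAC round function."""
    l, r = p[:8], p[8:]
    for i in range(4):
        l, r = r, xor(l, prf(key, bytes([i]) + r, 8))
    return l + r

def block_decrypt(key: bytes, c: bytes) -> bytes:
    l, r = c[:8], c[8:]
    for i in reversed(range(4)):
        l, r = xor(r, prf(key, bytes([i]) + l, 8)), l
    return l + r

# 1. Stream cipher keyed per sector: no diffusion, a bit flip goes straight through.
def stream_crypt(key: bytes, sector: int, data: bytes) -> bytes:
    return xor(data, keystream(key + sid(sector), len(data)))

# 2. CBC with a per-sector IV: flipping C[i] garbles P[i] and flips that bit in P[i+1].
def cbc_encrypt(key: bytes, sector: int, p: bytes) -> bytes:
    prev, out = prf(key, b"iv" + sid(sector), BLOCK), b""
    for i in range(0, len(p), BLOCK):
        prev = block_encrypt(key, xor(p[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key: bytes, sector: int, c: bytes) -> bytes:
    prev, out = prf(key, b"iv" + sid(sector), BLOCK), b""
    for i in range(0, len(c), BLOCK):
        out += xor(block_decrypt(key, c[i:i + BLOCK]), prev)
        prev = c[i:i + BLOCK]
    return out

# 3. XEX-style narrow-block tweakable mode (LRW/XTS family): every 16-byte block is an
#    independent tweaked permutation. Tweak = hash(sector, block index) here; real XTS
#    derives it by GF(2^128) multiplication instead (assumption of this demo).
def xex_crypt(key: bytes, sector: int, data: bytes, dec: bool = False) -> bytes:
    f, out = (block_decrypt if dec else block_encrypt), b""
    for j in range(len(data) // BLOCK):
        t = prf(key, b"tweak" + sid(sector) + j.to_bytes(2, "big"), BLOCK)
        out += xor(f(key, xor(data[j * BLOCK:(j + 1) * BLOCK], t)), t)
    return out

# 4. Lion (Anderson/Biham) wide-block cipher over the whole sector in three passes:
#    R ^= S(L ^ K1); L ^= H(R); R ^= S(L ^ K2); decryption is the same with K1/K2 swapped.
#    Tweakable here by deriving K1, K2 per sector (a choice of this demo, not original Lion).
def lion_crypt(key: bytes, sector: int, data: bytes, dec: bool = False) -> bytes:
    k1, k2 = prf(key, b"k1" + sid(sector)), prf(key, b"k2" + sid(sector))
    k1, k2 = (k2, k1) if dec else (k1, k2)
    l, r = data[:32], data[32:]
    r = xor(r, keystream(xor(l, k1), len(r)))
    l = xor(l, prf(key, r))
    r = xor(r, keystream(xor(l, k2), len(r)))
    return l + r

MODES = {"stream": (stream_crypt, stream_crypt), "cbc": (cbc_encrypt, cbc_decrypt),
         "xex": (xex_crypt, lambda k, s, d: xex_crypt(k, s, d, dec=True)),
         "lion": (lion_crypt, lambda k, s, d: lion_crypt(k, s, d, dec=True))}

def damage(mode: str, key: bytes, sector: int, p: bytes, byte_idx: int, bit: int):
    """Encrypt p, flip one ciphertext bit, decrypt. Returns (changed, controlled): plaintext
    byte indices that changed, and those where exactly the attacker's chosen bit flipped."""
    enc, dec = MODES[mode]
    c = bytearray(enc(key, sector, p))
    assert dec(key, sector, bytes(c)) == p  # round trip must hold
    c[byte_idx] ^= 1 << bit
    p2 = dec(key, sector, bytes(c))
    changed = [i for i in range(len(p)) if p[i] != p2[i]]
    return changed, [i for i in changed if p[i] ^ p2[i] == 1 << bit]

KEY = hashlib.sha256(b"constructed demo key").digest()  # constructed, not a real key
PLAIN = bytes(range(256)) * 2  # constructed 512-byte sector

if __name__ == "__main__":
    for mode in MODES:
        changed, controlled = damage(mode, KEY, 7, PLAIN, 100, 3)
        print(f"{mode:6s} changed={len(changed):3d} bytes, 16-byte blocks hit="
              f"{sorted({i // BLOCK for i in changed})}, controlled={controlled}")
```

Running it prints one line per mode. The stream cipher changes exactly byte 100, with precisely the attacker's chosen bit flipped; CBC garbles block 6 and flips exactly bit 3 of byte 116 in block 7 (the "free" controlled edit that the poor-man's-authentication argument above is about); XEX garbles only block 6 and leaves the other 31 blocks intact; Lion garbles essentially all 512 bytes, since the flipped bit feeds the hash that re-keys both keystream passes. Changing the sector number changes the ciphertext in every mode, which is the whole job of the tweak. The Lion variant is also the three-pass structure the excerpt calls too slow: two keystream passes plus one hash over the sector.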

CMC [1], EME2 [2], PEP [3], TET [4], HEH[5], XCB [6], HCTR [7], HCH [8].

EME2 is standardized in the IEEE 1619.2 Section ”Wide-Block Encryption” of the IEEE P1619 standard.

There are modes that do not offer security proofs, such as Elephant+CBC [9], modes that do not offer the benefit of a full block permutation such as XTS [10] (XTS is standardized by the IEEE 1619 standard and by NIST), and there are uses of standard CBC for wide block encryption; most notably, CBC is one of the two allowed modes in [11].

The market success of wide encryption modes as of year 2014 is very limited. We are not aware of any existing whole disk product that even offers a wide block encryption mode. One likely explanation for this is that the overhead of the crypto code is perceived as substantial by end-users, especially with solid-state storage media.

Ethics

According to Microsoft sources, BitLocker does not contain an intentionally built-in backdoor; without a backdoor there is no way for law enforcement to have a guaranteed passage to the data on the user's drives that is provided by Microsoft. In 2006 the UK Home Office expressed concern over the lack of a backdoor and tried entering into talks with Microsoft to get one introduced, although Microsoft developer Niels Ferguson and other Microsoft spokesmen state that they will not grant the wish to have one added. Microsoft engineers have said that FBI agents also put pressure on them in numerous meetings in order to add a backdoor, although no formal, written request was ever made; Microsoft engineers eventually suggested to the FBI that agents should look for the hard copy of the key that the BitLocker program suggests its users make. Although the AES encryption algorithm used in BitLocker is in the public domain, its implementation in BitLocker, as well as other components of the software, is proprietary; however, the code is available for scrutiny by Microsoft partners and enterprises, subject to a non-disclosure agreement. (source)
