1. XTS: A Mode of AES�for Encrypting Hard Disks Dr. Miguel Angel León Chávez
GR4
3. The Motivation for XTS Hard disks are partitioned into circular paths called tracks
Tracks are in turn partitioned into fixed-sized logical sectors, which can be individually read from or written to a disk.
Sectors are the smallest accessible subdivision of a track, typically 512 bytes.
A sector might be subdivided into logical blocks, which are the same size as the block of data encrypted by a block cipher.
4. Disk: physical and virtual geometry
5. The Motivation for XTS Because a sectors bytes are all dedicated to storage, no additional space is available for other information.
So, inputs to an encryption algorithm for data on hard disks should include only:
the data itself,
the key used in the encryption algorithm, and
available metadata such as the sector number and the block number in that sector.
XTS does exactly this!
6. Tweakable Block Ciphers
7. Tweakable Block Ciphers C = EK (T, M), where T is the tweak
The tweak operates much like an initialization vector but has different security properties: an IV must be random, whereas a tweak doesnt have to be.
A tweak aims to provide variability of the ciphertext
Secret key provides security against an adversary recovering the plaintext.
8. Rogaways XEX Suppose that N and ?1 through ?k are elements of GF(2n)* and that i1 through ik are integers.
Rogaway showed that if E is a secure block cipher, then:
EK(N, i1,
, ik, M) = EK (M ? ?) ? ?, where
? = ?1i1
?kik Ek (N), and
?1i1
?kik ? 1
is also a secure block cipher that uses the k + 1 tweaks N and i1 through ik.
9. Rogaways XEX
10. Security of general XEX transform Rogaway showed that this mode is secure as long as the number of blocks that are encrypted under the same key is sufficiently smaller than the birthday bound value of 2n/2, where n is the block size in bits of the underlying block cipher.
Some attacks become possible when the number of blocks approaches the 2n/2 value.
This implies that except for the error term of 4.5 q2/2n + e, the only attacks that are possible against XEX are the ones that are inherent from the use of transparent encryption with the granularity of n-bit blocks,
It yields strong security guarantee as long as the same key is not used to encrypt much more than a terabyte of data (q=36)
11. XTS IEEE 1619 modified XEX by limiting the number of tweaks to two and using two keys instead of one.
The two tweaks correspond to the sector and block number where data is stored.
This standard use separate keys for tweaking and encryption purposes
It is considered a good security design practice
However, XEX mode is only proven secure with one key !
12. XTS EK1, K2 (i, j, M) = EK1 (M ? ?) ? ?
? = ?i EK2 (j)
It sets the value of j to the sector number being encrypted and sets the value of i to the block number in this sector.
13. XTS The constant ? is either:
the primitive element GF(2128) represented by the value 2 if the elements of GF(2128) are represented as bit strings, or
multiplication by 2 is inexpensive
the polynomial x if the elements of GF(2128) are represented by polynomials.
Modular multiplication (?) of two polynomials over the binary field GF(2), modulo x128 + x7 + x2 + x + 1
14. XTS
15. Diagram of XTS-AES blockEnc procedure
16. Diagram of XTS-AES blockDec procedure
17. Ciphertext Stealing Suppose we want to use E and K to encrypt m blocks of messages M1 through Mm to produce ciphertext blocks C1 through Cm, where M1 through Mm-1 are the same size as the cipher block but Mm is shorter, having only s bits instead of the full n.
To encrypt this sequence of messages using ciphertext stealing, we initially encrypt the first m - 2 blocks normally to get C1 through Cm-2.
18. Ciphertext Stealing Let B[1,
, l] denote the lowest l bits of message block B.
To process the last two blocks, we first create an intermediate value C = EK (Mm-1) and parse this value into C = Cm [1,
, s] ?? C'.
We then calculate the value of Cm-1 as
Cm-1 = EK (Mm [1,
, s] ?? C').
19. Ciphertext Stealing
20. XTS-AES encryption of last two blocks when last block is 1 to 127 bits
21. XTS-AES decryption of last two blocks when last block is 1 to 127 bits
22. XTS It seems to have been fairly successful so far.
Software: BestCrypt, dm-crypt, FreeOTFE, TrueCrypt, DiskCryptor, FreeBSD and OpenBSD
Hardware: SPYRUS Hydra PC Digital Attaché and the Kingston DataTraveler 5000.
Amending IEEE 1619-2007 to include the option of using only one key.
This will simplify key management slightly at no cost in cryptographic security.
Future versions of the standard might also let you use additional metadata as tweaks
23. Transparent encryption vulnerabilities Traffic analysis
Replay
Randomizing a sector
24. Reference Liskov, M., Rivest, R., and Wagner, D., Tweakable block ciphers. In Advances in Cryptology-CRYPTO 02. LNCS, vol 2442, pp. 3146. Springer-Verlag, 2002.
Rogaway, P., Efficient Instantiations of Tweakable Blockciphers and Refinements to Modes OCB and PMAC. Advances in CryptologyAsiacrypt 2004. LNCS, vol. 3329, pp. 1631. Springer-Verlag, 2004.
IEEE Std. 1619-2007, Cryptographic Protection of Data on Block-Oriented Storage Devices, IEEE, 2008.2.
25. Reference Dworkin, M., Recommendation for Block Cipher Modes of Operation: The XTS-AES Mode for Confidentiality on Storage Devices, NIST Special Publication 800-38E, US Natl Inst. of Standards and Technology, 2010.
Martin, L., XTS: A Mode of AES for Encrypting Hard Disks, IEEE Security and Privacy, pp. 68-69, May/June 2010.
Liskov, M., and Minematsu, K. Comments on XTS-AES, sep. 2008.
