On Tue, 8 Jul 2008, Perry E. Metzger wrote:
| >> Has anyone had any real-world experience with these yet? Are there
| >> standards for how they get the keys from the BIOS or OS? (I'm
| >> interested in how they deal with zeroization on sleep and such.)
| >
| > Most manufacturer (will) implement the TCG Storage Specification:
| > https://www.trustedcomputinggroup.org/groups/storage/
| >
| >> Lastly, anyone have any idea of whether the manufacturers are doing
| >> the encryption correctly or not?
| >
| > I know that Seagate Secure does not use XTS mode, but something CBC
| > based.
| Where do they get their IVs from?
I have no idea what they actually *do*, but the obvious way to get an IV
is to use the encryption of the block number.  Guaranteed known to
whoever needs to decrypt the disk block, and unique for each disk block.
(Using the disk block number itself as the IV is actually reasonably
safe, too, though it seems a bit too structured - one can imagine files
which have a leading count or even a copy of the disk block number in
each disk block leading to an initial zero input to the encryption.)

(I think one of Phil Rogoway's papers suggest this kind of approach for
a "safe" CBC API:  Given an existing CBC API that takes an IP as input,
instead build one that takes no explicit IP, but (a) maintains an
internal counter; (b) prepends the current counter value to the
supplied input and increments the counter; (c) supplies the underlying
API with an IP of 0.  The modified API can't be abused by accidentally
re-using an IP.)

| In general, I feel like the only way to really verify that these
| things are being done correctly is to be able (in software) to read
| the ciphertext and verify that it is encrypted with the right key in
| the right mode. The small amount I've heard about the design leads me
| to worry that this is not actually possible.
Somehow we still haven't learned the lesson that the security can only
come from (a) published, vetted algorithms and modes; (b) a way to check
that the alleged algorithm is what the "black box" actually implements.

Of course, for all you know it implements the algorithm while hiding a
copy of the key away somewhere "just in case"....  But that's a whole
other problem.
                                                        -- Jerry

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to