Full Disk Encryption: Bridging Theory and Practice
We revisit the problem of Full Disk Encryption (FDE), which refers to the encryption of each sector of a disk volume. In the context of FDE, it is assumed that there is no space to store additional data, such as an IV (Initialization Vector) or a MAC (Message Authentication Code) value. We formally define the security notions in this model against chosen-plaintext and chosen-ciphertext attacks. Then, we classify various FDE modes of operation according to their security in this setting, in the presence of various restrictions on the queries of the adversary. We will find that our approach leads to new insights for both theory and practice. Moreover, we introduce the notion of a diversifier, which does not require additional storage, but allows the plaintext of a particular sector to be encrypted to different ciphertexts. We show how a 2-bit diversifier can be implemented in the EagleTree simulator for solid state drives (SSDs), while decreasing the total number of Input/Output Operations Per Second (IOPS) by only 4%.
Keywords: Disk encryption theory, Full Disk Encryption, FDE, XTS, IEEE P1619, Unique first block, Diversifier, Provable security
Nicky Mouha is supported by a Postdoctoral Fellowship from the Flemish Research Foundation (FWO-Vlaanderen), by a JuMo grant from KU Leuven (JuMo/14/48CF), and by FWO travel grant 12F9714N. Certain algorithms and commercial products are identified in this paper to foster understanding. Such identification does not imply recommendation or endorsement by NIST, nor does it imply that the algorithms or products identified are necessarily the best available for the purpose. Damien Vergnaud is supported in part by the French ANR JCJC ROMAnTIC project (ANR-12-JS02-0004).
We thank Matias Bjørling, Luc Bouganim, Niv Dayan and Javier Gonzalez for their useful comments and suggestions on SSD technology.
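The abstract's model (no room for an IV or MAC, so encryption is deterministic per sector) and the effect of a 2-bit diversifier, shown as an added example that is not code from the paper. A toy length-preserving tweakable cipher (a 4-round Feistel network over HMAC-SHA256, standing in for a real FDE mode such as XTS) takes the sector number and the diversifier as its tweak. The function names, the sector size, and the way the diversifier enters the tweak are assumptions made for this illustration.

```python
import hashlib
import hmac

SECTOR_SIZE = 512          # bytes per sector (constructed value for this demo)
HALF = SECTOR_SIZE // 2

def _tweak(sector: int, diversifier: int) -> bytes:
    # Assumption: the tweak is the sector number plus a 2-bit diversifier.
    if not 0 <= diversifier < 4:
        raise ValueError("diversifier must fit in 2 bits")
    return sector.to_bytes(8, "big") + bytes([diversifier])

def _round(key: bytes, tweak: bytes, rnd: int, half: bytes) -> bytes:
    # Round function: HMAC-SHA256 in counter mode, expanded to HALF bytes.
    return b"".join(
        hmac.new(key, tweak + bytes([rnd, ctr]) + half, hashlib.sha256).digest()
        for ctr in range(HALF // 32))

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_sector(key, sector, plaintext, diversifier=0):
    # Length-preserving: no IV or MAC is stored next to the sector.
    if len(plaintext) != SECTOR_SIZE:
        raise ValueError("plaintext must be exactly one sector")
    t = _tweak(sector, diversifier)
    left, right = plaintext[:HALF], plaintext[HALF:]
    for rnd in range(4):
        left, right = right, _xor(left, _round(key, t, rnd, right))
    return left + right

def decrypt_sector(key, sector, ciphertext, diversifier=0):
    # The reader must learn the diversifier from the storage layer (assumed).
    if len(ciphertext) != SECTOR_SIZE:
        raise ValueError("ciphertext must be exactly one sector")
    t = _tweak(sector, diversifier)
    left, right = ciphertext[:HALF], ciphertext[HALF:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _round(key, t, rnd, left)), left
    return left + right

def distinct_ciphertexts(key, sector, plaintext) -> int:
    return len({encrypt_sector(key, sector, plaintext, d) for d in range(4)})

if __name__ == "__main__":
    key, data = bytes(range(32)), b"A" * SECTOR_SIZE   # constructed inputs
    print("same data, same sector, identical ciphertext:",
          encrypt_sector(key, 7, data) == encrypt_sector(key, 7, data))
    print("ciphertexts available with diversifier:", distinct_ciphertexts(key, 7, data))
```

With the diversifier fixed, rewriting a sector with unchanged data is visible to anyone comparing disk snapshots; with it, the same write can land on any of four ciphertexts while the stored sector stays exactly 512 bytes.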