Abstract
We revisit the problem of Full Disk Encryption (FDE), which refers to the encryption of each sector of a disk volume. In the context of FDE, it is assumed that there is no space to store additional data, such as an IV (Initialization Vector) or a MAC (Message Authentication Code) value. We formally define the security notions in this model against chosen-plaintext and chosen-ciphertext attacks. Then, we classify various FDE modes of operation according to their security in this setting, in the presence of various restrictions on the queries of the adversary. We will find that our approach leads to new insights for both theory and practice. Moreover, we introduce the notion of a diversifier, which does not require additional storage, but allows the plaintext of a particular sector to be encrypted to different ciphertexts. We show how a 2-bit diversifier can be implemented in the EagleTree simulator for solid state drives (SSDs), while decreasing the total number of Input/Output Operations Per Second (IOPS) by only 4%.
Notes
1.
2. These blocks should not be confused with the blocks of the block cipher, nor with the “block” (actually “sector”) in the term Logical Block Address (LBA).
Acknowledgments
Nicky Mouha is supported by a Postdoctoral Fellowship from the Flemish Research Foundation (FWO-Vlaanderen), by a JuMo grant from KU Leuven (JuMo/14/48CF), and by FWO travel grant 12F9714N. Certain algorithms and commercial products are identified in this paper to foster understanding. Such identification does not imply recommendation or endorsement by NIST, nor does it imply that the algorithms or products identified are necessarily the best available for the purpose. Damien Vergnaud is supported in part by the French ANR JCJC ROMAnTIC project (ANR-12-JS02-0004).
We thank Matias Bjørling, Luc Bouganim, Niv Dayan and Javier Gonzalez for their useful comments and suggestions on SSD technology.
Copyright information
© 2017 Springer International Publishing AG
Cite this paper
Khati, L., Mouha, N., Vergnaud, D. (2017). Full Disk Encryption: Bridging Theory and Practice. In: Handschuh, H. (ed.) Topics in Cryptology – CT-RSA 2017. Lecture Notes in Computer Science, vol. 10159. Springer, Cham. https://doi.org/10.1007/978-3-319-52153-4_14
DOI: https://doi.org/10.1007/978-3-319-52153-4_14
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-52152-7
Online ISBN: 978-3-319-52153-4