Re: [P1619-2] Question: Should we only allow one data unit size within a key scope?

[Matt Ball <matt.ball@xxxxxxxx>]

Hi Bob,

If we want to keep more consistency with XTS-AES (as approved by NIST in draft SP 800-38E), it would be better to keep the data units the same size within a key scope.  Ideally, the size should be static based on design (e.g., the data unit is always a 512-byte hark disk logical block) so that an attacker can't change this size and change the meaning of the data.

Personally, I take this as a security-relevant issue because in P1619.2 encryption, we're assuming that there is no authentication, including within the metadata.  If the data unit size is fixed, the only knob an attacker has is randomizing an entire data unit.  If the data unit size is variable, the attacker can also arbitrarily change data unit sizes, potentially making them so small that the benefit of wide-block encryption is negated.  It would also be possible to shift the data geometry by changing data unit sizes.

Let me pose the question slightly differently:  What is an example of a system where using P1619.2 encryption with variable data unit sizes is a secure solution, but it is not possible in the same system to use an authenticated encryption mode (like those in IEEE Std 1619-2007)?  I can't think of such a system off-hand.  On the other hand, I can think of many ways to abuse P1619.2 encryption by allowing variable data unit sizes, but omitting cryptographic integrity checking.

Any other thoughts?

Cheers,
-Matt

On Fri, Oct 23, 2009 at 12:07 PM, Robert A. (Bob) Lockhart <rlockhart@xxxxxxxx> wrote:

Matt,

If I understand what you are asking I think this is an implementation issue and not a specific mode issue.  If someone wants to build an implementation that makes use of variable data unit sizes that should be their call as long as they can determine the sizes of the data units.

 

Doesn't do much for interoperability but it does leave the mode extensible for different applications and open to other standards to make use of it in a way that suits their needs.

 

Bob L.

Robert A. (Bob) Lockhart
Senior Solutions Architect

Thales Information Systems Security

Matt Ball wrote:

Hi Folks,

One of the questions from the P1619.2 sponsor ballot is as follows:

(Page 4, Subclause 5, line 12): Note that for IEEE Std 1619-2007, all data units within a particular key scope are required to have the same size. The sentence here allows for them to be different sizes. Do we want this? If different sizes are allowed, how does an implementation track each size, and are there security implications with an adversary being potentially able to change these sizes, since there is no authentication in this system?

What are the thoughts from the group?

--
Thanks!

Matt Ball, Chair, IEEE P1619 Security in Storage Working Group
Staff Engineer, Sun Microsystems, Inc.
500 Eldorado Blvd, Bldg #5 BRM05-212, Broomfield, CO 80021
Work: 303-272-7580, Cell: 303-717-2717

-- 
Thanks!

Matt Ball, Chair, IEEE P1619 Security in Storage Working Group
Staff Engineer, Sun Microsystems, Inc.
500 Eldorado Blvd, Bldg #5 BRM05-212, Broomfield, CO 80021
Work: 303-272-7580, Cell: 303-717-2717