Thread Links			Date Links
Thread Prev	Thread Next	Thread Index	Date Prev	Date Next	Date Index

Re: A revised 'Key Backup Format' document

To: SISWG <stds-p1619@IEEE.ORG>
Subject: Re: A revised 'Key Backup Format' document
From: Shai Halevi <shaih@WATSON.IBM.COM>
Date: Tue, 13 Apr 2004 12:31:02 -0400
In-Reply-To: <OF00F757C5.712D854F-ONC2256E75.004F5FA0-C2256E75.0050489A@il.ibm.com>
Organization: IBM
References: <OF00F757C5.712D854F-ONC2256E75.004F5FA0-C2256E75.0050489A@il.ibm.com>
Sender: owner-stds-p1619@listserv.ieee.org
User-Agent: KMail/1.5

* The section numbering is wrong (courtesy of MS-Word): Section 5 has
subsections 4.1, 4.2, etc..

* The description of the KEY_SCOPE variables in the table and also in
subsection 4.3 is not quite accurate (I think). As I understand it,
the KEY_SCOPE_START describes the index of the first "wide block" on
the storage media which is encrypted under the current key, and the
KEY_SCOPE_LENGTH describes the number of "wide blocks" encrypted under
the current key. What consistutes a "wide block" is transform dependent,
however. For EME-32-AES a "wide block" is 512 bytes, but for LRW-1-AES
a "wide block" is 16 bytes.

Here's an example: suppose you have a disk with 2^34 bytes on it. The
first quarter (2^32 bytes) are encrypted under one key using EME-32-AES,
and the rest in encrypted unedr another key using LRW-1-AES.

Then the key structure of the first part would have KEY_SCOPE_START=1
and KEY_SCOPE_LENGTH=2^23 (i.e., start at the first 512-byte sector and
use it for 2^23 sectors = 2^32 bytes). The key-structure of the second
part would have KEY_SCOPE_START=2^28+1 and KEY_SCOPE_LENGTH=3*2^28 (i.e.,
start at the 16-byte block number 2^28 +1 (i.e., after 2^32 bytes) and
use it for 3 * 2^28 blocks (i.e., 3 * 2^32 bytes).

* The STANDARD_NEMBER and VERSION: You certainly must spcify the
number and version of the key-backup standard (or else no one would be
able to read this structure). Specifying the number and version of the
key-transform standard is also possible (or else this can be part of
the TRANSFORM_NAME field).

* Section 4.5 does not belong here. It belongs in the individual documents
describing the transforms.

* [HR1] Should be [HR03], and [LRW] should be [LRW02].

-- Shai

On Tuesday 13 April 2004 11:33 am, Dalit Naor wrote:
> Below is a revised version of the document 'Key Backup format for Wide
> Block Encryption'. Please prepare any comments for the next meeting.
> Specifically, there are a number of open issues:
> - Which transforms we need/want to support
> - Key Wrapping: techniques, should it be mandatory?
> - The notion of a Key Scope
>
> Dalit.

Follow-Ups:
- Re: A revised 'Key Backup Format' document
  - From: Dalit Naor

References:
- A revised 'Key Backup Format' document
  - From: Dalit Naor

Prev by Date: Re: Threat Model
Next by Date: A revised 'Key Backup Format' document
Prev by thread: A revised 'Key Backup Format' document
Next by thread: Re: A revised 'Key Backup Format' document
Index(es):
- Date
- Thread