Thread Links			Date Links
Thread Prev	Thread Next	Thread Index	Date Prev	Date Next	Date Index

Re: Threat Model

To: SISWG <stds-p1619@IEEE.ORG>
Subject: Re: Threat Model
From: Shai Halevi <shaih@WATSON.IBM.COM>
Date: Wed, 14 Apr 2004 09:40:36 -0400
In-Reply-To: <68CA5FA0-8DB4-11D8-B6F3-000A95A27482@stortek.com>
Organization: IBM
References: <200404132101.23118.shaih@watson.ibm.com> <68CA5FA0-8DB4-11D8-B6F3-000A95A27482@stortek.com>
Sender: owner-stds-p1619@LISTSERV.IEEE.ORG
User-Agent: KMail/1.5

> If we consider the application is adding these 8 bytes and then later
> we are EME (or similar) the entire 520 bytes, if the attacker tampers
> with the data then the 8 byte check will be garbage and the reader
> knows this.

hmm.. EME-AES is designed for integral number of 16-byte blocks. We
did have an extension that works for any number of bytes, but we never
published it anywhere, and also never wrote a proof of security for it.
(It adds only a single AES encryption operation over the current EME if
you can fit the the tweak and the guard in one 16-byte block, and two
AES encryptions otherwise.) Anyone knows why they decided on 64 bits?

> The points along the way (between the host and the encryptor) can check
> the 8 bytes for validity, and the points after the encryptor just
> passes the bits.
>
> This is more coverage than just adding an 8 byte integrity field
> because it does not protect between the encryptor and the host, it
> only protects between the encryptor and the disk and back...

The protection between the encryptor and the host is non-cryptograpic,
though. And it is not quite "protection" until you specify precisely
how the application should check this block.

-- Shai

Follow-Ups:
- Re: Threat Model
  - From: james Hughes

References:
- Re: Threat Model
  - From: Shai Halevi
- Re: Threat Model
  - From: james Hughes

Prev by Date: Re: Threat Model
Next by Date: Re: Threat Model
Prev by thread: Re: Threat Model
Next by thread: Re: Threat Model
Index(es):
- Date
- Thread