I don't know anything about the compliance tests, I just see that the XTS mode 
is in the code and that it looks inconsistent with the other modes.

I suppose "Feature rather than bug?" is the question I'm trying to get answered.

The XTS documentation (IEEE Std 1619-2007) is pretty clear in section 5.1 that 
mapping between the encryption data units and the placement on the storage 
device isn't defined by the standard. So I don't think there's anything that 
should limit the encryption data units to a single contiguous block (i.e. one 
call to CipherUpdate).

Greg Bryant



From: [email protected] [mailto:[email protected]] On 
Behalf Of Peter Waltenberg
Sent: Saturday, April 27, 2013 6:08 AM
To: [email protected]
Subject: Re: AES-XTS mode doesn't chain between successive calls to 
EVP_CipherUpdate?

The OpenSSL implementation passes the NIST XTS compliance tests?

XTS was designed to do in-place encryption of blocks of data (disk encryption 
etc.).

Feature rather than bug?

Pete



[email protected] wrote: -----
To: "[email protected]" <[email protected]>
From: "Greg Bryant (grbryant)"
Sent by: [email protected]
Date: 04/26/2013 11:32PM
Subject: AES-XTS mode doesn't chain between successive calls to 
EVP_CipherUpdate?

I sent this to openssl-users a couple of days ago, but haven't gotten a 
response. Perhaps it's more of a "dev" question:

Looking at the xts128.c code, it looks like the "tweak" is recalculated from 
scratch every time CRYPTO_xts128_encrypt() is called:

    memcpy(tweak.c, iv, 16);
    (*ctx->block2)(tweak.c,tweak.c,ctx->key2);

It seems like this would break the chaining between successive calls to 
EVP_CipherUpdate, requiring that the plaintext be encrypted in its entirety 
with one call to EVP_CipherUpdate. Other chaining modes preserve the chaining 
state in the context (CTR mode, for example, saves the ctr in "IVEC"). There's 
nothing in the XTS context structure that would preserve the "tweak", though.

Am I missing where this chaining occurs? Or is this a bug? Or is it a 
requirement that XTS mode only use a single call to EVP_CipherUpdate per data 
stream? (which seems to violate the definition of EVP_CipherUpdate.)

I saw this in openssl-1.0.1, but I've checked that the relevant code in 
openssl-1.0.1e is no different.

thanks,

Greg Bryant
Technical Leader
Cisco Systems, Inc.
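
The behaviour discussed in this thread, as an added example that is not part of the original messages and is not OpenSSL code: the XTS tweak sequence wrapped around a toy stand-in block function (an assumption, not AES), encrypting 32 bytes in one call versus two 16-byte calls. The names `toy_block`, `xts_update`, `split_matches_single` and the `carry_tweak` flag are hypothetical, and all keys and data are constructed.

```c
#include <stdint.h>
#include <string.h>

struct xts { uint8_t k1[16], k2[16], tweak[16]; };

/* ASSUMPTION: toy keyed byte permutation standing in for AES so the example
 * is self-contained. NOT a real cipher; only the tweak handling is XTS. */
static void toy_block(const uint8_t *in, uint8_t *out, const uint8_t *key) {
    uint8_t t[16];
    for (int i = 0; i < 16; i++) t[i] = (uint8_t)((in[i] ^ key[i]) * 7 + i);
    for (int i = 0; i < 16; i++) out[i] = t[(i + 5) % 16] ^ key[(i * 3) % 16];
}

/* Multiply the tweak by alpha in GF(2^128), little-endian byte order. */
static void mul_alpha(uint8_t t[16]) {
    uint8_t msb = t[15] >> 7;
    for (int i = 15; i > 0; i--) t[i] = (uint8_t)((t[i] << 1) | (t[i - 1] >> 7));
    t[0] = (uint8_t)((t[0] << 1) ^ (msb ? 0x87 : 0));
}

/* carry_tweak == 0: re-derive the tweak from iv (the quoted xts128.c lines);
 * nonzero: resume from the tweak saved in the context (hypothetical option). */
static void xts_update(struct xts *c, const uint8_t *iv, const uint8_t *in,
                       uint8_t *out, size_t len, int carry_tweak) {
    if (!carry_tweak) {
        memcpy(c->tweak, iv, 16);
        toy_block(c->tweak, c->tweak, c->k2);
    }
    for (size_t off = 0; off + 16 <= len; off += 16) {   /* whole blocks only */
        uint8_t b[16];
        for (int i = 0; i < 16; i++) b[i] = in[off + i] ^ c->tweak[i];
        toy_block(b, b, c->k1);
        for (int i = 0; i < 16; i++) out[off + i] = b[i] ^ c->tweak[i];
        mul_alpha(c->tweak);                 /* advance to the next block */
    }
}

/* Returns 1 if two 16-byte calls produce the same bytes as one 32-byte call. */
int split_matches_single(int carry_tweak) {
    struct xts c;
    uint8_t iv[16] = {1}, pt[32], one[32], two[32];      /* constructed inputs */
    for (int i = 0; i < 16; i++) { c.k1[i] = (uint8_t)(i + 1); c.k2[i] = (uint8_t)(0xA0 + i); }
    for (int i = 0; i < 32; i++) pt[i] = (uint8_t)i;
    xts_update(&c, iv, pt, one, 32, 0);                      /* single call */
    xts_update(&c, iv, pt, two, 16, 0);                      /* first half  */
    xts_update(&c, iv, pt + 16, two + 16, 16, carry_tweak);  /* second half */
    return memcmp(one, two, 32) == 0;
}

int main(void) { return (split_matches_single(0) == 0 && split_matches_single(1) == 1) ? 0 : 1; }
```

With the tweak re-derived on every call, the second 16-byte call reuses the first block's tweak and its output differs from the single-call result; carrying the tweak forward makes the two match.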