Hi Jim,

On Dec 14, 2005, at 4:18 PM, james hughes wrote:

The 520 byte mode is important because it contains a CRC and other "stuff" to determine the authenticity of the data...

There may be confidentiality motivations for encrypting the CRC, in addition to the authentication method that you mention below. Consider the case in which an attacker knows 508 bytes of plaintext, but not the full 512 bytes of plaintext. If there is a four-byte CRC of the plaintext in the clear, then the attacker can recover all of the information. (Of course, if the CRC is over the ciphertext rather than the plaintext, then this concern doesn't apply.)


If we did a mode that encrypted the extra 8 bytes using the counters in this 8 as part of the tweak, and somehow manipulated the CRC so that tampering anywhere in the packet will randomize the (puny 16 bit) CRC, this would be valuable? This way, the operation of the encryptor will be validated end to end???

I think that if each block and each extra 8 bytes were encrypted using an independent random codebook, this would turn the CRC check into a validation check. I think that some extension of LRW can essentially do this (we'd need to have the last LRW block be a 24-byte block). For sure XCB does this.


This would mean that the storage devices cannot check the 2 CRC?

Stated another way, is it legal to have a 520 byte sector that does conform to the extra 8 standard above the encryptor and below the encryptor is a true 520 byte sector?

I'm not quite sure what you mean. Sorry, but my ignorance of disk systems is showing ;-)

David


Comment?

Thanks

jim
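
The leak David describes for a cleartext CRC of the plaintext, as an added example that is not part of the original message: a CRC is affine over GF(2), so the stored CRC pins down four unknown bytes exactly, which is why it has to be encrypted or computed over the ciphertext. The example assumes CRC-32 as implemented by Python's `zlib.crc32` as a stand-in for the four-byte CRC; `recover_unknown` and `demo` are hypothetical names and the sector contents are constructed.

```python
import zlib

SECTOR = 512   # plaintext sector size from the thread
UNKNOWN = 4    # bytes the attacker does not know

def recover_unknown(known: bytes, offset: int, crc: int) -> bytes:
    """Recover UNKNOWN bytes at `offset`; `known` has those bytes zeroed."""
    base = zlib.crc32(known)
    # Flipping message bit i always XORs the same 32-bit pattern into the CRC,
    # regardless of the other bits. Collect that pattern for each unknown bit.
    cols = []
    for bit in range(8 * UNKNOWN):
        probe = bytearray(known)
        probe[offset + bit // 8] ^= 1 << (bit % 8)
        cols.append(zlib.crc32(bytes(probe)) ^ base)
    # Gaussian elimination over GF(2). pivots maps a leading CRC bit to
    # (reduced pattern, mask of the message bits whose patterns XOR to it).
    pivots = {}
    for i, col in enumerate(cols):
        mask = 1 << i
        while col:
            top = col.bit_length() - 1
            if top not in pivots:
                pivots[top] = (col, mask)
                break
            pcol, pmask = pivots[top]
            col, mask = col ^ pcol, mask ^ pmask
    # Express (stored CRC xor base CRC) as an XOR of the collected patterns.
    target, solution = crc ^ base, 0
    while target:
        pcol, pmask = pivots[target.bit_length() - 1]
        target, solution = target ^ pcol, solution ^ pmask
    return solution.to_bytes(UNKNOWN, "little")

def demo(offset: int = 200) -> bool:
    # Constructed sample sector; not data from any real device.
    sector = bytes((i * 7 + 3) % 256 for i in range(SECTOR))
    stored_crc = zlib.crc32(sector)            # CRC of plaintext, in the clear
    known = bytearray(sector)
    known[offset:offset + UNKNOWN] = bytes(UNKNOWN)   # attacker's 508 bytes
    guess = recover_unknown(bytes(known), offset, stored_crc)
    return guess == sector[offset:offset + UNKNOWN]

if __name__ == "__main__":
    print("recovered the 4 unknown bytes:", demo())
```
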
