I'm resending this message because it was rejected by the e-mail server. I noticed that this has happened to other people as well. Here is an error message that Jim forwarded to me after the last meeting:
The enclosed message, found in the STDS-P1619 mailbox and shown under the spool ID 2510543 in the system log, has been identified as a possible delivery error notice for the following reason: "Sender:", "From:" or "Reply-To:" field pointing to the list has been found in mail body. I suspect that it's necessary to delete instances of certain strings within the message body. I've gone through and deleted all instances of the string 'From:' in hopes that this won't get bounced. -Matt -----Original Message----- ***** Matt Ball Sent: Monday, March 27, 2006 9:27 AM To: 'laszlo'; [EMAIL PROTECTED] Subject: RE: P1619 - non-removable Hi Lazlo, I recommended the GCM mode of P1619.1 because it would also be well- suited to a hard disk implementation. Although the scope for P1619.1 states that it is "an architecture for protection of data in variable-length block storage devices", the solution is equally applicable to fixed-block storage devices such as disk drives. The only requirement for a 1619.1-compliant disk drive is that the drive appends a 16-byte MAC to each 'record'. Since many disk drives already have provisions for supporting a CRC, it would not be too difficult to replace this with a cryptographically secure Message Authentication Code. GCM mode in particular would be an excellent solution for a disk drive. The hardware complexity is roughly equivalent to that of LRW (one AES-encr block, and one 128-bit Galois multiplier). Here are a couple of other useful features for GCM: - Uses a 128-bit message authentication code (MAC) - Uses counter (CTR) mode encryption, allowing any size for the plaintext and ciphertext. - Allows Additional Authenticated Data (AAD), which is included in the MAC computation, but is not encrypted - It is possible to incrementally compute the MAC because of the linear nature of the Galois field multiplier. This allows for parallel implementations (GCM essentially uses GMAC) - NIST is nearly ready to approve GCM mode for FIPS 140-2 (or FIPS 140-3). Since most new disk drives will begin support 4096-byte sectors, it would be possible to add a 16-byte MAC to each sector without incurring too much overhead (overhead = 0.4% for 4096-byte sector). The only trick with GCM mode is that it is much more important to make sure the IV is unique across different vendors. The P1619.1-D5 draft current mitigates this problem by providing a standard key-transform algorithm, or imposes requirements for an IV that is derived from a cryptographically-secure pseudo-random number generator. See the latest P1619.1-D5 draft for more details. Let me know if you have any other questions! -Matt -----Original Message----- ***** stds-p1619@LISTSERV.IEEE.ORG [mailto:[EMAIL PROTECTED] Behalf Of laszlo Sent: Friday, March 24, 2006 7:31 PM To: [EMAIL PROTECTED] Subject: RE: P1619 - non-removable Matt, >> Have you considered using the GCM mode of P1619.1 for your disk drives? We are not involved in the tape business, so I did not pay attention. Could you tell in a nutshell, what are the advantages of GCM over the simple AES counter mode? >> I can't see any reason to make any more changes to P1619 at this time. In the last teleconference I expressed my concerns that the WG would not take the security of non-removable storage seriously. I was promised that the WG would fully support it. The last two weeks and your comment show the opposite. I only voted for submitting the draft for editorial review, because I believed that alternatives would be added to it. I cannot change my cast vote, but it proved to be a mistake. I can only repeat, what I have said several times: the current proposal is useless for the overwhelming majority of secure storage applications. I thought it was a damn good reason for changing the draft. Laszlo > -------- Original Message -------- > Subject: RE: P1619 - non-removable > ***** "Matt Ball" > Date: Fri, March 24, 2006 6:42 pm > To: laszlo, stds-p1619 > > Hi Lazlo, > > Have you considered using the GCM mode of P1619.1 for your disk drives? > I think it has most or all the features you're looking for. > > I skimmed through your document, and it looks like there's a lot of > stuff in there that has already been covered by the SATA spec (like > master passwords and such), or will likely be covered by the > Trusted Computing Group (user authentication and access control). > These things are beyond the scope of this working group. > > The other complaints are basically handled by the GCM mode. > > I can't see any reason to make any more changes to P1619 at this > time. > > -Matt