I'm resending this message because it was rejected by the e-mail
server.  I noticed that this has happened to other people as
well.  Here is an error message that Jim forwarded to me after the
last meeting:

        The enclosed message, found in the STDS-P1619 mailbox and shown under
        the spool ID 2510543 in the system log, has been identified as a
        possible delivery error notice for the following reason: "Sender:",
        "From:" or "Reply-To:" field pointing to the list has been found in
        mail body.

I suspect that it's necessary to delete instances of certain
strings within the message body.  I've gone through and
deleted all instances of the string 'From:' in hopes that this
won't get bounced.

-Matt

-----Original Message-----
***** Matt Ball 
Sent: Monday, March 27, 2006 9:27 AM
To: 'laszlo'; [EMAIL PROTECTED]
Subject: RE: P1619 - non-removable


Hi Laszlo,

I recommended the GCM mode of P1619.1 because it would also be well-
suited to a hard disk implementation.  Although the scope for P1619.1
states that it is "an architecture for protection of data in
variable-length block storage devices", the solution is equally
applicable to fixed-block storage devices such as disk drives.  

The only requirement for a 1619.1-compliant disk drive is that the
drive appends a 16-byte MAC to each 'record'.  Since many disk
drives already have provisions for supporting a CRC, it would not
be too difficult to replace this with a cryptographically secure
Message Authentication Code.

GCM mode in particular would be an excellent solution for a disk
drive.  The hardware complexity is roughly equivalent to that
of LRW (one AES-encr block, and one 128-bit Galois multiplier).

Here are a couple of other useful features for GCM:
- Uses a 128-bit message authentication code (MAC)
- Uses counter (CTR) mode encryption, allowing any size for the plaintext
  and ciphertext.
- Allows Additional Authenticated Data (AAD), which is included
  in the MAC computation, but is not encrypted
- It is possible to incrementally compute the MAC because of the
  linear nature of the Galois field multiplier.  This allows for
  parallel implementations (GCM essentially uses GMAC)
- NIST is nearly ready to approve GCM mode for FIPS 140-2 (or FIPS 140-3).

Since most new disk drives will begin supporting 4096-byte sectors,
it would be possible to add a 16-byte MAC to each sector without
incurring too much overhead (overhead = 0.4% for a 4096-byte sector).

The only trick with GCM mode is that it is much more important to make
sure the IV is unique across different vendors.  The P1619.1-D5 draft
currently mitigates this problem by providing a standard key-transform
algorithm, or by imposing requirements for an IV that is derived from a
cryptographically secure pseudo-random number generator.

See the latest P1619.1-D5 draft for more details.  Let me know if
you have any other questions!

-Matt
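
Matt's list above credits GCM's parallel and incremental MAC computation to the linearity of the Galois field multiplier. The following Python is an added example, not part of this thread or of the P1619.1 draft: it implements the GHASH core of GCM (GF(2^128) multiplication as in NIST SP 800-38D) and shows that property on a constructed 64-byte "sector" of ciphertext with an 8-byte sector number as AAD. The serial GHASH, a per-block parallel evaluation, and an incremental update after one block is rewritten all produce the same value, and the code checks itself against the GHASH value from NIST's GCM test case 2. The hash subkey, sector data and sector number are constructed values; since there is no AES here, this is the GHASH part of the tag only (a real GCM tag additionally XORs in the encrypted initial counter block).

```python
# Added example: GHASH, the Galois-field MAC core of GCM (NIST SP 800-38D).
# Shows why the MAC can be computed in parallel or updated incrementally.
# Constructed values only; no AES, so this is the GHASH part of a tag, not a full tag.

R = 0xE1 << 120    # reduction constant for x^128 + x^7 + x^2 + x + 1 in GCM bit order
ONE = 1 << 127     # multiplicative identity in GCM's bit ordering (bit 0 is the MSB)
BLOCK = 16         # bytes per 128-bit block


def gf_mult(x, y):
    """Multiply two 128-bit field elements (SP 800-38D, Algorithm 1)."""
    z, v = 0, x
    for i in range(128):
        if (y >> (127 - i)) & 1:
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z


def gf_pow(h, k):
    """h raised to the k-th power by repeated multiplication."""
    result = ONE
    for _ in range(k):
        result = gf_mult(result, h)
    return result


def to_blocks(data):
    """Zero-pad to a multiple of 16 bytes and split into big-endian 128-bit ints."""
    padded = data + b"\x00" * (-len(data) % BLOCK)
    return [int.from_bytes(padded[i:i + BLOCK], "big") for i in range(0, len(padded), BLOCK)]


def ghash_input(aad, ciphertext):
    """A padded, C padded, then the 64-bit bit lengths of A and C in one final block."""
    length_block = (len(aad) * 8) << 64 | (len(ciphertext) * 8)
    return to_blocks(aad) + to_blocks(ciphertext) + [length_block]


def ghash_serial(h, blocks):
    """Horner-style evaluation: Y_i = (Y_{i-1} XOR X_i) * H."""
    y = 0
    for x in blocks:
        y = gf_mult(y ^ x, h)
    return y


def ghash_parallel(h, blocks):
    """Same value as a sum of independent terms X_i * H^(m-i+1); each term can be
    computed on its own multiplier and the results XORed (the GMAC linearity)."""
    m = len(blocks)
    acc = 0
    for i, x in enumerate(blocks, start=1):
        acc ^= gf_mult(x, gf_pow(h, m - i + 1))
    return acc


def ghash_update(h, old_hash, m, j, old_block, new_block):
    """Incremental update when block j (1-based, of m) changes: only the
    difference times the matching power of H has to be folded in."""
    return old_hash ^ gf_mult(old_block ^ new_block, gf_pow(h, m - j + 1))


def sector_demo():
    """Constructed 64-byte 'sector' of ciphertext with an 8-byte sector number as AAD."""
    h = int.from_bytes(bytes(range(1, 17)), "big")   # constructed hash subkey (normally AES_K(0))
    aad = (0x1234).to_bytes(8, "big")                 # constructed sector number
    old_sector = bytes(range(64))
    new_sector = old_sector[:32] + b"\xff" * 16 + old_sector[48:]   # third block rewritten

    old_blocks = ghash_input(aad, old_sector)
    new_blocks = ghash_input(aad, new_sector)
    m = len(old_blocks)
    j = len(to_blocks(aad)) + 3                       # position of the changed block

    full_old = ghash_serial(h, old_blocks)
    full_new = ghash_serial(h, new_blocks)
    incremental = ghash_update(h, full_old, m, j, old_blocks[j - 1], new_blocks[j - 1])
    return full_new == incremental == ghash_parallel(h, new_blocks)


def known_answer_check():
    """GHASH(H, A=empty, C) from NIST GCM test case 2 (zero key, one zero plaintext block)."""
    h = 0x66E94BD4EF8A2C3B884CFA59CA342B2E
    c = bytes.fromhex("0388dace60b6a392f328c2b971b2fe78")
    expected = 0xF38CBB1AD69223DCC3457AE5B6B0F885
    return ghash_serial(h, ghash_input(b"", c)) == expected


if __name__ == "__main__":
    print("known-answer test:", known_answer_check())
    print("serial == parallel == incremental:", sector_demo())
```

The incremental path is what makes a per-sector MAC cheap to maintain on a drive: a rewrite of one 16-byte block costs one field multiplication and an XOR rather than a pass over the whole sector, and the per-block terms in ghash_parallel are exactly what independent multipliers would compute side by side.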


-----Original Message-----
***** stds-p1619@LISTSERV.IEEE.ORG
[mailto:[EMAIL PROTECTED]] On Behalf Of laszlo
Sent: Friday, March 24, 2006 7:31 PM
To: [EMAIL PROTECTED]
Subject: RE: P1619 - non-removable


Matt,

>> Have you considered using the GCM mode of P1619.1 for your disk drives?

We are not involved in the tape business, so I did not pay attention.
Could you tell me, in a nutshell, what the advantages of GCM are over
the simple AES counter mode?

>> I can't see any reason to make any more changes to P1619 at this time.

In the last teleconference I expressed my concerns that the WG would not
take the security of non-removable storage seriously. I was promised
that the WG would fully support it. The last two weeks and your comment
show the opposite. I only voted for submitting the draft for editorial
review, because I believed that alternatives would be added to it. I
cannot change my cast vote, but it proved to be a mistake. I can only
repeat what I have said several times: the current proposal is useless
for the overwhelming majority of secure storage applications. I thought
it was a damn good reason for changing the draft.

Laszlo

> -------- Original Message --------
> Subject: RE: P1619 - non-removable
> ***** "Matt Ball"
> Date: Fri, March 24, 2006 6:42 pm
> To: laszlo, stds-p1619
> 
> Hi Laszlo,
> 
> Have you considered using the GCM mode of P1619.1 for your disk drives?
> I think it has most or all the features you're looking for.
> 
> I skimmed through your document, and it looks like there's a lot of
> stuff in there that has already been covered by the SATA spec (like
> master passwords and such), or will likely be covered by the
> Trusted Computing Group (user authentication and access control).
> These things are beyond the scope of this working group.
> 
> The other complaints are basically handled by the GCM mode.
> 
> I can't see any reason to make any more changes to P1619 at this
> time.
> 
> -Matt
