Laszlo, Are you worried about the fact that XML parsing is needed to export/import the key? or bothered by the way the key material is encrypted? For the latter, the P1619-D4 document suggests to encrypt the key using standard XML encryption methods; this translates most likely to using AES, which will be an existing tool on a drive that uses LRW-AES. For the former, I can envision that parsing will be done on a different computer but the encrypted key material is transferred into/out of the drive. The original intention for the key export format was to allow it to be stored elsewhere, not on the disk itself.
Dalit. [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] To RG [EMAIL PROTECTED] cc 31/03/2006 01:54 Subject AM P1619-disk: key export w/o encrypting keys The last paragraph of P1619-D4 document says, that the "LRW-AES transform should not be used to encrypt its own secret-key". (I am not aware of this restriction for CBC, ECB or counter mode. Which other encryption modes have this requirement?) With the key export procedure, this represents a serious limitation. It becomes forbidden to export/archive keys with ordinary tools in a computer, with a single encrypting disk drive. When the XML document is created, the OS could swap the memory to disk, or the editor could save temporary copies of the document, which contains the keys in the clear. On the disk these create forbidden encrypted copies of the key. These necessitate the use of specially designed editors, special OS versions (like DOS, which don't swap data to disk) or creating the XML file on another computer (and securely transferring the key there). I understand, that this issue is not to be covered by the standard, but we have to know, that the problem can be solved with reasonable complexity and costs, otherwise we will not be able to manufacture and sell secure LRW storage for the mass market. What was the envisioned procedure? A laptop user has to boot from a CD, specially crafted for his computer (with all the necessary device drivers), and run an XML editor from the CD, which only saves temporary files encrypted with an independent key? There must be something simpler, because the above procedure is too complicated: the user has to burn a special CD with his particular set of device drivers (all a huge set to cover all the cases), boot from this CD, activate the key derivation/extraction procedure to get the key into the document, figure out the scope of the key, etc., enter a high entropy XML encryption key, and then save the encrypted file on the disk. He also has to remember never to decrypt/view the encrypted XML file in his computer under normal working mode, when the OS could swap plaintext data to disk. Laszlo