Authenticated Encryption with Length Expansion for Storage Devices

Recently, I've been working on disk encryption. I started with the AES-XTS mode which is the standard for this purpose and tried to understand the concept of disk encryption in general.

I know that AES-XTS is preferable from many aspects for disk encryption as long as authentication is not requested. You don't need to store additional data for an authentication tag or IV and it is more resistant against malleability. However, this resistance is not sufficient for proper authentication since an attacker can still make changes on data without being detected.

In this concept, I reviewed the IEEE Std 1619.1-2018 document, which is the IEEE Standard for Authenticated Encryption with Length Expansion for Storage Devices. The cryptographic modes of operation allowed as alternatives by this standard are given in Table 1. Again, the parameter limits of these modes are shown in Table 2. I think these modes are not much different from each other in terms of performance (maybe I'm wrong). Could you compare these modes in terms of security? If you had a choice from this table, which one would you choose? If your choice depends on usage scenarios, which one would you choose under what conditions?


Amit
All of the above are considered as secure except perhaps for: CBC-AES-256-HMAC-SHA-1 because SHA-1 is largely considered as deprecated (HMAC-SHA-1 however is still considered okay, but I would still recommend avoiding it). So you probably need to focus on assessing them for exactly what kind of disk encryption you're interested in. Are the files only going to be decrypted once, when the operating system starts? Are they encrypted every time a file is saved? Etc. In other words: performance considerations. And for this, I suggest you consult published benchmark results.
NB_1907
Thank you for your response. Actually, there is no specific requirement for the encryption process. Could you give your recommendations for different usage scenarios? In addition, is there any paper you can suggest for benchmark results?
Amit
(1) @NB_1907 -- I can only give you a general pointer, which is that stream ciphers are in general more performance-friendly, in particular when you need to modify existing ciphertext blocks or insert data in the middle of a file, as opposed to appending data. That's because stream ciphers by construction operate on the bit level and not on the block level. However -- this can become somewhat more complicated owing to the fact that recalculating MACs after data modification is also an operation that differs from cipher to cipher, and this is always required, whether it's a block or a stream..
Amit
(2) .. cipher. So to summarize I guess it goes full circle to benchmarking and in particular it's important to find a benchmark that tests different record size configurations, since I am assuming in the table above the "record size" is also related to the size of the chunks on which each MAC tag is calculated.
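
An added example, not part of the thread, showing the trade-off the question describes: XTS stores nothing extra but decrypts tampered ciphertext without complaint, while an AEAD record grows by a nonce and a tag and rejects the same change. It assumes the Python `cryptography` package, a 4096-byte record, and AES-GCM as a representative AEAD mode; all function names, keys and data are constructed for illustration.

```python
# Added illustration: keys and sector contents are constructed, not from the thread.
import os
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

SECTOR = 4096  # assumed record size in bytes

def xts(key, sector_no, data, decrypt=False):
    """AES-256-XTS over one sector; the tweak is the sector number."""
    cipher = Cipher(algorithms.AES(key), modes.XTS(sector_no.to_bytes(16, "little")))
    op = cipher.decryptor() if decrypt else cipher.encryptor()
    return op.update(data) + op.finalize()

def gcm_seal(key, sector_no, data):
    """Return nonce || ciphertext || tag: 28 bytes longer than the input."""
    nonce = os.urandom(12)
    aad = sector_no.to_bytes(8, "little")  # binds the record to its position
    return nonce + AESGCM(key).encrypt(nonce, data, aad)

def gcm_open(key, sector_no, record):
    """Raises InvalidTag if the record or its sector number was altered."""
    aad = sector_no.to_bytes(8, "little")
    return AESGCM(key).decrypt(record[:12], record[12:], aad)

def flip_bit(buf, offset):
    out = bytearray(buf)
    out[offset] ^= 0x01
    return bytes(out)

def demo():
    plain = bytes(range(256)) * (SECTOR // 256)
    xts_key, gcm_key = os.urandom(64), os.urandom(32)
    xts_ct = xts(xts_key, 7, plain)
    gcm_rec = gcm_seal(gcm_key, 7, plain)
    # XTS: decryption succeeds; exactly one 16-byte block comes back as garbage.
    tampered = xts(xts_key, 7, flip_bit(xts_ct, 100), decrypt=True)
    damaged = [i for i in range(0, SECTOR, 16)
               if tampered[i:i + 16] != plain[i:i + 16]]
    # AEAD: the same single-bit change fails tag verification.
    try:
        gcm_open(gcm_key, 7, flip_bit(gcm_rec, 100))
        rejected = False
    except InvalidTag:
        rejected = True
    return len(xts_ct) - len(plain), len(gcm_rec) - len(plain), damaged, rejected

if __name__ == "__main__":
    print(demo())
```

The 28 bytes per record are the length expansion; with a smaller record size the same fixed cost is paid more often, which is why the record size matters for both storage overhead and MAC recalculation.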