Re: Hard Drive Destruct System?
From: Walter Roberson (roberson_at_ibd.nrc-cnrc.gc.ca)
Date: 11/28/04
- Next message: Bill Unruh: "Re: Hard Drive Destruct System?"
- Previous message: News Reader: "Re: Can't get ThinkPad T42 to connect to Netgear MR314 w/ 128 bit WEP"
- In reply to: Casper H.S. ***: "Re: Hard Drive Destruct System?"
- Next in thread: Bill Unruh: "Re: Hard Drive Destruct System?"
- Reply: Bill Unruh: "Re: Hard Drive Destruct System?"
- Reply: Casper H.S. ***: "Re: Hard Drive Destruct System?"
Date: 28 Nov 2004 18:52:04 GMT
In article <41a9d01d$0$78749$e4fe514c@news.xs4all.nl>,
Casper H.S. *** <Casper.***@Sun.COM> wrote:
:Right; but for random access disks "CBC" mode is not possible
:unless you can be sure that all accesses will be of equal size
:and on the appropriate boundaries. Or you would need to reset the
:IV every 512 bytes (which still doesn't help much).

That's pretty much what I said ;-)

:AES CTR (counter) mode is much more promising; this basically turns
:AES into a Random number generator with a different random number
:for each encrypted block:
: Encrypt(Key, Nonce + Counter) Xor^ Plaintext
:where Nonce is a random but fixed number and Counter is the block
:index (block cipher blocks, not disk blocks)

How would you know the proper nonce and counter to use for
any particular disk block? You have distinguished between the
nonce and the key, so either "nonce + counter" is calculated by
a constant formula for any given disk block, or else the user
would have to enter two "keys", one of which is really the nonce.
Recall that this isn't a message transmission stream where a nonce
can be generated and securely interchanged during the authentication
phase.

If "nonce + counter" is calculated by a constant formula for any
particular disk sector, then if the attacker can get access to
the system while it is operational with the valid key, they can
read the encrypted contents of a disk block and then have the system
write the block with known contents (e.g., all blanks.) They would
then read off the encrypted result and xor it with the contents
they knew they wrote there, and that would give them
the Encrypt(Key, Nonce + Counter) that was valid for that disk block.
They would take that value and xor it with the previously recorded
encrypted contents, and the result they would get back would be
the original unencrypted content of the block.

Further to this: if the attackers can gain read access to the encrypted
drive even when it is not writing under the aegis of the appropriate
key, they can image the disk and withdraw. At a later time when
some interesting information has been written to the disk, they can
come back and re-image it. If they then xor the two recorded images,
the Encrypt(Key, Nonce + Counter) for each disk block will cancel
out, leaving them with the xor of the changes to the drive contents.
In any block in which the original plaintext content was NULLs
[e.g. because nothing had been written there yet], the new disk
block content after the series of xor's will be the plaintext of the
new disk block contents; similarly, in any block in which the
original plaintext content was not null but was overwritten with NULLs
[e.g., because the block was released from use], the new disk block
content after the series of xor's will be the plaintext of the
original block contents.
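
Both scenarios described in the message above, run against a toy disk, as an added example that is not part of the original post. HMAC-SHA256 stands in for AES (an assumption, so that only the standard library is needed; the outcome depends only on the keystream being a fixed function of the block index), and `CtrDisk`, `recover_via_known_write` and `diff_images` are hypothetical names.

```python
import hashlib
import hmac
import os

SECTOR = 512   # disk sector size in bytes
BLOCK = 16     # AES block size in bytes

def keystream(key: bytes, nonce: int, sector_no: int) -> bytes:
    """Encrypt(Key, Nonce + Counter) for every cipher block of one sector.
    HMAC-SHA256 truncated to 16 bytes is a stand-in PRF for AES (assumption)."""
    first = sector_no * (SECTOR // BLOCK)      # counter = cipher-block index
    out = b""
    for counter in range(first, first + SECTOR // BLOCK):
        msg = (nonce + counter).to_bytes(16, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()[:BLOCK]
    return out

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class CtrDisk:
    """Toy disk whose CTR counter is a constant function of the sector number."""
    def __init__(self, sectors: int):
        self._key = os.urandom(32)
        self._nonce = int.from_bytes(os.urandom(8), "big")
        self.raw = [b""] * sectors             # ciphertext as stored on the medium
        for n in range(sectors):
            self.write(n, bytes(SECTOR))       # fresh disk: plaintext NULLs

    def write(self, n: int, plaintext: bytes) -> None:
        self.raw[n] = xor(keystream(self._key, self._nonce, n), plaintext)

def recover_via_known_write(disk: CtrDisk, n: int) -> bytes:
    """First scenario: record the ciphertext, then have the live system
    write known contents to the same sector."""
    recorded = disk.raw[n]
    known = b" " * SECTOR                      # "all blanks"
    disk.write(n, known)
    ks = xor(disk.raw[n], known)               # = Encrypt(Key, Nonce + Counter)
    return xor(ks, recorded)                   # original plaintext of the sector

def diff_images(before: list, after: list) -> list:
    """Second scenario: XOR two raw images; the keystream cancels per sector,
    leaving old_plaintext XOR new_plaintext."""
    return [xor(a, b) for a, b in zip(before, after)]
```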