Re: Hard Drive Destruct System?
From: Bill Unruh (unruh_at_string.physics.ubc.ca)
Date: 11/28/04
- Next message: Bill Unruh: "Re: Hard Drive Destruct System?"
- Previous message: Al Dykes: "Re: Hard Drive Destruct System?"
- In reply to: Walter Roberson: "Re: Hard Drive Destruct System?"
- Next in thread: Casper H.S. ***: "Re: Hard Drive Destruct System?"
Date: 28 Nov 2004 19:07:48 GMT
roberson@ibd.nrc-cnrc.gc.ca (Walter Roberson) writes:
]:AES CTR (counter) mode is much more promising; this basically turns
]:AES into a Random number generator with a different random number
]:for each encrypted block:
]: Encrypt(Key, Nonce + Counter) Xor^ Plaintext
]:where Nonce is a random but fixed number and Counter is the block
]:index (block cipher blocks, not disk blocks)
]How would you know the proper nonce and counter to use for
]any particular disk block? You have distinguished between the

Nonce = general for disk. Counter = block number.

]nonce and the key, so either "nonce + counter" is calculated by
]a constant formula for any given disk block, or else the user
]would have to enter two "keys", one of which is really the nonce.

encrypt(encrypt(key,Nonce+counter)XOR plaintext)
or probably even just
encrypt(key, counter XOR plaintext)

]Recall that this isn't a message transmission stream where a nonce
]can be generated and security interchanged during the authentication
]phase.
]If "nonce + counter" is calculated by a constant formula for any
]particular disk sector, then if the attacker can get access to
]the system while it is operational with the valid key, they can
]read the encrypted contents of a disk block and then have the system
]write the block with known contents (e.g., all blanks.) They would
]then read off the encrypted result and xor it with the contents
]they knew they wrote there, and that would give them
]the Encrypt(Key, Nonce + Counter) that was valid for that disk block.
]They would take that value and xor it with the previously recorded
]encrypted contents, and the result they would get back would be
]the original unencrypted content of the block.
]Further to this: if the attackers can gain read access to the encrypted
]drive even when it is not writing under the aegis of the appropriate
]key, they can image the disk and withdraw. At a later time when
]some interesting information has been written to the disk, they can
]come back and re-image it. If they then xor the two recorded images,
]the Encrypt(Key, Nonce + Counter) for each disk block will cancel
]out, leaving them with the xor of the changes to the drive contents.
]In any block in which the original plaintext content was NULLs
][e.g. because nothing had been written there yet], the new disk
]block content after the series of xor's will be the plaintext of the
]new disk block contents; similarly, in any block in which the
]original plaintext content was not null but was overwritten with NULLs
][e.g., because the block was released from use], the new disk block
]content after the series of xor's will be the plaintext of the
]original block contents.
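
The two-image observation in the quoted text above, as an added example that is not part of the original post: when the keystream for a disk position is fixed, the XOR of two ciphertext images of that position equals the XOR of the two plaintexts. Assumptions: HMAC-SHA256 truncated to 16 bytes stands in for Encrypt(Key, Nonce + Counter) so the sketch runs with the standard library only, and the function names, the 64-byte sector size and all sample data are constructed.

```python
import hashlib
import hmac

BLOCK = 16  # cipher block size in bytes (AES block size)

def keystream_block(key: bytes, nonce: bytes, counter: int) -> bytes:
    """Stand-in for Encrypt(Key, Nonce + Counter); HMAC-SHA256, not AES (assumption)."""
    msg = nonce + counter.to_bytes(8, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()[:BLOCK]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_sector(key: bytes, nonce: bytes, sector: int, data: bytes) -> bytes:
    """CTR-style sector encryption; counter = cipher-block index on the disk.

    The keystream depends only on (key, nonce, position), so every rewrite of
    the same sector reuses it. Decryption is the same operation.
    """
    blocks = len(data) // BLOCK
    out = bytearray()
    for i in range(blocks):
        counter = sector * blocks + i
        ks = keystream_block(key, nonce, counter)
        out += xor(ks, data[i * BLOCK:(i + 1) * BLOCK])
    return bytes(out)

def snapshot_diff(image_before: bytes, image_after: bytes) -> bytes:
    """XOR of two ciphertext images of one sector: the keystream cancels."""
    return xor(image_before, image_after)

def demo():
    key = hashlib.sha256(b"constructed demo key").digest()
    nonce = b"constructed-nonce"          # fixed for the whole disk
    sector = 7
    unused = bytes(64)                    # sector not yet written: all NULLs
    record = b"constructed sample record".ljust(64, b".")
    before = encrypt_sector(key, nonce, sector, unused)
    after = encrypt_sector(key, nonce, sector, record)
    return record, before, after, snapshot_diff(before, after)

if __name__ == "__main__":
    record, before, after, diff = demo()
    print("each image alone looks random:", before[:8].hex(), after[:8].hex())
    print("diff of the two images       :", diff[:25])
    print("diff equals new plaintext    :", diff == record)
```

Disk-encryption designs avoid this by not using a position-only keystream for rewritable sectors; the check above is a quick regression test for that property in any sector-encryption routine.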