Integrated authenticity check using AES in XTS mode




I am implementing a random access encrypted data format. I am using AES
encryption in XTS mode. The user data is broken into separately
encrypted blocks. The block number is used in the XTS tweak. The data
format is write once, so it is trivial to prevent a single key-tweak pair from being reused.

In addition to encryption, I need authenticity validation. My current
implementation stores a SHA256 hash of each block in a block hash list,
generates a hash of the block hash list, and signs the final hash.

My question is on the security of eliminating the separate hash
calculation on each block, instead encrypting a known additional amount
of data at the end of each block, and using the encrypted value of this
known data as the hash for the block. Could this yield a similar level of authenticity validation as generating a SHA256 hash of each block? Are any of the other block cipher modes better suited?

Joe Lowe

--
Posted via a free Usenet account from http://www.teranews.com
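
The trailer construction asked about above, as an added example that is not part of the original post: it reproduces the XTS structure (per-position tweak, no chaining between 16-byte cipher blocks) and checks what the encrypted known trailer actually depends on. So that it runs with the standard library only, a SHA-256 Feistel permutation stands in for AES; the keys, the trailer value, the payloads and block number 7 are constructed for illustration.

```python
import hashlib

BS = 16                        # XTS works on independent 16-byte cipher blocks
TRAILER = b"KNOWN-TRAILER-16"  # constructed "known data" appended to each block

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, rnd, half):
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def prp(key, blk, decrypt=False):
    # 4-round Feistel over SHA-256: an invertible 128-bit permutation replacing AES
    l, r = blk[:8], blk[8:]
    for rnd in (range(3, -1, -1) if decrypt else range(4)):
        if decrypt:
            l, r = _xor(r, _f(key, rnd, l)), l
        else:
            l, r = r, _xor(l, _f(key, rnd, r))
    return l + r

def _next_tweak(t):
    # Multiply the tweak by alpha in GF(2^128), little-endian as in XTS
    n = int.from_bytes(t, "little") << 1
    if n >> 128:
        n = (n & ((1 << 128) - 1)) ^ 0x87
    return n.to_bytes(16, "little")

def xts(k1, k2, block_no, data, decrypt=False):
    # out_j = E_k1(in_j XOR T_j) XOR T_j: nothing links position j to any other
    t, out = prp(k2, block_no.to_bytes(16, "little")), b""
    for i in range(0, len(data), BS):
        out += _xor(prp(k1, _xor(data[i:i + BS], t), decrypt), t)
        t = _next_tweak(t)
    return out

def demo():
    k1, k2, payload = b"constructed-k1", b"constructed-k2", b"A" * 48
    ct = xts(k1, k2, 7, payload + TRAILER)
    tag = ct[-BS:]                               # proposed per-block "hash"
    other = xts(k1, k2, 7, b"B" * 48 + TRAILER)  # comparison only; the format never reuses a tweak
    tampered = bytes([ct[0] ^ 1]) + ct[1:]       # flip one bit in the first cipher block
    pt = xts(k1, k2, 7, tampered, decrypt=True)
    return {
        "tag_ignores_payload": other[-BS:] == tag,
        "tamper_passes_check": tampered[-BS:] == tag and pt[-BS:] == TRAILER,
        "payload_altered": pt[:BS] != payload[:BS],
        "damage_confined": pt[BS:48] == payload[BS:],
    }
```

All four results are true: the trailer's ciphertext is a function of key, tweak, position and trailer value only, so it stays valid when any other 16-byte cipher block is modified, whereas a SHA256 over the whole block changes with every byte.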
