Re: On-Disk Encryption and Data Integrity

Hi Kristian,

On Jan 27, 2:42 am, Kristian Gjøsteen <kristiag+n...@xxxxxxxxxxxx>
Jeffrey Walton  <noloa...@xxxxxxxxx> wrote:

This question is very similar, but the threat model is slightly
different. Suppose I store encrypted data on disk. I believe I can
persist E( m || h(m) ). I think this is appropriate since on-disk
suffers from fewer threats than over the air. Is this correct? Or
should I punt and use a MAC (I think a Digital Signature would not be
required since it is a stronger primitive providing non-repudiation).
The downside of a MAC is that I must make to passes over the data
(i.e., the message) with the block cipher - one for the MAC, the
second for the Encrpytion. So I would prefer to use a unkeyed hash.

I'd use an authenticating mode of encryption such as CCM or GCM.

Alternatively, you can use dedicated disk encryption modes like EME, that
are non-expanding. Note that they provide different security properties
than CCM or GCM do.
Perverted on Super Bowl Sunday in the United States, but I was reading
NIST's SP 800-38D (GCM mode). It seems GCM is probably not well suited
for file encryption and most likely not suited for whole disk
encryption (where a typical Microsoft installation is gigabytes). From
Authentication Assurance, page 26:

As with any tag-based authentication mechanism, if the
adversary chooses a t-bit tag at random, it is expected
to be correct for given data with probability 1/2**t.
With GCM, however, an adversary can choose tags that
increase this probability, proportional to the total
length of the ciphertext and AAD. Consequently, GCM is
not well-suited for use with short tag lengths or
very long messages.

To prevent cut-and-paste attacks, you should include the sector address
in the authenticated data (you don't need to store it, of course).

Nontheless, these modes will be subject to sector replay attacks.
If you _really_ need integrity for the entire disk image, then you may
need hash trees or other somewhat expensive constructions.