IEEE Standard for Wide-Block Encryption for Shared Storage Media

IEEE Computer Society
Sponsored by the Information Assurance Standards Committee and Storage Systems Standards Committee

IEEE, 3 Park Avenue, New York, NY 10016-5997, USA
8 March 2011
IEEE Std 1619.2-2010

Sponsor: Information Assurance Standards Committee and Storage Systems Standards Committee of the IEEE Computer Society
Approved 30 September 2010, IEEE-SA Standards Board
Approved 5 May 2011, American National Standards Institute

Abstract: EME2-AES and XCB-AES wide-block encryption with associated data (EAD) modes of the NIST AES block cipher, providing usage guidelines and test vectors, are described. A wide-block encryption algorithm behaves as a single block cipher with a large plaintext input and ciphertext output, but uses a narrow block
cipher, in this case Advanced Encryption Standard (AES), internally. These encryption modes are oriented toward random access storage devices that do not provide authentication, but need to reduce the granularity of a potential attack.

Keywords: data-at-rest security, encryption, encryption with associated data (EAD), encrypt-mix-encrypt-v2 mode of operation (EME2), extended codebook mode of operation (XCB), IEEE 1619.2, security, storage

The Institute of Electrical and Electronics Engineers, Inc.
3 Park Avenue, New York, NY 10016-5997, USA

Copyright 2011 by the Institute of Electrical and Electronics Engineers, Inc. All rights reserved. Published 8 March 2011. Printed in the United States of America.

IEEE is a registered trademark in the U.S. Patent +1 978 750 8400. Permission to photocopy portions of any individual standard for educational classroom use can also be obtained through the Copyright Clearance Center.

Introduction

This introduction is not part of IEEE Std 1619.2-2010, IEEE Standard for Wide-Block Encryption for Shared Storage Media.

The purpose of this standard, similar to IEEE Std 1619-2007 [B2], is to describe a method of encryption for data stored in logical block-based devices, where the threat model includes possible access to stored data by the adversary.(a) As in IEEE Std 1619-2007, this standard specifies length-preserving encryption algorithms to be applied to the plaintext logical block before storing it on the storage media.

This standard improves on IEEE Std 1619-2007 by defining wide-block encryption algorithms. This means that they act on the whole logical block at once, and each bit of the input plaintext influences every bit of the output ciphertext (and vice versa for decryption). In particular, this standard specifies the EME2-AES and the XCB-AES wide-block encryption algorithms. Wide-block encryption better hides plaintext statistics and provides better protection than the narrow-block encryption, defined in IEEE Std 1619-2007, against attacks that involve traffic analysis and/or manipulations
of ciphertext on the raw storage media.

Notice to users

Laws and regulations

Users of these documents should consult all applicable laws and regulations. Compliance with the provisions of this standard does not imply compliance to any applicable regulatory requirements. Implementers of the standard are responsible for observing or referring to the applicable regulatory requirements. IEEE does not, by the publication of its standards, intend to urge action that is not in compliance with applicable laws, and these documents may not be construed as doing so.

Copyrights

This document is copyrighted by the IEEE. It is made available for a wide variety of both public and private uses. These include both use, by reference, in laws and regulations, and use in private self-regulation, standardization, and the promotion of engineering practices and methods. By making this document available for use and adoption by public authorities and private users, the IEEE does not waive any rights in copyright to this document.

(a) The numbers in brackets correspond to those of the bibliography in Annex A.

Updating of IEEE documents

Users of IEEE standards should
be aware that these documents may be superseded at any time by the issuance of new editions or may be amended from time to time through the issuance of amendments, corrigenda, or errata. An official IEEE document at any point in time consists of the current edition of the document together with any amendments, corrigenda, or errata then in effect. In order to determine whether a given document is the current edition and whether it has been amended through the issuance of amendments, corrigenda, or errata, visit the IEEE Standards Association web site at http://ieeexplore.ieee.org/xpl/standards.jsp, or contact the IEEE at the address listed previously. For more information about the IEEE Standards Association or the IEEE standards development process, visit the IEEE-SA web site at http://standards.ieee.org.

Errata

Errata, if any, for this and all other standards can be accessed at the following URL: http://standards.ieee.org/reading/ieee/updates/errata/index.html. Users are encouraged to check this URL for errata periodically.

Interpretations

Current interpretations can be accessed at the following URL: http://standards.ieee.org/reading/ieee/interp/index.html.

Patents

Attention is called to the possibility that implementation of this standard may require use of subject matter covered by patent rights. By publication of this standard, no position is taken with respect to the existence or validity of any patent rights in connection therewith. A patent holder or patent applicant has filed a statement of assurance that it will grant licenses under these rights without compensation or under reasonable rates, with reasonable terms and conditions that are demonstrably free of any unfair discrimination to applicants desiring to obtain such licenses. Other Essential Patent Claims may exist for which a statement of assurance has not been received. The IEEE is not responsible for identifying Essential Patent Claims for which a license may be required, for conducting inquiries into the legal validity or scope of Patents Claims, or determining whether any licensing terms or conditions provided in connection with submission of a Letter of Assurance, if any, or in any licensing agreements are reasonable or non-discriminatory. Users of this standard are expressly advised that determination of the validity of any patent rights, and the risk of infringement of such rights, is entirely their own responsibility. Further information may be obtained from the IEEE Standards Association.

Participants

At the time this standard was submitted to the IEEE-SA Standards Board for approval, the Security in Storage Working Group had the following sponsorship:

James P. Hughes, Sponsor Chair (IASC)
Eric A. Hibbard, Sponsor Vice Chair (IASC)
John L. Cole, Past Sponsor Chair (IASC)
Curtis Anderson, Co-Sponsor Chair (SSSC)

At the time this standard was submitted to the IEEE-SA Standards Board for approval, the Security in Storage Working Group had the following membership:

Matthew V. Ball, Chair
Eric A. Hibbard, Vice Chair
Walter Hubis, Secretary
Fabio Maino, Technical Editor and Past Secretary
James P. Hughes, Past Chair

Gideon Avida, Jim Coomes, Robert Elliott, Hal Finney, John Geldman, Bob Griffin, Cyril Guyot, Shai Halevi, Laszlo Hars, Larry Hofer, Glen Jaquette, Scott Kipp, Curt Kolovson, Robert Lockhart, Charlie Martin, David McGrew, Gary Moorhead, Bob Nixon, Landon Curt Noll, Jim Norton, Scott Painter, Dave Peterson, Serge Plotkin, Niels Reimers, Subhash Sankuratripati, David Sheehy, Bob Snively, Joel Spencer, Doug Whiting, Mike Witkowski

Special thanks for their important technical contribution to this standard to the following individuals: Hal Finney, Brian Gladman, Shai Halevi, David McGrew

The following members of the individual balloting committee voted on this standard. Balloters may have voted for approval, disapproval, or abstention.

Johann Amsenga, Khin Mi Mi Aung, Matthew V. Ball, Rahul Bhushan, Juan Carreon, Keith Chow, John Cole, Geoffrey Darnton, Russell Dietz, Thomas Dineen, Robert Elliott, Andrew Fieldsend, C. Fitzgerald, John Geldman, Ron Greenthaler, Randall Groves, Laszlo Hars, Eric A. Hibbard, Werner Hoelzl, Larry Hofer, Walter Hubis, Raj Jain, Scott Kipp, Susan Land, Kenneth Lang, Daniel Levesque, Robert Lockhart, William Lumpkins, G. Luri, Fabio Maino, Edward McCall, Jeffrey Moore, Finnbarr Murphy, Michael S. Newman, Landon Curt Noll, Ulrich Pohl, Randall Safier, Bartien Sayogo, Stephen Schwarm, Akihiro Shimura, Gil Shultz, Steven Smith, Kapil Sood, Thomas Starai, Rene Struik, Walter Struppler, Joseph Tardo, Brian Weis, Oren Yuen

When the IEEE-SA Standards Board approved this standard on 30 September 2010, it had the following membership:

Robert M. Grow, Chair
Richard H. Hulett, Vice Chair
Steve M. Mills, Past Chair
Judith Gorman, Secretary

Karen Bartleson, Victor Berman, Ted Burse, Clint Chaplin, Andy Drozd, Alexander Gelman, Jim Hughes, Young Kyun Kim, Joseph L. Koepfinger*, John Kulick, David J. Law, Hung Ling, Oleg Logvinov, Ted Olsen, Ronald C. Petersen, Thomas Prevost, Jon Walter Rosdahl, Sam Sciacca, Mike Seavey, Curtis Siller, Don Wright

*Member Emeritus

Also included are the following nonvoting IEEE-SA Standards Board liaisons:

Satish K. Aggarwal, NRC Representative
Richard DeBlasio, DOE Representative
Michael Janezic, NIST Representative

Michelle Turner, IEEE Standards Program Manager, Document Development
Michael D. Kipness, IEEE Standards Program Manager, Technical Program Development

Contents

1. Overview 1
1.1 Scope 1
1.2 Purpose 1
2. Normative references 1
3. Definitions, acronyms, and abbreviations 2
3.1 Definitions 2
3.2 Keywords 2
3.3 Acronyms and
abbreviations 3
4. Mathematical conventions 3
5. Wide-block encryption algorithms 4
5.1 Encryption with associated data 4
5.2 EME2-AES algorithm 6
5.3 XCB-AES algorithm 12
6. Compliance 18
Annex A (informative) Bibliography 19
Annex B (informative) Implementation guidance 20
Annex C (informative) Test vectors 22

IEEE Standard for Wide-Block Encryption for Shared Storage Media

IMPORTANT NOTICE: This standard is not intended to ensure safety, security, health, or environmental protection. Implementers of the standard are responsible for determining appropriate safety, security, environmental, and health practices or regulatory requirements.

This IEEE document is made available for use subject to important notices and legal disclaimers. These notices and disclaimers appear in all publications containing this document and may be found under the heading "Important Notice" or "Important Notices and Disclaimers Concerning IEEE Documents." They can also be obtained on request from IEEE or viewed at http://standards.ieee.org/IPR/disclaimers.html.

1. Overview

1.1 Scope

This standard specifies an architecture for encryption of data in random access storage devices, oriented toward applications that benefit from wide encryption-block sizes of 512 bytes and above.

1.2 Purpose

This standard specifies an architecture for media security and enabling components. Wide encryption blocks are well suited to environments where the attacker has
repeated access to cryptographic communication or ciphertext, or is able to perform traffic analysis of data access patterns. The standard is oriented toward fixed-size encryption blocks without data expansion, but anticipates an optional data expansion mode to resist attacks involving data tampering.

2. Normative references

The following referenced documents are indispensable for the application of this document (i.e., they must be understood and used, so each referenced document is cited in text and its relationship to this document is explained). For dated references, only the edition cited
applies. For undated references, the latest edition of the referenced document (including any amendments or corrigenda) applies.

NIST Federal Information Processing Standard 197 (FIPS 197), Advanced Encryption Standard (AES), November 2001.(1)

NIST Special Publication 800-38A (NIST SP 800-38A), Recommendation for Block Cipher Modes of Operation: Methods and Techniques.

3. Definitions, acronyms, and abbreviations

3.1 Definitions

For the purposes of this document, the following terms and definitions apply. The IEEE Standards Dictionary: Glossary of Terms

or that a certain course of action is preferred but not necessarily required; or that (in the negative form) a certain course of action is deprecated but not prohibited (should equals is recommended to).

(1) NIST publications are available from the National Institute of Standards and Technology, NIST Public Inquiries, NIST, 100 Bureau Drive, Stop 3460, Gaithersburg, MD 20899-3460, USA (www.nist.gov).

(2) The IEEE Standards Dictionary: Glossary of Terms

more specifically, if the encryption of the plaintext P with the key K and the associated data A results in the ciphertext C, then the decryption of C with the key K and the associated data A results in the plaintext P. A conforming implementation shall include in the associated data only information that is available, in plaintext form, at the time of encryption and the time of decryption. The associated data input shall uniquely identify the plaintext. This is because whenever the same plaintext is encrypted two different times using the same key but with distinct associated data values, the result is two distinct ciphertext values. Thus the use of distinct associated data values hides the equality of the plaintexts from an attacker.

5.1.2 Using EAD to protect a string of data blocks

An EAD may be used to protect a string of data blocks, such as those in a data-storage disk. In this application, the associated data input to the encryption and decryption procedure should contain the logical index of the block on which the procedure is acting. When this information is included in the associated data, cases in which
two distinct data blocks contain identical plaintext values are hidden from an adversary. Figure 1 shows an example of how an EAD performs encryption and decryption.

Figure 1: EAD encryption and decryption. The EAD Encryption Procedure takes Plaintext Blocks 00 to 03, the Secret Key and the Associated Data and produces Ciphertext Blocks 00 to 03; the EAD Decryption Procedure takes the Ciphertext Blocks with the same Secret Key and Associated Data and returns Plaintext Blocks 00 to 03.
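The block-indexed EAD interface of 5.1.2, together with the equality-hiding and whole-block diffusion properties described in 5.1.1 and the Introduction, as an added example that is not part of the standard: the cipher inside is a toy hash-based unbalanced Feistel standing in for EME2-AES or XCB-AES so that the block runs on the Python standard library alone; it carries no security claim, and the function names, the 8-byte big-endian index encoding and the sample blocks are assumptions.

```python
import hashlib
import hmac

def _prf(key, label, assoc, data, n):
    # Toy PRF: HMAC-SHA256 in counter mode (not AES); assoc is length-prefixed.
    out, ctr = b"", 0
    while len(out) < n:
        msg = label + ctr.to_bytes(4, "big") + len(assoc).to_bytes(4, "big") + assoc + data
        out += hmac.new(key, msg, hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def ead_encrypt(key, assoc, pt):
    # Four-round unbalanced Feistel (16-byte left part, rest right): every input
    # bit influences every output bit. A stand-in for EME2-AES/XCB-AES, not them.
    left, right = pt[:16], pt[16:]
    right = _xor(right, _prf(key, b"r1", assoc, left, len(right)))
    left = _xor(left, _prf(key, b"r2", assoc, right, 16))
    right = _xor(right, _prf(key, b"r3", assoc, left, len(right)))
    left = _xor(left, _prf(key, b"r4", assoc, right, 16))
    return left + right

def ead_decrypt(key, assoc, ct):
    # Rounds undone in reverse order; the same key and assoc are required.
    left, right = ct[:16], ct[16:]
    left = _xor(left, _prf(key, b"r4", assoc, right, 16))
    right = _xor(right, _prf(key, b"r3", assoc, left, len(right)))
    left = _xor(left, _prf(key, b"r2", assoc, right, 16))
    right = _xor(right, _prf(key, b"r1", assoc, left, len(right)))
    return left + right

def block_assoc(index):
    # 5.1.2: the associated data is the logical block index (8-byte big-endian, assumed).
    return index.to_bytes(8, "big")

def encrypt_volume(key, blocks):
    return [ead_encrypt(key, block_assoc(i), b) for i, b in enumerate(blocks)]

def decrypt_volume(key, blocks):
    return [ead_decrypt(key, block_assoc(i), b) for i, b in enumerate(blocks)]

def differing_bytes(a, b):
    return sum(1 for x, y in zip(a, b) if x != y)

# Constructed sample "disk" of 512-byte blocks; blocks 0 and 2 hold identical plaintext.
KEY = hashlib.sha256(b"constructed demo key").digest()
PLAIN = [b"\x00" * 512, bytes(range(256)) * 2, b"\x00" * 512, b"\xff" * 512]
CIPHER = encrypt_volume(KEY, PLAIN)
```

Because the block index is part of the associated data, the two identical plaintext blocks encrypt to different ciphertexts, and flipping one ciphertext bit garbles essentially the whole 512-byte block on decryption rather than a single 16-byte AES block, which is the granularity difference between wide-block and narrow-block modes.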