Full Disk Encryption: Bridging Theory and Practice

International audienceWe revisit the problem of Full Disk Encryption (FDE), which refers to the encryption of each sector of a disk volume. In the context of FDE, it is assumed that there is no space to store additional data, such as an IV (Initialization Vector) or a MAC (Message Authentica-tion Code) value. We formally define the security notions in this model against chosen-plaintext and chosen-ciphertext attacks. Then, we classify various FDE modes of operation according to their security in this setting, in the presence of various restrictions on the queries of the adversary. We will find that our approach leads to new insights for both theory and practice. Moreover, we introduce the notion of a diversifier, which does not require additional storage, but allows the plaintext of a particular sector to be encrypted to different ciphertexts. We show how a 2-bit diversifier can be implemented in the EagleTree simulator for solid state drives (SSDs), while decreasing the total number of Input/Output Operations Per Second (IOPS) by only 4%

The Key-Dependent Message Security of Key-Alternating Feistel Ciphers

Key-Alternating Feistel (KAF) ciphers are a popular variant of Feistel ciphers whereby the round functions are defined as $x \mapsto F(k_i \oplus x)$, where k_i are the round keys and F is a public random function. Most Feistel ciphers, such as DES, indeed have such a structure. However, the security of this construction has only been studied in the classical CPA/CCA models. We provide the first security analysis of KAF ciphers in the key-dependent message (KDM) attack model, where plaintexts can be related to the private key. This model is motivated by cryptographic schemes used within application scenarios such as full-disk encryption or anonymous credential systems. We show that the four-round KAF cipher, with a single function $F$ reused across the rounds, provides KDM security for a non-trivial set of KDM functions. To do so, we develop a generic proof methodology, based on the H-coefficient technique, that can ease the analysis of other block ciphers in such strong models of security

Generic Attack on Duplex-Based AEAD Modes using Random Function Statistics

Duplex-based authenticated encryption modes with a sufficiently large key length are proven to be secure up to the birthday bound 2^(c/2), where c is the capacity. However this bound is not known to be tight and the complexity of the best known generic attack, which is based on multicollisions, is much larger: it reaches (2^c)/α where α represents a small security loss factor. There is thus an uncertainty on the true extent of security beyond the bound 2^(c/2) provided by such constructions. In this paper, we describe a new generic attack against several duplex-based AEAD modes. Our attack leverages random functions statistics and produces a forgery in time complexity O(2^(3c/4)) using negligible memory and no encryption queries. Furthermore, for some duplex-based modes, our attack recovers the secret key with a negligible amount of additional computations. Most notably, our attack breaks a security claim made by the designers of the NIST lightweight competition candidate Xoodyak. This attack is a step further towards determining the exact security provided by duplex-based constructions

Chiffrement de disque

This thesis is dedicated to the analysis of modes of operation in the context of disk protection usage. Firstly, we give modes of operation secure in the Full Disk Encryption (FDE) model where additional data storage are not allowed. Inthis context, encryption has to be length preserving which implies length-preserving encryption. However, it is possible to use a value already present in the system, called a diversifier, to randomize the encryption and to have a better security.Then, we introduce two methods to analyse symmetric primitive in the very constraint Key-Dependent Message (KDM) model which is of interest for disk encryption because the encryption key can end up in the disk. It enables to analyse the KDM security of the Even-Mansour and the Key-Alternating Feistel constructions which are the basis of different block-ciphers. Moreover, knowing that data authenticity cannot be ensured in the FDE model because tag storage is not allowed, we relax this constraint which gives us two models: the Authenticated Disk Encryption model (ADE) and the Fully Authenticated Disk Encryption (FADE). A secure mode in the ADE model ensures data authenticity of a sector but can be vulnerable to replay attacks; and a secure mode in the FADE model ensures the authenticity of the entire disk even against replay attacks. Storage is not the only point to take into account, the read and write delays on a sector is a competitive argument for disk manufacturers since disk performances tightly depend on it and adding the computation of codes of authentication does not help. That is why, we tend to analyse incremental Message Authentication Codes: they have the property to be updatable in a time proportional to the corresponding modification.Cette thèse est dédiée à l’analyse de modes opératoires pour la protection des disques durs. Dans un premier temps, l’analyse des modes opératoires permettant de protéger la confidentialité des données est réalisée dans le modèle Full Disk Encryption (FDE). Ce modèle est très contraignant puisqu’il exclut tout mode qui ne conserve pas la longueur (la valeur en clair et chiffrée du secteur doivent avoir la même taille) et seuls des modes déterministes peuvent avoir cette propriété. Néanmoins, il est possible de tirer partie d’une valeur du système nommée le diversifiant, qui originellement a un autre but, dans le but d’améliorer la sécurité des modes opératoires. Dans un second temps, nous introduisons deux méthodologies d’analyse dans le modèle Key-Dependent Message, où l’adversaire est autorisé à chiffrer des messages qui dépendent de la clé de chiffrement, qui nous ont permis d’analyser la sécurité des schémas Even-Mansour et Key-Alternating Feistel. Enfin, sachant qu’il est impossible de garantir l’authenticité des données dans le modèle FDE, la présence de codes d’authentification étant nécéssaire, deux modèles où le stockage de métadonnées est possible sont envisagés : le modèle Authenticated Disk Encryption (ADE) et le modèle Fully Authenticated Disk Encryption (FADE). Le premier permet de garantir l’authenticité au niveau du secteur mais est vulnérable aux attaques par rejeu et le second garantit l’authenticité du disque en entier et prévient ce type d’attaque. La securité des mécanismes cryptographiques utilisés pour protéger le contenu du disque n’est pas le seul paramètre à prendre en compte : les vitesses de lecture et d’écriture sont un enjeu de taille pour les constructeurs puisque ces dernières conditionnent fortement les performances d’un disque. C’est la raison pour laquelle, nous avons étudié les codes d’authentification incrémentaux puisque ces derniers ont la propriété d’être mis à jour en un temps proportionnel à la modification réalisée

Chiffrement de disque intégrale et au-delà

Equipe cascade, ENS, InriaThis thesis is dedicated to the analysis of modes of operation in the context of disk protection usage. Firstly, we give modes of operation secure in the Full Disk Encryption (FDE) model where additional data storage are not allowed. In this context, encryption has to be length preserving which implies length-preserving encryption. However, it is possible to use a value already present in the system, called a diversifier, to randomize the encryption and to have a better security. Then, we introduce two methods to analyse symmetric primitive in the very constraint Key-Dependent Message (KDM) model which is of interest for disk encryption because the encryption key can end up in the disk. It enables to analyse the KDM security of the Even-Mansour and the Key-Alternating Feistel constructions which are the basis of different block-ciphers. Moreover, knowing that data authenticity cannot be ensured in the FDE model because tag storage is not allowed, we relax this constraint which gives us two models: the Authenticated Disk Encryption model (ADE) and the Fully Authenticated Disk Encryption (FADE). A secure mode in the ADE model ensures data authenticity of a sector but can be vulnerable to replay attacks; and a secure mode in the FADE model ensures the authenticity of the entire disk even against replay attacks. Storage is not the only point to take into account, the read and write delays on a sector is a competitive argument for disk manufacturers since disk performances tightly depend on it and adding the computation of codes of authentication does not help. That is why, we tend to analyse incremental Message Authentication Codes: they have the property to be updatable in a time proportional to the corresponding modification.Cette thèse est dédiée à l’analyse de modes opératoires pour la protection des disques durs. Dans un premier temps, l’analyse des modes opératoires permettant de protéger la confidentialité des données est réalisée dans le modèle Full Disk Encryption. Ce modèle est très contraignant puisqu’il exclut tout mode qui ne ne conserve pas la longueur (la valeur en clair et chiffrée du secteur doivent avoir la même taille) et seuls des modes déterministes peuvent avoir cette propriété. Néanmoins, il est possible de tirer parti d’une valeur du système nommée le diversifiant, qui originellement a un autre but, pour apporter de l’aléa utile pour améliorer la sécurité des modes opératoires. Dans un second temps, nous introduisons deux méthodologies d’analyse dans le modèle Key-Dependent Message, où l’adversaire est autorisé à chiffrer des messages qui dépendent de la clé de chiffrement, qui nous ont permis d’analyser la sécurité des schémas Even-Mansour et Key-Alternating Feistel. Enfin, sachant qu’il est impossible de garantir l’authenticité des données dans le modèle FDE, la présence de codes d’authentification étant nécessaire, deux modèles où le stockage de métadonnées est possible sont envisagés : le modèle ADE pour Authenticated Disk Encryption et le modèle FADE pour Fully Authenticated Disk Encryption. Le premier permet de garantir l’authenticité au niveau du secteur mais est vulnérable aux attaques par rejeu et le second garantit l’authenticité du disque en entier et prévient ce type d’attaque. Le stockage n’est pas le seul point à prendre en compte : les vitesses de lecture et d’écriture sont un enjeu de taille pour les constructeurs puisque ces dernières conditionnent fortement les performances d’un disque. C’est la raison pour laquelle, nous avons étudié les codes d’authentification incrémentaux puisque ces derniers ont la propriété d’être mis à jour en un temps proportionnel à la modification réalisée

Generic Attack on Duplex-Based AEAD Modes Using Random Function Statistics

International audienceDuplex-based authenticated encryption modes with a sufficiently large key length are proven to be secure up to the birthday bound 2c2, where c is the capacity. However this bound is not known to be tight and the complexity of the best known generic attack, which is based on multicollisions, is much larger: it reaches 2cα where α represents a small security loss factor. There is thus an uncertainty on the true extent of security beyond the bound 2c2 provided by such constructions. In this paper, we describe a new generic attack against several duplex-based AEAD modes. Our attack leverages random functions statistics and produces a forgery in time complexity O(23c4) using negligible memory and no encryption queries. Furthermore, for some duplex-based modes, our attack recovers the secret key with a negligible amount of additional computations. Most notably, our attack breaks a security claim made by the designers of the NIST lightweight competition candidate Xoodyak. This attack is a step further towards determining the exact security provided by duplex-based constructions