Lecture 14 XTS-AES & RC4

The document discusses the XTS mode of AES, which was approved by NIST in 2010 as an additional block cipher mode of operation for encrypting hard disks. XTS-AES addresses the requirements for encrypting data stored on hard disks, where sectors are the smallest accessible units and there is no additional space for metadata. It uses a tweakable block cipher approach, where the tweak (sector number and block number) and key are input to two AES instances to encrypt each block independently.

Uploaded by Prateek Sharma

INFORMATION SECURITY (CSD-410)
(Lecture 14)

XTS: A MODE OF AES FOR ENCRYPTING HARD DISKS
▪ In 2010, NIST approved an additional block cipher mode of operation, XTS-AES.
▪ IEEE standard, IEEE Std. 1619-2007.
▪ Developed by the IEEE Security in Storage Working Group.
▪ The standard describes a method of encryption for data stored in sector-based devices.

THE MOTIVATION FOR XTS
▪ Hard disks are partitioned into circular paths called tracks.
▪ Tracks are in turn partitioned into fixed-sized logical sectors, which can be individually read from or written to a disk.
▪ Sectors are the smallest accessible subdivision of a track, typically 512 bytes.
▪ A sector might be subdivided into logical blocks, which are the same size as the block of data encrypted by a block cipher.

DISK: PHYSICAL AND VIRTUAL GEOMETRY
THE MOTIVATION FOR XTS
▪ Because a sector’s bytes are all dedicated to storage, no additional space is available for other information.
▪ So, the inputs to an encryption algorithm for data on hard disks should include only:
  ▪ the data itself,
  ▪ the key used in the encryption algorithm,
  ▪ and available metadata such as the sector number and the block number in that sector.
▪ XTS does exactly this!


TWEAKABLE BLOCK CIPHERS
▪ The XTS-AES mode is based on the concept of a tweakable block cipher.
▪ A tweakable block cipher is one that has three inputs:
  1. a plaintext P,
  2. a symmetric key K,
  3. a tweak T.
▪ It produces a ciphertext output C:
  C = E(K, T, P)
▪ The tweak need not be kept secret.
▪ The purpose of the key is to provide security and the purpose of the tweak is to
provide variability.
▪ The use of different tweaks with the same plaintext and same key produces different
outputs.
BASIC STRUCTURE OF TWEAKABLE BLOCK CIPHERS
TWEAKABLE BLOCK CIPHERS
▪ Encryption can be expressed as:

C = H(T) ⊕ E(K, H(T) ⊕ P)

▪ Decryption can be expressed as:

H(T) ⊕ C = E(K, H(T) ⊕ P)

D[K, H(T) ⊕ C] = H(T) ⊕ P

H(T) ⊕ D(K, H(T) ⊕ C) = P


STORAGE ENCRYPTION REQUIREMENTS
▪ The requirements for encrypting stored data, also referred to as “data at rest”, differ somewhat from those for transmitted data.
▪ The P1619 standard was designed to have the following characteristics:
  1. The ciphertext is freely available to an attacker.
  2. The data layout is not changed on the storage medium or in transit.
  3. Data are accessed in fixed-sized blocks, independently of each other.
  4. Encryption is performed in 16-byte blocks, independently of other blocks.
  5. The same plaintext is encrypted to different ciphertexts at different locations, but always to the same ciphertext when written to the same location again.
OPERATION ON SINGLE BLOCK
▪ The operation involves two instances of the AES algorithm with two keys.
▪ The following parameters are associated with the algorithm:
  Key: The 256- or 512-bit XTS-AES key; Key = Key1 || Key2.
  Pj: The jth block of plaintext. All blocks except possibly the final block have a length of 128 bits. A plaintext data unit, typically a disk sector, consists of a sequence of plaintext blocks P1, P2, …, Pm.
  Cj: The jth block of ciphertext. All blocks except possibly the final block have a length of 128 bits.
  j: The sequential number of the 128-bit block inside the data unit.
  i: The value of the 128-bit tweak. Each data unit (sector) is assigned a tweak value that is a nonnegative integer.
  α: A primitive element of GF(2^128).
  α^j: α multiplied by itself j times, in GF(2^128).
  ⊕: Bitwise XOR.
  ⊗: Multiplication of two polynomials with binary coefficients, reduced modulo the field polynomial of GF(2^128).
XTS-AES OPERATION ON SINGLE BLOCK
OPERATION ON A SECTOR
▪ The plaintext of a sector or data unit is organized into blocks of 128 bits.
▪ Blocks are labeled P0, P1, …, Pm.
▪ The last block may be null or may contain from 1 to 127 bits.
▪ An exception occurs when the last block has fewer than 128 bits.
▪ In that case, the last two blocks are encrypted/decrypted using a ciphertext-stealing technique instead of padding.
▪ Ciphertext stealing: the processing of the last block “steals” a temporary ciphertext of the previous block to complete the cipher block.
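
The following is an added example, not code from the lecture slides: it implements the per-block equation C = H(T) ⊕ E(K, H(T) ⊕ P) with the XTS tweak H(T) = E(Key2, i) ⊗ α^j, the multiplication by α in GF(2^128), and the ciphertext-stealing step for a short final block. AES is replaced by a toy SHA-256 Feistel permutation (an assumption made only so the code runs with the standard library); it has to be swapped for real AES before any practical use.

```python
import hashlib
BLOCK = 16

def toy_block(key: bytes, blk: bytes, decrypt: bool = False) -> bytes:
    """Stand-in for AES (assumption, NOT AES): a 4-round SHA-256 Feistel
    permutation on 128-bit blocks, so the example needs only the stdlib."""
    l, r = blk[:8], blk[8:]
    rounds = range(4)
    if decrypt:            # run the rounds backwards on the swapped halves
        rounds, (l, r) = reversed(rounds), (r, l)
    for n in rounds:
        f = hashlib.sha256(key + bytes([n]) + r).digest()[:8]
        l, r = r, bytes(a ^ b for a, b in zip(l, f))
    return r + l if decrypt else l + r

def gf_double(t: bytes) -> bytes:
    """Multiply a 128-bit tweak by alpha in GF(2^128) (IEEE 1619 convention:
    little-endian bit order; a carry out of the top bit folds back as 0x87)."""
    out, carry = bytearray(BLOCK), 0
    for k in range(BLOCK):
        out[k] = ((t[k] << 1) & 0xFF) | carry
        carry = t[k] >> 7
    if carry:
        out[0] ^= 0x87
    return bytes(out)

def xts_sector(key1: bytes, key2: bytes, sector: int, data: bytes,
               decrypt: bool = False) -> bytes:
    """XTS over one data unit. Key = key1 || key2; the tweak for block j is
    T_j = E(key2, sector) (x) alpha^j; each block is C = T xor E(key1, T xor P)."""
    if len(data) < BLOCK:
        raise ValueError("a data unit must be at least one block")
    def one(t: bytes, blk: bytes) -> bytes:      # the tweakable block cipher
        x = bytes(a ^ b for a, b in zip(t, blk))
        return bytes(a ^ b for a, b in zip(t, toy_block(key1, x, decrypt)))
    t = toy_block(key2, sector.to_bytes(BLOCK, "little"))   # T_0 from sector i
    m, b = divmod(len(data), BLOCK)                          # m full blocks, b tail bytes
    out = []
    for j in range(m - 1):
        out.append(one(t, data[j * BLOCK:(j + 1) * BLOCK]))
        t = gf_double(t)                                     # T_{j+1} = T_j * alpha
    last = data[(m - 1) * BLOCK:m * BLOCK]
    if b == 0:                                 # whole blocks only: no stealing
        return b"".join(out) + one(t, last)
    t_m1, t_m = t, gf_double(t)
    if decrypt: t_m1, t_m = t_m, t_m1          # decryption swaps the last two tweaks
    cc = one(t_m1, last)                       # temporary block that is stolen from
    out.append(one(t_m, data[m * BLOCK:] + cc[b:]))   # short tail completed with stolen bytes
    return b"".join(out) + cc[:b]
```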
RC4
▪ RC4 means Rivest Cipher 4, invented by Ron Rivest in 1987 for RSA Security.
▪ It is a stream cipher.
▪ Stream ciphers operate on a stream of data byte by byte.
▪ The RC4 stream cipher is one of the most widely used stream ciphers because of its simplicity and speed of operation.
▪ It is a variable key-size stream cipher with byte-oriented operations.
▪ It uses either 64-bit or 128-bit key sizes.
▪ It is generally used in applications such as Secure Sockets Layer (SSL) and Transport Layer Security (TLS), and is also used in the IEEE 802.11 wireless LAN standard.
HISTORY OF RC4 ENCRYPTION
▪ RC4 was designed by Ron Rivest in 1987 while working for RSA Security.
▪ Rivest Cipher 4 is the official name; it is also known as Ron’s Code.
▪ Initially, RC4 was a trade secret, but once its code spread into the public domain it was no longer a trade secret.
TYPES OF RC4
1. SPRITZ: Spritz can be used to build a cryptographic hash function, a deterministic random bit generator (DRBG), and an encryption algorithm that supports authenticated encryption with associated data (AEAD).
2. RC4A: Souradyuti Paul and Bart Preneel have proposed an RC4 variant, which they call RC4A, that is stronger than RC4.
3. VMPC: VMPC is another variant of RC4; the name stands for Variably Modified Permutation Composition.
4. RC4A+: RC4A+ is a modified version of RC4 with a more complex three-phase key schedule, which takes about three times as long as RC4’s, and a more complex output function, which performs four additional lookups in the S array for each output byte and takes approximately 1.7 times as long as basic RC4.
RC4
▪ RC4 relies on:
  ▪ Key input. The key drives a generator that produces eight-bit values (the cipher output) which are intended to be impossible to guess.
  ▪ Keystream. The cipher uses this stream to scramble the plaintext.
  ▪ Product. An XOR operation combines the keystream with the plaintext to give the ciphertext.

MATHEMATICAL CONCEPTS
▪ RC4 relies on two algorithms:
  1. KSA: The key-scheduling algorithm initializes the process in an array typically referred to as "S". That "S" is processed 256 times, and bytes from the key are mixed in too.
  2. PRGA: Data is fed in byte by byte, and a mathematical model modifies it. The model looks up values, adds them (mod 256), and uses the sum to select the next byte of the keystream. It swaps each element with another at least once every 256 rounds.
RC4 ALGORITHM
▪ The algorithm operates on a user-selected variable-length key (K) of 1 to 256 bytes (8 to 2048 bits), typically between 5 and 16 bytes.
▪ The master key is used to generate a 256-byte state vector S.
  1. The first step is the array initialization. S is a character array of size 256, i.e. S[256]. Then, for every element of the array, we initialize S[i] to i.
  2. Run the KSA algorithm:
     ▪ KSA uses the secret key to scramble this array.
  3. Once KSA has scrambled the S[256] array, it is used by the PRGA (Pseudo-Random Generation Algorithm) to produce the keystream.
WORKING OF RC4
▪ Encryption Procedure
  1. The user inputs a plaintext file and a secret key.
  2. The encryption engine then generates the keystream using the KSA and PRGA algorithms.
  3. This keystream is XORed with the plaintext; the XORing is done byte by byte to produce the encrypted text.
  4. The encrypted text is then sent to the intended receiver, who decrypts the text; after decryption, the receiver has the original plaintext.
▪ Decryption Procedure
  1. Decryption is achieved by doing the same byte-wise XOR operation on the ciphertext.
ADVANTAGES OF RC4
▪ RC4 stream ciphers are simple to use.
▪ The speed of operation of RC4 is fast compared to other ciphers.
▪ RC4 stream ciphers are robust in code and easy to implement.
▪ RC4 stream ciphers do not require much memory.
▪ RC4 stream ciphers are applied to large streams of data.

DISADVANTAGES OF RC4
▪ If RC4 is not used with a strong MAC, the encryption is vulnerable to a bit-flipping attack.
▪ RC4 stream ciphers do not provide authentication.
▪ The RC4 algorithm requires additional analysis before being included in new systems.
▪ RC4 stream ciphers cannot be implemented on small streams of data.
▪ RC4 is weak if the beginning of the output keystream is not discarded, or if non-random or related keys are used with the algorithm.
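
An added example, not code from the lecture: it implements the KSA and PRGA described in the RC4 ALGORITHM and WORKING OF RC4 slides, adds a parameter for discarding the start of the keystream (the weakness named in the last disadvantage), and includes a check that shows the bit-flipping weakness that motivates pairing RC4 with a MAC. The round-trip uses the widely published RC4 test vector for key "Key" and plaintext "Plaintext".

```python
from typing import Iterator

def rc4_ksa(key: bytes) -> list:
    """KSA: start from the identity permutation S and scramble it with the key."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1 to 256 bytes")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF   # mix in a key byte (mod 256)
        s[i], s[j] = s[j], s[i]
    return s

def rc4_keystream(key: bytes, drop: int = 0) -> Iterator[int]:
    """PRGA: swap two entries of S each step and output S[(S[i] + S[j]) mod 256].
    'drop' discards that many leading keystream bytes (the RC4-drop[n] practice)."""
    s, i, j = rc4_ksa(key), 0, 0
    produced = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        k = s[(s[i] + s[j]) & 0xFF]
        if produced >= drop:
            yield k
        produced += 1

def rc4_crypt(key: bytes, data: bytes, drop: int = 0) -> bytes:
    """Encryption and decryption are the same byte-wise XOR with the keystream."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key, drop)))

def bit_flip_check(key: bytes, plaintext: bytes, pos: int, mask: int) -> bytes:
    """Why a MAC is needed: XOR a mask into one ciphertext byte, then decrypt.
    The same mask lands on the plaintext byte and RC4 itself cannot detect it."""
    ct = bytearray(rc4_crypt(key, plaintext))
    ct[pos] ^= mask
    return rc4_crypt(key, bytes(ct))
```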
