Academic Integrity: tutoring, explanations, and feedback — we don’t complete graded work or submit on a student’s behalf.

Is it possible to leverage a preexisting implementation of AES-GCM to provide th

ID: 648505 • Letter: I

Question

Is it possible to leverage a preexisting implementation of AES-GCM to provide the key security benefits essential for full-disk encryption (similar to AES-XTS)?

GCM is a popular encryption mode supported by several libraries and with fast implementations in hardware, and on its own GCM has nice properties including parallelism. Because of GCM's built-in authentication functionality and due to its performance, it is beneficial to consider that as a starting point; a hardware implementation may implement AES-GCM as a self-contained performance routine.

But on the other hand, a critical requirement of GCM (essential to its security) is that it must have unique random IVs, just like CCM. So if the IV that is chosen is derived from the sector or block offset (even if there's an intermediate hash), the very fact that on a disk it's common to write and overwrite data in place (coupled with GCM and CCM behaving nearly like stream ciphers) makes it potentially dangerous to derive the IV in that deterministic way. But just like many encryption modes are based upon compositions of cryptographic primitives, I'm wondering if it's possible to start with GCM (and its AEAD property) and build upon that to also attain the secure capability of writing to disk at sector offsets.

Explanation / Answer

If you don't mind that the ciphertext is longer than the plaintext, GCM is perfectly fine for storage encryption. Every time you write a block to disk, choose a fresh nonce and write the resulting ciphertext to disk. (You can ask for even stronger security properties, but then everything gets more expensive. Basically, build a tree structure for tags. Reads and writes are no longer constant time, but logarithmic in the size of the disk. This is bad for spinning disks when you have significant seek times, but may be ok otherwise.)

If you want non-expanding encryption (ciphertext length is the same as plaintext length), then GCM is not appropriate, because it is very weak when IV's are reused, and there's no space for the authentication tag (GCM without authentication is just a form of counter mode).

If you just have a black-box implementation of GCM, I would expect it to be difficult to use that as a building block for a secure non-expanding scheme in any sensible way.

If you have access to the components used to build GCM (the block cipher, finite field arithmetic, etc.), then they may be useful for building a secure scheme.

Related Questions

Is it now clear why matter waves (such as inthe electron microscope) are often p
Question #1679499
Is it ok to enter the following statements in Matlab? Why? >> P= \'Programming\'
Question #3788349
Is it okay to store single-use beta keys in plain-text in the database? I\'ll be
Question #655784
Is it permissible in java to define two methods in a class that have identical m
Question #3816603
Is it possible for a country to have a comparative advantage in producing a good
Question #1189582
Is it possible for a country with a relatively large GDP to have a relatively sm
Question #1238940
Is it possible for a demand curve to be upward sloping? Yes, for normal goods wh
Question #1121703
Is it possible for a lead bullet to completely melt when fired by a rifle at a f
Question #1549626
Hire Me For All Your Tutoring Needs
Integrity-first tutoring: clear explanations, guidance, and feedback.
Drop an Email at
drjack9650@gmail.com
Chat Now And Get Quote

Navigate

Previous
Is it possible to know how many purines and pyrimidines there would be in a 200b
Next
Is it possible to make a photovoltaic cell that would only absorb the invisible

Integrity-first tutoring: explanations and feedback only — we do not complete graded work. Learn more.