NIST Approves XTS-AES
NIST approved XTS-AES for the secure encryption of block devices in NIST Special Publication 800-38E, Recommendation for Block Cipher Modes of Operation: The XTS-AES Mode for Confidentiality on Block-Oriented Storage Devices (Draft August 2009)(available at http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/comments/XTS/follow-up_XTS_comments-Ball.pdf) subject to a caveat on the file size. The IEEE P1619 task group completed work on an AES standard for the XTS encryption algorithm in December 2007. The algorithom was designed to be suitable “for encryption of stored data in a fixed-block device, and a standard for an XML-based key-export format. XTS stands for ‘XEX TCB with ciphertext stealing’ and is a narrow-block cryptographic mode. (XEX stands for ‘XOR-Encrypt-XOR’, and TCB is Tweakable CodeBook mode encryption).”
On Sept 4, 2008, NIST completed a public review for XTS-AES. Based on these comments, NIST made the decision to adopt XTS-AES as an approved mode of operation under FIPS 140-2.The number of blocks that can be securely encrypted using this method is 2^20 blocks. The Advanced Encryption Standard (AES) is a FIPS-approved cryptographic algorithm (Rijndael, designed by Joan Daemen and Vincent Rijmen, published in 1998) that may be used by US federal departments and agencies to cryptographically protect sensitive information. There are various modes of operation some of them are approved by NIST FIPS 140-2. NIST’s decision approves the use of XTS-AES for encrypting block devices (hard drives, optical media, etc.) is particularly significant because TrueCrypt is an open source implementation of AES.
TrueCrypt provides a cost effective alternative to other encryption solutions available in the market. It is distributed without cost and the source code is available for download at http://www.truecrypt.org. TrueCrypt can operate in various modes for example by creating a virtual encrypted disk within a file or an encrypted volume on an individual partition. Unlike most encryption utilities available on the market TrueCrypt supports Microsoft Windows, Mac OS X and Linux. TrueCrypt limits the size of an encrypted file or volume to one petabyte (or 1000 terabytes) for security reasons.
TrueCrypt
The XTS-AES mode is an implementation of XEX that can only encrypt sequences of complete blocks (string that is a multiple of 128 bits) however, XTS-AES is not subject to the same limitation utilizing Ciphertext Stealing. Ciphertext stealing reorders the transmission of the last two blocks of ciphertext by padding the last block (which is possibly incomplete) with the high order bits from the second to last ciphertext block (stealing the ciphertext from the second to last block). The last block can be encrypted, and then exchanged with the second to last ciphertext block, which is then truncated to the length of the final plaintext block, removing the bits that were stolen.
Seagate submitted comments last year when NIST was evaluating the security of XTS-AES. Seagate argued that other methods were more secure, faster and simpler. XTS-AES is based on an IEEE Standard 1619-2007. All comments and other supporting documentation is available at http://csrc.nist.gov/groups/ST/toolkit/BCM/comments.html. Interesting, an alternative mode of operation “ECB” is FIPS 140-2 approved but not secure, the acceptance of XTS-AES may mean that the certification of products using ECB will be retired with the implementation FIPS 140-3. (http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/comments/XTS/follow-up_XTS_comments-Ball.pdf
The license for TrueCrypt is not an industry accepted “open source” license; the ambiguity (un-litigated) license may discourage broad adoption of TrueCrypt within commercial enterprises; however it is relatively certain other solutions will soon be on the market utilizing this same algorithm. Nevertheless TrueCrypt and more generally XTS-AES deserves your attention as one option for unauthenticated encryption of data at rest. See http://en.wikipedia.org/wiki/Disk_encryption_theory#XTS for a more involved discussion of the algorithm.
The following is a simple python implementation XTS-AES (see http://www.bjrn.se/code/pytruecrypt/truecrypt5py.txt).
Other NIST publications recently updated include: “
1. Draft Special Publication 800-73 -3 Interfaces for Personal Identity Verification (4 Parts)
Pt. 1- End Point PIV Card Application Namespace, Data Model and Representation
Pt. 2- PIV Card Application Interface
Pt. 3- PIV Client Application Programming Interface
Pt. 4- The PIV Transitional Data Model and Interfaces
http://csrc.nist.gov/publications/PubsDrafts.html#800-73-3
2. NIST Interagency Report (IR) 7611, Use of ISO/IEC 24727 — Service Access Layer Interface for Identity (SALII): support for development and use of interoperable identity credentials is now available. See http://csrc.nist.gov/news_events/index.html#aug14; http://csrc.nist.gov/publications/PubsNISTIRs.html#nistir7611.
3. Special Publication 800-53 Revision 3 was updated last Friday to include an errata page, and all the supporting files were also updated and uploaded Friday, August 14.
Related posts:
- NIST announced the publication of Initial Public Draft Special Publication 800-128, Guide for Security Configuration Management of Information Systems. Configuration management remains a challenging issue especially for small and...
- Business Associate and Covered Entity HIPAA Compliance — Auditing Questions and NIST 800-53 Security Controls. This article discusses techniques for implementing the updated requirements of...
- Fear Mongering or Legitimate Criticism — “HHS guts health-care breach notification law, groups warn” I am a little unclear as to why privacy advocates...