Storage Encryption: A Cryptographer’s View

Abstract

Encryption is the bread-and-butter of cryptography, with well-established notions of security and a large variety of schemes to meet these notions. So what is left for researchers in cryptography to look at when it comes to encrypting storage? In this talk I will cover cryptography issues that arise when introducing encryption to real-world storage systems, with some examples drawn from the work of the IEEE 1619 standard committee that deals with standardizing aspects of storage encryption. The issues that I plan to touch upon include:

Encryption Schemes and Modes-of-Operation: The use of “authenticated” vs. “transparent” encryption, “wide block” vs. “narrow block” transparent encryption modes, and other considerations.

Issues with Key-Management and IV-Management: How to avoid nonce collision when your nonces are only 96-bit long, why you may want to use deterministic encryption for key-wrapping, what is the difference between key-wrapping and KEM/DEM, and related questions.

Self-Encryption of Keys: Can an encryption scheme remain secure when used to encrypt its own secret key? It turns out that this requirement sometimes comes up when encrypting storage. I will talk about several aspects of this problem, including the not-so-bad, the bad, and the ugly.