I have a disk on which each sector can only be written once (like a journal, only appending is possible). Unused sectors are reported as being filled with zeroes, while used sectors should not be readable without authentication (achieved over a separate channel with the drive).

Since an attacker can never gather two ciphertexts for the same block, is there any advantage of using AES-XTS over AES-CTR? If not, should I still use AES-XTS, since it makes it clear that we are effectively dealing with FDE (although in a write-once fashion) and reviewers might (correctly) argue that CTR should not be used for FDE? Or should I use AES-CTR, because its security guarantees are proven better?

The goal is to make it possible to send the encrypted data to the manufacturer (who also holds the key) in case the password is lost to allow data recovery (which is a regulatory requirement). Each disk uses a unique key.

EDIT: this is not a duplicate of "Why do we use XTS over CTR for disk encryption?", because I am concerned about write-once storage, not a regular disk drive that will be overwritten with different data regularly, thus the attack surface is very different.

nioncode

1 Answer

Analyzing the risks and correctly setting the threat model is important when choosing the encryption schemes.

If the attacker is a passive attacker, that is, he can only read the hard disk while it is transmitted, then, as pointed out in the XTS vs CTR comparison question, there is no benefit against a passive attacker.

When the attacker, however, is an active attacker, you will need authentication. CTR and XTS modes are not authenticated encryption modes. In CTR mode, when the attacker modifies a bit, the ciphertext will turn into a valid plaintext. This is also possible in XTS mode, though a little harder to achieve. To mitigate, you can hash the whole disk and then apply a digital signature to it. The signature can be transmitted over another channel.


You can see a discussion in "Why not authenticate full-disk encryption?" about integrating the authentication into a filesystem.

kelalaka
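The point made in the answer above, as an added example that is not part of the original post: a counter-mode ciphertext modified in transit still decrypts without error, while a tag over the whole disk image, delivered over another channel, rejects it. Assumptions: HMAC-SHA256 stands in for AES as the counter-mode PRF and for the digital signature (the Python standard library has neither), and the keys, sector size and sector contents are constructed sample values.

```python
import hashlib
import hmac

SECTOR = 512  # constructed sector size

def keystream(key: bytes, sector_no: int, length: int) -> bytes:
    # Counter mode: PRF(key, sector number || block counter).
    # HMAC-SHA256 is a stand-in for the AES block cipher here.
    out, ctr = b"", 0
    while len(out) < length:
        block = sector_no.to_bytes(8, "big") + ctr.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def xor_sector(key: bytes, sector_no: int, data: bytes) -> bytes:
    # Encryption and decryption are the same XOR with the keystream.
    ks = keystream(key, sector_no, len(data))
    return bytes(a ^ b for a, b in zip(data, ks))

def disk_tag(auth_key: bytes, sectors: list) -> bytes:
    # Hash every sector in order, then authenticate the digest.
    # The HMAC is a stand-in for the digital signature in the answer.
    h = hashlib.sha256()
    for s in sectors:
        h.update(s)
    return hmac.new(auth_key, h.digest(), hashlib.sha256).digest()

def verify_disk(auth_key: bytes, sectors: list, tag: bytes) -> bool:
    return hmac.compare_digest(disk_tag(auth_key, sectors), tag)

def demo():
    enc_key, auth_key = b"E" * 32, b"S" * 32  # constructed keys
    plain = [b"amount=0100".ljust(SECTOR, b"\0"),
             b"log entry 2".ljust(SECTOR, b"\0")]
    disk = [xor_sector(enc_key, i, p) for i, p in enumerate(plain)]
    tag = disk_tag(auth_key, disk)  # sent over the separate channel

    # Image altered in transit: one ciphertext byte XORed with a difference.
    first = bytearray(disk[0])
    first[7] ^= ord("0") ^ ord("9")
    tampered = [bytes(first), disk[1]]

    recovered = xor_sector(enc_key, 0, tampered[0])[:11]
    return recovered, verify_disk(auth_key, disk, tag), verify_disk(auth_key, tampered, tag)
```

`demo()` returns the decrypted first record of the altered image together with the verification results for the original and the altered image.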