Hi Jamie,

Has the paper you mention below providing details of Diffuser and the
overall encryption algorithm available yet?

If not, a question: Can you describe a bit more about how a 256-bit AES key
is used to "mix up the bits" (all 512 bytes) of an *entire* sector, when the
key itself is only 32 bytes long?

Thanks!



"Jamie Hunter [MS]" wrote:

Tavis, you keep firing good questions at me

The FVEK (Full Volume Encryption Key) contains 2 keys, one for the AES
algorithm, and one for the Diffuser algorithm. This ensures the diffuser
cannot weaken AES (a shared key would be an architecture concern). The
diffuser is applied to an entire sector before encryption and can be
described as "mixing the bits of the sector prior to encryption". The IV
(initial vector) for both algorithms is derived from the sector number to
ensure that sectors cannot be swapped.

Consider this in reverse, a single bit change will result in a moderate
change c/o CBC, however this change gets diffused throughout all the bits of
the sector resulting in an entire sector change. This mitigates creative
attacks where someone would try to introduce a minor change into some code
or data to change OS behavior in a desirable way.

A paper giving the details of the Diffuser (and other low level details) is
forthcoming, before RTM.
-
Jamie Hunter [MS]

"tavis" wrote in message
...
How does the diffuser work under BitLocker encryption?

Is the diffuser applied to each block of cyphertext within a sector, or is
it somehow applied across several blocks concurrently or across the entire
sector at once, some how?

I'm assuming that for an AES-256 bit key, BitLocker encrypts the entire
512-byte sector using 32-byte blocks of data. The Cypher Block Chaining
(CBC), XOR's the cyphertext output of the previous block with the
plaintext
of the current block. How is diffusion applied, and how is the diffuser
generated?

Some nice references on good ol' wikipedia:
http://en.wikipedia.org/wiki/Confusion_and_diffusion
http://en.wikipedia.org/wiki/Block_c...s_of_operation

Thanks!

Hi Tavis, haven't forgotton you!
I'll try and chase this up tomorrow. Niels presented this paper recently, so
if it's not downloadable yet, I'll make sure it's downloadable soon.

Niels is the crypto expert on the team, I've seen him draw the explaination
on the board dozens of times, but I still look in awe

Caution, this is the not so crypto expert reply:

AES in CBC mode, in encryption behavior has a chain effect where each block
effects the previous block
(http://en.wikipedia.org/wiki/Block_c...s_of_operation look for CBC,
gives a good diagram of this). However when considering an attack that
modifies data prior to decryption, and looking at the decrypted data, it is
possible to cause only minor changes to earlier CBC blocks whilst causing
major changes to other CBC blocks.

A good diffuser with no key mixes bits from each CBC block, so that each
decrypted block is a mix determined from the entire sector, and on reverse,
a slight change in the decrypted result of one CBC block would be
distributed among the remaining CBC blocks. An additional key allows the
details of the mixing to change from sector to sector and disk to disk.

I think of the diffuser as a net spread over the sector, and any
modification of the encrypted data in an attempt to effect the decrypted
data will cause the net to get tangled.
-
Jamie Hunter [MS]
---

"tavis" wrote in message
...
Hi Jamie,

Has the paper you mention below providing details of Diffuser and the
overall encryption algorithm available yet?

If not, a question: Can you describe a bit more about how a 256-bit AES
key
is used to "mix up the bits" (all 512 bytes) of an *entire* sector, when
the
key itself is only 32 bytes long?

Thanks!



"Jamie Hunter [MS]" wrote:

Tavis, you keep firing good questions at me

The FVEK (Full Volume Encryption Key) contains 2 keys, one for the AES
algorithm, and one for the Diffuser algorithm. This ensures the diffuser
cannot weaken AES (a shared key would be an architecture concern). The
diffuser is applied to an entire sector before encryption and can be
described as "mixing the bits of the sector prior to encryption". The IV
(initial vector) for both algorithms is derived from the sector number to
ensure that sectors cannot be swapped.

Consider this in reverse, a single bit change will result in a moderate
change c/o CBC, however this change gets diffused throughout all the bits
of
the sector resulting in an entire sector change. This mitigates creative
attacks where someone would try to introduce a minor change into some
code
or data to change OS behavior in a desirable way.

A paper giving the details of the Diffuser (and other low level details)
is
forthcoming, before RTM.
-
Jamie Hunter [MS]

"tavis" wrote in message
...
How does the diffuser work under BitLocker encryption?

Is the diffuser applied to each block of cyphertext within a sector, or
is
it somehow applied across several blocks concurrently or across the
entire
sector at once, some how?

I'm assuming that for an AES-256 bit key, BitLocker encrypts the entire
512-byte sector using 32-byte blocks of data. The Cypher Block
Chaining
(CBC), XOR's the cyphertext output of the previous block with the
plaintext
of the current block. How is diffusion applied, and how is the
diffuser
generated?

Some nice references on good ol' wikipedia:
http://en.wikipedia.org/wiki/Confusion_and_diffusion
http://en.wikipedia.org/wiki/Block_c...s_of_operation

Thanks!