IEEE Scramble
This document specifies a scramble mechanism to use in storage security.
Synopsis:
Author(s):
Yaron Klein, Sanrad Ltd.
Edit & Review:
Revision Level:
1.0
Revision Date: Jan. 18, 04
Introduction
This document specifies an IEEE P1619 r=1 scramble algorithm. The scramble algorithm
may be use in compliance to the IEEE Tweak algorithm for additional strength or on its
own for a low level encryption.
This document includes the following sections:
- Definitions, acronyms and symbols.
- Mathematical properties
- Specification
- Implementation issues
Definitions
AES
Bit
Byte
Sector
Disk
Volume
File System
Advanced Encryption Standard
A binary digit having a value of 0 or 1
A group of eight bits
A basic storage unit of a disk (usually a 512 byte).
A physical storage element of sectors.
A storage element constructed of parts from one or more disks.
A method of storing user’s files on a volume.
Motivation
Protecting data in a shared storage elements (or data at rest) differs from protecting data
in a communication systems (or data in transit) is several ways:

In a shared storage element, the hacker may have unlimited or relatively long time
to decrypt the data, while in communication systems, the data may be irrelevant
after a short time.

In a shared storage element, key exchange is impossible while in data in transit,
the encryption keys may change every short period of time.

In communication systems the data is usually a raw data with no characteristics,
while is storage element the data is stored in a well-known file system. This
includes known patterns in known locations.
The basic storage encryption standard [Tweak] uses AES as a basic encryption algorithm
and a Tweak algorithm to reduce the element of patterns. However, this may be
insufficient for advanced hackers. Those can use the known patterns to decrypt the
information.
Also, for the other side of the scale, the storage encryption standard requires high
computational power from the user’s resources. A low level user may only want to
protect against a simple hacker without the necessity to pay in CPU utilization.
Storage Preliminaries
A storage volume is an array of sectors where each sector indexed. The user can read or
write to each sector. Usually, a layer of file system buffers between the user and the
volumes data. This layer enables the user to interact with the volume with file level API.
The output from the file system layer goes down to a SCSI layer. It encapsulates the read
or write command into a SCSI command. Such command has an index of the start sector,
the size of the data (in sectors) and the data. The main commands are Write Commands
(where data is written from the user to the volume) and Read Command (where data is
read from the volume to the user).
If a virtualization layer exists (e.g., Raid system), the address in the SCSI command is
converted according to the virtual map. Then, it is transferred to the physical disk for
execution.
Mathematical Preliminaries
Consider a volume with N sectors. The sectors are indexed from 0 to N-1 on the discrete
interval 0, N  1. A one to one map from the domain to itself is a function such that:
f (ni )  n j ni  0, N  1 such that:
n j  0, N  1 and:
if ni  nk than f (ni )  f nk 
If we plug a device down from the SCSI layer that on each Write command maps each
sector using such function, we “scramble” the volume’s raw data. In the other direction,
in each Read command, we need to use the inverse function f 1 before executing the
command.
We can say that the process of the scrambling is encryption and the function f is the key.
Such function can be analytical function, e.g.,
f ni   ni  a  b
where, gcd N , a   1
In this case, a and b are the code.
Practical Functions
A different function can be a simple map. That is, the user can set an ordered array of size
N and shuffle it using some random algorithm. In here, f ni   Ani  , where A is the
shuffled array. The key here is the array.
If we consider that 1 GB of storage requires about 2097152 sectors, than such an array
may require an expensive memory space. We can than consider a reduced version of it.
Without loss of generality, assume that N  2 b . Define a shuffled array of 2 b entries.
Denote a corollary function f b ni   Ab ni  to all ni  0,2 b .
For large N, divide the b bits to t intervals b1 , b2 ,..., bt  such that b1  b2  ...  bt  b . For
each interval define a function f bi as above. For each ni  0, N  1, disassemble ni to
elements of bi bits according to the intervals, shuffle using the appropriate f bi function
and assemble the element back. For example, in order to shuffle volume of 1 MB with
sector size of 512 bytes ( 211 sectors), we can use 2 intervals 5,6. The code length is
2 5  2 6  96 bytes.
Without loss of generality, assume that N is a multiple of 2 b , such that N  2 b  M .
Define a shuffled array of 2 b entries. Denote a corollary function f b mi   Ami  to all
 
mi  0,2 b .
Denote the b least significant bits of ni as LS b ni  and the remains most significant bits
as MS b ni  . Note that ni  MS b ni   LS b ni  . Then, we can define a function such that:
f ni   MS b ni   Ab LS b ni 
Complexity
The complexity of the encryption is O1 - one memory fetch.
Efficiency
The above algorithm does not protect the volume from an advanced hacker. Since the
data on the sector is not encrypted, known patterns can be found on the disk. However,
due to the size of typical volume, a brute force hacking is infeasible.
The encryption complexity is trivial, but performance problems may arise because of the
physical nature of the disk. A basic command of continuous data is split into nonsequential commands. Thus, overload the disk’s rotor.
Bibliography
[Tweak] Cyril Guyot, IEEE Tweak.