6. IV collision avoidance The transforms that are defined in this standard depends crucially on the uniqueness of the IV values within the scope of any encryption key: using the same IV value and the same encryption key to encrypt two different records results in data leakage. Each VBdevice shall therefore employ the following strategy to reduce the likelihood of IVcollisions: a) The key transform algorithm as specified in Section 6.1 shall be used to prevent IV collisions when the same key is used with devices from different vendors/technologies or in different contexts. b) Within each context, the IVs for different records shall be generated in sequences: The first IV in every sequence shall either be derived from a cryptographically secure pseudorandom number generator, copied from a globally unique value, or copied from an externally supplied nonce. All other IVs in a sequence shall be derived using a systematic method to ensure that no two IVs in a sequence assume the same value. These options are described in Section 6.2. 6.1 Key transform The purpose of the key transform is to mitigate IV-collisions when the same key is used in different contexts or by devices from different vendors/technologies. Since different vendors/technologies do not have control over each other's IV format, there is an unacceptably high risk that two IVs could have the same value. Hence, the key transform method ensures that the actual encryption keys that are used in the different contexts (or by the different vendors/technologies) will not be the same. Thus, the key transform ensures that IV-collisions between different contexts or different vendors/technologies no longer impact security because the VB-devices are using different keys for encryption. 6.1.1 Key transform using NIST SP 800-90 The key transform algorithm shall produce a 256-bit device key using the following inputs: a) The 256-bit user key b) A 3-byte IEEE OUI that is unique for a particular technology or vendor c) An optional stream of bytes provided by the VB-device The key transform algorithm additionally uses the SHA-2 256-bit hashing function (SHA-256) in the manner outlined by NIST SP 800-90, section 10.4.1 (Derivation Function Using a Hash Function). The following equation describes the transform: DeviceKey = SHA-256(0x01 | 0x00000100 | OUI | FormatSpecific | UserKey) where SHA-256 is the 256-bit SHA-2 transform described in FIPS SP 180-2 DeviceKey is the 256-bit key used by the VB-device to encrypt and decrypt data 0x01 is the 8-bit hexadecimal representation of the integer 1 (see footnote1) 0x00000100 is the 32-bit hexadecimal representation of the integer 256 (see footnote2) OUI is a unique 3-byte integer that identifies this technology family3 UserKey is the 256-bit key provided by the user of the VB-device FormatSpecific is an optional stream of additional data. Its length shall not exceed 15 bytes. | is the concatenation operator that joins two strings in big-endian order. All bytes within this transform are in big-endian order, in which the first (leftmost) bytes contain the most significant bits of an integer. Below we refer to the concatenation of the OUI field and the FormatSpecific field as the context of the device key. The 15-byte string values “auxiliary nonce” and “globally unique” are reserved for the FormatSpecific field. In hexadecimal notations, these strings are respectively: and (61 75 78 69 6c 69 61 72 79 20 6e 6f 6e 63 65)16 (67 6c 6f 62 61 6c 6c 79 20 75 6e 69 71 75 65)16 The value “auxiliary nonce” shall be used if and only if the IV value is derived from a nonce that is supplied externally, as described in Section 6.2.1. (For example when the VB device receives a nonce from the host in conjunction with the UserKey.) The value “globally unique” shall be used if and only if the IV value is derived from a globally unique value, as described in Section 6.2.2. The IEEE OUI selected for the key transform algorithm shall be unique for a given vendor or technology. The OUI may either identify a particular vendor, or may identify a technology shared among several vendors (for example, the LTO consortium). It is the responsibility of the implementer to register a unique OUI with IEEE, if one does not already exist for a given vendor or technology. A VB-device should not reuse an OUI that another, independent vendor already uses. 6.2 IV Sequences The IVs for different records within each context shall be generated in sequences, where each sequence contains one or more IVs. The first IV in a sequence shall be computed using one of the following three methods: 1 '1' corresponds to the value counter, as specified in SP 800-90. Since the output of the SHA-256 hash function matches the key size, it is not necessary to use any other counter values. 2 '256' corresponds to the size of the output, which is 256 bits. SP 800-90 refers to this quantity as 'no_of_bits_to_return' 3 IEEE maintains a registry of 3-byte OUI values at <http://standards.ieee.org/regauth/oui/index.shtml> 6.2.1. IVs from externally supplied nonces The VB device may receive a nonce value from an external source (such as a tape drive receiving a nonce from the host in conjunction with the UserKey). In this case the first IV in a sequence shall be copied verbatim from the externally supplied nonce, and each additional IV in the sequence shall be computed from its predecessor using a simple increment. That is, the IV is interpreted as an integer (of bit-length equal to the IV length) and each IV in the sequence shall be one grated than the IV before it. The VB-device shall ensure that no supplied nonce is ever used in more than one IV sequence, and the supplied of the external nonce should ensure that the difference between different nonces (when interpreted as an integers) is larger than the length of the longest possible IV sequence. When using this method, the FormatSpecific field of the key transform will be set to the reserved value “auxiliary nonce” as described in Section 6.1. 6.2.2. IVs from globally unique values If the VB device has access to numbers that are known to be universally unique for all VB-media within the current context then it may use them for generating the first IV in a sequence. (For example, the serial number of a tape cartridge may be used in this manner in some cases.) When using this method, the IV length shall be grater than the length of all the unique numbers combined. The first IV in the sequence shall be computed by concatenating all the universally unique numbers, padded by zero bits to the full length of the IV. Specifically, the unique numbers shall be the most-significant bits of the resulting IV, and the zero bits shall be the least significant bits. Each additional IV in the sequence shall be computed from its predecessor using a simple increment. That is, the IV is interpreted as an integer (of bit-length equal to the IV length) and each IV in the sequence shall be one grated than the IV before it. When using this method, the FormatSpecific field of the key transform will be set to the reserved value “globally unique” as described in Section 6.1. 6.2.2. IV generation using a cryptographically secure PRNG If a VB-device does not receive external nonce from its host and does not have a globally unique values from which to generate the IVs, it must be capable of generating a cryptographically secure pseudo-random number (PRN) as a nonce that the VB-device uses to generate each IV. The first IV in a sequence shall be derived from a cryptographically secure pseudo-random number generator (PRNG) as follows: If the IV is 96-bit long then the first IV shall be derived from a 96-bit output of the PRNG via a function that is nearly one-to-one. Specifically, no possible value for the IV shall be obtained from more than eight different values that are provided by the PRNG. If an implementation uses the GCM algorithm and uses an IV with more than 96 bits, then each IV shall contain at least one 128-bit block that is completely derived from a PRNG. The other IVs in the sequence shall be generated in a systematic way to ensure that no two IVs in the same sequence have the same value. Some examples of systematic ways for generating a sequence include: a) Addition by 1, modulo 2n where n is the bit-size of the IV b) Addition by any other fixed odd number modulo 2n c) A linear-feedback shift register (LFSR) corresponding to a primitive binary polynomial.