6. IV collision avoidance
The transforms that are defined in this standard depends crucially on the uniqueness of
the IV values within the scope of any encryption key: using the same IV value and the
same encryption key to encrypt two different records results in data leakage. Each VBdevice shall therefore employ the following strategy to reduce the likelihood of IVcollisions:
a) The key transform algorithm as specified in Section 6.1 shall be used to prevent
IV collisions when the same key is used with devices from different
vendors/technologies or in different contexts.
b) Within each context, the IVs for different records shall be generated in sequences:
 The first IV in every sequence shall either be derived from a
cryptographically secure pseudorandom number generator, copied from a
globally unique value, or copied from an externally supplied nonce.
 All other IVs in a sequence shall be derived using a systematic method to
ensure that no two IVs in a sequence assume the same value.
These options are described in Section 6.2.
6.1 Key transform
The purpose of the key transform is to mitigate IV-collisions when the same key is used
in different contexts or by devices from different vendors/technologies. Since different
vendors/technologies do not have control over each other's IV format, there is an
unacceptably high risk that two IVs could have the same value. Hence, the key transform
method ensures that the actual encryption keys that are used in the different contexts (or
by the different vendors/technologies) will not be the same. Thus, the key transform
ensures that IV-collisions between different contexts or different vendors/technologies no
longer impact security because the VB-devices are using different keys for encryption.
6.1.1 Key transform using NIST SP 800-90
The key transform algorithm shall produce a 256-bit device key using the following
inputs:
a) The 256-bit user key
b) A 3-byte IEEE OUI that is unique for a particular technology or vendor
c) An optional stream of bytes provided by the VB-device
The key transform algorithm additionally uses the SHA-2 256-bit hashing function
(SHA-256) in the manner outlined by NIST SP 800-90, section 10.4.1 (Derivation
Function Using a Hash Function). The following equation describes the transform:
DeviceKey = SHA-256(0x01 | 0x00000100 | OUI | FormatSpecific | UserKey)
where


SHA-256 is the 256-bit SHA-2 transform described in FIPS SP 180-2
DeviceKey is the 256-bit key used by the VB-device to encrypt and decrypt data






0x01 is the 8-bit hexadecimal representation of the integer 1 (see footnote1)
0x00000100 is the 32-bit hexadecimal representation of the integer 256 (see
footnote2)
OUI is a unique 3-byte integer that identifies this technology family3
UserKey is the 256-bit key provided by the user of the VB-device
FormatSpecific is an optional stream of additional data. Its length shall not
exceed 15 bytes.
| is the concatenation operator that joins two strings in big-endian order. All bytes
within this transform are in big-endian order, in which the first (leftmost) bytes
contain the most significant bits of an integer.
Below we refer to the concatenation of the OUI field and the FormatSpecific field as
the context of the device key.
The 15-byte string values “auxiliary nonce” and “globally unique” are reserved
for the FormatSpecific field. In hexadecimal notations, these strings are respectively:
and
(61 75 78 69 6c 69 61 72 79 20 6e 6f 6e 63 65)16
(67 6c 6f 62 61 6c 6c 79 20 75 6e 69 71 75 65)16
The value “auxiliary nonce” shall be used if and only if the IV value is derived from
a nonce that is supplied externally, as described in Section 6.2.1. (For example when the
VB device receives a nonce from the host in conjunction with the UserKey.) The value
“globally unique” shall be used if and only if the IV value is derived from a globally
unique value, as described in Section 6.2.2.
The IEEE OUI selected for the key transform algorithm shall be unique for a given
vendor or technology. The OUI may either identify a particular vendor, or may identify a
technology shared among several vendors (for example, the LTO consortium). It is the
responsibility of the implementer to register a unique OUI with IEEE, if one does not
already exist for a given vendor or technology. A VB-device should not reuse an OUI
that another, independent vendor already uses.
6.2 IV Sequences
The IVs for different records within each context shall be generated in sequences, where
each sequence contains one or more IVs. The first IV in a sequence shall be computed
using one of the following three methods:
1
'1' corresponds to the value counter, as specified in SP 800-90. Since the output of the SHA-256 hash
function matches the key size, it is not necessary to use any other counter values.
2
'256' corresponds to the size of the output, which is 256 bits. SP 800-90 refers to this quantity as
'no_of_bits_to_return'
3
IEEE maintains a registry of 3-byte OUI values at
<http://standards.ieee.org/regauth/oui/index.shtml>
6.2.1. IVs from externally supplied nonces
The VB device may receive a nonce value from an external source (such as a tape drive
receiving a nonce from the host in conjunction with the UserKey). In this case the first
IV in a sequence shall be copied verbatim from the externally supplied nonce, and each
additional IV in the sequence shall be computed from its predecessor using a simple
increment. That is, the IV is interpreted as an integer (of bit-length equal to the IV length)
and each IV in the sequence shall be one grated than the IV before it.
The VB-device shall ensure that no supplied nonce is ever used in more than one IV
sequence, and the supplied of the external nonce should ensure that the difference
between different nonces (when interpreted as an integers) is larger than the length of the
longest possible IV sequence.
When using this method, the FormatSpecific field of the key transform will be set to
the reserved value “auxiliary nonce” as described in Section 6.1.
6.2.2. IVs from globally unique values
If the VB device has access to numbers that are known to be universally unique for all
VB-media within the current context then it may use them for generating the first IV in a
sequence. (For example, the serial number of a tape cartridge may be used in this manner
in some cases.) When using this method, the IV length shall be grater than the length of
all the unique numbers combined. The first IV in the sequence shall be computed by
concatenating all the universally unique numbers, padded by zero bits to the full length of
the IV. Specifically, the unique numbers shall be the most-significant bits of the resulting
IV, and the zero bits shall be the least significant bits.
Each additional IV in the sequence shall be computed from its predecessor using a simple
increment. That is, the IV is interpreted as an integer (of bit-length equal to the IV length)
and each IV in the sequence shall be one grated than the IV before it.
When using this method, the FormatSpecific field of the key transform will be set to
the reserved value “globally unique” as described in Section 6.1.
6.2.2. IV generation using a cryptographically secure PRNG
If a VB-device does not receive external nonce from its host and does not have a globally
unique values from which to generate the IVs, it must be capable of generating a
cryptographically secure pseudo-random number (PRN) as a nonce that the VB-device
uses to generate each IV. The first IV in a sequence shall be derived from a
cryptographically secure pseudo-random number generator (PRNG) as follows:
 If the IV is 96-bit long then the first IV shall be derived from a 96-bit output of
the PRNG via a function that is nearly one-to-one. Specifically, no possible value
for the IV shall be obtained from more than eight different values that are
provided by the PRNG.

If an implementation uses the GCM algorithm and uses an IV with more than 96
bits, then each IV shall contain at least one 128-bit block that is completely
derived from a PRNG.
The other IVs in the sequence shall be generated in a systematic way to ensure that no
two IVs in the same sequence have the same value. Some examples of systematic ways
for generating a sequence include:
a) Addition by 1, modulo 2n where n is the bit-size of the IV
b) Addition by any other fixed odd number modulo 2n
c) A linear-feedback shift register (LFSR) corresponding to a primitive binary
polynomial.