FIPS 140-2 IG A.9 AES-XTS key handling. #7120
This is an implementation of the extra check required by FIPS 140-2 IG A.9. The two uses for AES-XTS are mandated to be different. If they are the same, there is a vulnerability published by Rogaway in September 2004 in the paper: Efficient Instantiations of Tweakable Blockciphers and Refinements to Modes OCB and PMAC.
The main negative side effect is that old encrypted data that used the same key twice will be unable to be decrypted. Thus, this change should be conditional on a FIPS mode of some kind (which is currently undefined). One of the AES-XTS test cases uses the same key twice; this test has been modified so an error is expected. Ideally, this would also be dependent on a FIPS mode -- possibly by duplicating the test case and flagging one as FIPS and the other as not.
The WIP tag depends on a resolution of the FIPS mode question.
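The check the PR describes, as an added stand-alone example that is not code from this PR or from OpenSSL: an XTS key is Key_1 || Key_2, and IG A.9 requires the two halves to differ. The helper below splits the supplied key, compares the halves in constant time (a local loop stands in for OpenSSL's CRYPTO_memcmp), and rejects equal halves only when the caller says it is in FIPS mode, so that legacy data encrypted under a duplicated key stays decryptable outside FIPS mode. The function name `xts_key_is_acceptable`, the `fips_mode` flag, and the two sample keys are assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>

/* Constant-time byte equality: returns 1 if a and b match over n bytes.
 * No early exit, so timing does not reveal which byte first differs. */
static int ct_equal(const unsigned char *a, const unsigned char *b, size_t n)
{
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Hypothetical key-acceptance check for AES-XTS (not OpenSSL's own API).
 * key holds Key_1 || Key_2; keylen is 32 (AES-128-XTS) or 64 (AES-256-XTS).
 * Returns 1 if the key may be used, 0 otherwise.
 * In FIPS mode, Key_1 == Key_2 is rejected per FIPS 140-2 IG A.9; outside
 * FIPS mode the duplicated key is still allowed so old ciphertext decrypts. */
int xts_key_is_acceptable(const unsigned char *key, size_t keylen, int fips_mode)
{
    if (key == NULL || (keylen != 32 && keylen != 64))
        return 0;
    size_t half = keylen / 2;
    if (fips_mode && ct_equal(key, key + half, half))
        return 0;
    return 1;
}

/* Constructed sample keys (AES-128-XTS, 32 bytes each), not real test vectors. */
/* Both halves identical: the case IG A.9 forbids. */
const unsigned char DUP_KEY[32] = {
    0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
    0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
    0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
    0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
};
/* Halves differ in only the final byte: still distinct, still accepted. */
const unsigned char DISTINCT_KEY[32] = {
    0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
    0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
    0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
    0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x12,
};

int main(void)
{
    printf("duplicate halves, FIPS mode:     %s\n",
           xts_key_is_acceptable(DUP_KEY, 32, 1) ? "accepted" : "rejected");
    printf("duplicate halves, non-FIPS mode: %s\n",
           xts_key_is_acceptable(DUP_KEY, 32, 0) ? "accepted" : "rejected");
    printf("distinct halves, FIPS mode:      %s\n",
           xts_key_is_acceptable(DISTINCT_KEY, 32, 1) ? "accepted" : "rejected");
    printf("bad length (48), FIPS mode:      %s\n",
           xts_key_is_acceptable(DISTINCT_KEY, 48, 1) ? "accepted" : "rejected");
    return 0;
}
```

The FIPS-mode switch mirrors the PR's point that the extra check must be conditional: a duplicated key that was accepted before the change can only be refused where the validation profile demands it, or existing ciphertext becomes unreadable.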