Ensuring Data Confidentiality with a Secure XTS-AES Design in Flash Translation Layer

Abstract

Nowadays sensitive data are commonly stored on personal mobile devices (e.g., laptops and smartphones) or public cloud storage platforms. Data on these platforms are commonly protected with strong cryptography like full disk encryption (FDE), and XTS-AES is one of the most widely used encryption algorithms in FDE. Unfortunately, realizing XTS-AES above the block device layer on flash-based block devices is problematic: it neglects the unique nature of the underlying flash memory, which is the most widely employed storage in the mobile devices and cloud infrastructure. As the tweak values of the physical flash pages mapping to the same logical block address are same, thus the system will suffer from the chosen-plaintext attacks due to the out-of-place update of the flash memory. In this paper, we first introduce the concrete attacks for the prior XTS-AES implementation due to neglecting the unique nature of the underlying flash memory, and then propose SecureXTS, a secure XTS-AES implementation method in flash translation layer (FTL). SecureXTS takes advantage of physical page number and block erasure number to generate the tweak value, without introducing additional metadata and hardware extensions. We provide a proof-of-concept SecureXTS implementation using OpenNFM. The experimental results show that, compared with conventional XTS-AES implementations, our SecureXTS can provide secure data encryption functions and data confidentiality with negligible performance overhead.