IEEE 1619.1:2018 pdf free download – IEEE Standard for Authenticated Encryption with Length Expansionfor Storage Devices
4.2.5 Storage medium
The storage medium is any device or material capable of non-volatile storage of encrypted records andmetadata.
The controller may configure the cryptographic unit to write a particular plaintext record to the storagemedium either with encryption or without encryption. The cryptographic unit may mix both encrypted recordsand plaintext records on the storage medium.The cryptographic unit may write additional information withoutencryption to the storage medium, assuming that such information does not reveal cryptographic keys orplaintext that was intended to be encrypted. The cryptographic unit shall not write information to the storagemedium that compromises the cryptographic confidentiality or integrity of any encrypted information on thestorage medium.
4.3 Plaintext record formatter
The plaintext record formatter is a routine that converts host records into plaintext records that pass intothe encryption routine. In the simplest case, this routine could simply pass host records directly through asplaintext records.In more complicated systems, this routine could perform compression, padding, or otherreversible transforms.
The cryptographic unit receives host records from the host as a basic unit of data for encryption. Whenperforming encryption, the cryptographic unit shall use the plaintext record formatter to format the hostrecords into plaintext records.
To reduce buffering requirements and latency, the cryptographic unit may define a maximum size for theplaintext records that is smaller than the maximum host record size allowed by the cryptographic unit. Theplaintext record formatter may split the host record into multiple plaintext records with optional padding orreformatting.
The cryptographic unit may apply padding or perform reversible transforms (such as compression) to the datawithin the host records to form the plaintext records.
lf a host record is formed from two or more plaintext records,then the cryptographic unit shall includesufficient information within the additional authenticated data (AAD), IV, or plaintext record to allow theplaintext record de-formatter (see 4.4) to unambiguously reconstruct each of the original host records or detectmalicious tampering.To help fulfill this requirement, the cryptographic unit should use ordering verification todetect tampering or reordering of the encrypted records (see 4.6.3).
Documentation shall describe how the plaintext record formatter generates plaintext records from host records.
During decryption, the cryptographic unit shall always validate the MAC. The cryptographic unit shouldvalidate the MAC before sending any plaintext to the host. Best practices recommend validating the MACbefore returning plaintext (see B.4 for a discussion on the security concerns of returning plaintext beforevalidating the MAC). Documentation shall disclose whether the cryptographic unit validates the MAC beforercturning any plaintext.
lf the cryptographic unit validates the MAC before returning plaintext, then it shall not return plaintext tothe host if the MAC validation fails. If the MAC validation fails, then the cryptographic unit shall return thespecial signal FAIL to the host andor controller.
lf the cryptographic unit returns plaintext to the host before validating the MAC, then the cryptographic unitshall subsequently validate the MAC.If this MAC validation fails, then the cryptographic unit shall return thespecial signal FAlIL to the host andor controller. If this MAC validation passes, then the cryptographic unitshall return the special signal PASS to the host and’or controller.
lf the cryptographic unit is capable of returning plaintext before validating the MAC, then the host should notact on any plaintext from the cryptographic unit until receiving a complete host record and the special signalPASS.