Encryption is often used to protect data at rest, for example, in a memory of, for example, a storage module, a host device, or a server. Encryption techniques, such as block ciphering, break up a large message into small encryption blocks (typically, 128 bits). To ensure two nearly-identical blocks encrypt to different values, each block can be mixed with the encrypted output of the previous block. The first block can use an arbitrary value known as an initialization vector (IV) (or “nonce”). Many encryption techniques use the logical block address (LBA) to which the data is to be written as the seed for the initialization vector. The initialization vector is used in the encryption process as the input of an exclusive-or operation for a first encryption block of data in the process of generating the first cipher block. The encryption process continues with the second encryption block, where the first cipher block is used as the input to the XOR operation instead of the initialization vector. While this technique works well for protecting data at rest on disk-based media, it can create security vulnerabilities when there are multiple copies of the same logical block address on the media.
Overview
Embodiments of the present invention are defined by the claims, and nothing in this section should be taken as a limitation on those claims.
By way of introduction, the below embodiments relate to generating and using an enhanced initialization vector. In one embodiment, data and a record identifier, such as a logical block address to which the data is to be written, are received. An initialization vector for encrypting the data is then generated. The initialization vector is based on the record identifier and a value that changes every time that the record identifier is to be written to. The value can be generated, for example, by a counter that increments every time the record identifier is to be written to or by a random number generator that generates a random number every time the record identifier is to be written to. In some embodiments, the generated initialization vector is also based on a second value, such as, for example, a value that is shared by other storage modules or a value that is unique to the storage module.
Other embodiments are possible, and each of the embodiments can be used alone or together in combination. Accordingly, various embodiments will now be described with reference to the attached drawings.