XTS-AES implementation in .NET
I’ve been meaning to write about this for some time, but laziness, procrastination and work have managed to get in the way.
DISCLAIMER: I am not a cryptographer, cryptography is something that interests me and the library is a proof of concept; you use it at your own risk.
I recently (i.e. a year ago!) wrote an implementation of the XTS algorithm in .NET (C#). I had asked a question on Stack Overflow, but didn’t get much of a response. The only other implementations I found were in C or C++.
I eventually implemented it myself by looking at the LibTomCrypt library as well as the actual IEEE standard document. The implementation supports AES-128 and AES-256 and is licensed under the BSD license, so do with it what you will!
XTS’s main purpose is to enable encryption on block-level devices (e.g. hard drives) while allowing random read / write access to the data. The key here is that each block can be encrypted / decrypted without touching the other blocks. Standard modes (like CBC) chain the blocks together, so to decrypt block 1000, you have to decrypt the previous 999. Encrypting each block separately using a mode like ECB is not secure, as two blocks with the same content will encrypt to the same ciphertext.
XTS gets around this problem by chaining two encryption steps together with a tweak step in the middle. The key difference from other block cipher modes is that XTS uses the sector number as part of the tweak step. This works quite well, as the sector number is trivial to calculate for any position on the device. Most available disk encryption software uses XTS mode.
The library uses the built-in .NET AES implementation internally, and coordinates the two AES encryption transforms along with the actual tweak.
You can see my implementation in my bitbucket repository, and the LibTomCrypt one in their github repository. The entire algorithm is basically implemented in the single XtsCryptoTransform class. It is actually simpler than the LibTom one because the .NET ICryptoTransform interface is the same for encryption and decryption. It can also be extended quite easily to use other encryption algorithms, as it depends on the ICryptoTransform interface only.
The library has unit tests that test it against the test vectors in Annex B of the IEEE standard document (which it obviously matches!).