1 Overview
1.1 Scope
1.2 Purpose
1.3 Description of clauses and annexes
2 Normative references
3 Keywords, definitions, acronyms, and abbreviations
3.1 Keywords
3.2 Definitions
3.3 Acronyms and abbreviations
3.4 Mathematical conventions
4 General concepts
4.1 Introduction
4.2 Components
4.3 Plaintext record formatter
4.4 Plaintext record de-formatter
4.5 Encryption routine
4.6 Decryption routine
4.7 Cryptographic parameters
5 Cryptographic modes
5.1 Overview
5.2 Counter with cipher block chaining-message authentication
code (CCM)
5.3 Galois/Counter Mode (GCM)
5.4 Cipher block chaining with keyed-hash message authentication
code (CBC-HMAC)
5.5 Xor-encrypt-xor with tweakable block-cipher with
keyed-hash message authentication code (XTS-HMAC)
6 Cryptographic key management and initialization vector
requirements
6.1 Random bit generator
6.2 Cryptographic key entry and export
6.3 Handling the cipher key
6.4 Cryptographic key wrapping on the storage medium
6.5 Initialization vector (IV) requirements
6.6 Creating unique IVs within a self-contained group
Annex A (informative) Bibliography
Annex B (informative) Security concerns
B.1 Threat model
B.2 Maintaining cryptographic key security
B.3 Replay attacks
B.4 Passing plaintext to the host before checking the MAC
B.5 Checking for integrity of a cryptographic key
B.6 Avoiding collisions of initialization vectors
B.7 Examples of IV collision avoidance strategies
B.8 How many records to encrypt with one key?
Annex C (informative) Documentation summary
Annex D (informative) Test vectors
D.1 General
D.2 CCM-128-AES-256 test vectors
D.3 GCM-128-AES-256 test vectors
D.4 CBC-AES-256-HMAC-SHA test vectors (including HMAC-SHA-1,
HMAC-SHA-256, and HMAC-SHA-512)
D.5 XTS-AES-256-HMAC-SHA-512 test vectors