It just occurred to me today another way Orthrus could be implemented.
Instead of using a RAID-0 style, where each block is written to only one card, you could do this:
For each incoming block, generate a block of random data (the SAMS70 has a true random number generator to facilitate that). Write the block of random data to one card (chosen at random) and then XOR that block with the incoming data block and write that to the other card.
To read, read the corresponding block from each card and XOR the two together.
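The write and read paths described above, as an added sketch that is not Orthrus firmware code. It assumes 512-byte blocks, two in-memory arrays standing in for the cards, and the host's `/dev/urandom` standing in for the SAMS70 TRNG; the names `split_write`, `split_read` and `fill_random` are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLOCK_SIZE 512
#define NUM_BLOCKS 8            /* tiny constructed volume */

/* Two in-memory arrays stand in for the two cards (assumption). */
static uint8_t card[2][NUM_BLOCKS][BLOCK_SIZE];

/* Stand-in for the SAMS70 TRNG: reads the host's /dev/urandom. */
static int fill_random(uint8_t *buf, size_t len)
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    size_t got = fread(buf, 1, len, f);
    fclose(f);
    return got == len ? 0 : -1;
}

/* Write: random pad to a randomly chosen card, pad XOR data to the other. */
int split_write(uint32_t lba, const uint8_t *data)
{
    uint8_t pad[BLOCK_SIZE], which;
    if (lba >= NUM_BLOCKS) return -1;
    if (fill_random(pad, sizeof pad) || fill_random(&which, 1)) return -1;
    which &= 1;                             /* pick card 0 or card 1 */
    memcpy(card[which][lba], pad, BLOCK_SIZE);
    for (size_t i = 0; i < BLOCK_SIZE; i++)
        card[which ^ 1][lba][i] = pad[i] ^ data[i];
    return 0;
}

/* Read: XOR the same block from both cards; which one held the pad is irrelevant. */
int split_read(uint32_t lba, uint8_t *out)
{
    if (lba >= NUM_BLOCKS) return -1;
    for (size_t i = 0; i < BLOCK_SIZE; i++)
        out[i] = card[0][lba][i] ^ card[1][lba][i];
    return 0;
}

int main(void)
{
    uint8_t in[BLOCK_SIZE], out[BLOCK_SIZE];
    memset(in, 'A', sizeof in);             /* constructed plaintext block */
    if (split_write(3, in) || split_read(3, out)) return 1;
    printf("round trip %s\n", memcmp(in, out, BLOCK_SIZE) ? "FAILED" : "ok");
    return 0;
}
```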
There are a few big drawbacks with this approach:
- Instead of doing a single card I/O operation per block, you now must perform one to each card. Since we have only one hardware channel, we can't interleave them, so this likely means cutting the performance in half.
- It depends for security on the quality of the TRNG in the SAMS70 chip. The only word we have on that quality at the moment is Atmel/Microchip's marketing claims.
- Instead of a volume twice the size of the smaller card, the volume is the same size as the smaller card. This isn't that big a deal, though, because you can get truly massive µSD cards nowadays.
- There is no easy way to "nuke" a volume the way that overwriting the key block on an Orthrus card does today. You would instead have to overwrite one of the cards entirely.
Given that set of drawbacks, I think I'll stick with AES-XEX and the current key derivation scheme.