[dm-crypt] Switch to XTS mode for LUKS in cryptsetup in 1.6.0 (Was Re: [ANNOUNCE] cryptsetup 1.6.0-rc1)

Arno Wagner arno at wagner.name
Fri Jan 4 23:05:26 CET 2013


On Fri, Jan 04, 2013 at 09:56:27PM +0100, Milan Broz wrote:
> On 01/04/2013 09:20 PM, Heinz Diehl wrote:
> > On 04.01.2013, Arno Wagner wrote: 
> > 
> >> I think the current state is that in absolute terms AES256 is at 
> >> least as secure than AES128, but maybe not more so. 
> > 
> > What's behind the "maybe", actually? Are there any serious attacks
> > that can be carried out practically which reduces AES-256 to the
> > strength of AES-128? Or are those weaknesses only of theoretical
> > nature?
> 
> I think it is about related key attacks

Yes. 

> I will better
> not try to interpret the papers. There is a nice summary:
> 
> http://www.schneier.com/blog/archives/2009/07/another_new_aes.html

Hmm, reading this again, and the discussion comments by 
Schneier, maybe we should use AES128 as default. 
AES256 might indeed be somewhat weaker than AES128. 

Not that either can be broken at this time. 

One idea: With AES256+XTS, the keyslot-area is larger.
If somebody wants to re-encrypt AES256+CBC in place,
they would need to use AES128+XTS anyways. Correct?

That would be a second reason to use AES128.

Well, things are never simple when security is concerned...

Arno
-- 
Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno at wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
----
One of the painful things about our time is that those who feel certainty
are stupid, and those with any imagination and understanding are filled
with doubt and indecision. -- Bertrand Russell


More information about the dm-crypt mailing list