[dm-crypt] Efficacy of xts over 1TB

Christoph Anton Mitterer christoph.anton.mitterer at physik.uni-muenchen.de
Mon Jul 26 00:37:44 CEST 2010

On Sun, 2010-07-25 at 15:52 +0200, Milan Broz wrote:
> not talking about encryption mode security, just about plain IV:
> plain 64 is just 64bit unsigned (512b sector number with optional initial
> offset), sector are also 64bit, so limit is the same like maximum block
> device in Linux currently.
Well but as far as I understand, this means that the same IV could be
used in multiple sectors (after the 32bit), right?
And wouldn't this have a negative impact on the security?

> > 2) Is plain64 solwer than the the normal plain? If not,... and even
> > if,.. wouldn't it be better to let "plain" be what currently "plain64"
> > is and to add a e.g. "plain32" or so, which people can use if the really
> > know what they're doing?
> It is not slower (plain uses 64bit too but with masking 32bits out,
> I guess this is some cryptoloop legacy)
> plain64 discussion was already in this list - we cannot change plain because
> of backward compatibility (Imagine old 4TB LUKS device ("plain" iv mode in header)
> - after this change everything above 2TB is garbage.)
I see... what about this idea:
In newer releases of cryptsetup, give a warning whenever people use
"plain" suggesting them to use "plain64"?!

> I prefer keep small open problem here (only few such systems in fact) to
> destroying users data for sure.
Uhm,.. what do you mean?

> (I can add warning/hint to cryptsetup binary if using large device.)
Ah ^^...
Wouldn't it be better to always warn, even on devices smaller than the
limit for plain? I mean luks devices are easily resizeable so people
could run into that problem later.

> Default modes in cryptsetup now use essiv:sha256 (no problem here).
> Mainly for backward compatibility (best compatible/safe mode,
> e.g. RHEL/CentOS5 do not have XTS yet), otherwise I personally prefer XTS mode:-)
Are you going to change this someday? I mean to xts?

> You have to set -c cipher-mode-plain manually, I expect you know what
> are you doing then.
Well,... I've also thought I knew what I did,.. but apparently not ;)

Nevertheless,... it all comes down to:
1) Devices smaller than 2TB are also secure with "plain"....
2) larger devices have to use plain64 in order to avoid the same IV
begin used after the boundary
3) No other currently known weakness in XTS and/or it's IV generation
4) XTS is the most secure mode at the moment?


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3387 bytes
Desc: not available
URL: <http://www.saout.de/pipermail/dm-crypt/attachments/20100726/907aa54c/attachment.bin>

More information about the dm-crypt mailing list