[dm-crypt] Efficacy of xts over 1TB

Mario 'BitKoenig' Holbe Mario.Holbe at TU-Ilmenau.DE
Mon Jul 26 11:04:22 CEST 2010


Arno Wagner <arno at wagner.name> wrote:
> first XTS mode is not the default anywhere in cryptsetup, so 
> why would you want to use it? Is there any specific problem 

It's standardized by NIST :)

> with CBC-ESSIV that you wish do address?

CBC-ESSIV is specifically designed to tweak CBC to withstand watermark
attacks, but does not address other kinds of attacks CBC is vulnerable
to, like leakage, malleability, etc. XTS is not vulnerable to them.

Thus, depending on your personal security needs there may be scenarios
where you don't want to use CBC-ESSIV. Or you just prefer to use
standardized mechanisms :)

> The one limitation I find in the NIST document is "2^20 AES blocks" 
> which would be 128 bit blocks * 2^20 = 16MB per data unit maximum. 

The other one you can find in D.4.3: strong security is proven as long
as the same key is not used to encrypt >>1TB data.

Btw... just because there was a discussion regarding plain vs. plain64
in this thread: Of course the above also holds for plain64. - I guess
this is what Milan meant when he did explicitely state not talk about
encryption mode security while explaining plain64.

And btw.2... Jonas forwarded Micahs mail to this list as well:
Message-ID: <20080902122833.GF29731 at resivo.wgnet.de>
This is basically why Clemens created
http://code.google.com/p/cryptsetup/issues/detail?id=13
based on:
Message-ID: <2f83750a0904160037n4a260b96g266b9d735a745556 at mail.gmail.com>
Subject: Re: Plans to avoid weaknesses in big volumes? (was: Re: SMP-aware kcryptd?)


regards
   Mario
-- 
Computer Science is no more about computers than astronomy is about
telescopes.                                       -- E. W. Dijkstra



More information about the dm-crypt mailing list