[dm-crypt] Efficacy of xts over 1TB

Mario 'BitKoenig' Holbe Mario.Holbe at TU-Ilmenau.DE
Mon Jul 26 11:17:01 CEST 2010


David Santamaría Rogado <howl.nsp at gmail.com> wrote:
> There is also an issue about the size of the filesystem encrypted with
> the support of XTS. This is discussed here:
> http://lists.alioth.debian.org/pipermail/pkg-cryptsetup-devel/2008-September/002265.html

Yes, Micah refers to D.4.3 in the NIST "Extract from IEEE Std 1619-2007"
here: strong security is proven as long as the same key is not used to
encrypt >>1TB data.

> But in the wikipedia's discussion:
> http://en.wikipedia.org/wiki/Talk:Disk_encryption_theory#Issues_with_XTS

It seems like this guy didn't read D.4.3, but refers to 5.1.

> So, XTS has collision troubles with >500 GB or >1TB of data, or, it's a
> misconception and there isn't any issue about this on large
> filesystems.

It's not exactly collisions, but more like a collision probability, if
you want to keep the term. Effectively, its the sucess probability of an
attack that increases. Depending on the amount of data you like to
encrypt and on your security needs this may or may not be a concern for
you. The attack success probability doesn't instantly jump to 1 if you
encrypt more than 1TB of data, but increases from not better than 2^-53
for 1TB to about 2^-37 for 1PB to about 2^-17 for 1EB.

This may or may not sound less dangerous for you than it really is. Just
consider an incremented exponent means a double-up (though, we're
talking about very small numbers here).

Please also note that depending on your security needs and usage
pattern, the term "a key is used to encrypt 1TB of data" is not
necessarily equivalent to "a key is used to encrypt a 1TB disk". If you,
for example, have a disk where much data is modified often and you
expect your attacker to be able to get snapshots of the encrypted disk
without your knowledge, your "safe" disk size effectively decreases.


regards
   Mario
-- 
The social dynamics of the net are a direct consequence of the fact that
nobody has yet developed a Remote Strangulation Protocol.  -- Larry Wall



More information about the dm-crypt mailing list