[dm-crypt] Efficacy of xts over 1TB

Mario 'BitKoenig' Holbe Mario.Holbe at TU-Ilmenau.DE
Mon Jul 26 11:42:40 CEST 2010

Christoph Anton Mitterer <christoph.anton.mitterer at physik.uni-muenchen.de> wrote:
> http://en.wikipedia.org/wiki/XTS_mode#Issues_with_XTS
> Anybody with some deeper knowledge about it?

No deeper knowledge, but the authors of XTS refer to the separation of
keys by the purpose they are used for as good security design practice,
as the NIST Key Management Guidelines do as well.

It may or may not provide additional security. This basically depends on
what you compare it to.
For example: if you would specify a derivation of XTS where one key is
used for both AESEnc operations or where one key is derived from the
other using PBKDF2 (or both from a 3rd), you actually would need to
prove that there is no bad interference between the two AESEnc
operations and PBKDF2. If the math behind it would be "bad", it could
produce collisions, or shortening, for example. I don't know if
somebody ever did this, but if you choose two independent keys, you just
circumvent doing the math.
Thus, I think the more important part is: it does not harm security :)

Btw.: please don't confuse the example above with Clemens' proposal in
Message-ID: <2f83750a0904160037n4a260b96g266b9d735a745556 at mail.gmail.com>
This is different because the keys derived from each other are used
mostly independently there (except for block moves).

> As Luke Leighton said once on samba-ntdom, "now, what was that about
> rebooting?   that was so long ago, i had to look it up with man -k."
