[dm-crypt] Using plain64/plain IV (initialisation vector) in dm-crypt
Mario 'BitKoenig' Holbe
Mario.Holbe at TU-Ilmenau.DE
Tue Jul 27 21:35:41 CEST 2010
On Tue, Jul 27, 2010 at 08:58:52PM +0200, Christoph Anton Mitterer wrote:
> On Tue, 2010-07-27 at 17:45 +0200, Mario 'BitKoenig' Holbe wrote:
> > This depends on your attack model and whether you believe in forensic
> I usually always expect the worst case,... i.e. that my attackers can
> make snapshots... ;) *paranoid*
Mh, that's highly inefficient on the one hand and not the worst case on
the other :)
W.r.t. efficiency: I have a nice little Ideapad w/ VIA Nano (i.e.
PadLock): running XTS on that thing is horribly slow (at least on Linux,
at least at the moment) because the PadLock does not natively support
XTS and the Linux XTS implementation is not very accelerator friendly
atm. But it does support CBC and the speed is only marginally lower for
256 than for 128bit keysize. Thus, I can choose slow XTS or I can do
256bit CBC-ESSIV on it near disk speed.
Guess what - as long as I consider the snapshot threat small enough, of
course I will go with CBC-ESSIV.
I also have a Workstation w/ Core2Quad. Here, XTS is as fast as
CBC-ESSIV and 256 is significantly slower than 128bit keys.
Guess what - I take the additional security XTS provides and go with
W.r.t. worst case: Some people would consider an attacker who cuts your
fingers piece by piece until you tell him your key a little bit worse
than one who is able to do snapshots.
Die Natur ist das einzige Buch, das auf allen Blaettern grossen Gehalt
-- Johann Wolfgang von Goethe
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 482 bytes
Desc: Digital signature
More information about the dm-crypt