From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from tansi.org (ns.km10532-04.keymachine.de [87.118.102.195]) by mail.saout.de (Postfix) with ESMTP for ; Sun, 25 Jul 2010 17:28:57 +0200 (CEST) Received: from gatewagner.dyndns.org (84-74-164-239.dclient.hispeed.ch [84.74.164.239]) by tansi.org (Postfix) with ESMTPA id 44A2512182AA for ; Sun, 25 Jul 2010 17:28:57 +0200 (CEST) Date: Sun, 25 Jul 2010 17:28:55 +0200 From: Arno Wagner Message-ID: <20100725152855.GA30894@tansi.org> References: <20100725103458.GA26486@tansi.org> <4C4C2D3C.40306@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <4C4C2D3C.40306@redhat.com> Subject: Re: [dm-crypt] Efficacy of xts over 1TB List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: dm-crypt@saout.de On Sun, Jul 25, 2010 at 02:25:32PM +0200, Milan Broz wrote: > > On 07/25/2010 12:34 PM, Arno Wagner wrote: > > This would be a reason to stay away from XTS, something may have > > been subtly messed up. > > > > As a side note, the XTS spec seems to be behind a IEEE paywall, which > > would be another reason not to use it, public standards need to be > > accessible for free. > > You should then suggest not use hardisks and storage technologies too > because most of standards are not accesible for free:-) > The drafts are free ;-) > Seriously, XTS-AES is FIPS140-2 approved and I see no problem to use it. Well, I basically do not see the algorithm. Maybe searching for 15 Minutes was not enough, but when something is hidden in Crypto, I always become very suspicuous. > Also read > http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/comments/XTS/follow-up_XTS_comments-Ball.pdf > > Yes, final version is not available but draft specification is still there > (this is IEEE business, not hiding algorithm definition IMHO). Have a link to it? Seriously, I suspect XTS is fine, but not finding the description and detailed security analysis online bothers me more than a bit. > Just please note one thing, which is dm-crypt special here: > > default "plain IV" is 32 bit only, so if anyone uses it on >2TB partition > some sectors shares IV (IV generator restarts, opening it to to watermarking > and similar attacks). That was the thing with dm-crypt, yes. > Please _always_ use plain64 (*aes-xts-plain64*) if you want use it for large > devices. (plain64 produces the same IV for <2TB. > Available since 2.6.33, Truecrypt 7 already does that, thanks:-) Ok. Will put that in the FAQ in a few days. Arno -- Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@wagner.name GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F ---- Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans If it's in the news, don't worry about it. The very definition of "news" is "something that hardly ever happens." -- Bruce Schneier