From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <mbroz@redhat.com>
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28])
	by mail.saout.de (Postfix) with ESMTP
	for <dm-crypt@saout.de>; Sun, 25 Jul 2010 14:25:36 +0200 (CEST)
Received: from int-mx03.intmail.prod.int.phx2.redhat.com
	(int-mx03.intmail.prod.int.phx2.redhat.com [10.5.11.16])
	by mx1.redhat.com (8.13.8/8.13.8) with ESMTP id o6PCPY2C016075
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK)
	for <dm-crypt@saout.de>; Sun, 25 Jul 2010 08:25:35 -0400
Received: from [10.36.9.42] (vpn2-9-42.ams2.redhat.com [10.36.9.42])
	by int-mx03.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP
	id o6PCPWrD022732
	for <dm-crypt@saout.de>; Sun, 25 Jul 2010 08:25:34 -0400
Message-ID: <4C4C2D3C.40306@redhat.com>
Date: Sun, 25 Jul 2010 14:25:32 +0200
From: Milan Broz <mbroz@redhat.com>
MIME-Version: 1.0
References: <AANLkTilnJU3L9ejwDVNTPGt14IAA3MqCRXZjFRY6uNpv@mail.gmail.com>
	<20100725103458.GA26486@tansi.org>
In-Reply-To: <20100725103458.GA26486@tansi.org>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Subject: Re: [dm-crypt] Efficacy of xts over 1TB
List-Id: <dm-crypt.saout.de>
List-Unsubscribe: <http://www.saout.de/mailman/options/dm-crypt>,
	<mailto:dm-crypt-request@saout.de?subject=unsubscribe>
List-Archive: <http://www.saout.de/pipermail/dm-crypt>
List-Post: <mailto:dm-crypt@saout.de>
List-Help: <mailto:dm-crypt-request@saout.de?subject=help>
List-Subscribe: <http://www.saout.de/mailman/listinfo/dm-crypt>,
	<mailto:dm-crypt-request@saout.de?subject=subscribe>
To: dm-crypt@saout.de


On 07/25/2010 12:34 PM, Arno Wagner wrote:
> This would be a reason to stay away from XTS, something may have
> been subtly messed up.
> 
> As a side note, the XTS spec seems to be behind a IEEE paywall, which 
> would be another reason not to use it, public standards need to be
> accessible for free.

You should then suggest not use hardisks and storage technologies too
because most of standards are not accesible for free:-)
</joke>

Seriously, XTS-AES is FIPS140-2 approved and I see no problem to use it.
Also read
http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/comments/XTS/follow-up_XTS_comments-Ball.pdf

Yes, final version is not available but draft specification is still there
(this is IEEE business, not hiding algorithm definition IMHO).

Just please note one thing, which is dm-crypt special here:

default "plain IV" is 32 bit only, so if anyone uses it on >2TB partition
some sectors shares IV (IV generator restarts, opening it to to watermarking
and similar attacks).

Please _always_ use plain64 (*aes-xts-plain64*) if you want use it for large
devices. (plain64 produces the same IV for <2TB.
Available since 2.6.33, Truecrypt 7 already does that, thanks:-)

Milan