From: Moji
Date: Tue, 4 Aug 2009 16:55:09 +0300
Subject: Re: [dm-crypt] 1,5 TB partition: use cbc-essiv or xts-plain?
To: dm-crypt@saout.de
Message-ID: <20090804165509.6fa226ec@gmail.com>

On Tue, 04 Aug 2009 15:27:20 +0200 Henrik Theiling wrote:

> From the wording of the Wikipedia article, however, it is not
> completely clear to me how serious the watermarking attack on CBC is.
> The IV function is known, so can two blocks be easily constructed in
> such a way that their cbc-essiv:sha256 encryption (with whatever main
> algorithm) is identical? You'd need to know the sector for that plus
> break SHA256, because ESSIV uses the hash of the encryption key plus
> the sector number to generate the IV, right? If I understood that
> correctly, then I can safely get back to relaxing, enjoying the summer
> and drinking beer instead of thinking about this any longer.
From Clemens Fruhwirth:

"ESSIV E(Sector|Salt) IV, short ESSIV, derives the IV from key material via encryption of the sector number with a hashed version of the key material, the salt. ESSIV does not specify a particular hash algorithm, but the digest size of the hash must be an accepted key size for the block cipher in use. As the IV depends on a non-public piece of information, the key, the sequence of IVs is not known, and the attacks based on this can't be launched."

This covers watermarks; I hope this provides for drinking much beer.

-MJ
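As an added example (not from this thread and not dm-crypt's own code), the following Python script contrasts the two IV generators discussed above: the key-independent cbc-plain IV, which lets anyone who knows the sector number predict P_0 XOR IV and so produce a visible repeated first ciphertext block, and ESSIV, where the IV is E_{SHA256(key)}(sector) and cannot be computed without the key. A Feistel cipher built from SHA-256 stands in for AES (an assumption made so the script runs on the standard library alone); the sector encodings follow dm-crypt's plain (32-bit little-endian) and essiv (64-bit little-endian) conventions.

```python
import hashlib
import struct

def _f(k: bytes, rnd: int, half: bytes) -> bytes:
    # Round function: keyed SHA-256, truncated to the 8-byte half-block.
    return hashlib.sha256(k + bytes([rnd]) + half).digest()[:8]

def block_encrypt(k: bytes, block: bytes) -> bytes:
    # 8-round Feistel permutation over 16-byte blocks (Luby-Rackoff style).
    # Stand-in for AES so the script needs only the standard library (assumption).
    assert len(block) == 16
    l, r = block[:8], block[8:]
    for rnd in range(8):
        l, r = r, bytes(a ^ b for a, b in zip(l, _f(k, rnd, r)))
    return l + r

def plain_iv(key: bytes, sector: int) -> bytes:
    # cbc-plain: the 32-bit little-endian sector number, zero padded. No key
    # material is involved, so anyone who knows the sector knows the IV.
    return struct.pack("<I", sector & 0xFFFFFFFF) + bytes(12)

def essiv_iv(key: bytes, sector: int) -> bytes:
    # cbc-essiv:sha256: IV = E_{SHA256(key)}(sector). The 32-byte digest is the
    # "salt" key; with a real cipher it must be an accepted key size (AES-256).
    salt = hashlib.sha256(key).digest()
    return block_encrypt(salt, struct.pack("<Q", sector) + bytes(8))

def cbc_first_block(key: bytes, iv: bytes, p0: bytes) -> bytes:
    # CBC: C_0 = E_key(P_0 XOR IV). Later blocks chain on C_0, so C_0 alone
    # decides whether two sectors start with the same ciphertext.
    return block_encrypt(key, bytes(a ^ b for a, b in zip(p0, iv)))

def watermark_visible(iv_fn, key: bytes, s1: int = 10, s2: int = 11) -> bool:
    """True if someone who controls the plaintext of sectors s1 and s2 but knows
    only the public sector numbers ends up with identical first ciphertext
    blocks on disk (the watermark a defender could observe). The best
    key-independent guess for the IV is the plain IV."""
    mark = b"\x5a" * 16                      # constructed marker value
    outputs = []
    for s in (s1, s2):
        guess = plain_iv(key, s)
        p0 = bytes(a ^ b for a, b in zip(mark, guess))   # P_0 = mark XOR guessed IV
        outputs.append(cbc_first_block(key, iv_fn(key, s), p0))
    return outputs[0] == outputs[1]

KEY = hashlib.sha256(b"constructed demo key").digest()   # constructed 32-byte key

if __name__ == "__main__":
    print("cbc-plain watermark visible:", watermark_visible(plain_iv, KEY))   # True
    print("cbc-essiv watermark visible:", watermark_visible(essiv_iv, KEY))   # False
```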