Re: [dm-crypt] Efficacy of xts over 1TB

From: Arno Wagner <arno@wagner.name>
To: dm-crypt@saout.de
Subject: Re: [dm-crypt] Efficacy of xts over 1TB
Date: Sun, 25 Jul 2010 12:34:58 +0200	[thread overview]
Message-ID: <20100725103458.GA26486@tansi.org> (raw)
In-Reply-To: <AANLkTilnJU3L9ejwDVNTPGt14IAA3MqCRXZjFRY6uNpv@mail.gmail.com>

Hi David,

first XTS mode is not the default anywhere in cryptsetup, so 
why would you want to use it? Is there any specific problem 
with CBC-ESSIV that you wish do address?

On the other hand, TrueCrupt (not related to this project)
does use XTS mode as default.

The one limitation I find in the NIST document is "2^20 AES blocks" 
which would be 128 bit blocks * 2^20 = 16MB per data unit maximum. 
Data Units in the case of disk encryption would be 512 bytes 
typically.

Looking at what seems to have gone on here, there is indication
that incompetent cipher(mode) design did happen, as the two
keys for XTS seem to be unecessary and adding complexity without
gain. Also the security goals of XTS seem to be not specified clearly: 
  http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/comments/XTS/XTS_comments-Liskov_Minematsu.pdf
  http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/comments/XTS/collected_XTS_comments.pdf 
This would be a reason to stay away from XTS, something may have
been subtly messed up.

As a side note, the XTS spec seems to be behind a IEEE paywall, which 
would be another reason not to use it, public standards need to be
accessible for free.

Arno

On Thu, Jul 22, 2010 at 04:57:43PM +0200, David Santamar??a Rogado wrote:
> Hello,
> 
> Jonas Meurer from Debian Cryptsetup Team has send me this e-mail
> address (dm-crypt@saout.de) as this is the best place for my question:
> 
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=494584#15, says about
> a XTS detriment on security on large filesystems.
> 
> But in the wikipedia's discussion:
> http://en.wikipedia.org/wiki/Talk:Disk_encryption_theory#Issues_with_XTS
> 
> "Issues with XTS
> 
> There is also an issue about the size of the filesystem encrypted with
> the support of XTS. This is discussed here:
> http://lists.alioth.debian.org/pipermail/pkg-cryptsetup-devel/2008-September/002265.html
> ???Preceding unsigned comment added by 62.2.182.207 (talk) 19:40, 1
> April 2010 (UTC)
> 
> This is a misconception, since it does not apply to large filesystems
> (containing many data units/sectors, which are encrypted totally
> indepently), but to very large single data units, i.e.: The size of
> any single data unit should not exceed 270 bytes. The data unit size
> for a typical filesystem is between 512 and 64536 bytes only
> (29/216).93.205.111.251 (talk) 15:37, 2 April 2010 (UTC)"
> 
> 
> So, XTS has collision troubles with >500 GB or >1TB of data, or, it's a
> misconception and there isn't any issue about this on large
> filesystems.
> 
> Thanks in advice.
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt

-- 
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@wagner.name 
GnuPG:  ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C  0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier 