Message-ID: <519BAD73.9020605@gmail.com>
Date: Tue, 21 May 2013 19:22:59 +0200
From: Milan Broz
In-Reply-To: <519B7D75.1080304@ramses-pyramidenbau.de>
Subject: Re: [dm-crypt] Authenticated Encryption for dm-crypt
To: Ralf Ramsauer
Cc: dm-crypt@saout.de

On 21.5.2013 15:58, Ralf Ramsauer wrote:
> Arno, your objections are legitimate. Though I think that authenticity
> would be a nice feature to dm-crypt.
> And I also think that it *could* be realisable.
...

And you are not the first thinking about this :-)

We even talked about using GCM mode (around 2011) but unfortunately
the student interested in some proof-of-concept implementation for dmcrypt
abandoned this project. (Maybe time for another try...)

Whatever, there are at least three basic concepts:

- one said, this should be done on a higher level (where you know
which sectors contain real data - e.g. btrfs)

- second, which prefers separation of integrity and encryption
(see e.g. dm-integrity patches on dm-devel or dm-verity for read-only)
(You can stack integrity above dmcrypt.)

- and the third, using auth mode directly in dm-crypt
Here I would prefer to have some "standardised" on-disk layout for the auth tag.
There are several approaches. (Some would work better with non-rotational
media, some are more problematic.)

(If you don't mind losing half of the disk space, you can internally
use 1+1 sector (wasting the second sector just for the auth tag) and play with
disk limits/topology and sector size. This would work nicely even
for rotational media.)
(Storing more tags in one sector is just slightly more complicated, but it
adds more risk for data corruption if a write fails during powerfail or so.)

I am not sure how useful authenticated encryption is for real
applications, but as my former colleague would say - please send a patch :-)

Milan
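
The 1+1 sector layout described in the message above, as an added sketch that is not part of the original message or of dm-crypt: each logical sector maps to a data sector followed by a sector that holds only its tag. The class name, the 512-byte sector size and the use of HMAC-SHA256 in place of an AEAD tag (Python's standard library has no GCM) are assumptions; the data is treated as already-encrypted sector contents.

```python
import hashlib
import hmac

SECTOR = 512   # assumed sector size for this sketch
TAG_LEN = 32   # HMAC-SHA256 tag; stand-in for an AEAD tag (assumption)


class TaggedDisk:
    """Hypothetical model: logical sector n -> physical 2n (data), 2n+1 (tag)."""

    def __init__(self, logical_sectors, key):
        self.key = key
        self.logical_sectors = logical_sectors
        # Twice the logical size: every second physical sector holds only a tag.
        self.phys = bytearray(2 * logical_sectors * SECTOR)

    def _offset(self, n):
        if not 0 <= n < self.logical_sectors:
            raise ValueError("sector out of range")
        return 2 * n * SECTOR

    def _tag(self, n, data):
        # The sector number is authenticated too, so a valid data+tag pair
        # moved to another sector no longer verifies.
        msg = n.to_bytes(8, "little") + data
        return hmac.new(self.key, msg, hashlib.sha256).digest()

    def write(self, n, data):
        off = self._offset(n)
        if len(data) != SECTOR:
            raise ValueError("data must be exactly one sector")
        self.phys[off:off + SECTOR] = data
        self.phys[off + SECTOR:off + SECTOR + TAG_LEN] = self._tag(n, data)

    def read(self, n):
        off = self._offset(n)
        data = bytes(self.phys[off:off + SECTOR])
        stored = bytes(self.phys[off + SECTOR:off + SECTOR + TAG_LEN])
        # Never-written sectors carry no valid tag and fail here as well.
        if not hmac.compare_digest(stored, self._tag(n, data)):
            raise OSError(f"sector {n}: auth tag mismatch")
        return data


if __name__ == "__main__":
    disk = TaggedDisk(4, key=b"k" * 32)   # constructed key and data
    disk.write(1, b"B" * SECTOR)
    assert disk.read(1) == b"B" * SECTOR
```

In this sketch a sector that was never written fails verification on read, so a device using such a layout has to be initialised before reads can succeed.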