Gisle Sælensminde wrote:
One such weak link in earlier versions of loop-aes (and as far as I know, still in cryptoloop) was the way each block were encrypted, that allowed an attacker to see the the location of the first change in each disk block when it changed.
This may be interpreted as that you could read the plaintext due to this, which it would not let you. It would only let you see that only (say) the last x bytes changed, since only the bytes after that point changed on the disk block. Now the bytes before that point change too. This cannot be used to recover plaintext, but it can give a better granularity than the disk block for seeing what have changed where on the disk. It was nevertheless correct to change it, since it give more information about the underlaying data than desired.
Just to avoid any misunderstandings. - Linux-crypto: cryptography in and on the Linux system Archive: http://mail.nl.linux.org/linux-crypto/