Jens Lechtenboerger wrote:
> Hi there,
>
> I'm about to encrypt my disk with loop-aes, and I'm wondering whether this is a clever move:
>
> 1. The introduction (in German) at http://wiki.chaostreff.ch/index.php/Festplattenverschl%C3%BCsselung recommends not to use AES but to prefer Twofish. In addition, GnuPG uses CAST5 as default for symmetric encryption.
>
> What is the state-of-the-art here?
AES has no known weaknesses, is quite fast, and is the most analyzed of those algorithms, so most cryptographers would recommend AES. Twofish was one of the five final algorithms in the AES competition, and is quite well analyzed as well, but less than AES (or Rijndael, as it was known during the competition). Twofish has gained some popularity in open source circles, and can be used instead of AES as well, but there is no reason to recommend it over AES/Rijndael.

CAST5 was also a candidate for AES, but did not make it to the final, and is thus less well analyzed than the others. That is not saying that it is broken in any way, but I would prefer AES or Twofish.
> 2. The text at http://mareichelt.de/pub/texts.cryptoloop.php warns against mainline cryptoloop:
>
> "Both cryptoloop and dm-crypt in kernels prior to 2.6.10 are vulnerable, and even recent dm-crypt still suffers from a weak crypto implementation."
>
> What is weak here?
A weak IV scheme made it possible for an attacker with access to the raw storage to see which bytes of a block were the first modified, but not to see what the change was. Newer loop-aes implementations have fixed this problem.
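As an added illustration (not code from the thread, from cryptoloop or from loop-aes), the Python below models the effect described above: CBC with an IV derived only from the sector number, so comparing two raw-storage snapshots of a sector reveals which 16-byte block was the first one modified, and nothing about the new contents. The Feistel stand-in cipher, the key and the sector data are all constructed for the demo.

```python
import hashlib
from typing import List, Optional

BLOCK = 16    # 128-bit cipher block
SECTOR = 512  # one disk sector = a CBC chain of 32 blocks

def _block_cipher(key: bytes, block: bytes) -> bytes:
    # Stand-in keyed permutation (4-round Feistel over SHA-256). Not a secure
    # cipher; it only has to be a bijection so CBC behaves exactly as with AES.
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:8]
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return left + right

def sector_iv(sector_no: int) -> bytes:
    # Plain IV scheme: the sector number itself, so every rewrite of the same
    # sector is encrypted under the same IV.
    return sector_no.to_bytes(BLOCK, "little")

def cbc_encrypt_sector(key: bytes, sector_no: int, plaintext: bytes) -> bytes:
    """CBC-encrypt one 512-byte sector under the plain sector-number IV."""
    assert len(plaintext) == SECTOR
    prev, out = sector_iv(sector_no), bytearray()
    for off in range(0, SECTOR, BLOCK):
        chunk = plaintext[off:off + BLOCK]
        prev = _block_cipher(key, bytes(a ^ b for a, b in zip(chunk, prev)))
        out += prev
    return bytes(out)

def changed_blocks(old_ct: bytes, new_ct: bytes) -> List[int]:
    """Block indices whose ciphertext differs between two snapshots of a sector."""
    return [i for i in range(SECTOR // BLOCK)
            if old_ct[i * BLOCK:(i + 1) * BLOCK] != new_ct[i * BLOCK:(i + 1) * BLOCK]]

def first_modified_block(old_ct: bytes, new_ct: bytes) -> Optional[int]:
    # CBC leaves every block before the first plaintext change untouched and
    # alters every block from it onwards, so the first differing ciphertext
    # block tells a raw-storage observer where the edit began (not what it was).
    diff = changed_blocks(old_ct, new_ct)
    return diff[0] if diff else None

# Constructed demo: one sector before and after a one-byte edit at offset 300.
DEMO_KEY = b"constructed-demo-key-not-secret!"
before = bytes(range(256)) * 2
after = before[:300] + bytes([before[300] ^ 0xFF]) + before[301:]
ct_before = cbc_encrypt_sector(DEMO_KEY, 7, before)
ct_after = cbc_encrypt_sector(DEMO_KEY, 7, after)
# changed_blocks(ct_before, ct_after) -> [18, 19, ..., 31]; first_modified_block -> 18
```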
-
Linux-crypto: cryptography in and on the Linux system
Archive: http://mail.nl.linux.org/linux-crypto/