--- On Mon, 12/1/09, Jari Ruusu <jariruusu@xxxxxxxxxxxxxxxxxxxxx> wrote:

> Identical encryption keys + identical plaintext data + same offset from
> beginning of a disk partition leads to identical ciphertexts. Identical
> ciphertexts leak information about plaintext.

So the information leaked would be:

(a) the fact that the encrypted data in question actually is ciphertext, and is not random data,
(b) how much identical data there is encrypted on both devices.

That doesn't help the attacker much (at all?) in attempting to break the encryption though, but it does negate plausible deniability? Or is there a (c) that I am missing?

> 16 bytes of known plaintext starting at any (except first) 16 byte boundary
> on a disk sector allows adversary to try brute force attack for one AES key.

And, if successful, an attacker only gets a single line of the multiline key, yielding a "venetian blind" view of the data. Unless they repeat the attack on other known plaintext sectors to get more lines of the multiline key. Is that a correct understanding?

How many bytes is each single slice on the disk that is encrypted with one line of the key? (Is it 512?)

> But 128/192/256 bits of key space is too much to brute force.

Would "brute forcing" be the correct terminology here? If the plaintext and ciphertext are known, then the key for that sector can be deduced? I thought brute forcing meant simply trying keys on the ciphertext (without knowing the plaintext) until the ciphertext decrypted.

- Linux-crypto: cryptography in and on the Linux system
Archive: http://mail.nl.linux.org/linux-crypto/
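As an added example of the two quoted points (this is not code from the thread or from the disk-encryption software it discusses), assuming AES-CBC with a per-sector IV derived from the sector number and 512-byte sectors: the same key, sector number and plaintext reproduce the same ciphertext, which a plain comparison of two images detects without any key, and for any 16-byte block after the first, known plaintext plus the preceding ciphertext block gives a raw AES input/output pair, which is all a known-plaintext key search has to work with.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// encryptSector: AES-CBC over one sector. The IV scheme is an assumption for
// this example: 64-bit little-endian sector number, zero padded to 16 bytes.
func encryptSector(block cipher.Block, plain []byte, sector uint64) []byte {
	iv := make([]byte, aes.BlockSize)
	binary.LittleEndian.PutUint64(iv, sector)
	out := make([]byte, len(plain))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, plain)
	return out
}

// equalSectors lists sectors whose ciphertext matches in both images: same key,
// offset and plaintext repeat the ciphertext, so equal data shows without a key.
func equalSectors(a, b [][]byte) (same []int) {
	for i := range a {
		if i < len(b) && bytes.Equal(a[i], b[i]) {
			same = append(same, i)
		}
	}
	return same
}

// knownBlockPair: for block i >= 1 CBC feeds AES plain[i] XOR cipher[i-1] and
// emits cipher[i]; block 0 is the exception because its input also mixes the IV.
func knownBlockPair(plain, ct []byte, i int) (in, out []byte) {
	in = make([]byte, aes.BlockSize)
	for j := range in {
		in[j] = plain[i*aes.BlockSize+j] ^ ct[(i-1)*aes.BlockSize+j]
	}
	return in, ct[i*aes.BlockSize : (i+1)*aes.BlockSize]
}

func main() {
	block, err := aes.NewCipher([]byte("constructed-key1")) // constructed AES-128 key
	if err != nil {
		panic(err)
	}
	p := bytes.Repeat([]byte("A"), 512) // 512-byte sectors assumed
	imgA := [][]byte{encryptSector(block, p, 0), encryptSector(block, p, 1)}
	imgB := [][]byte{encryptSector(block, p, 0), encryptSector(block, p, 9)}
	fmt.Println("sectors with identical ciphertext:", equalSectors(imgA, imgB))
}
```

Sector 0 is reported as identical in both images while the same plaintext stored at different offsets is not, which is exactly the per-offset leakage the quoted text describes.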