Hello,

I forward the following message to dm-crypt@xxxxxxxxx. It might be interesting to everyone who uses or is interested in the XTS mode.

In case the document in question is no longer available from the IEEE homepage, I have a local copy of the excerpt from IEEE Std. 1619-2007. Micah does so too, as he mentions below.

greetings,
jonas

----- Forwarded message from Micah Anderson <micah@xxxxxxxxxx> -----

Date: Mon, 1 Sep 2008 23:13:05 -0400
From: Micah Anderson <micah@xxxxxxxxxx>
Subject: [pkg-cryptsetup-devel] Bug#494584: efficacy of xts over 1TB
To: 494584@xxxxxxxxxxxxxxx
Reply-To: Micah Anderson <micah@xxxxxxxxxx>, 494584@xxxxxxxxxxxxxxx

According to the IETF NIST submission[0] for the tweakable block cipher xts (and I paraphrase here, as the document prohibits direct quotation): the proof yields strong security guarantees as long as the same key is not used to encrypt much more than 1 terabyte of data. Up until this point, no attack can succeed with probability better than approximately one in eight quadrillion. However, this security guarantee deteriorates as more data is encrypted with the same key. With a petabyte the attack success probability rate decreases to *at most* eight in a trillion; with an exabyte, the success probability is reduced to *at most* eight in a million.

Essentially this means that using XTS with one key for more than a few hundred terabytes of data opens up the possibility of attacks (and is not mitigated by using a larger AES key size, so using a 256-bit key doesn't change this). The paper notes that the decision on the maximum amount of data to be encrypted with a single key using XTS should consider the above together with the practical implication of the attack (which is the ability of the adversary to modify plaintext of a specific block, where the position of this block may not be under the adversary's control).

As people do seem to be interested in XTS, I think it may be worth considering performing a simple size of data partition to be encrypted check to see if it is over 1TB and if so, present a warning about this potential problem so that the user can make an informed decision instead of being surprised later. If it's not possible to do such a test, or it's possible for the user to increase the size of their underlying encrypted volume, then perhaps the warning should be included by default.

micah

0. http://grouper.ieee.org/groups/1619tmp/1619-2007-NIST-Submission.pdf
(oddly, this is only available until September 3rd, I have a copy if anyone needs it)

_______________________________________________
pkg-cryptsetup-devel mailing list
pkg-cryptsetup-devel@xxxxxxxxxxxxxxxxxxxxxxx
http://lists.alioth.debian.org/mailman/listinfo/pkg-cryptsetup-devel

----- End forwarded message -----