Hi! Moji writes: >... > Also, based on the information I have posted, and assuming that you > will not be using raid to break up the device, I would recommend: > > serpent-cbc-essiv:sha256 > > serpent because it is very strong cipher, even though it has not as > much testing as AES, and cbc-essiv, because I have not seen any > reports of inherent vulnerabilities on larger devices. Thanks for the recommendation and the explaining! >From what I understand, the Wikipedia lists a decryption attack against any form of CBC regardless of the IV method. It always works because of the simple chaining using the previous cypher text: for decrypting any but the first block of a sector, you do not need the IV, but the only thing you need is the previous encrypted block, which you naturally have. So if you can ask for decryption of a single sector on the device, you can decrypt all but the first block of any other sector of the device, too, by simply copying the desired block to the block you can decrypt. However, I think if anyone can decrypt a single sector of my harddisk, they can decrypt any sector anyway, so this seems like no problem to me. >From the wording of the Wikipedia article, however, it is not completely clear to me how serious the watermarking attack on CBC is. The IV function is known, so can two blocks be easily constructed in such a way that their cbc-essiv:sha256 encryption (with whatever main algorithm) is identical? You'd need to know the sector for that plus break SHA256, because ESSIV uses the hash of the encryption key plus the sector number to generate the IV, right? If I understood that correctly, then I can safely get back to relaxing, enjoying the summer and drinking beer instead of thinking about this any longer. **Henrik _______________________________________________ dm-crypt mailing list dm-crypt@xxxxxxxx http://www.saout.de/mailman/listinfo/dm-crypt
