Hi David,

first, XTS mode is not the default anywhere in cryptsetup, so why
would you want to use it? Is there any specific problem with
CBC-ESSIV that you wish to address? On the other hand, TrueCrypt
(not related to this project) does use XTS mode as default.

The one limitation I find in the NIST document is "2^20 AES blocks"
which would be 128 bit blocks * 2^20 = 16MB per data unit maximum.
Data Units in the case of disk encryption would be 512 bytes typically.

Looking at what seems to have gone on here, there is indication
that incompetent cipher(mode) design did happen, as the two keys
for XTS seem to be unnecessary and adding complexity without gain.
Also the security goals of XTS seem to be not specified clearly:

http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/comments/XTS/XTS_comments-Liskov_Minematsu.pdf
http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/comments/XTS/collected_XTS_comments.pdf

This would be a reason to stay away from XTS, something may have
been subtly messed up.

As a side note, the XTS spec seems to be behind an IEEE paywall,
which would be another reason not to use it, public standards
need to be accessible for free.

Arno

On Thu, Jul 22, 2010 at 04:57:43PM +0200, David Santamaría Rogado wrote:
> Hello,
>
> Jonas Meurer from Debian Cryptsetup Team has sent me this e-mail
> address (dm-crypt@xxxxxxxx) as this is the best place for my question:
>
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=494584#15, says about
> an XTS detriment on security on large filesystems.
>
> But in the Wikipedia's discussion:
> http://en.wikipedia.org/wiki/Talk:Disk_encryption_theory#Issues_with_XTS
>
> "Issues with XTS
>
> There is also an issue about the size of the filesystem encrypted with
> the support of XTS. This is discussed here:
> http://lists.alioth.debian.org/pipermail/pkg-cryptsetup-devel/2008-September/002265.html
> —Preceding unsigned comment added by 62.2.182.207 (talk) 19:40, 1
> April 2010 (UTC)
>
> This is a misconception, since it does not apply to large filesystems
> (containing many data units/sectors, which are encrypted totally
> independently), but to very large single data units, i.e.: The size of
> any single data unit should not exceed 270 bytes. The data unit size
> for a typical filesystem is between 512 and 64536 bytes only
> (29/216).93.205.111.251 (talk) 15:37, 2 April 2010 (UTC)"
>
>
> So, XTS has collision troubles with >500 GB or >1TB of data, or, it's a
> misconception and there isn't any issue about this on large
> filesystems.
>
> Thanks in advance.
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@xxxxxxxx
> http://www.saout.de/mailman/listinfo/dm-crypt

--
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@xxxxxxxxxxx
GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans

If it's in the news, don't worry about it. The very definition of
"news" is "something that hardly ever happens." -- Bruce Schneier