On 07/25/2010 12:34 PM, Arno Wagner wrote: > This would be a reason to stay away from XTS, something may have > been subtly messed up. > > As a side note, the XTS spec seems to be behind a IEEE paywall, which > would be another reason not to use it, public standards need to be > accessible for free. You should then suggest not use hardisks and storage technologies too because most of standards are not accesible for free:-) </joke> Seriously, XTS-AES is FIPS140-2 approved and I see no problem to use it. Also read http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/comments/XTS/follow-up_XTS_comments-Ball.pdf Yes, final version is not available but draft specification is still there (this is IEEE business, not hiding algorithm definition IMHO). Just please note one thing, which is dm-crypt special here: default "plain IV" is 32 bit only, so if anyone uses it on >2TB partition some sectors shares IV (IV generator restarts, opening it to to watermarking and similar attacks). Please _always_ use plain64 (*aes-xts-plain64*) if you want use it for large devices. (plain64 produces the same IV for <2TB. Available since 2.6.33, Truecrypt 7 already does that, thanks:-) Milan _______________________________________________ dm-crypt mailing list dm-crypt@xxxxxxxx http://www.saout.de/mailman/listinfo/dm-crypt
