Arno Wagner <arno@xxxxxxxxxxx> wrote:
> first XTS mode is not the default anywhere in cryptsetup, so
> why would you want to use it? Is there any specific problem

It's standardized by NIST :)

> with CBC-ESSIV that you wish to address?

CBC-ESSIV is specifically designed to tweak CBC to withstand watermark
attacks, but does not address other kinds of attacks CBC is vulnerable to,
like leakage, malleability, etc. XTS is not vulnerable to them. Thus,
depending on your personal security needs there may be scenarios where you
don't want to use CBC-ESSIV. Or you just prefer to use standardized
mechanisms :)

> The one limitation I find in the NIST document is "2^20 AES blocks"
> which would be 128 bit blocks * 2^20 = 16MB per data unit maximum.

The other one you can find in D.4.3: strong security is proven as long as
the same key is not used to encrypt >>1TB data.

Btw... just because there was a discussion regarding plain vs. plain64 in
this thread: Of course the above also holds for plain64. - I guess this is
what Milan meant when he did explicitly state not to talk about encryption
mode security while explaining plain64.

And btw.2... Jonas forwarded Micah's mail to this list as well:
Message-ID: <20080902122833.GF29731@xxxxxxxxxxxxxxx>

This is basically why Clemens created
http://code.google.com/p/cryptsetup/issues/detail?id=13
based on:
Message-ID: <2f83750a0904160037n4a260b96g266b9d735a745556@xxxxxxxxxxxxxx>
Subject: Re: Plans to avoid weaknesses in big volumes? (was: Re: SMP-aware kcryptd?)

regards
   Mario
--
Computer Science is no more about computers than astronomy is about telescopes.
                                                       -- E. W. Dijkstra
_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
http://www.saout.de/mailman/listinfo/dm-crypt