On 02/06/2013 11:32 AM, Arno Wagner wrote: > On Wed, Feb 06, 2013 at 11:06:11AM +0100, Stavros Kousidis wrote: >> One essential issue that concerns full disk encryption on SSDs, that I >> have not seen in a mail discussion here so far (might be there and I >> simply missed it), is the distribution of an uncontrollable amount of >> copies of SSD-page contents (~4096 Bytes) where only a limited number of >> blocks (~16 Bytes) have changed. This is initiated by local changes in >> userspace data and technically due to the complex nature of the flash >> translation layer (mainly wear leveling techniques), the narrow-block >> encryption modes (here: XTS) and sector-wise constant IVs. In >> Cipher-block chaining mode the position where a bit-flip happened is >> visible in principle. > > I am aware of that issue. However, XTS mode should lead to a full sector > (512 Bytes) chage even if only one bit is changed. That is the whole > point of modes like XTS, EME, etc. I am afraid this is not true for XTS. blocks inside XTS can be processed in parallel (so they cannot depend on each other) so the effect can be exactly opposite - first bit change in (the same) sector using e.g. CBC will change the whole ciphertext sector, while with XTS only first encryption block (16 bytes) is changed. I tried to show it here http://mbroz.fedorapeople.org/talks/DevConf2012/img6.jpg But despite that, XTS is usually better. But it would be nice to have some not patent encumbered wide mode (no code changes needed, just someone have to invent it and add to crypto API :-) Milan _______________________________________________ dm-crypt mailing list dm-crypt@xxxxxxxx http://www.saout.de/mailman/listinfo/dm-crypt
