On Wed, Feb 06, 2013 at 01:52:40PM +0100, Milan Broz wrote:
> On 02/06/2013 11:32 AM, Arno Wagner wrote:
>
> > On Wed, Feb 06, 2013 at 11:06:11AM +0100, Stavros Kousidis wrote:
> >> One essential issue that concerns full disk encryption on SSDs, that I
> >> have not seen in a mail discussion here so far (might be there and I
> >> simply missed it), is the distribution of an uncontrollable amount of
> >> copies of SSD-page contents (~4096 Bytes) where only a limited number of
> >> blocks (~16 Bytes) have changed. This is initiated by local changes in
> >> userspace data and technically due to the complex nature of the flash
> >> translation layer (mainly wear leveling techniques), the narrow-block
> >> encryption modes (here: XTS) and sector-wise constant IVs. In
> >> Cipher-block chaining mode the position where a bit-flip happened is
> >> visible in principle.
> >
> > I am aware of that issue. However, XTS mode should lead to a full sector
> > (512 Bytes) change even if only one bit is changed. That is the whole
> > point of modes like XTS, EME, etc.
>
> I am afraid this is not true for XTS. Blocks inside XTS can be processed
> in parallel (so they cannot depend on each other), so the effect can be

Hmm. You are right, my mistake. I sort of assumed XTS was not weaker than
CBC for this particular attack without really checking. One look at the
definition makes it very obvious though.

> exactly the opposite: the first bit change in (the same) sector using e.g. CBC
> will change the whole ciphertext sector, while with XTS only the first
> encryption block (16 bytes) is changed.
> I tried to show it here: http://mbroz.fedorapeople.org/talks/DevConf2012/img6.jpg
>
> But despite that, XTS is usually better.

I agree. And attacks where attackers have repeated access to the ciphertext,
but not the plaintext, are quite rare anyway. And even then, usually nothing
significant is gained.

> But it would be nice to have
> some not patent-encumbered wide mode (no code changes needed, just someone
> has to invent it and add it to the crypto API :-)

Indeed.

Arno

--
Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@xxxxxxxxxxx
GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718
----
One of the painful things about our time is that those who feel certainty
are stupid, and those with any imagination and understanding are filled
with doubt and indecision. -- Bertrand Russell

_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
http://www.saout.de/mailman/listinfo/dm-crypt
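The effect Milan describes, shown in code as an added example that is not part of this thread and not dm-crypt's or the kernel's code: a 512-byte sector is encrypted, one bit is flipped, and the sector is re-encrypted under the same sector number (the two copies an SSD's flash translation layer may leave side by side). The XTS routine is a by-hand implementation of the IEEE P1619 construction over Go's standard-library AES, with the sector number as little-endian tweak the way dm-crypt's plain64 IV supplies it; the CBC routine uses the same sector number as IV. The key and sector contents are constructed demo values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

const blockSize = 16 // AES block size; a 512-byte sector is 32 such blocks

// mulAlpha multiplies a GF(2^128) element by alpha in the little-endian
// representation XTS uses (IEEE P1619): shift the 128-bit value left by one
// bit and reduce with 0x87 if a bit falls off the top.
func mulAlpha(t *[blockSize]byte) {
	var carry byte
	for i := range t {
		next := t[i] >> 7
		t[i] = t[i]<<1 | carry
		carry = next
	}
	if carry != 0 {
		t[0] ^= 0x87
	}
}

// mustAES builds an AES block cipher; key lengths are fixed in this demo.
func mustAES(key []byte) cipher.Block {
	blk, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	return blk
}

// xtsEncryptSector encrypts a full sector (a multiple of 16 bytes, so no
// ciphertext stealing is needed) with AES-XTS: k1 is the data key, k2 the
// tweak key, and the tweak is the sector number, little-endian like plain64.
func xtsEncryptSector(k1, k2 cipher.Block, sector uint64, pt []byte) []byte {
	var t [blockSize]byte
	binary.LittleEndian.PutUint64(t[:8], sector)
	k2.Encrypt(t[:], t[:]) // T_0 = E_K2(sector)
	ct := make([]byte, len(pt))
	var x [blockSize]byte
	for j := 0; j+blockSize <= len(pt); j += blockSize {
		for i := range x {
			x[i] = pt[j+i] ^ t[i]
		}
		k1.Encrypt(x[:], x[:]) // C_j = E_K1(P_j xor T_j) xor T_j
		for i := range x {
			ct[j+i] = x[i] ^ t[i]
		}
		mulAlpha(&t) // T_{j+1} depends only on the sector, never on P_j or C_j
	}
	return ct
}

// cbcEncryptSector encrypts a full sector with AES-CBC, IV = sector number.
func cbcEncryptSector(k cipher.Block, sector uint64, pt []byte) []byte {
	var iv [blockSize]byte
	binary.LittleEndian.PutUint64(iv[:8], sector)
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(k, iv[:]).CryptBlocks(ct, pt)
	return ct
}

// changedBlocks lists the 16-byte block indices where two ciphertexts of the
// same sector differ: exactly what an attacker holding both copies can see.
func changedBlocks(a, b []byte) []int {
	var out []int
	for j := 0; j+blockSize <= len(a) && j+blockSize <= len(b); j += blockSize {
		if !bytes.Equal(a[j:j+blockSize], b[j:j+blockSize]) {
			out = append(out, j/blockSize)
		}
	}
	return out
}

// compareModes encrypts a constructed 512-byte sector, flips one bit at the
// given byte offset, re-encrypts under the same sector tweak/IV and returns
// the changed block indices under XTS and under CBC.
func compareModes(offset int) (xts, cbc []int) {
	key := make([]byte, 2*blockSize) // constructed demo key, not for real use
	for i := range key {
		key[i] = byte(i)
	}
	k1, k2 := mustAES(key[:blockSize]), mustAES(key[blockSize:])
	before := make([]byte, 512) // constructed "user data" sector
	for i := range before {
		before[i] = byte(i * 7)
	}
	after := append([]byte(nil), before...)
	after[offset] ^= 0x01 // the single-bit change
	const sector = 1234
	xts = changedBlocks(xtsEncryptSector(k1, k2, sector, before), xtsEncryptSector(k1, k2, sector, after))
	cbc = changedBlocks(cbcEncryptSector(k1, sector, before), cbcEncryptSector(k1, sector, after))
	return xts, cbc
}

func main() {
	for _, off := range []int{100, 500} {
		xts, cbc := compareModes(off)
		fmt.Printf("bit flip at byte %d (block %d): XTS changes blocks %v, CBC changes blocks %v\n",
			off, off/blockSize, xts, cbc)
	}
}
```

With a flip at byte 100 the XTS ciphertext differs in block 6 only, while CBC differs in blocks 6 through 31; neither mode hides the position of the change, but XTS pins it down to 16 bytes and CBC to "somewhere in block 6 or earlier in that block's chain". A flip in the last block (byte 500) changes one block under both modes, which is why the CBC picture is only a partial improvement and the thread's conclusion, that the real fix is a wide-block mode, stands.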