Hi,

sorry for the long delay, I was offline most of the time.

On 19/08/18 19:27, Christoph Anton Mitterer wrote:
>>>> It is "safe" but I would rather use random IV
>>>> (so every write will regenerate the IV).
>>>
>>> Okay, what does that mean now? Should/can one use [aes|serpent]-xts-random?
>>> What nonce sizes would that use?
>>
>> nonce = IV = size of cipher block here (16 bytes)
>
> Ah, it's in /proc/crypto as well :-)
>
> Looking at this:
> - All SERPENT+XTS or AES+XTS modes have 128 bit IV.
> - Some GCM have the 96 bit IVs... but some have even only 64 bit
>   (__gcm-aes-aesni, rfc4106(gcm(aes)) and __gcm-aes-aesni).
>
> - ChaCha20 seems to have all 128 bit IV... but is this correct? I've
>   modprobed chacha20poly1305 ... but at least there's no reference to
>   poly1305 in /proc/crypto

No, we use the RFC7539 wrapper for ChaCha20-Poly1305 and here the nonce is only 96 bit.
So the same probability of collision as in GCM, just a nonce collision does not cause
such a fatal failure as in GCM.

> Okay, now I'm still confused about what one can safely use and what not :-(

I will probably oversimplify it, but until we have time to really write documentation
examples (and explain it in detail), this is my advice:

- authenticated encryption remains an experimental feature
- never use GCM mode
- avoid ChaCha20-Poly1305 as well (because of the 96 bit nonce)
- for authenticated modes use random IV only
- for NON-authenticated modes, never use random IV
- do not use slow hashes (sha3) or too long hashes (sha512) in HMAC-based
  authentication tags (it is overkill and performance will suffer extremely);
  SHA256 should be enough
So for (this oversimplified) LUKS2 authenticated encryption there are only two options:

1) Combine an existing length-preserving block mode with an additional HMAC-based
   authentication tag and random IV, for example (luksFormat parameters)
   "--cipher aes-xts-random --integrity hmac-sha256"

2) Use the new native AEAD algorithms with 128 bit nonces (in kernel 4.18 and later)
   (aegis128, aegis256, aegis128l, morus640, morus1280), for example
   "--cipher aegis128-random --key-size 128 --integrity aead" or
   "--cipher aegis256-random --key-size 256 --integrity aead" or
   "--cipher morus640-random --key-size 128 --integrity aead" ...

   (The key-size option should not be needed, but there is apparently some bug and it
   tries to use only the default 256 bits - will fix this later in version 2.1.)

Milan

_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
https://www.saout.de/mailman/listinfo/dm-crypt
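The rules of thumb in the mail above, turned into a pre-flight check for luksFormat arguments. This is an added example, not code from Milan's mail or from the cryptsetup project: it refuses the combinations the mail warns against (GCM, ChaCha20-Poly1305, random IV without a tag, non-random IV with a tag, sha3/sha512 HMAC tags, and --integrity aead with anything other than the listed 128 bit nonce AEADs) and prints the resulting command line instead of running it, since luksFormat destroys data and needs root. The function names and the device path /dev/sdX1 are hypothetical.

```shell
#!/bin/sh
# Added example (not from the mail or the cryptsetup project): encodes the
# advice in the mail as a check on --cipher/--integrity pairs for luksFormat.
# Function names and the device path /dev/sdX1 below are hypothetical.

# luks2_aead_check CIPHER INTEGRITY
#   CIPHER    value for --cipher,    e.g. aes-xts-random, aegis128-random
#   INTEGRITY value for --integrity, e.g. hmac-sha256, aead, or none
# Returns 0 if the pair follows the advice, 1 with a reason on stderr.
luks2_aead_check() {
    cipher=$1
    integrity=${2:-none}
    iv=${cipher##*-}        # last dash-separated field: IV generator (random, plain64, ...)
    base=${cipher%-*}       # everything before it (aes-xts, aegis128, ...)

    # 96 bit nonces: never GCM, avoid chacha20-poly1305 (spelled
    # "--cipher chacha20-random --integrity poly1305" in LUKS2 terms).
    case $cipher in
        *gcm*)
            echo "refuse: $cipher is GCM (96 bit or shorter nonce)" >&2
            return 1 ;;
        *chacha20*)
            case $integrity in
                poly1305|aead)
                    echo "refuse: chacha20-poly1305 has a 96 bit nonce" >&2
                    return 1 ;;
            esac ;;
    esac

    case $integrity in
        none)
            # Non-authenticated mode: never random IV (there is no per-sector
            # integrity metadata to store a random IV in).
            if [ "$iv" = random ]; then
                echo "refuse: random IV needs integrity metadata to store it" >&2
                return 1
            fi
            return 0 ;;
        hmac-*)
            case ${integrity#hmac-} in
                sha3*|sha512)
                    echo "refuse: ${integrity#hmac-} tag is overkill, use hmac-sha256" >&2
                    return 1 ;;
            esac ;;
        aead)
            # Only the native AEADs with 128 bit nonces listed in the mail.
            case $base in
                aegis128|aegis256|aegis128l|morus640|morus1280) ;;
                *)
                    echo "refuse: $base is not one of the 128 bit nonce native AEADs" >&2
                    return 1 ;;
            esac ;;
        *)
            echo "refuse: unhandled --integrity $integrity" >&2
            return 1 ;;
    esac

    # Authenticated modes: random IV only.
    if [ "$iv" != random ]; then
        echo "refuse: authenticated mode $cipher must use the random IV" >&2
        return 1
    fi
    return 0
}

# luks2_format_cmd DEVICE CIPHER INTEGRITY [KEY_BITS]
# Prints the luksFormat command line only after the check passes; does not run it.
# KEY_BITS is passed through as --key-size (the mail notes the native AEADs
# currently need it set explicitly).
luks2_format_cmd() {
    luks2_aead_check "$2" "$3" || return 1
    cmd="cryptsetup luksFormat --type luks2 --cipher $2"
    if [ "${3:-none}" != none ]; then
        cmd="$cmd --integrity $3"
    fi
    if [ -n "$4" ]; then
        cmd="$cmd --key-size $4"
    fi
    printf '%s %s\n' "$cmd" "$1"
}

# Sample use (constructed; prints the two command lines from the mail).
luks2_format_cmd /dev/sdX1 aes-xts-random hmac-sha256
luks2_format_cmd /dev/sdX1 aegis256-random aead 256
```

Run the printed command yourself once you are happy with it; the script deliberately never calls cryptsetup. The check is a policy filter, not a substitute for reading /proc/crypto on the target kernel: it does not confirm that the kernel actually provides the AEAD or HMAC you name.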