Re: [PATCHv2] crypto: xts - Add support for Cipher Text Stealing

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 08/08/2019 12:37, Ard Biesheuvel wrote:
>>> True. Which is another historical mistake imo, since XTS is only
>>> specified for AES, but I digress ... :-)
>>>
>> Yes, I was also surprised by the use of XTS with other blockciphers.
>> It sort of violates the don't roll your own crypto paradigm ...
>> (although some might argue that XTS is supposed to be secure if the
>> underlying blockcipher is, regardless of what that cipher actually is)
>>
> 
> That doesn't really matter. What matters is that nobody took a careful
> look whether XTS combined with other ciphers is a good idea before
> throwing it out into the world.

Couldn't resist, but tell that to TrueCrypt authors (if you know them :)

They used XTS for other AES candidates (Serpent, Twofish, also in
chained modes together).

Older versions used LRW mode, doing the same.
Even implementing LRW over Blowfish that has 8-byte block size, so you
need GF(2^64) operations - that is luckily not implemented in Linux kernel
crypto API :-)

VeraCrypt continued the tradition, adding the Camellia and
Kuznyetchik (actually discussed GOST standard) to the XTS mix.

But without sarcasm, I do want to support this for users,
we can map (but not create) such images in cryptsetup, and it is partially
reason I want dm-crypt to be fully configurable...

Milan



[Index of Archives]     [Kernel]     [Gnu Classpath]     [Gnu Crypto]     [DM Crypt]     [Netfilter]     [Bugtraq]

  Powered by Linux