XTS v's CBC
Pawel Jakub Dawidek
pjd at FreeBSD.org
Tue Jul 24 11:30:49 UTC 2012
On Tue, Jul 24, 2012 at 05:21:35AM -0500, CyberLeo Kitsana wrote:
> On 07/22/2012 05:05 PM, RW wrote:
> >
> > Is there any good reason for preferring XTS over CBC in geli? I just did
> > some tests on a new disk and CBC seems to be about 30% faster.
>
> This depends on how the initialization vectors are generated for CBC. If
> guessable IVs are used, such as with plain sector/block numbers, a
> cryptographic watermark attack is possible.
>
> The attack is not possible if ESSIV (encrypted salt-sector IV) is used
> in CBC mode, since the IVs cannot be guessed without the key.
>
> The design of XTS mode thwarts the watermark attack, and allows the
> cipher to be easily parallelized, but requires twice the keying material
> due to its use of separate keys for encryption and whitening.
>
> The geli manpage does not say which algorithm is used to generate IVs
> for CBC mode.
It does in the ENCRYPTION MODES section:
geli supports two encryption modes: XTS, which was standardized as IEE
P1619 and CBC with unpredictable IV. The CBC mode used by geli is very
similar to the mode ESSIV.
--
Pawel Jakub Dawidek http://www.wheelsystems.com
FreeBSD committer http://www.FreeBSD.org
Am I Evil? Yes, I Am! http://tupytaj.pl
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 196 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-geom/attachments/20120724/971b8d6d/attachment.pgp
More information about the freebsd-geom
mailing list