[Cryptography] [Crypto-practicum] Justify the sequence of operations in CTR mode.

Ray Dillinger bear at sonic.net
Sat Feb 20 21:32:14 EST 2016


You know, after considering stuff, I think I have a conclusion
about whole-disk security.  And it's brutally simple. 256
bits is not an unreasonable size overhead for a 64kbyte block
cipher.  That's an overhead of 1/2048 the size of the data, a
bit less than 0.05%.

So fill (at least) 128 bits with a nonce, 128 bits with a
checksum or whatever metadata, like a logical block length
to know where to stop reading when the plaintext only fills
a partial block, and the other 2047/2048 of the block with
real data, and then encrypt.  And you can use plain old
ECB mode if you feel like it.

With the key, you can decrypt just fine and decrypting sorts
out your nonces and checksums/metadata from the real plaintext.
So you don't have to care about incrementing counters or IVs
or modes (though you could still use them if you feel like
it), etc.  You have no need to even remember the nonces, and
no possible chosen plaintext can reveal squat.

An opponent can never tell if two blocks match, because
they don't.  Ever.  When you write a file, even if writing
the exact same data with the same IV using the same mode
and encrypted with the same key, it never looks anything
like it looked before.

				Bear
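The layout described in the message above, as an added example that is not part of the original post: each 64 KiB block carries a 128-bit nonce and 128 bits of metadata, and the whole block goes through a single wide-block permutation with no chaining or counter. Assumptions: the 4-round Feistel network built on SHAKE-256 is only a stand-in for a real 64 KiB block cipher and has not been analysed, the metadata is split into a 4-byte length and a 12-byte truncated SHA-256 checksum, and all function names are hypothetical.

```python
import hashlib, hmac, os, struct

BLOCK, NONCE, META, HALF = 65536, 16, 16, 32768  # 64 KiB block, 128-bit nonce + metadata
DATA = BLOCK - NONCE - META                      # 65504 payload bytes = 2047/2048 of block

def _f(key, i, half):
    # Keyed round function (assumption): SHAKE-256 stretched to half a block.
    return hashlib.shake_256(key + bytes([i]) + half).digest(HALF)

def _xor(a, b):
    return (int.from_bytes(a, "big") ^ int.from_bytes(b, "big")).to_bytes(len(a), "big")

def wide_encrypt(key, block):
    # 4-round Feistel over the whole block: stand-in for a real wide-block cipher.
    l, r = block[:HALF], block[HALF:]
    for i in range(4):
        l, r = r, _xor(l, _f(key, i, r))
    return l + r

def wide_decrypt(key, block):
    l, r = block[:HALF], block[HALF:]
    for i in reversed(range(4)):
        l, r = _xor(r, _f(key, i, l)), l
    return l + r

def seal(key, data):
    if len(data) > DATA:
        raise ValueError("payload too large for one block")
    nonce = os.urandom(NONCE)                    # fresh per write, never stored elsewhere
    body = struct.pack(">I", len(data)) + data.ljust(DATA, b"\0")
    check = hashlib.sha256(nonce + body).digest()[:12]
    # Layout: nonce (16) | length (4) | checksum (12) | zero-padded data
    return wide_encrypt(key, nonce + body[:4] + check + body[4:])

def unseal(key, ct):
    pt = wide_decrypt(key, ct)
    nonce, length, check, padded = pt[:16], pt[16:20], pt[20:32], pt[32:]
    good = hashlib.sha256(nonce + length + padded).digest()[:12]
    n = struct.unpack(">I", length)[0]
    if n > DATA or not hmac.compare_digest(check, good):
        raise ValueError("block failed integrity check")
    return padded[:n]                            # nonce and metadata are discarded here

def matching_bytes(a, b):
    return sum(x == y for x, y in zip(a, b))

if __name__ == "__main__":
    k = os.urandom(32)                           # constructed sample key and data
    a, b = seal(k, b"same data"), seal(k, b"same data")
    print(unseal(k, a), matching_bytes(a, b), "of", BLOCK, "bytes coincide")
```

Two writes of identical data under the same key should agree in roughly 1 byte in 256, which is what unrelated random blocks would do.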
