[Cryptography] [Crypto-practicum] Justify the sequence of operations in CTR mode.

Roland C. Dowdeswell elric at imrryr.org
Tue Feb 23 13:32:17 EST 2016


On Sun, Feb 21, 2016 at 01:32:40PM -0500, Theodore Ts'o wrote:
>
> > Technology does advance, though.  When you were talking about
> > spinning rust, it was essential that any metadata associated with a
> > block be physically part of the block - putting something like an IV
> > off elsewhere in a metadata area would have destroyed performance.  With
> > SSDs, the cost of an extra read is much less, and you might be able
> > to get away with separated metadata.  On the other hand, you have to
> > write in large pages, so updating that information is expensive.  So
> > a mode that could rely on a *fixed* set of IVs might be a big win.
> 
> The biggest problem with separated metadata is the atomic update
> problem.  What if you've updated the disk block, but not the
> authentication/integrity metadata?  Or vice versa?

Right, this is what I was getting at in my prior e-mail.  And
there's also the cost of RMW cycles if you cause writes to be on
non-sector-aligned boundaries, which have a dramatic negative impact
on performance.

If you want to have authenticity of the data, then the best place
to do it, assuming current hardware and software limitations, is in
the file system layer, not the block device layer.  Once you are at
the fs layer, you can make all sorts of simplifications that solve
these atomicity and RMW cycle issues.

--
    Roland Dowdeswell                      http://Imrryr.ORG/~elric/
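
The two costs discussed in this thread, as an added illustration that is not part of the original message: a torn update between a data sector and its separately stored integrity tag, and the extra sectors touched when a tag is stored inline and records stop being sector-aligned. The 512-byte sector, the HMAC-SHA256 tag, the key and all class and function names are assumptions chosen for the sketch.

```python
import hashlib
import hmac

SECTOR = 512          # assumed physical sector size
KEY = b"k" * 32       # constructed demo key, not a real secret

def tag(lba, data):
    # Bind the tag to the sector number so sectors cannot be swapped.
    msg = lba.to_bytes(8, "big") + data
    return hmac.new(KEY, msg, hashlib.sha256).digest()

class SeparatedMetadataDisk:
    """Data sectors plus a separate tag area, updated by two device writes."""
    def __init__(self, nsectors):
        self.data = [bytes(SECTOR)] * nsectors
        self.tags = [tag(i, bytes(SECTOR)) for i in range(nsectors)]

    def write(self, lba, buf, crash_after_data=False):
        self.data[lba] = buf               # device write 1: data sector
        if crash_after_data:
            return                         # power lost before write 2
        self.tags[lba] = tag(lba, buf)     # device write 2: tag area

    def verify(self, lba):
        return hmac.compare_digest(self.tags[lba], tag(lba, self.data[lba]))

def torn_write_demo():
    disk = SeparatedMetadataDisk(4)
    disk.write(1, b"A" * SECTOR)
    ok_before = disk.verify(1)
    # A legitimate write interrupted between the two device writes leaves
    # a stale tag: the sector now looks exactly like tampered data.
    disk.write(1, b"B" * SECTOR, crash_after_data=True)
    return ok_before, disk.verify(1)

def sectors_touched(index, record_len):
    """Physical sectors covered by record `index` when records are packed."""
    start = index * record_len
    end = start + record_len - 1
    return list(range(start // SECTOR, end // SECTOR + 1))

def needs_rmw(index, record_len):
    # A record that does not start and end on sector boundaries forces the
    # device or driver to read the neighbouring bytes before writing.
    return (index * record_len) % SECTOR != 0 or record_len % SECTOR != 0

if __name__ == "__main__":
    print(torn_write_demo())                      # separated tag, torn write
    print(sectors_touched(1, SECTOR + 32), needs_rmw(1, SECTOR + 32))
```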

