[Cryptography] XTS mode IV generation

Darren Moffat darren at nessieroo.com
Tue Feb 28 07:38:03 EST 2017


I'm looking for information on whether it is safe (not ideal) to use XTS
mode in a Copy On Write filesystem. For ZFS (which is copy on write and
always has a merkle tree of checksums) I used CCM or GCM because there was
space to store the IV and the MAC.

I have a use case where the system is still copy on write but there is no
possibility of storing the IV or a MAC. In some (but not all) cases the
ciphertext of the blocks is still checksummed.

The blocks are not the traditional disk blocks of full disk encryption that
XTS is targeted for. Each block that would be encrypted by XTS is referenced
by a 128-bit id. What this means is that due to copy on write the same
128-bit id will be used again (always representing the same object and
fragment of the object) while the prior block is still lying on the storage
media. If this 128-bit id was used as the IV for XTS, is that weakening the
security of XTS? Or is it really no different to the risk of being able to
observe the same disk locations over time when XTS is used in the
traditional full disk encryption case?

Darren
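
Added example (not part of the original message): XTS is deterministic for a given key, tweak and plaintext, so two copy-on-write versions of a block stored under the same 128-bit id can be compared 16 bytes at a time by anyone holding both ciphertexts. Assumptions: a SHA-256 Feistel stands in for AES so the sketch runs with the standard library only, keys and ids are constructed, and ciphertext stealing is omitted.

```python
import hashlib

BLOCK = 16  # XTS processes each data block in 16-byte units

def prp(key: bytes, block: bytes) -> bytes:
    """Stand-in 128-bit block cipher (4-round Feistel over SHA-256), NOT AES."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:8]
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return left + right

def mul_alpha(t: bytes) -> bytes:
    """Multiply the tweak by alpha in GF(2^128), little-endian as in XTS."""
    n = int.from_bytes(t, "little") << 1
    if n >> 128:
        n = (n & ((1 << 128) - 1)) ^ 0x87
    return n.to_bytes(16, "little")

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def xts_encrypt(k1: bytes, k2: bytes, block_id: bytes, data: bytes) -> bytes:
    """C_j = E_k1(P_j xor T_j) xor T_j, with T_0 = E_k2(block_id)."""
    assert len(block_id) == 16 and len(data) % BLOCK == 0
    t, out = prp(k2, block_id), b""
    for i in range(0, len(data), BLOCK):
        out += xor(prp(k1, xor(data[i:i + BLOCK], t)), t)
        t = mul_alpha(t)
    return out

def changed_units(old_ct: bytes, new_ct: bytes) -> list:
    """Indices of 16-byte units that differ between two stored ciphertexts."""
    return [i // BLOCK for i in range(0, len(old_ct), BLOCK)
            if old_ct[i:i + BLOCK] != new_ct[i:i + BLOCK]]

def demo():
    """Compare two versions of one block: id reused as tweak vs. a different id."""
    k1, k2 = b"constructed-key1", b"constructed-key2"
    obj_id, other_id = bytes(range(16)), bytes(range(1, 17))  # constructed ids
    v1 = b"A" * 64
    v2 = v1[:40] + b"B" + v1[41:]  # rewrite touches only unit 2
    base = xts_encrypt(k1, k2, obj_id, v1)
    same_id = changed_units(base, xts_encrypt(k1, k2, obj_id, v2))
    fresh_id = changed_units(base, xts_encrypt(k1, k2, other_id, v2))
    return same_id, fresh_id

if __name__ == "__main__":
    print(demo())
```

With the id reused, only the modified 16-byte unit differs between the two ciphertexts, which is the same thing an observer sees when a fixed sector is rewritten under full disk encryption.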