Date: Wed, 25 Jul 2012 00:39:23 +0100 From: RW <rwmaillists@googlemail.com> To: freebsd-geom@freebsd.org Subject: Re: XTS v's CBC Message-ID: <20120725003923.6956a238@gumby.homeunix.com> In-Reply-To: <20120724112823.GD1384@garage.freebsd.pl> References: <20120722230539.43054c22@gumby.homeunix.com> <500E772F.6000709@cyberleo.net> <20120724112823.GD1384@garage.freebsd.pl>
next in thread | previous in thread | raw e-mail | index | archive | help
On Tue, 24 Jul 2012 13:28:23 +0200 Pawel Jakub Dawidek wrote: > On Tue, Jul 24, 2012 at 05:21:35AM -0500, CyberLeo Kitsana wrote: > > On 07/22/2012 05:05 PM, RW wrote: > > > > > > Is there any good reason for preferring XTS over CBC in geli? I > > > just did some tests on a new disk and CBC seems to be about 30% > > > faster. > > > > This depends on how the initialization vectors are generated for > > CBC. If guessable IVs are used, such as with plain sector/block > > numbers, a cryptographic watermark attack is possible. > > > > The attack is not possible if ESSIV (encrypted salt-sector IV) is > > used in CBC mode, since the IVs cannot be guessed without the key. > > > > The design of XTS mode thwarts the watermark attack, and allows the > > cipher to be easily parallelized, but requires twice the keying > > material due to its use of separate keys for encryption and > > whitening. > > > > The geli manpage does not say which algorithm is used to generate > > IVs for CBC mode. > >... The CBC mode used by geli is very similar to the mode ESSIV. > I was aware of all of the above, I was wondering if there is anything that justified the switch to AES-XTS as default given the drop in performance.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20120725003923.6956a238>