Date:      Wed, 25 Jul 2012 00:39:23 +0100
From:      RW <rwmaillists@googlemail.com>
To:        freebsd-geom@freebsd.org
Subject:   Re: XTS v's CBC
Message-ID:  <20120725003923.6956a238@gumby.homeunix.com>
In-Reply-To: <20120724112823.GD1384@garage.freebsd.pl>
References:  <20120722230539.43054c22@gumby.homeunix.com> <500E772F.6000709@cyberleo.net> <20120724112823.GD1384@garage.freebsd.pl>

On Tue, 24 Jul 2012 13:28:23 +0200
Pawel Jakub Dawidek wrote:

> On Tue, Jul 24, 2012 at 05:21:35AM -0500, CyberLeo Kitsana wrote:
> > On 07/22/2012 05:05 PM, RW wrote:
> > > 
> > > Is there any good reason for preferring XTS over CBC in geli? I
> > > just did some tests on a new disk and CBC seems to be about 30%
> > > faster.
> > 
> > This depends on how the initialization vectors are generated for
> > CBC. If guessable IVs are used, such as with plain sector/block
> > numbers, a cryptographic watermark attack is possible.
> > 
> > The attack is not possible if ESSIV (encrypted salt-sector IV) is
> > used in CBC mode, since the IVs cannot be guessed without the key.
> > 
> > The design of XTS mode thwarts the watermark attack, and allows the
> > cipher to be easily parallelized, but requires twice the keying
> > material due to its use of separate keys for encryption and
> > whitening.
> > 
> > The geli manpage does not say which algorithm is used to generate
> > IVs for CBC mode.
> 
>... The CBC mode used by geli is very similar to the mode ESSIV.
> 

I was aware of all of the above. I was wondering if there is anything
that justified the switch to AES-XTS as default given the drop in
performance.
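
Added example, not part of the original message and not geli's code: a check of the IV point quoted above, comparing the first CBC ciphertext block of several sectors when the IV is the plain sector number and when it is a textbook ESSIV value, IV = E_{H(K)}(sector). HMAC-SHA256 truncated to 16 bytes stands in for AES (an assumption, since only the forward direction of the cipher is needed here), and all function names and sample values are constructed for illustration.

```python
import hashlib
import hmac

BLOCK = 16  # cipher block size in bytes


def prf(key: bytes, block: bytes) -> bytes:
    # Stand-in for AES_key(block): a keyed PRF, forward direction only (assumption).
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def iv_plain(key: bytes, sector: int) -> bytes:
    # Guessable IV: the sector number itself, no key involved.
    return sector.to_bytes(BLOCK, "little")


def iv_essiv(key: bytes, sector: int) -> bytes:
    # Textbook ESSIV: encrypt the sector number under a hash of the data key.
    salt = hashlib.sha256(key).digest()
    return prf(salt, sector.to_bytes(BLOCK, "little"))


def first_ct_block(key: bytes, iv_fn, sector: int, plaintext: bytes) -> bytes:
    # CBC: C1 = E_K(P1 xor IV)
    return prf(key, xor(plaintext, iv_fn(key, sector)))


def leaks_equal_blocks(key: bytes, iv_fn, sectors=(100, 101, 102)) -> bool:
    """True if data prepared without the key yields identical first
    ciphertext blocks in every listed sector (a visible pattern on disk)."""
    base = b"constructed-mark"  # 16-byte constructed sample block
    seen = set()
    for s in sectors:
        # The data writer can cancel an IV only if it is computable without the key.
        p1 = xor(base, iv_plain(b"", s))
        seen.add(first_ct_block(key, iv_fn, s, p1))
    return len(seen) == 1


if __name__ == "__main__":
    k = bytes(range(32))  # constructed sample key
    print("plain sector IV leaks pattern:", leaks_equal_blocks(k, iv_plain))
    print("ESSIV leaks pattern:          ", leaks_equal_blocks(k, iv_essiv))
```

With the sector-number IV the three first blocks come out identical; with the keyed IV they do not, because the IV cannot be computed without the key.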


