[144898] in cryptography@c2.net mail archive
Re: FileVault on other than home directories on MacOS?
daemon@ATHENA.MIT.EDU (Darren J Moffat)
Mon Sep 28 19:38:28 2009
Date: Fri, 25 Sep 2009 10:13:33 +0100
From: Darren J Moffat <Darren.Moffat@Sun.COM>
In-reply-to: <E59DF15D-33FF-416B-8C0E-545C4AB0FFC6@mac.com>
To: james hughes <hughejp@mac.com>
Cc: Ivan Krstić <krstic@solarsail.hcs.harvard.edu>,
Steven Bellovin <smb@cs.columbia.edu>, cryptography@metzdowd.com

james hughes wrote:
>> TrueCrypt on the other hand uses AES in XTS mode so you get
>> confidentiality and integrity.
>
> Technically, you do not get integrity. With XTS (P1619, narrow block
> tweaked cipher) you are not notified of data integrity failures, but
> these data integrity failures have a much reduced usability than CBC.
> With XTS:
[snip]
> If you change this to ZFS Crypto
> http://opensolaris.org/os/project/zfs-crypto/
> You get complete integrity detection with the only remaining
> vulnerability that

For those not familiar, this is because Jim and I chose to use CCM/GCM
with AES. ZFS is already using a copy-on-write validated Merkle tree.
The 16-byte tag/MAC from CCM/GCM is stored in the block pointer above,
forming a Merkle tree. Each encrypted block in ZFS has its own IV. ZFS
"disk" blocks are variable size, from 512 bytes to (currently) 128k.

> 1) you can return the entire disk to a previous state.
>
> While I may have put you all asleep, the basic premise holds... XTS is
> better than unauthenticated CBC.

Which is really what I was trying to say, and I overstated that XTS
provides integrity. When really what it does is, as you said, provide
better protection for certain classes of ciphertext modification than
just using CBC.

--
Darren J Moffat
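
The layout described in this message, as an added Go example that is not part of the original post and is not ZFS code: each block is sealed with AES-GCM under its own IV, the 16-byte tag is kept in the parent's pointer rather than beside the data, and the pointer block is sealed the same way under a root pointer. The two-level tree, the names `Disk`, `GCM`, `Write`, `Read` and `demoKey`, the 12-byte IV and the all-zero key are assumptions made for the demo, and GCM stands in for either of CCM/GCM.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

type Disk struct { // everything an attacker with raw device access can overwrite
	Leaves       [][]byte // leaf ciphertexts, stored without their tags
	Parent, Root []byte   // sealed list of leaf IV||tag pointers; IV||tag of Parent
}

func GCM(key [32]byte) cipher.AEAD {
	b, _ := aes.NewCipher(key[:]) // cannot fail: the key is 32 bytes
	g, _ := cipher.NewGCM(b)
	return g
}
// seal encrypts pt under a fresh IV; the tag is returned in ptr, apart from ct.
func seal(g cipher.AEAD, pt []byte) (ct, ptr []byte) {
	iv := make([]byte, 12)
	rand.Read(iv)
	out := g.Seal(nil, iv, pt, nil)
	return out[:len(pt)], append(iv, out[len(pt):]...)
}
func open(g cipher.AEAD, ct, ptr []byte) ([]byte, error) {
	return g.Open(nil, ptr[:12], append(append([]byte{}, ct...), ptr[12:]...), nil)
}
// Write seals each leaf, then seals the block of leaf pointers under Root.
func Write(g cipher.AEAD, blocks ...string) (d Disk) {
	var ptrs []byte
	for _, b := range blocks {
		ct, p := seal(g, []byte(b))
		d.Leaves, ptrs = append(d.Leaves, ct), append(ptrs, p...)
	}
	d.Parent, d.Root = seal(g, ptrs)
	return d
}
// Read checks Parent against Root, then leaf i against its pointer in Parent.
func Read(g cipher.AEAD, d Disk, i int) (string, error) {
	ptrs, err := open(g, d.Parent, d.Root)
	if err != nil {
		return "", err
	}
	pt, err := open(g, d.Leaves[i], ptrs[28*i:28*i+28])
	return string(pt), err
}

var demoKey [32]byte // constructed all-zero demo key, not a real secret
func main() { fmt.Println(Read(GCM(demoKey), Write(GCM(demoKey), "balance=100"), 0)) }
```

Overwriting a leaf, or a leaf together with the pointer block, makes `Read` fail because the tag one level up no longer matches. Handing back an older `Disk` in full, root included, still verifies, which is the whole-disk rollback case from the quoted text.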