[145006] in cryptography@c2.net mail archive
Re: Truncating SHA2 hashes vs shortening a MAC for ZFS Crypto
daemon@ATHENA.MIT.EDU (Alexander Klimov)
Mon Nov 2 16:30:01 2009
Date: Mon, 2 Nov 2009 09:45:14 +0200 (IST)
From: Alexander Klimov <alserkli@inbox.ru>
To: Darren J Moffat <Darren.Moffat@Sun.COM>
cc: cryptography@metzdowd.com, zfs-crypto-discuss@opensolaris.org
In-Reply-To: <4AEB229B.3080101@Sun.COM>
On Fri, 30 Oct 2009, Darren J Moffat wrote:
> The SHA256 checksums are used even for blocks in the pool that aren't
> encrypted and are used for detecting and repairing (resilvering) block
> corruption. Each filesystem in the pool has its own wrapping key and
> data encryption keys.
>
> Due to some unchangeable constraints I have only 384 bits of space to
> fit in all of: IV, MAC (CCM or GCM Auth Tag), and the SHA256 checksum,
> which best case would need about 480 bits.
>
> Currently I have Option 1 below but the truncation of SHA256 down to
> 128 bits makes me question if this is safe. Remember the SHA256 is of
> the ciphertext and is used for resilvering.
If you use the hash only to protect against non-malicious corruption,
then why do you use SHA-2? Would not MD5 or even CRC be enough?
--
Regards,
ASK
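The following is an added example, not code from the thread or from ZFS, illustrating the trade-off being discussed: a truncated SHA-256 checksum over the ciphertext versus a CRC for detecting non-malicious block corruption, and the arithmetic of the 384-bit trailer budget. The 384-bit budget and the 128-bit truncation are taken from the thread; the 96-bit IV and 128-bit auth-tag sizes are assumptions (with those sizes the untruncated layout comes to 480 bits, the figure Darren quotes). The ciphertext block is constructed random bytes, standing in for the output of CCM/GCM, since the checksum is computed over ciphertext and so can be verified by a scrub or resilver without the data encryption key.

```python
"""Truncated SHA-256 vs CRC-32 as a corruption checksum over ciphertext.

Added example; not the thread's or ZFS's own code. IV and tag sizes are
assumptions used only to show the trailer-budget arithmetic.
"""
import hashlib
import os
import zlib

BUDGET_BITS = 384      # stated in the thread: all of IV + MAC + checksum
TRUNC_BITS = 128       # SHA-256 truncation length discussed in the thread
IV_BITS = 96           # assumption: GCM-style 96-bit nonce
TAG_BITS = 128         # assumption: full-length CCM/GCM auth tag


def fits_budget(iv_bits=IV_BITS, tag_bits=TAG_BITS, sum_bits=TRUNC_BITS):
    """Return (total_bits, fits) for a trailer made of IV + tag + checksum."""
    total = iv_bits + tag_bits + sum_bits
    return total, total <= BUDGET_BITS


def sha256_truncated(data, bits=TRUNC_BITS):
    """Leading `bits` bits of SHA-256 over the block (here: the ciphertext)."""
    return hashlib.sha256(data).digest()[: bits // 8]


def crc32_sum(data):
    """CRC-32 over the block as 4 big-endian bytes (the cheap alternative)."""
    return zlib.crc32(data).to_bytes(4, "big")


def verify(data, stored, sumfn):
    """Recompute the checksum and compare; no key is needed for either."""
    return sumfn(data) == stored


def flip_bit(data, bit_index):
    """Simulate a single-bit media error at the given bit position."""
    b = bytearray(data)
    b[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(b)


def corruption_detected(block, bit_index, sumfn):
    """True if a single-bit flip in `block` fails verification under sumfn."""
    stored = sumfn(block)
    return not verify(flip_bit(block, bit_index), stored, sumfn)


def checksum_overhead_bits(sumfn, block):
    """Bits the trailer spends on this checksum type."""
    return len(sumfn(block)) * 8


if __name__ == "__main__":
    # Constructed stand-in for a 4 KiB ciphertext block.
    block = os.urandom(4096)
    for name, fn in (("sha256/128", sha256_truncated), ("crc32", crc32_sum)):
        caught = all(corruption_detected(block, i, fn) for i in range(0, 4096 * 8, 997))
        print(f"{name:11s} {checksum_overhead_bits(fn, block):3d} bits, "
              f"single-bit flips detected: {caught}")
    print("truncated layout:", fits_budget())
    print("full SHA-256 layout:", fits_budget(sum_bits=256))
```

Both checksums catch every single-bit flip; the difference is in the cost (128 vs 32 bits of the trailer) and in what happens under adversarial rather than random corruption, which is the distinction Alexander's question turns on. Note that the checksum protects the ciphertext only; authenticity of the plaintext still rests on the auth tag, which does require the key.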
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com