[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [dm-devel] [PATCH] dm-crypt: disable block encryption with arc4

On Tue, 26 Jan 2010, Sebastian Andrzej Siewior wrote:

> * Mikulas Patocka | 2010-01-26 07:27:18 [-0500]:
> >> yes, I think it is better.
> >> (...and I just forgot to add that test to dm-crypt after that suggestion.)
> >> 
> >> Milan
> >
> >Hmm, there is salsa20 that has block size 1, larger initialization 
> >vectors, and can be used to encrypt disks (although salsa20 doesn't 
> >currently work with dm-crypt, because it doesn't accept "ecb(), cbc(), 
> >etc." chaining modes --- but if you remove the chaining mode manually, it 
> >works).
> >
> >You should rather add a flag CRYPTO_ALG_CHANGES_STATE to determine that a 
> >cipher can't be used to encrypt disks.
> Just because it will work does not make it a good idea.
> SALSA20 is a stream cipher not a block cipher.
> Block ciphers are used to encrypt data.
> Stream ciphers are used to create one time pads, a set of encryption
> keys, ...
> There are block modes like CTR which can turn a block cipher into a
> stream cipher. Those should not be used for disk encryption as well.

Salsa20 is unsuitable for disk encryption in most cases. It would be 
suitable if we knew that the attacker can obtain the image of encrypted 
device at most once --- it is OK to protect against laptop theft (it 
happens just once), but it is not OK to protect against support technician 
spying on your data (he can read them multiple times, if you have multiple 
support requests).

Anyway, what I wanted to say, is that block_size <= 1 test is no less 
hacky than !strcmp(cipher, "arc4") test.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]