[pkg-cryptsetup-devel] Bug#494584: efficacy of xts over 1TB

Micah Anderson micah at riseup.net
Tue Sep 2 03:13:05 UTC 2008

According to the IETF NIST submission[0] for the tweakable block
cipher xts (and I paraphrase here, as the document prohibits direct
quotation): the proof yields strong security guarantees as long as the
same key is not used to encrypt much more than 1 terabyte of data. Up
until this point, no attack can succeed with probability better than
approximately one in eight quadrillion. However this security
guarantee deteriorates as more data is encrypted with the same
key. With a petabyte the attack success probability rate decreases to
*at most* eight in a trillion, with an exabyte, the success
probability is reduced to *at most* eight in a million.

Essentially this means that using XTS, with one key for more than a
few hundred terabytes of data opens up the possibility of attacks (and
is not mitigated by using a larger AES key size, so using a 256-bit
key doesn't change this). 

The paper notes that the decision on the maximum amount to data to be
encrypted with a single key using XTS should consider the above
together with the practical implication of the attack (which is the
ability of the adversary to modiy plaintext of a specific block, where
the position of this block may not be under the advisary's control).

As people do seem to be interested in XTS, I think it may be worth
considering performing a simple size of data partition to be encrypted
check to see if it is over 1TB and if so, present a warning about this
potential problem so that the user can make an informed decision
instead of being surprised later. If its not possible to do such a
test, or its possible for the user to increase the size of their
underlying encrypted volume, then perhaps the warning should be
included by default.


0. http://grouper.ieee.org/groups/1619tmp/1619-2007-NIST-Submission.pdf
(oddly, this is only available until September 3rd, I have a copy if
anyone needs it)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: Digital signature
Url : http://lists.alioth.debian.org/pipermail/pkg-cryptsetup-devel/attachments/20080901/bf2586ac/attachment.pgp 

More information about the pkg-cryptsetup-devel mailing list