Re: Security implications of large CGD?

[Taylor R Campbell <campbell+netbsd-users%mumble.net@localhost>]

    Date: Sun, 28 Apr 2013 14:48:05 +0200
    From: Jimmy Johansson <jimmy%Update.UU.SE@localhost>

   I'm about to create a CGD volume larger than 1 TB.

   I seem to remember reading something about OpenBSD and their full disk
   encryption several years ago and that you should not create a
   volume larger than 1 TB with their scheme. If I remember correctly it
   was due to implementation limitations, but then again I don't trust my
   memory any more.

   Or are there any problems overall with a volume larger than 1 TB
   encrypted with aes-cbc and 256 b key that a layperson like me can't
   see? I mean I'm neither a cryptographer nor a mathematician...

Cryptographers recommend[*] avoiding using a 128-bit block cipher with
a single key to encrypt more than 2^32 blocks = 2^40 bytes = 1 TB.
This is to render negligible an attacker's probability of success at
using the birthday paradox to distinguish your ciphertext, which will
have no collisions, from random data, which is expected to have a
collision after 2^64 blocks.

To avoid this, you could break up your disk into parts encrypted with
different keys and combine the parts using ccd or raid.

(OpenBSD has it much worse off, because their disk encryption supports
only the 64-bit block cipher Blowfish.  I wonder whether cgd(4) ought
to reject attempts to configure >1 TB (and much smaller for Blowfish
and 3DES), until perhaps we add support for a wider-block cipher.)

[*] E.g., <http://www.ietf.org/rfc/rfc4434.txt>.