Re: Security implications of large CGD?

[Jimmy Johansson <jimmy%Update.UU.SE@localhost>]

On Tue, Apr 30, 2013 at 02:09:40PM +0000, Taylor R Campbell wrote:
>     Date: Sun, 28 Apr 2013 14:48:05 +0200
>     From: Jimmy Johansson <jimmy%Update.UU.SE@localhost>
> 
>    I'm about to create a CGD volume larger than 1 TB.
> 
>    I seem to remember reading something about OpenBSD and their full disk
>    encryption several years ago and that you should not create a
>    volume larger than 1 TB with their scheme. If I remember correctly it
>    was due to implementation limitations, but then again I don't trust my
>    memory any more.
> 
>    Or are there any problems overall with a volume larger than 1 TB
>    encrypted with aes-cbc and 256 b key that a layperson like me can't
>    see? I mean I'm neither a cryptographer nor a mathematician...
> 
> Cryptographers recommend[*] avoiding using a 128-bit block cipher with
> a single key to encrypt more than 2^32 blocks = 2^40 bytes = 1 TB.
> This is to render negligible an attacker's probability of success at
> using the birthday paradox to distinguish your ciphertext, which will
> have no collisions, from random data, which is expected to have a
> collision after 2^64 blocks.
> 
> To avoid this, you could break up your disk into parts encrypted with
> different keys and combine the parts using ccd or raid.
> 
> (OpenBSD has it much worse off, because their disk encryption supports
> only the 64-bit block cipher Blowfish.  I wonder whether cgd(4) ought
> to reject attempts to configure >1 TB (and much smaller for Blowfish
> and 3DES), until perhaps we add support for a wider-block cipher.)
> 
> [*] E.g., <http://www.ietf.org/rfc/rfc4434.txt>.

Thanks for the answer. Will keep this in mind when setting things up.

Regards,

Jimmy
-- 
If you don't shoot the bearers of bad news, people will keep bringing it to you.