[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: Security implications of large CGD?
On Tue, Apr 30, 2013 at 02:09:40PM +0000, Taylor R Campbell wrote:
> Date: Sun, 28 Apr 2013 14:48:05 +0200
> From: Jimmy Johansson <jimmy%Update.UU.SE@localhost>
> I'm about to create a CGD volume larger than 1 TB.
> I seem to remember reading something about OpenBSD and their full disk
> encryption several years ago and that you should not create a
> volume larger than 1 TB with their scheme. If I remember correctly it
> was due to implementation limitations, but then again I don't trust my
> memory any more.
> Or are there any problems overall with a volume larger than 1 TB
> encrypted with aes-cbc and 256 b key that a layperson like me can't
> see? I mean I'm neither a cryptographer nor a mathematician...
> Cryptographers recommend[*] avoiding using a 128-bit block cipher with
> a single key to encrypt more than 2^32 blocks = 2^40 bytes = 1 TB.
> This is to render negligible an attacker's probability of success at
> using the birthday paradox to distinguish your ciphertext, which will
> have no collisions, from random data, which is expected to have a
> collision after 2^64 blocks.
> To avoid this, you could break up your disk into parts encrypted with
> different keys and combine the parts using ccd or raid.
> (OpenBSD has it much worse off, because their disk encryption supports
> only the 64-bit block cipher Blowfish. I wonder whether cgd(4) ought
> to reject attempts to configure >1 TB (and much smaller for Blowfish
> and 3DES), until perhaps we add support for a wider-block cipher.)
> [*] E.g., <http://www.ietf.org/rfc/rfc4434.txt>.
Thanks for the answer. Will keep this in mind when setting things up.
If you don't shoot the bearers of bad news, people will keep bringing it to you.
Main Index |
Thread Index |