NetBSD-Users archive


Re: Security implications of large CGD?

Taylor R Campbell writes:

> Cryptographers recommend[*] avoiding using a 128-bit block cipher with
> a single key to encrypt more than 2^32 blocks = 2^40 bytes = 1 TB.
> This is to render negligible an attacker's probability of success at
> using the birthday paradox to distinguish your ciphertext, which will
> have no collisions, from random data, which is expected to have a
> collision after 2^64 blocks.
> To avoid this, you could break up your disk into parts encrypted with
> different keys and combine the parts using ccd or raid.

Fair enough, but is it really rational to be concerned about statistical
tests being able to distinguish a 2T disk with a cgd on it from one that
you wrote random numbers to?  Are the other ways of figuring that out
really infeasible?  (How do you hide the cgdconfig file from the

I can certainly see not getting arbitrarily large, but I wonder if there
is something truly magic about 1T vs 2T, as opposed to a 1 in 2^32 odds
of noticing vs 1 in 2^31.

