NetBSD-Users archive


Re: Security implications of large CGD?



Taylor R Campbell <campbell+netbsd-users%mumble.net@localhost> writes:

> Cryptographers recommend[*] avoiding using a 128-bit block cipher with
> a single key to encrypt more than 2^32 blocks = 2^40 bytes = 1 TB.
> This is to render negligible an attacker's probability of success at
> using the birthday paradox to distinguish your ciphertext, which will
> have no collisions, from random data, which is expected to have a
> collision after 2^64 blocks.
>
> To avoid this, you could break up your disk into parts encrypted with
> different keys and combine the parts using ccd or raid.

Fair enough, but is it really rational to be concerned about statistical
tests being able to distinguish a 2T disk with a cgd on it from one that
you wrote random numbers to?  Are the other ways of figuring that out
really infeasible?  (How do you hide the cgdconfig file from the
adversary?)

I can certainly see not getting arbitrarily large, but I wonder if there
is something truly magic about 1T vs 2T, as opposed to a 1 in 2^32 odds
of noticing vs 1 in 2^31.

Attachment: pgpYmTdo9gR8N.pgp
Description: PGP signature
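
The birthday-bound argument discussed in this thread, as an added example (not code from either poster or from NetBSD): it models a block cipher under one key as a random permutation over a toy 16-bit block so collisions are observable, measures how often a repeated block shows up in random data versus cipher output, and evaluates the q(q-1)/2^(n+1) bound for 128-bit blocks at 2^32 blocks and at double that. The 16-bit block size, the trial counts and all function names are assumptions made for illustration.

```python
import math
import random

def collision_bound(q, n_bits):
    """Birthday upper bound q(q-1)/2^(n+1) on P[collision among q random n-bit blocks]."""
    return q * (q - 1) / 2 ** (n_bits + 1)

def collision_prob(q, n_bits):
    """Standard approximation 1 - exp(-q(q-1)/2^(n+1)) of the same probability."""
    return -math.expm1(-q * (q - 1) / 2 ** (n_bits + 1))

def has_collision(blocks):
    return len(set(blocks)) < len(blocks)

def measure(q, n_bits, trials, rng):
    """Return collision rates (random data, permutation output) over `trials` runs."""
    space = 2 ** n_bits
    rand_hits = perm_hits = 0
    for _ in range(trials):
        # Random data: blocks drawn independently, repeats allowed.
        rand_hits += has_collision([rng.randrange(space) for _ in range(q)])
        # Ideal block cipher on q distinct inputs: q distinct outputs, never a repeat.
        perm_hits += has_collision(rng.sample(range(space), q))
    return rand_hits / trials, perm_hits / trials

def log2_bound(log2_q, n_bits=128):
    """log2 of the bound for q = 2^log2_q blocks, using exact big-integer arithmetic."""
    q = 1 << log2_q
    return math.log2(q * (q - 1)) - (n_bits + 1)

if __name__ == "__main__":
    rng = random.Random(1)  # fixed seed so the run is repeatable
    n = 16                  # toy block size (assumption), small enough to see collisions
    for q in (32, 64, 128, 256, 512):
        rand_rate, perm_rate = measure(q, n, 2000, rng)
        # A distinguisher that answers "random" on any repeat has advantage
        # rand_rate - perm_rate, which is what the birthday bound limits.
        print(f"q={q:4d} random={rand_rate:.3f} cipher={perm_rate:.3f} "
              f"model={collision_prob(q, n):.3f}")
    for e in (32, 33):
        print(f"128-bit blocks, q=2^{e}: advantage <= 2^{log2_bound(e):.1f}")
```

The bound grows with the square of the block count, so doubling the amount of data under one key raises it by a factor of four.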


