Taylor R Campbell <campbell+netbsd-users%mumble.net@localhost> writes:

> Cryptographers recommend[*] avoiding using a 128-bit block cipher with
> a single key to encrypt more than 2^32 blocks = 2^40 bytes = 1 TB.
> This is to render negligible an attacker's probability of success at
> using the birthday paradox to distinguish your ciphertext, which will
> have no collisions, from random data, which is expected to have a
> collision after 2^64 blocks.
>
> To avoid this, you could break up your disk into parts encrypted with
> different keys and combine the parts using ccd or raid.

Fair enough, but is it really rational to be concerned about statistical
tests being able to distinguish a 2T disk with a cgd on it from one that
you wrote random numbers to?  Are the other ways of figuring that out
really infeasible?  (How do you hide the cgdconfig file from the
adversary?)

I can certainly see not getting arbitrarily large, but I wonder if there
is something truly magic about 1T vs 2T, as opposed to odds of 1 in 2^32
of noticing vs 1 in 2^31.
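The birthday arithmetic behind the quoted advice and the reply's "1T vs 2T" question, as an added example that is not part of this thread and not cgd or NetBSD code. A block cipher under one key is a permutation, so its ciphertext blocks never repeat; a uniformly random string of the same length repeats with probability about n(n-1)/2^(b+1) for n blocks of b bits, and that probability is the distinguishing advantage being bounded. The block assumes a 16-byte (128-bit) block cipher such as AES and computes the block count from the byte size, because for a 16-byte block 2^32 blocks is 2^36 bytes (64 GiB) while 1 TiB holds 2^36 blocks; it prints both so the reader can see the figure each claim refers to. The 2^32-block cap used in parts_needed is the one the quoted text proposes, not a cgd limit.

```python
"""Birthday-bound arithmetic for a 128-bit block cipher under one key.

Added example for this discussion; not cgd or NetBSD code.  Assumes a
16-byte block (AES).  Sizes are powers of two (TiB), which is what the
thread's 2^40 figure means.
"""
import math

BLOCK_BYTES = 16                 # 128-bit block cipher, assumed
BLOCK_BITS = BLOCK_BYTES * 8


def num_blocks(size_bytes: int, block_bytes: int = BLOCK_BYTES) -> int:
    """Cipher blocks on a disk of size_bytes (a trailing partial block is ignored)."""
    return size_bytes // block_bytes


def collision_probability(n_blocks: int, block_bits: int = BLOCK_BITS) -> float:
    """Probability that n uniformly random block_bits-bit values contain at
    least one repeat: 1 - exp(-n(n-1)/2^(b+1)).

    n(n-1) pairs / 2, each colliding with probability 2^-b.  The integer
    arithmetic is exact and only the final division goes to float, so the
    result is still accurate when it is around 2^-65.
    """
    if n_blocks < 2:
        return 0.0
    expected_colliding_pairs = n_blocks * (n_blocks - 1) / 2 ** (block_bits + 1)
    return -math.expm1(-expected_colliding_pairs)


def log2_advantage(size_bytes: int, block_bytes: int = BLOCK_BYTES) -> float:
    """log2 of the distinguishing advantage for one key over size_bytes of
    ciphertext: the collision probability random data would show and the
    ciphertext cannot."""
    p = collision_probability(num_blocks(size_bytes, block_bytes), block_bytes * 8)
    return math.log2(p) if p > 0 else float("-inf")


def parts_needed(size_bytes: int, max_blocks_per_key: int = 2 ** 32,
                 block_bytes: int = BLOCK_BYTES) -> int:
    """Separately keyed devices (joined with ccd or raid, per the quoted
    suggestion) needed so that no key covers more than max_blocks_per_key
    blocks.  The 2^32 default is the thread's proposed cap, not a cgd limit."""
    n = num_blocks(size_bytes, block_bytes)
    return -(-n // max_blocks_per_key)      # ceiling division


def main() -> None:
    tib = 2 ** 40
    sizes = [
        ("2^32 blocks (64 GiB)", 2 ** 32 * BLOCK_BYTES),
        ("1 TiB", tib),
        ("2 TiB", 2 * tib),
    ]
    for label, size in sizes:
        print(f"{label:>22}: {num_blocks(size):>13} blocks, "
              f"advantage ~ 2^{log2_advantage(size):.2f}, "
              f"{parts_needed(size)} key(s) at 2^32 blocks each")
    # Random data is expected to show its first repeat near 2^64 blocks:
    print(f"P(repeat among 2^64 random blocks) = {collision_probability(2 ** 64):.3f}")


if __name__ == "__main__":
    main()
```

Two things the numbers make concrete. First, the advantage grows with the square of the disk size, so going from 1 TiB to 2 TiB costs two bits (2^-57 to 2^-55), not one; at either size it is far below 2^-32. Second, the distinguishing game is not the only thing a repeated block buys an attacker: in CBC mode (cgd's aes-cbc, for instance) two equal ciphertext blocks C_i = C_j reveal P_i xor P_j = C_{i-1} xor C_{j-1}, so the same birthday count bounds a small plaintext leak, which is the more practical reason the per-key data limit exists.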