Subject: Re: CBC and LRW?
To: Steven M. Bellovin <smb@cs.columbia.edu>
From: Roland Dowdeswell <elric@imrryr.org>
List: tech-security
Date: 07/30/2006 13:24:09
On 1153881116 seconds since the Beginning of the UNIX epoch
"Steven M. Bellovin" wrote:
>

>> The main difference appears to be better deniability: someone who can
>> convince you to store a specially crafted file on your encrypted disk
>> can then, given just the encrypted disk, prove that the file is stored
>> there.
>> 
>I haven't seen the attack, but given the way CBC works it's not clear that
>the attack would even apply in the context of cgd.

The attack was on the first implementation of encrypted disks for
Linux which had a known IV (plaintext block number) for each block.
You can then create a watermarked file by repeating sequences of
sectors with the right bits twiddled to undo the known IV.  Cgd
doesn't suffer from this as the IV is not known to the attacker.

Maybe we should have a look at LRW.  It's not a NIST-approved mode,
is it?

--
    Roland Dowdeswell                      http://www.Imrryr.ORG/~elric/
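The watermark Roland describes, worked through as an added example (this is not code from the thread, from cryptoloop or from cgd): with IV = sector number, writing two adjacent sectors whose first blocks differ by exactly `n ^ (n+1)` makes CBC emit identical first ciphertext blocks, which is visible on the raw disk. `SecretIV` is my assumed stand-in for an unguessable per-sector IV (the sector number encrypted under the disk key); the key and sector contents are constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
)

const blockSize = 16

// sectorBytes encodes a sector number as one 16-byte little-endian block.
func sectorBytes(sector uint64) []byte {
	b := make([]byte, blockSize)
	binary.LittleEndian.PutUint64(b, sector)
	return b
}

type IVFunc func(block cipher.Block, sector uint64) []byte

// KnownIV: the scheme the message criticises, IV = plaintext sector number.
func KnownIV(_ cipher.Block, sector uint64) []byte { return sectorBytes(sector) }

// SecretIV (assumption, modelled on the message's description of cgd):
// encrypt the sector number under the disk key, so the IV is not known.
func SecretIV(block cipher.Block, sector uint64) []byte {
	iv := make([]byte, blockSize)
	block.Encrypt(iv, sectorBytes(sector))
	return iv
}

// WatermarkVisible writes the two-sector pattern from the message (second
// sector's first block pre-XORed with sector ^ (sector+1), which cancels the
// IV difference only if IVs are sector numbers) and reports whether CBC then
// leaks it as identical first ciphertext blocks, i.e. the scheme is watermark-prone.
func WatermarkVisible(key []byte, ivf IVFunc, sector uint64) (bool, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return false, err
	}
	base := bytes.Repeat([]byte{0x41}, 512) // constructed sector content
	crafted := append([]byte(nil), base...)
	lo, hi := sectorBytes(sector), sectorBytes(sector+1)
	for i := 0; i < blockSize; i++ {
		crafted[i] ^= lo[i] ^ hi[i]
	}
	c0, c1 := make([]byte, 512), make([]byte, 512)
	cipher.NewCBCEncrypter(block, ivf(block, sector)).CryptBlocks(c0, base)
	cipher.NewCBCEncrypter(block, ivf(block, sector+1)).CryptBlocks(c1, crafted)
	return bytes.Equal(c0[:blockSize], c1[:blockSize]), nil
}
```

Running `WatermarkVisible` with `KnownIV` returns true and with `SecretIV` returns false, which is the property a disk-encryption IV scheme should be checked for before deployment.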