On Tue, 24 Jul 2012 13:28:23 +0200 Pawel Jakub Dawidek wrote: > On Tue, Jul 24, 2012 at 05:21:35AM -0500, CyberLeo Kitsana wrote: > > On 07/22/2012 05:05 PM, RW wrote: > > > > > > Is there any good reason for preferring XTS over CBC in geli? I > > > just did some tests on a new disk and CBC seems to be about 30% > > > faster. > > > > This depends on how the initialization vectors are generated for > > CBC. If guessable IVs are used, such as with plain sector/block > > numbers, a cryptographic watermark attack is possible. > > > > The attack is not possible if ESSIV (encrypted salt-sector IV) is > > used in CBC mode, since the IVs cannot be guessed without the key. > > > > The design of XTS mode thwarts the watermark attack, and allows the > > cipher to be easily parallelized, but requires twice the keying > > material due to its use of separate keys for encryption and > > whitening. > > > > The geli manpage does not say which algorithm is used to generate > > IVs for CBC mode. > >... The CBC mode used by geli is very similar to the mode ESSIV. >
I was aware of all of the above, I was wondering if there is anything that justified the switch to AES-XTS as default given the drop in performance. _______________________________________________ freebsd-geom@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-geom To unsubscribe, send any mail to "freebsd-geom-unsubscr...@freebsd.org"
