Darren J Moffat
Sun, 01 Nov 2009 17:34:16 -0800
The SHA256 checksums are used even for blocks in the pool that aren't encrypted and are used for detecting and repairing (resilvering) block corruption. Each filesystem in the pool has its own wrapping key and data encryption keys.
Due to some unchangeable constraints I have only 384 bits of space to fit in all of: IV, MAC (CCM or GCM Auth Tag), and the SHA256 checksum, which best case would need about 480 bits.
Currently I have Option 1 below, but the truncation of SHA256 down to 128 bits makes me question if this is safe. Remember the SHA256 is of the ciphertext and is used for resilvering.
Option 1
--------
IV 96 bits (the max CCM allows given the other params)
MAC 128 bits
Checksum SHA256 truncated to 128 bits
Other options are:
Option 2
--------
IV 96 bits
MAC 128 bits
Checksum SHA224 truncated to 128 bits
Basically, if I have to truncate to 128 bits, is it better to do it against SHA224 or SHA256?
Option 3
--------
IV 96 bits
MAC 128 bits
Checksum SHA224 or SHA256 truncated to 160 bits
Obviously better than 1 and 2, but how much better?
The reason it isn't used just now is because it is slightly harder to lay out given other constraints in where the data lives.
Option 4
--------
IV 96 bits
MAC 32 bits
Checksum SHA256 at full 256 bits
I'm pretty sure the size of the MAC is far too small.
Option 5
--------
IV 96 bits
MAC 64 bits
Checksum SHA224 at full 224 bits
This feels like the best compromise, but is it?
Option 6
--------
IV 96 bits
MAC 96 bits
Checksum SHA224 or SHA256 truncated to 192 bits
--
Darren J Moffat
---------------------------------------------------------------------
The Cryptography Mailing List
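
Added example, not part of the original message and not ZFS code: it tallies each option above against the 384-bit budget, lists the generic bounds for an ideal hash and MAC (birthday collisions at half the checksum length, one blind tag guess succeeding with probability 2^-MAC bits), and packs IV | MAC | truncated checksum of the ciphertext into the 48-byte field. The function names, the field order, the zero padding and the choice of SHA256 for Options 3 and 6 are assumptions.

```python
import hashlib
import hmac

BUDGET_BITS = 384  # per-block space stated in the post

# option -> (iv_bits, mac_bits, hash_name, checksum_bits), as listed in the post.
# Options 3 and 6 allow SHA224 or SHA256; SHA256 is picked here (assumption).
OPTIONS = {
    1: (96, 128, "sha256", 128),
    2: (96, 128, "sha224", 128),
    3: (96, 128, "sha256", 160),
    4: (96, 32, "sha256", 256),
    5: (96, 64, "sha224", 224),
    6: (96, 96, "sha256", 192),
}

def analyse(option):
    """Bit budget and generic (ideal-primitive) bounds for one option."""
    iv, mac, _, ck = OPTIONS[option]
    used = iv + mac + ck
    return {
        "used": used,
        "spare": BUDGET_BITS - used,
        "collision_log2": ck // 2,   # birthday bound on the truncated checksum
        "second_preimage_log2": ck,  # matching one given block's checksum
        "tag_guess_log2": mac,       # one blind forgery succeeds with 2^-mac
    }

def checksum(ciphertext, option):
    """Hash the ciphertext and keep the leftmost checksum_bits."""
    _, _, name, ck = OPTIONS[option]
    return hashlib.new(name, ciphertext).digest()[: ck // 8]

def pack(iv, tag, ciphertext, option):
    """Lay out IV | MAC | checksum in the 48-byte field, zero-padding spare bits."""
    iv_bits, mac_bits, _, _ = OPTIONS[option]
    if len(iv) * 8 != iv_bits or len(tag) * 8 != mac_bits:
        raise ValueError("IV or MAC length does not match the option")
    field = iv + tag + checksum(ciphertext, option)
    return field.ljust(BUDGET_BITS // 8, b"\0")

def block_intact(field, ciphertext, option):
    """Resilver-style check: recompute the checksum and compare."""
    iv_bits, mac_bits, _, ck = OPTIONS[option]
    start = (iv_bits + mac_bits) // 8
    stored = field[start : start + ck // 8]
    return hmac.compare_digest(stored, checksum(ciphertext, option))
```

Options 1 and 2 use 352 bits and leave 32 spare, while Options 3 to 6 fill the 384 bits exactly.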