james hughes wrote:
TrueCrypt on the other hand uses AES in XTS mode so you get confidentiality and integrity.

Technically, you do not get integrity. With XTS (P1619, narrow block tweaked cipher) you are not notified of data integrity failures, but these data integrity failures have a much reduced usability than CBC. With XTS:


If you change this to ZFS Crypto
You get complete integrity detection with the only remaining vulnerability that

For those not familiar this is because Jim and I choose to use CCM/GCM with AES. ZFS is already using a copy-on-write validated merkle tree. The 16 byte tag/MAC from CCM/GCM is stored in the block pointer above forming a merkle tree. Each encrypted block in ZFS has its own IV. ZFS "disk" blocks are variable size from 512 bytes to (currently) 128k.

1) you can return the entire disk to a previous state.

While I may have put you all asleep, the basic premise holds... XTS is better than unauthenticated CBC.

Which is really what I was trying to say and over stated that XTS provides integrity. When really what it does is as you said, provides a better protection for certain classes of ciphertext modification than just using CBC.

Darren J Moffat

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com

Reply via email to