james hughes wrote:
TrueCrypt on the other hand uses AES in XTS mode so you get
confidentiality and integrity.
Technically, you do not get integrity. With XTS (P1619, narrow block
tweaked cipher) you are not notified of data integrity failures, but
these data integrity failures have a much reduced usability than CBC.
With XTS:
[snip]
If you change this to ZFS Crypto
http://opensolaris.org/os/project/zfs-crypto/
You get complete integrity detection with the only remaining
vulnerability that
For those not familiar this is because Jim and I choose to use CCM/GCM
with AES. ZFS is already using a copy-on-write validated Merkle tree.
The 16 byte tag/MAC from CCM/GCM is stored in the block pointer above
forming a Merkle tree. Each encrypted block in ZFS has its own IV. ZFS
"disk" blocks are variable size from 512 bytes to (currently) 128k.
1) you can return the entire disk to a previous state.
While I may have put you all to sleep, the basic premise holds... XTS is
better than unauthenticated CBC.
Which is really what I was trying to say and overstated that XTS
provides integrity. When really what it does is as you said, provides a
better protection for certain classes of ciphertext modification than
just using CBC.
--
Darren J Moffat
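
The structure described in the message above, as an added example that is not part of the original message or of the ZFS code: a toy model in which each block's 16-byte tag is kept in its parent pointer, showing which modifications a reader detects. HMAC-SHA256 truncated to 16 bytes stands in for the CCM/GCM tag, no encryption is performed, and the key, block contents and function names are constructed for illustration.

```python
import copy
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed sample key, not a real secret
TAG_LEN = 16                   # same length as the CCM/GCM tag in the message


def tag(data: bytes) -> bytes:
    # Stand-in (assumption) for the AEAD tag: truncated HMAC-SHA256.
    return hmac.new(KEY, data, hashlib.sha256).digest()[:TAG_LEN]


def write_disk(blocks):
    """Toy disk: leaf blocks, an indirect block of leaf tags, and a root tag."""
    indirect = b"".join(tag(b) for b in blocks)
    return {"leaves": list(blocks), "indirect": indirect, "root": tag(indirect)}


def update_block(disk, i, data):
    """Copy-on-write update: new leaf, new parent pointer, new root."""
    leaves = list(disk["leaves"])
    leaves[i] = data
    return write_disk(leaves)


def read_block(disk, i):
    """Verify root -> indirect -> leaf; raise ValueError on any mismatch."""
    if not hmac.compare_digest(tag(disk["indirect"]), disk["root"]):
        raise ValueError("indirect block does not match root pointer")
    expected = disk["indirect"][i * TAG_LEN:(i + 1) * TAG_LEN]
    if not hmac.compare_digest(tag(disk["leaves"][i]), expected):
        raise ValueError(f"block {i} does not match its block pointer")
    return disk["leaves"][i]


def detected(disk, i):
    try:
        read_block(disk, i)
        return False
    except ValueError:
        return True


def demo():
    old = write_disk([b"balance=100", b"owner=alice"])
    new = update_block(old, 0, b"balance=0")
    flipped = copy.deepcopy(new)
    flipped["leaves"][0] = b"balance=9"            # modified block contents
    replayed = copy.deepcopy(new)
    replayed["leaves"][0] = old["leaves"][0]       # one stale block put back
    rolled_back = copy.deepcopy(old)               # every block and root restored
    return {"modified_block": detected(flipped, 0),
            "single_block_replay": detected(replayed, 0),
            "whole_disk_rollback": detected(rolled_back, 0)}


if __name__ == "__main__":
    print(demo())
```

Only the whole-disk rollback passes verification, because every tag in the restored tree is consistent with the restored root.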