> >> – Encrypted size == initial size > > I don't understand why this is considered as an issue.
Because you cannot add additional information needed for proper operation of some modes such as the IV used in CBC mode or the tag and IV in the authenticated AES-GCM mode. > > AES crypt plugin by IBPhoenix uses CBC and there is no "visible > repeating sequences" on pages. > Yes CBC mode does that but since it is applied using the same IV and the same key multiple times it is open to chosen-plaintext attacks as noted here: https://defuse.ca/cbcmodeiv.htm A more real world example is given here: https://stackoverflow.com/questions/3008139/why-is-using-a-non-random-iv-with-cbc-mode-a-vulnerability An overview why XTS is better in some regards than CBC for _disk encryption_ is given here: https://sockpuppet.org/blog/2014/04/30/you-dont-want-xts/ XTS mode is not an ideal solution (it has problems as noted in the article) but is a better solution than CBC for _disk encryption_ (which in the case of Firebird is what the dbcrypt plugin does, see the first mail in the thread). An even better alternative than XTS mode is some authenticated mode such as GCM (https://en.wikipedia.org/wiki/Galois/Counter_Mode) but currently this is impossible without ODS changes because the encrypted size will be bigger than the initial size of the plaintext due to the added IV and tag. If changes in the ODS are an OK thing then the Firebird project should strive to provide support for authenticated encryption. ------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot Firebird-Devel mailing list, web interface at https://lists.sourceforge.net/lists/listinfo/firebird-devel
