> From: Tomas Vondra [mailto:tomas.von...@2ndquadrant.com] > On 05/25/2018 01:41 PM, Moon, Insung wrote: > > BTW, I want to support CBC mode encryption[3]. However, I'm not sure > > how to use the IV in CBC mode for this proposal. I'd like to hear > > opinions by security engineer. > > > > I'm not a cryptographer either, but this is exactly where you need a > prior discussion about the threat models - there are a couple of > chaining modes, each with different weaknesses. Our products uses XTS, which recent FDE software like BitLocker and TrueCrypt uses instead of CBC.
https://en.wikipedia.org/wiki/Disk_encryption_theory#XTS "According to SP 800-38E, "In the absence of authentication or access control, XTS-AES provides more protection than the other approved confidentiality-only modes against unauthorized manipulation of the encrypted data."" > FWIW it may also matter if data_checksums are enabled, because that may > prevent malleability attacks affecting of the modes. Assuming active > attacker (with the ability to modify the data files) is part of the > threat model, of course. Encrypt the page after embedding its checksum value. If a malicious attacker modifies a page on disk, then the decrypted page would be corrupt anyway, which can be detected by checksum. Regards Takayuki Tsunakawa
