Re: CTR and disk sector encryption
- From: "Joseph Ashwood" <ashwood@xxxxxxx>
- Date: Thu, 06 Apr 2006 18:01:49 GMT
<axellec@xxxxxxxxxxxxxxx> wrote in message
news:1144335377.729426.100030@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> Hmm... yes... so, you really need a random counter actually. Right?

Actually, for this, random counters are a bad idea. 256PB (to reach the
birthday paradox where you'll start quickly losing security) may sound like
a lot, but after you realize that you can start with 500GB, that's only
500,000 full-disk writes. On a single current, single-drive system you won't
reach that, but just 4 doublings away it's within reach; whether that
happens because of RAID or independent disk size increases doesn't matter.
Beyond this, if you look at the SANs in the world (which are becoming
increasingly common) you'll find it's not that uncommon for a reasonably
small business to have 500+TB, for 1000 full disk writes; large companies
currently start in the 1PB range and go up to several PB, meaning they
actually are bordering on the point where a single full disk write will
reach the birthday paradox.

Random IVs for CTR mode are not sufficient for disk encryption any longer.
Instead you have to make sure the counter is never duplicated, even under
attack (attacker clones the drive, resets the counter).

Joe
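
The clone-and-reset case from the last paragraph of the post above, as an added example that is not part of the original post: when a drive image is put back, a write counter stored on the drive is reset with it, so the next write reuses a keystream and the XOR of the two ciphertexts equals the XOR of the two plaintexts. The `Disk` class, the on-drive counter layout, the sample key and records, and the use of HMAC-SHA256 as a stand-in for the block cipher (so the code runs with the standard library only) are all assumptions made for illustration.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"   # constructed sample key, not from the post

def keystream(sector, counter, length):
    # CTR-style keystream: PRF(key, sector || counter || block index).
    # HMAC-SHA256 stands in for the block cipher (assumption, stdlib only).
    out = b""
    for block in range((length + 31) // 32):
        msg = b"".join(n.to_bytes(8, "big") for n in (sector, counter, block))
        out += hmac.new(KEY, msg, hashlib.sha256).digest()
    return out[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class Disk:
    """Hypothetical design: the write counter lives on the drive itself."""
    def __init__(self):
        self.counter = 0
        self.sectors = {}            # sector number -> ciphertext

    def write(self, sector, plaintext):
        self.counter += 1            # unique only while the drive is never rolled back
        self.sectors[sector] = xor(plaintext, keystream(sector, self.counter, len(plaintext)))

    def clone(self):
        copy = Disk()
        copy.counter, copy.sectors = self.counter, dict(self.sectors)
        return copy

def two_writes(rollback):
    """Write two versions of sector 7; return True if C1 xor C2 == P1 xor P2."""
    p1 = b"constructed record A: balance 0042".ljust(64)
    p2 = b"constructed record B: balance 9731".ljust(64)
    disk = Disk()
    image = disk.clone()             # drive image taken before the first write
    disk.write(7, p1)
    c1 = disk.sectors[7]
    if rollback:
        disk = image.clone()         # old image put back: counter is reset too
    disk.write(7, p2)
    c2 = disk.sectors[7]
    return xor(c1, c2) == xor(p1, p2)

if __name__ == "__main__":
    print("keystream reused after rollback:", two_writes(rollback=True))
    print("keystream reused without rollback:", two_writes(rollback=False))
```

The counter in this sketch is only as trustworthy as the storage it lives on, which is why the rollback case fails while the normal case does not.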