From: Mikulas Patocka
Subject: Re: [PATCH] dm-crypt: disable block encryption with arc4
Date: Tue, 26 Jan 2010 12:11:52 -0500 (EST)
Message-ID:
References: <4B5DE54F.7050206@redhat.com> <20100126092234.GA3304@Chamillionaire.breakpoint.cc> <4B5EC897.5050102@redhat.com> <20100126133413.GA5511@Chamillionaire.breakpoint.cc>
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Cc: Milan Broz, dm-devel@redhat.com, Alasdair G Kergon, linux-crypto@vger.kernel.org
To: Sebastian Andrzej Siewior
Return-path:
Received: from mx1.redhat.com ([209.132.183.28]:37972 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751367Ab0AZRMQ (ORCPT ); Tue, 26 Jan 2010 12:12:16 -0500
In-Reply-To: <20100126133413.GA5511@Chamillionaire.breakpoint.cc>
Sender: linux-crypto-owner@vger.kernel.org
List-ID:

On Tue, 26 Jan 2010, Sebastian Andrzej Siewior wrote:

> * Mikulas Patocka | 2010-01-26 07:27:18 [-0500]:
>
> >> yes, I think it is better.
> >> (...and I just forgot to add that test to dm-crypt after that suggestion.)
> >>
> >> Milan
> >
> >Hmm, there is salsa20 that has block size 1, larger initialization
> >vectors, and can be used to encrypt disks (although salsa20 doesn't
> >currently work with dm-crypt, because it doesn't accept "ecb(), cbc(),
> >etc." chaining modes --- but if you remove the chaining mode manually, it
> >works).
> >
> >You should rather add a flag CRYPTO_ALG_CHANGES_STATE to determine that a
> >cipher can't be used to encrypt disks.
>
> Just because it will work does not make it a good idea.
>
> SALSA20 is a stream cipher, not a block cipher.
> Block ciphers are used to encrypt data.
> Stream ciphers are used to create one time pads, a set of encryption
> keys, ...
> There are block modes like CTR which can turn a block cipher into a
> stream cipher. Those should not be used for disk encryption either.

Salsa20 is unsuitable for disk encryption in most cases.

It would be suitable if we knew that the attacker can obtain the image of the encrypted device at most once --- it is OK to protect against laptop theft (it happens just once), but it is not OK to protect against a support technician spying on your data (he can read them multiple times, if you have multiple support requests).

Anyway, what I wanted to say is that the block_size <= 1 test is no less hacky than the !strcmp(cipher, "arc4") test.

Mikulas
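The "image obtained at most once" condition above is the two-time-pad property of any keystream cipher driven the way dm-crypt drives a cipher (keystream derived only from key and sector number). The following is an added illustration, not code from this thread or from dm-crypt: it uses SHA-256 in counter mode as a stand-in keystream (an assumption standing in for salsa20/arc4, which share the same structural property) and shows that two snapshots of one rewritten sector XOR to the XOR of the two plaintexts, pinpointing exactly which bytes changed, while a single snapshot reveals nothing.

```python
import hashlib

SECTOR_SIZE = 512


def keystream(key: bytes, sector: int, length: int) -> bytes:
    """Deterministic per-sector keystream: SHA-256 in counter mode.

    Assumption: this stands in for salsa20/arc4 as a disk encryptor would
    use them. The stream depends only on (key, sector), so every rewrite of
    the same sector is XORed with the identical keystream.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = key + sector.to_bytes(8, "little") + counter.to_bytes(4, "little")
        out += hashlib.sha256(block).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_sector(key: bytes, sector: int, plaintext: bytes) -> bytes:
    ks = keystream(key, sector, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))


def two_snapshot_leak(ct_old: bytes, ct_new: bytes) -> bytes:
    """XOR of two ciphertexts of the same sector. Because the keystream
    cancels, this equals pt_old XOR pt_new without knowing the key."""
    return bytes(a ^ b for a, b in zip(ct_old, ct_new))


def changed_offsets(xor_of_plaintexts: bytes) -> list:
    """Byte positions an observer with two images learns were modified."""
    return [i for i, b in enumerate(xor_of_plaintexts) if b]


def demo():
    key = b"\x11" * 32          # constructed key
    sector = 2048               # constructed sector number
    # Constructed sector contents before and after one rewrite.
    pt_old = b"balance=100;".ljust(SECTOR_SIZE, b"\x00")
    pt_new = b"balance=900;".ljust(SECTOR_SIZE, b"\x00")
    ct_old = encrypt_sector(key, sector, pt_old)   # image taken once: safe
    ct_new = encrypt_sector(key, sector, pt_new)   # second image: leaks
    leak = two_snapshot_leak(ct_old, ct_new)
    return leak, changed_offsets(leak)
```

With a block-cipher disk mode the second image still shows that the sector changed, but not the XOR of the old and new contents.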