Date: Sun, 16 Jun 2019 14:09:03 -0700
From: Eric Biggers
To: Ard Biesheuvel
Cc: Milan Broz, Mike Snitzer, device-mapper development, "open list:HARDWARE RANDOM NUMBER GENERATOR CORE", Herbert Xu, linux-fscrypt@vger.kernel.org
Subject: Re: [dm-devel] [RFC PATCH 0/3] crypto: switch to shash for ESSIV generation
Message-ID: <20190616210903.GF923@sol.localdomain>
References: <20190614083404.20514-1-ard.biesheuvel@linaro.org> <9cd635ec-970b-bd1b-59f4-1a07395e69a0@gmail.com>
In-Reply-To:

[+Cc linux-fscrypt]

On Sun, Jun 16, 2019 at 09:13:01PM +0200, Ard Biesheuvel wrote:
> > - ESSIV is useful only for CBC mode. I wish we would move to some better mode
> > in the future instead of cementing CBC use... But if it helps people
> > to actually use an unpredictable IV for CBC, it is the right approach.
> > (yes, I know XTS has its own problems as well... but IMO that should be the default
> > for sector/fs-block encryption these days :)
> >
>
> I agree that XTS should be preferred. But for some reason, the
> kernel's XTS implementation does not support ciphertext stealing (as
> opposed to, e.g., OpenSSL), and so CBC ended up being used for
> encrypting the filenames in fscrypt.
>

Actually, for fscrypt CTS-CBC was also chosen because all filenames in each
directory use the same IV, in order to efficiently support all the possible
filesystem operations and to support filenames up to NAME_MAX. So there was a
desire for there to be some propagation across ciphertext blocks rather than
use XTS, which would effectively be ECB in this case.

Neither solution is great though, since CBC-CTS still has the common prefix
problem. Long-term we're planning to switch to an AES-based wide block mode
such as AES-HEH or AES-HCTR for filename encryption. This is already solved
for Adiantum users since Adiantum is a wide-block mode, but there should be a
pure AES solution too to go along with AES contents encryption.

- Eric
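As an added illustration (not code from this thread, from fscrypt or from the kernel), the Go program below measures the two leakage patterns Eric contrasts: CBC under a directory-wide IV reveals how many leading blocks two names share, while XTS under a constant tweak reveals any block that is identical at the same position, whatever precedes it. The keys, the all-zero IV and tweak, the sample names and the helper names cbcFixedIV, xtsFixedTweak and equalBlocks are all constructed here, and plain CBC on block-aligned names stands in for cts(cbc(aes)) since ciphertext stealing does not change which blocks collide.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
)

// Constructed demo keys (not real fscrypt keys); any fixed keys behave the same.
var key1, key2 = bytes.Repeat([]byte{0x11}, 16), bytes.Repeat([]byte{0x22}, 16)

// cbcFixedIV: AES-CBC under one constant all-zero IV, mirroring "every
// filename in a directory shares an IV". pt must be a multiple of 16 bytes.
func cbcFixedIV(pt []byte) []byte {
	blk, _ := aes.NewCipher(key1) // key length fixed above, so no error
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(blk, make([]byte, 16)).CryptBlocks(ct, pt)
	return ct
}

// xtsFixedTweak: XTS-AES (IEEE P1619 tweak schedule) under one constant tweak:
// C_j = E_k1(P_j ^ T_j) ^ T_j, T_0 = E_k2(0), T_{j+1} = T_j * x in GF(2^128).
func xtsFixedTweak(pt []byte) []byte {
	b1, _ := aes.NewCipher(key1)
	b2, _ := aes.NewCipher(key2)
	t := make([]byte, 16)
	b2.Encrypt(t, t) // T_0 = E_k2(zero tweak)
	ct := make([]byte, len(pt))
	for j := 0; j+16 <= len(pt); j += 16 {
		blk := ct[j : j+16]
		for i := range blk { blk[i] = pt[j+i] ^ t[i] } // P_j ^ T_j
		b1.Encrypt(blk, blk)
		for i := range blk { blk[i] ^= t[i] } // ... ^ T_j
		var carry byte // T <- T * x, little-endian bit order as in P1619
		for i := range t { t[i], carry = t[i]<<1|carry, t[i]>>7 }
		if carry != 0 { t[0] ^= 0x87 }
	}
	return ct
}

// equalBlocks lists the 16-byte positions where two equal-length ciphertexts
// agree: exactly what an observer without the key can tell about the names.
func equalBlocks(a, b []byte) (same []int) {
	for j := 0; j+16 <= len(a) && j+16 <= len(b); j += 16 {
		if bytes.Equal(a[j:j+16], b[j:j+16]) {
			same = append(same, j/16)
		}
	}
	return same
}
```

For the constructed names 2019-06-14-notes.confidential.md and 2019-06-16-notes.confidential.md, CBC yields no matching ciphertext blocks while XTS exposes the identical second block; for a pair that shares only its first block, both modes expose it, which is the common prefix problem.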