Subject: Re: The IV Problem of dm-crypt : is it secure nevertheless?
Newsgroups: gmane.linux.kernel.device-mapper.dm-crypt
Date: 2004-09-12 21:13:16 GMT

On Sun, 2004-09-12 at 14:21, Alexander Mahr wrote:
> 2. How is the development going? Will there be a solution to the IV
> problem soon?
> I.E why doesn't one compute the IV for a new block with a hash of the
> previous IV and the last encrypted block?

Last time discussed privately with Christophe Saout, I came up with a simple
working solution, which circumvents any problems associated with locking of
a hash/HMAC context:

SALT=Hash(KEY)
IV=E(SALT,sectornumber)

Hash() can be SHA1/RIPEMD, whatever. E is the encryption algorithm used.

The nice thing is, one does not have to cope with hash context copying stuff,
since the salt can efficiently be computed in the setup phase; further, any
assembler optimization of E can be used in the IV computation too, while Hash
can be slow.

This scheme can easily be implemented and seems, at first glance, secure, but
I hesitated to advertise it, since I wanted to do further investigations about
the mathematical properties involved.

The performance impact of this scheme is 6%.

Personally I'm annoyed by the clumsy monolithic design of the Linux kernel,
that I will not take care of this issue, unless nobody else fixes it till the
end of the year.

--
Fruhwirth Clemens <clemens@...> http://clemens.endorphin.org
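The SALT=Hash(KEY), IV=E(SALT,sectornumber) derivation from the message above, as an added illustration that is not part of the thread or of dm-crypt itself. It assumes SHA-256 as Hash (so the digest doubles as an AES-256 key), AES as E, and a little-endian 64-bit sector number zero-padded to one block; the key bytes are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// essivIV implements the derivation proposed in the message: SALT = Hash(KEY),
// IV = E(SALT, sectornumber). Here Hash is SHA-256 (its 32-byte digest doubles
// as an AES-256 key) and E is one raw AES block encryption; both are assumptions.
func essivIV(key []byte, sector uint64) ([]byte, error) {
	salt := sha256.Sum256(key) // in a real setup this is computed once per key
	saltCipher, err := aes.NewCipher(salt[:])
	if err != nil {
		return nil, err
	}
	// Sector number little-endian in the first 8 bytes, rest zero (assumed layout).
	in := make([]byte, aes.BlockSize)
	binary.LittleEndian.PutUint64(in, sector)
	iv := make([]byte, aes.BlockSize)
	saltCipher.Encrypt(iv, in)
	return iv, nil
}

// cbcSector encrypts (encrypt=true) or decrypts one sector in CBC mode with
// the given IV; data must be a whole number of AES blocks.
func cbcSector(key, iv, data []byte, encrypt bool) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	var mode cipher.BlockMode
	if encrypt {
		mode = cipher.NewCBCEncrypter(block, iv)
	} else {
		mode = cipher.NewCBCDecrypter(block, iv)
	}
	out := make([]byte, len(data))
	mode.CryptBlocks(out, data)
	return out, nil
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed 32-byte key
	iv, _ := essivIV(key, 7)
	fmt.Printf("sector %d -> ESSIV IV %x\n", 7, iv)
}
```

Unlike the plain sector-number IV the thread is discussing, the result depends on the key, so someone who can read the device but not the key cannot predict it; it stays deterministic per key and sector, which is what lets the sector be decrypted later.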