Re: [PATCH] Initial Vector Fix for loop.c.

From: Andi Kleen (ak@suse.de)
Date: Fri Jun 20 2003 - 05:49:53 EST


> That leaves the question of what the default behaviour should be. If
> we have to switch to 512Byte in the long run anyway, there is little
> point in postponing the pain. Make it the default, and old behaviour
> depends on the flag.

In my opinion it doesn't make much difference. crypto-loop
has broken beyond belief[1] IV anyways, so they will
eventually need to change it. Or just use CBC, which is simpler
and compatible and has nearly equivalent security to the easily
predictable IV :-) And when they change it they can as well set the flag.

Also I think Clemens is exaggerating the problem too.
The old 2.2 behaviour of using absolute IVs caused quite
some problems, but the relative IVs used in 2.4 are
not that bad because it is near always used with 4K
blocks (there are exceptions to this, but they're quite
rare assuming your file systems are all big enough
and you don't use a S390)

-Andi

[1] the problem is that it is too predictable. consider block 0,
which is usually filled with zeros. It also has IV==0. This means
it is 100% equivalent to CBC and worse even has known plain text.
Same problem applies to other blocks - the layout of most
installations generated by standard installers is quite predictable.
Fixing it is simple, but requires a new secret per file system.
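
The footnote's point about sector 0, as an added example that is not part of the original message: with the sector number as IV, a zero-filled sector 0 encrypts to the bare cipher output for an all-zero block, while an IV derived from a per-file-system secret does not. The Feistel stand-in cipher, the `secret_iv` construction and the key values are assumptions made for this sketch; the message does not specify how the secret would be used.

```python
import hashlib
import hmac

BLOCK = 16  # cipher block size in bytes


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    """Stand-in 128-bit block cipher (4-round Feistel over HMAC-SHA256).
    Assumption for this sketch only; a real setup would use AES or similar."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hmac.new(key, bytes([rnd]) + right, hashlib.sha256).digest()[:8]
        left, right = right, xor(left, f)
    return left + right


def cbc_encrypt_sector(key: bytes, iv: bytes, sector: bytes) -> bytes:
    """CBC-encrypt one sector whose length is a multiple of BLOCK."""
    out, prev = [], iv
    for i in range(0, len(sector), BLOCK):
        prev = toy_encrypt_block(key, xor(sector[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def sector_number_iv(sector_no: int) -> bytes:
    """Predictable IV: the sector number itself, known to anyone."""
    return sector_no.to_bytes(BLOCK, "little")


def secret_iv(fs_secret: bytes, sector_no: int) -> bytes:
    """IV derived from a per-file-system secret (hypothetical construction)."""
    return toy_encrypt_block(fs_secret, sector_no.to_bytes(BLOCK, "little"))


def iv_is_noop_for_zero_sector0(iv: bytes, key: bytes) -> bool:
    """True when the first ciphertext block of a zero-filled sector 0 equals
    the raw cipher output for an all-zero block, i.e. the IV added nothing."""
    ct = cbc_encrypt_sector(key, iv, bytes(512))
    return ct[:BLOCK] == toy_encrypt_block(key, bytes(BLOCK))


KEY = b"constructed-data-key"          # constructed sample values
FS_SECRET = b"constructed-fs-secret"

if __name__ == "__main__":
    print(iv_is_noop_for_zero_sector0(sector_number_iv(0), KEY))      # True
    print(iv_is_noop_for_zero_sector0(secret_iv(FS_SECRET, 0), KEY))  # False
```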




This archive was generated by hypermail 2b29 : Mon Jun 23 2003 - 22:00:32 EST