Date:   Tue, 3 Mar 2020 13:03:28 +0000
From:   "Van Leeuwen, Pascal" <pvanleeuwen@...bus.com>
To:     Milan Broz <gmazyland@...il.com>,
        Andrei Botila <andrei.botila@....nxp.com>,
        Herbert Xu <herbert@...dor.apana.org.au>,
        "David S. Miller" <davem@...emloft.net>
CC:     "linux-crypto@...r.kernel.org" <linux-crypto@...r.kernel.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: RE: [RFC] crypto: xts - limit accepted key length

> -----Original Message-----
> From: Milan Broz <gmazyland@...il.com>
> Sent: Tuesday, March 3, 2020 1:36 PM
> To: Van Leeuwen, Pascal <pvanleeuwen@...bus.com>; Andrei Botila <andrei.botila@....nxp.com>; Herbert Xu
> <herbert@...dor.apana.org.au>; David S. Miller <davem@...emloft.net>
> Cc: linux-crypto@...r.kernel.org; linux-kernel@...r.kernel.org
> Subject: Re: [RFC] crypto: xts - limit accepted key length
>
> On 02/03/2020 09:33, Van Leeuwen, Pascal wrote:
> > Hmm ... in principle IEEE-1619 also defines XTS *only* for AES. So by that same
> > reasoning, you should also not allow any usage of XTS beyond AES. Yet it is
> > actually being actively used(?) with other ciphers in the Linux kernel.
> Just FYI - yes, it is actively used with other ciphers.
>
> There are a lot of LUKS devices that use Serpent or Twofish with XTS mode.
>
> The same for TrueCrypt/VeraCrypt, here sometimes it is used also in cipher chain
> (both native binaries or cryptsetup code use dm-crypt with crypto API here).
>
> XTS mode is designed for storage encryption only - and at least for disk encryption
> I have never seen request for 192bit keys...
>
Me neither ... but I was just pointing out that referring to the IEEE spec (for supporting
only 128 and 256 bit keys) makes no sense if you also support other blockciphers not
mentioned in that same IEEE spec.

The mode itself can obviously work with any 128 bit blockcipher, with any keysize.
So any limitation on that would be purely artificial IMHO.

Regards,
Pascal van Leeuwen
Silicon IP Architect Multi-Protocol Engines, Rambus Security
Rambus ROTW Holding BV
+31-73 6581953
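
Added example, not part of the original message and not the kernel's code: XTS over whole blocks (no ciphertext stealing) written against a generic 128-bit block cipher interface, to illustrate the point above that the mode does not depend on the cipher or on the key size. ToyFeistel128 is a hypothetical, insecure stand-in cipher, and the names xor(), mul_alpha() and xts() are assumptions of this example.

```python
import hashlib

BLOCK = 16  # XTS operates on 128-bit blocks

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class ToyFeistel128:
    """Hypothetical stand-in 128-bit block cipher (NOT secure); any key length."""

    def __init__(self, key, rounds=8):
        self.rk = [hashlib.sha256(bytes([i]) + key).digest() for i in range(rounds)]

    def _f(self, half, rk):
        return hashlib.sha256(rk + half).digest()[:8]

    def encrypt(self, blk):
        l, r = blk[:8], blk[8:]
        for rk in self.rk:
            l, r = r, xor(l, self._f(r, rk))
        return l + r

    def decrypt(self, blk):
        l, r = blk[:8], blk[8:]
        for rk in reversed(self.rk):
            l, r = xor(r, self._f(l, rk)), l
        return l + r

def mul_alpha(t):
    """Multiply the tweak by x in GF(2^128), little-endian as in IEEE 1619."""
    n = int.from_bytes(t, "little") << 1
    if n >> 128:
        n = (n & ((1 << 128) - 1)) ^ 0x87
    return n.to_bytes(BLOCK, "little")

def xts(cipher_cls, key, sector, data, decrypt=False):
    """XTS over whole blocks; key = data key || tweak key, equal halves."""
    if len(key) % 2 or not data or len(data) % BLOCK:
        raise ValueError("need an even-length key and whole 16-byte blocks")
    half = len(key) // 2
    k1, k2 = cipher_cls(key[:half]), cipher_cls(key[half:])
    tweak = k2.encrypt(sector.to_bytes(BLOCK, "little"))  # tweak key encrypts the sector number
    op = k1.decrypt if decrypt else k1.encrypt
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        out += xor(op(xor(data[i:i + BLOCK], tweak)), tweak)
        tweak = mul_alpha(tweak)  # next block position
    return bytes(out)
```

Key lengths of 32, 48 and 64 bytes correspond to two 128-, 192- and 256-bit halves; nothing in xts() or mul_alpha() depends on which one is used.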
