On Fri, 30 Oct 2009, Darren J Moffat wrote:

> The SHA256 checksums are used even for blocks in the pool that aren't
> encrypted and are used for detecting and repairing (resilvering) block
> corruption. Each filesystem in the pool has its own wrapping key and
> data encryption keys.
>
> Due to some unchangeable constraints I have only 384 bits of space to
> fit in all of: IV, MAC (CCM or GCM Auth Tag), and the SHA256 checksum,
> which best case would need about 480 bits.
>
> Currently I have Option 1 below but the truncation of SHA256 down to
> 128 bits makes me question if this is safe. Remember the SHA256 is of
> the ciphertext and is used for resilvering.
If you use the hash only to protect against non-malicious corruption, then why do you use SHA-2? Would MD5 or even CRC not be enough?

--
Regards,
ASK

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com
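The bit budget and Option 1 from the quoted message worked through in Python, as an added example that is not code from the thread or from the filesystem it discusses: the 96-bit IV and 128-bit tag widths are assumptions chosen so that the full-width layout comes to the quoted "about 480 bits", and the ciphertext is a constructed stand-in. It shows why a keyless checksum over the ciphertext, whether truncated SHA-256 or the CRC the reply proposes, lets a resilver pick the uncorrupted mirror copy after a random bit flip without holding any wrapping key.

```python
import hashlib
import zlib

# Bit budget from the thread: IV + MAC tag + checksum must fit in 384 bits.
BUDGET_BITS = 384
IV_BITS = 96    # assumed: 96-bit GCM/CCM nonce
MAC_BITS = 128  # assumed: 128-bit auth tag (96 + 128 + 256 = the thread's "about 480")

# Constructed stand-in for one encrypted 1 KiB block; the checksum is keyless
# and covers the ciphertext exactly as stored, so any bytes serve here.
SAMPLE_CIPHERTEXT = bytes(range(256)) * 4


def metadata_bits(checksum_bits):
    """Bits consumed by IV, MAC tag and a checksum of the given width."""
    return IV_BITS + MAC_BITS + checksum_bits


def fits_budget(checksum_bits):
    return metadata_bits(checksum_bits) <= BUDGET_BITS


def block_checksum(ciphertext, checksum_bits=128):
    """Option 1 from the thread: SHA-256 over the ciphertext, truncated to
    checksum_bits. Keyless, so a resilver can check copies without the
    dataset's wrapping key."""
    return hashlib.sha256(ciphertext).digest()[: checksum_bits // 8]


def crc_checksum(ciphertext):
    """The reply's alternative: a 32-bit CRC, enough for non-malicious errors."""
    return zlib.crc32(ciphertext).to_bytes(4, "big")


def flip_bit(data, bit_index):
    """Simulate a single-bit media error in one stored copy of the block."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def pick_good_copy(copies, stored_checksum, checker=block_checksum):
    """Resilver step: return the first mirror copy whose checksum matches the
    value recorded with the block, or None if every copy is bad."""
    for copy in copies:
        if checker(copy) == stored_checksum:
            return copy
    return None


def detects_flip(ciphertext, bit_index, checker=block_checksum):
    """True if the checker tells the block apart from a single-bit-flipped copy."""
    return checker(ciphertext) != checker(flip_bit(ciphertext, bit_index))
```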