Re: geli - selecting cipher
On Thu, 26 Jul 2012 17:47:10 +0200 Ivan Voras wrote: On 26/07/2012 04:14, RW wrote: I asked a similar questions to the OPs in the geom list and didn't get an answer. Geli doesn't need or isn't using any advantages of XTS. And CBC in geli is actually equivalent to ESSIV (see the previously linked wikipedia page). Hi, You didn't get an answer because in security, the answer depends on exact circumstances of use. The short answer is that if you don't have a specific adversary you need to protect your data from, I'd say that GELI's CBC is good enough for you. Actually the reason I asked is that I wanted to check whether I was ovelooking some key advantage of XTS that justified its being the default. AES-XTS was chosen to provide the best protection against modified ciphertext without using authentication which would expand the size of the data. It seem to me than anyone that worries about attackers tampering with a drive should use authentication in geli, and anyone that doesn't should leave it off and use CBC. If you run geli init without -a or -e options, you get AES-XTS without authentication, a default that doesn't seem right for anyone. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: geli - selecting cipher
RW rwmailli...@googlemail.com wrote: On Thu, 26 Jul 2012 17:47:10 +0200 Ivan Voras wrote: On 26/07/2012 04:14, RW wrote: I asked a similar questions to the OPs in the geom list and didn't get an answer. Geli doesn't need or isn't using any advantages of XTS. And CBC in geli is actually equivalent to ESSIV (see the previously linked wikipedia page). You didn't get an answer because in security, the answer depends on exact circumstances of use. The short answer is that if you don't have a specific adversary you need to protect your data from, I'd say that GELI's CBC is good enough for you. Most answers depend on the circumstances. At least to me this doesn't seem like a good reason to completely ignore questions, even if they are related to security. Saying that geli's CBC implementation is good enough for someone seems to imply that it's somehow worse than XTS in general. Could you please clarify in which scenario you think XTS offers better protection? Actually the reason I asked is that I wanted to check whether I was ovelooking some key advantage of XTS that justified its being the default. The rationale of the change isn't clear to me either. Until recently I wasn't aware of the performance impact, though. AES-XTS was chosen to provide the best protection against modified ciphertext without using authentication which would expand the size of the data. It seem to me than anyone that worries about attackers tampering with a drive should use authentication in geli, and anyone that doesn't should leave it off and use CBC. If ZFS is used and checksums aren't disabled, I don't see any advantage of additionally enabling geli's authentication whose protection seems a lot weaker. For tampering resistance I would thus recommend ZFS on geli without authentication in geli. Fabian signature.asc Description: PGP signature
Re: geli - selecting cipher
Saying that geli's CBC implementation is good enough for someone seems to imply that it's somehow worse than XTS in general. Could you true. i still don't really understand the difference. I don't need actually anything other that inability to read data from my disk for a potential thief. The rationale of the change isn't clear to me either. Until recently I wasn't aware of the performance impact, though. It is huge 5-8 times depending if you have hardware acceleration or not. AES-CBC is fast enough so encrypting SSD drives make sense. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: geli - selecting cipher
'CBC' -- [C]ypher [B]lock [C]hainig -- is well-suited for strictly -sequential- data access. Try reading the blocks of a large (say 10gB) file in *reverse* order and see what kind of performance you get. how about randomio test on geli encrypted ramdisk? AES-CBC still 3 times faster ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: geli - selecting cipher
RW rwmailli...@googlemail.com wrote: On Wed, 25 Jul 2012 19:52:39 -0500 (CDT) Robert Bonomi wrote: From owner-freebsd-questi...@freebsd.org Wed Jul 25 14:00:27 2012 Date: Wed, 25 Jul 2012 20:57:30 +0200 (CEST) From: Wojciech Puchar woj...@wojtek.tensor.gdynia.pl To: freebsd-questions@freebsd.org Subject: geli - selecting cipher i need high speed disk encryption (many disks running in parallel, lots of data movement). i have processor with AES-NI. geli give 150MB/s performance (tested from/to md ramdisk) using default and recommended AES-XTS and ca 400MB/s read and 700MB/s write using AES-CBC. I'm not cryptography expert, is CBC somehow less secure, and if so is it really a problem? If you don't know what strength encryption you need, and/or the difference between the methods, you need to hire a data-security professional to examine your situation and make recommendations appropriate for _your_ needs. 'CBC' -- [C]ypher [B]lock [C]hainig -- is well-suited for strictly -sequential- data access. Try reading the blocks of a large (say 10gB) file in *reverse* order and see what kind of performance you get. Exactly the same, in geli the encryption is done per sector. I asked a similar questions to the OPs in the geom list and didn't get an answer. Geli doesn't need or isn't using any advantages of XTS. And CBC in geli is actually equivalent to ESSIV (see the previously linked wikipedia page). In the end I went with 128 bit aes-cbc since it's the fastest setting and Bruce Schneier recommends 128 over 256 AES as being more secure. Can you provide the source for the as being more secure part? I'm aware of the following recommendation: | And for new applications I suggest that people don't use AES-256. | AES-128 provides more than enough security margin for the forseeable | future. But if you're already using AES-256, there's no reason to change. http://www.schneier.com/blog/archives/2009/07/another_new_aes.html But (the way I interpret it) there's no claim that AES-128 is more secure either in general or in the context of disk encryption. Fabian signature.asc Description: PGP signature
Re: geli - selecting cipher
On 26/07/2012 04:14, RW wrote: I asked a similar questions to the OPs in the geom list and didn't get an answer. Geli doesn't need or isn't using any advantages of XTS. And CBC in geli is actually equivalent to ESSIV (see the previously linked wikipedia page). Hi, You didn't get an answer because in security, the answer depends on exact circumstances of use. The short answer is that if you don't have a specific adversary you need to protect your data from, I'd say that GELI's CBC is good enough for you. signature.asc Description: OpenPGP digital signature
Re: geli - selecting cipher
On Thu, Jul 26, 2012 at 8:47 AM, Ivan Voras ivo...@freebsd.org wrote: You didn't get an answer because in security, the answer depends on exact circumstances of use. The short answer is that if you don't have a specific adversary you need to protect your data from, I'd say that GELI's CBC is good enough for you. The specific adversary that XEX / XTS etc. is designed to protect against is probably unrealistically strong - someone who can write arbitrary data to raw disk sectors and ask to have them decrypted (chosen ciphertext attack), etc. If you don't need to detect modifications/insertions/deletions that don't go through the GELI layer, I would be perfectly comfortable with AES-CTR mode - it is many times faster than any of the above methods. - M ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: geli - selecting cipher
If you don't need to detect modifications/insertions/deletions that yes i don't. i just want data to be unreadable for thieves in case of robbery. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: geli - selecting cipher
On Thu, 26 Jul 2012 15:49:00 +0200 Fabian Keil wrote: RW rwmailli...@googlemail.com wrote: In the end I went with 128 bit aes-cbc since it's the fastest setting and Bruce Schneier recommends 128 over 256 AES as being more secure. Can you provide the source for the as being more secure part? More likely to remain secure, if you prefer. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
geli - selecting cipher
i need high speed disk encryption (many disks running in parallel, lots of data movement). i have processor with AES-NI. geli give 150MB/s performance (tested from/to md ramdisk) using default and recommended AES-XTS and ca 400MB/s read and 700MB/s write using AES-CBC. I'm not cryptography expert, is CBC somehow less secure, and if so is it really a problem? ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: geli - selecting cipher
On Wed, Jul 25, 2012 at 11:57 AM, Wojciech Puchar woj...@wojtek.tensor.gdynia.pl wrote: i need high speed disk encryption (many disks running in parallel, lots of I'm not cryptography expert, is CBC somehow less secure, and if so is it really a problem? XTS-AES is a standard devised specifically for disk encryption - it supports operations on sectors that aren't divisible by the cipher block size. See http://en.wikipedia.org/wiki/Disk_encryption_theory#XEX-based_tweaked-codebook_mode_with_ciphertext_stealing_.28XTS.29 I personally would be fine with AES-CTR mode, since I don't see the need to defend against the mythical strong adversary who can write arbitrary bits to unused sectors and then ask to have them decrypted. AES-CTR doesn't (by itself) have any integrity check. AES-CBC is fine, but the ciphertext is larger than the plaintext. - M ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: geli - selecting cipher
From owner-freebsd-questi...@freebsd.org Wed Jul 25 14:00:27 2012 Date: Wed, 25 Jul 2012 20:57:30 +0200 (CEST) From: Wojciech Puchar woj...@wojtek.tensor.gdynia.pl To: freebsd-questions@freebsd.org Subject: geli - selecting cipher i need high speed disk encryption (many disks running in parallel, lots of data movement). i have processor with AES-NI. geli give 150MB/s performance (tested from/to md ramdisk) using default and recommended AES-XTS and ca 400MB/s read and 700MB/s write using AES-CBC. I'm not cryptography expert, is CBC somehow less secure, and if so is it really a problem? If you don't know what strength encryption you need, and/or the difference between the methods, you need to hire a data-security professional to examine your situation and make recommendations appropriate for _your_ needs. 'CBC' -- [C]ypher [B]lock [C]hainig -- is well-suited for strictly -sequential- data access. Try reading the blocks of a large (say 10gB) file in *reverse* order and see what kind of performance you get. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: geli - selecting cipher
On Wed, 25 Jul 2012 19:52:39 -0500 (CDT) Robert Bonomi wrote: From owner-freebsd-questi...@freebsd.org Wed Jul 25 14:00:27 2012 Date: Wed, 25 Jul 2012 20:57:30 +0200 (CEST) From: Wojciech Puchar woj...@wojtek.tensor.gdynia.pl To: freebsd-questions@freebsd.org Subject: geli - selecting cipher i need high speed disk encryption (many disks running in parallel, lots of data movement). i have processor with AES-NI. geli give 150MB/s performance (tested from/to md ramdisk) using default and recommended AES-XTS and ca 400MB/s read and 700MB/s write using AES-CBC. I'm not cryptography expert, is CBC somehow less secure, and if so is it really a problem? If you don't know what strength encryption you need, and/or the difference between the methods, you need to hire a data-security professional to examine your situation and make recommendations appropriate for _your_ needs. 'CBC' -- [C]ypher [B]lock [C]hainig -- is well-suited for strictly -sequential- data access. Try reading the blocks of a large (say 10gB) file in *reverse* order and see what kind of performance you get. Exactly the same, in geli the encryption is done per sector. I asked a similar questions to the OPs in the geom list and didn't get an answer. Geli doesn't need or isn't using any advantages of XTS. And CBC in geli is actually equivalent to ESSIV (see the previously linked wikipedia page). In the end I went with 128 bit aes-cbc since it's the fastest setting and Bruce Schneier recommends 128 over 256 AES as being more secure. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
