On Wed, Jan 16, 2013 at 11:06 PM, Zhen Kong <[email protected]> wrote: > > Android 3.0 use dm-crypt to support 128 AES with CBC and ESSIV:SHA256, I'd > like to ask if current version can support "aes-xts-plain" mode? I've never looked at the specific Android dm-crypt implementation, but I'm going to venture out and say NO. This is because of write leveling on SSDs and Flash Memory. See, for example, "Reliably Erasing Data >From Flash-Based Solid State Drives," http://static.usenix.org/events/fast11/tech/full_papers/Wei.pdf.
Also note that key independence may be lost if dm-crypt is using the same key for encryption and ESSIV derivation. A loss of key independence could make key recovery an easier task for an adversary. See Chapter 13 of the Handbook of Applied Cryptography (available online at http://cacr.uwaterloo.ca/hac/). Also related: AES/XTS only provides confidentiality, and does not provide authenticity. Your program will be consuming untrusted data unless you take measures to add an authenticator or redundancy function. See, for example, IEEE's P1619TM: "Standard for Cryptographic Protection of Data on Block-Oriented Storage Devices," http://grouper.ieee.org/groups/1619/email/pdf00086.pdf. Jeff -- You received this message because you are subscribed to the Google Groups "Android Security Discussions" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/android-security-discuss?hl=en.
