*Max Vozeler* wrote:

>> Please add aes-lrw-benbi and aes-xts-plain to the list of available
>> modes of operation. XTS is the upcoming standard.
> Thanks for the suggestion. I think offering those modes
> in partman-crypto is very desirable.
>
> Before we can do it we will need to make some non-trivial
> code changes though to account for the different key sizes
> that are valid in combination with those modes.
>
> The kernel Kconfig help suggests that for LRW we'd need to
> add 128 bits and for XTS to double the key size:
>
>   aes-lrw-benbi: 256/320/384 bits
>   aes-xts-plain: 256/384/512 bits

[cut]

> The latter seems more flexible, but may be surprising for
> people who are aware of the different requirements. They may
> wonder why they can select 128-bit AES with aes-lrw-benbi,
> for example. Do you think this could be a problem?

I don't think it's a nice idea to change/double the key size which the user selected. Anyway, I have to admit I wasn't aware of that Kconfig suggestion. I have to make a careful study of it.

It would be very nice to offer the user the option to choose the cipher and all the options related to it separately. E.g.

1) algorithm -> AES, Blowfish etc.
2) mode of operation -> CBC, LRW, XTS etc.
3) key size -> 128, 192, 256, 384, 512 (based on the selected algo+mode)
4) IV algorithm -> plain, essiv, benbi (only for LRW)
5) ivmode (only for CBC) -> sha1, sha256, sha512

But probably it is difficult to realize and in practice not so useful. So the best way is to offer only a few predefined possibilities, which nowadays are considered secure. I suggest:

- aes-cbc-essiv:sha1 (with various keysize)
- aes-cbc-essiv:sha256 (with various keysize)
- aes-cbc-essiv:sha512 (with various keysize)
- aes-xts-plain (with various keysize)

The default choice would be the last one.

> Another question comes to mind: Since XTS is considered to
> be the successor to LRW (at least for IEEE P1619 standard),
> are there reasons to offer any LRW modes? Are you aware of
> any practical advantages over XTS?

In fact no, as I stated just a few lines before.

P.S.: why is version 36 not in testing?

-- 
Alberto
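
The key-size arithmetic the thread discusses (LRW adds 128 bits to the AES key, XTS doubles it), written out as an added example that is not part of either e-mail and is not partman-crypto code. The function names `dmcrypt_key_bits` and `aes_strength` are hypothetical, and only AES specs are handled.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not partman-crypto's.

# Print the total key size (bits) to pass to dm-crypt for an AES strength
# of $2 bits with cipher spec $1. Returns 1 for unsupported input.
dmcrypt_key_bits() {
    case "$2" in
        128|192|256) ;;
        *) return 1 ;;
    esac
    case "$1" in
        aes-cbc-*) echo "$2" ;;              # key is used as-is
        aes-lrw-*) echo $(( $2 + 128 )) ;;   # AES key + 128-bit tweak key
        aes-xts-*) echo $(( $2 * 2 )) ;;     # two AES keys of equal size
        *) return 1 ;;
    esac
}

# Inverse check: given spec $1 and a total key size $2, print the AES
# strength actually in effect, or return 1 if that size is not valid for
# the mode (e.g. 128 bits with XTS would leave only 64 bits per key).
aes_strength() {
    case "$2" in
        ''|*[!0-9]*) return 1 ;;             # reject non-numeric sizes
    esac
    case "$1" in
        aes-cbc-*) bits=$2 ;;
        aes-lrw-*) bits=$(( $2 - 128 )) ;;
        aes-xts-*) [ $(( $2 % 2 )) -eq 0 ] || return 1
                   bits=$(( $2 / 2 )) ;;
        *) return 1 ;;
    esac
    case "$bits" in
        128|192|256) echo "$bits" ;;
        *) return 1 ;;
    esac
}

# Show what a "256-bit" selection means under each reading of the menu.
for spec in aes-cbc-essiv:sha256 aes-lrw-benbi aes-xts-plain; do
    total=$(dmcrypt_key_bits "$spec" 256)
    asis=$(aes_strength "$spec" 256) || asis="invalid"
    echo "$spec: AES-256 needs a $total-bit key; a 256-bit key gives AES $asis"
done
```

With `aes-xts-plain`, a 256-bit key yields only AES-128, which is the surprise the thread is weighing against silently enlarging the key the user selected.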