Security levels of different implementations of block crypto

["Jim MacBaine" <jmacbaine@xxxxxxxxx>]

Hello linux-crypto,

After a complete failure of my laptop's harddrive, I'm planning the
setup of the new system.  Two years ago, when I set up the old system,
I chose loop-AES, because of its apparent better security in
comparison to dm-crypt and cryptoloop.  The main points were the
possibility of a watermark attack and the possible use of precomputed
dictionaries, which are quite understandable even to me as a
non-expert on cryptography.  And for convinience, loop-AES came with a
nice script that allowed me to create a working initrd in no time.

Since then, dm-crypt has obviously caught up.  There is a cbc-essiv
mode with a secure iv generation, and with luks there is even a
standard disk format and a salted, iterated key setup which should
protect against precomputed dictionaries.  Another advantage is, that
dm-crypt is in mainline and should even work with the distribution's
kernel.  And since I use a custom initrd to allow me to suspend to
encrypted swap anyway, I see all advantages of loop-AES gone.

So here I am, not knowing which method to choose. Are there important
differences regarding the security?  I'd welcome all kind off
comments.

Regards, Jim

-
Linux-crypto:  cryptography in and on the Linux system
Archive:       http://mail.nl.linux.org/linux-crypto/