Re: Disk encryption best practices?

[Gisle Sælensminde <gisle@xxxxxxxxxx>]

Jens Lechtenboerger wrote:

> Hi there,
>
> I'm about to encrypt my disk with loop-aes, and I'm wondering
> whether this is a clever move:
>
> 1. The introduction (in German) at
>   http://wiki.chaostreff.ch/index.php/Festplattenverschl%C3%BCsselung
>   recommends not to use AES but to prefer Twofish.
>   In addition, GnuPG uses CAST5 as default for symmetric
>   encryption.
>
>   What is the state-of-the-art here?
>
>  
AES has no known weaknesses, is quite fast, and is the most analyzed of 
those algorithms, so
most cryprographers would recommend AES. Twofish was one of the five 
final algorithms in
the AES competition, and is quite well analyzed as well, but less than 
AES (or Rijndael, as it was
known as during the competition). Twofish has gained some popularity in 
the open source circles,
and can as well be used instead of AES, but there is no reason to 
recomend it over AES/Rijndael.
CAST5 was also a candidate for AES, but did not make it to the final, 
and is thus less well analyzed
than the other. That is not saying that it is broken in any way, but I 
would prefere AES or Twofish.

> 2. The text at http://mareichelt.de/pub/texts.cryptoloop.php
>   warns against mainline cryptoloop:
>   "Both cryptoloop and dm-crypt in kernels prior to 2.6.10 are
>    vulnerable, and even recent dm-crypt still suffers from a weak
>    crypto implementation."
>
>   What is weak here?
>
>  
A weak IV scheme made it possible for an attacker with access to the raw 
storage to see
which bytes of a block that was the first modified, but not see what the 
change was. Newer loop-aes
implementations has fixed this problem.


-
Linux-crypto:  cryptography in and on the Linux system
Archive:       http://mail.nl.linux.org/linux-crypto/