You Don't Want XTS

I don&#x27;t get the title.<p>The title tells me I don&#x27;t want XTS.<p>Then the post explains that I don&#x27;t want FDE, for sundry reasons. Then it tells me, sure, go ahead and use FDE, but be aware of the limitations.<p>At that point it looks like I want XTS, after all.<p>Then it shows how XTS works and where cryptographers are seeing problems.<p>And then... well, there is no &quot;then&quot;. The recommendations don&#x27;t deal with FDE at all.<p>I think the post would be much stronger, if it either had some alternative mode to present or (I&#x27;d be more interested in that) it showed other ways to achieve what people usually try to achieve with FDE. And usability is a big one there. Bitlocker is huge. FileVault is huge. People can actually use it.<p>An aside: Has anyone ever seriously used XTS mode for anything but FDE? I&#x27;ve only encountered it in Truecrypt and the part of Boneh&#x27;s Crypto I where he&#x27;s talking about FDE. But that doesn&#x27;t mean much, I admit.

If anyone&#x27;s interested in a fun project:<p>It&#x27;s apparently pretty common for people to create virtual Truecrypt volumes and stick them on Dropbox, as a sort of poor-hacker&#x27;s encrypted Dropbox.<p>Someone should bone up on the &quot;Evil Maid&quot; attack and do a proof-of-concept of it on a Dropbox-backed volume. Call it &quot;Evil Maid In The Cloud&quot;, or &quot;The Mallory Poppins Attack&quot;.<p>My intuition is that the Evil Maid attack is much more powerful vs. Dropbox-backed volumes.

I don&#x27;t want XTS? Yes I do, for the purpose it was designed - block device level encryption. The title is misleading, and potentially dangerously so - I could see somebody switching to some CBC-like mode in TrueCrypt &quot;coz tptacek said so&quot; (even if that&#x27;s not what he said).<p>And I think several statements are, well, let&#x27;s say disputable. OK, XTS has the unnecessary complication of two keys, introduced in the standardization process. But the security in storage group (whatever it&#x27;s called) has apparently seen the light is working on essentially allowing just one again.<p>Furthermore, XTS is denounced for having &quot;unclear security goals&quot;, and the post leaves the impression that wide-block schemes are so much better. Yet their goals are essentially exactly the same as those of XTS, just on a sector as opposed to a (cipher) block level. And do correct me if I&#x27;m wrong, but I believe they are pretty clear: essentially ECB encryption of every cipher block on the disk, with a different key. In more concrete terms, I believe those translate to security under deterministic chosen-plaintext attacks, and non-malleability.<p>Finally Evil Maid attacks (at least the ones presented so far) have absolutely nothing to do with any cipher mode you&#x27;re using, and everything to do with the trusted platform problem. Maybe in a Dropbox setting the attacker could benefit from the cut-n-paste abilities, but I&#x27;m not sure how realistic&#x2F;severe those attacks would be (presumably you wouldn&#x27;t have your system partition on Dropbox). I&#x27;m having a hard time imagining them, but then again there exist much smarter people than myself in this world.<p>Not to be only critical of the article, I do believe that the basic messages are sound: be aware of the limitations of FDE and don&#x27;t use XTS in the contexts outside of FDE (unless you really know what you&#x27;re doing, I guess). But the rest of it I could do without.

So why can&#x27;t we authenticate all the sectors? Is the performance really that bad, even with AES-NI and such? Chrome OS and Android devices that use dm-verity already do this (albeit for read only), so that&#x27;s hard to believe...<p>With SSDs, seek time shouldn&#x27;t be an issue. You can argue that if an attacker can modify your disk, they can probably run code to steal your password, but this does not apply to Dropbox-stored disk images, and AFAIK you can try to secure a PC against modified code seeing the keys using TXT.

I primarily like XTS because it&#x27;s very fast and can be efficiently pipelined on x86 platforms with AESNI. I can get 215 Gbps throughput on 8 cores of a modern Intel CPU.<p>Also, if XTS is used in a length-preserving fashion, it can encrypt standard block devices without significant changes.<p>However, length-preserving means that it&#x27;s either not going to be authenticated or you need to keep authentication material elsewhere. In the latter case, I&#x27;d rather use GCM.

Authors recommendations seem bit &quot;handwavy&quot; to me. I understand that this article probably is not intended for end-users, but still it would have been nice to have more concrete advice. Eg dm-crypt is usually used with XTS mode, what would the author (or the good crowd of HN) say to be &quot;better&quot; solution (not necessarily at block layer) for eg. protecting laptop?

Man I&#x27;ve been having a run around recently with a notebook I just ordered.<p>First intuition is to just LUKs both disks. Ok, that might work, and then I see the horrible performance degradation from FHDing an SSD.<p>Second intuition is SED, and I got a Crucial m550 to hopefully satisfy that, but then I find out there is no documentation on if the ATA password is stored in the firmware. If it is, I&#x27;m just wasting my time, and I kind of just have to hope Crucial does the right thing and doesn&#x27;t store the AES key anywhere. I also have to hope the marketing &quot;hardware encryption&quot; is true like on my 840 Pro, where I don&#x27;t see any performance loss.<p>And even userspace level encryption of config files that use plaintext passwords is terrible (and lets be honest, way too many different programs hide credentials in plaintext somewhere for me to find all of them easily with a full desktop - off the top of my head, networkmanager, KDE-PIM, Telepathy, Firefox, and Steam all have their own independent unrelated credential stores).<p>In general I would just want to encrypt all of base ~, &#x2F;var, and &#x2F;etc, since that is where personal data can end up (and maybe &#x2F;opt, because random stuff ends up there) - but then I&#x27;m still losing most of the reason of having an SSD, especially one with a hardware AES accelerator that would go unused.<p>And don&#x27;t get me started on the mechanical drive, which I&#x27;m going to have to part bin when I get the thing and see if it has working hardware encryption. At least on that it isn&#x27;t too bad to use LUKs, because then the overhead isn&#x27;t as bad - but having overhead at all kind of sucks.

As someone who uses dropbox to store encrypted VirtualBox vdi virtual hard disk files using XTS encryption, can someone tell me what I should be using instead of XTS?

TL;DR For random-seek block encryption, don&#x27;t use XTS, <i>use CTR.</i><p>It&#x27;s simple. I like simple maths and code, it&#x27;s less to screw up <i>and less for implementations to screw up</i>. For example, I don&#x27;t trust EC or GCM, even if some people thinks they&#x27;re the new hotness, because complexity creates more opportunities for obfuscation and puts the code further out of reach of the already few eyeballs actually (or not) looking at it.<p>Maybe &#x27;cpervica explain why