*Max Vozeler* wrote:
>> Please add aes-lrw-benbi and aes-xts-plain to the list of available
>> modes of operation. XTS is the upcoming standard.

> Thanks for the suggestion. I think offering those modes
> in partman-crypto is very desirable.
>
> Before we can do it we will need to make some non-trivial
> code changes though to account for the different key sizes
> that are valid in combination with those modes.
>
> The kernel Kconfig help suggests that for LRW we'd need to
> add 128 bits and for XTS to double the key size:
>
> aes-lrw-benbi: 256/320/384 bits
> aes-xts-plain: 256/384/512 bits

[cut]
> The latter seems more flexible, but may be surprising for
> people who are aware of the different requirements. They may
> wonder why they can select 128-bit AES with aes-lrw-benbi,
> for example. Do you think this could be a problem?


I don't think it's a nice idea to change/double the key size which
the user selected.
Anyway, I have to admit I wasn't aware of that Kconfig suggestion.
I have to study it carefully.

It would be very nice to offer the user the option to choose the
cipher and all the options related to it separately.
E.g.
1) algorithm -> AES, Blowfish etc.
2) mode of operation -> CBC, LRW, XTS etc.
3) key size -> 128, 192, 256, 384, 512 (based on the selected
algo+mode)
4) IV algorithm -> plain, essiv, benbi (only for LRW)
5) ivmode (only for CBC) -> sha1, sha256, sha512
But probably it is difficult to realize and in practice not so
useful.
So the best way is to offer only a few predefined possibilities,
which nowadays are considered secure.
I suggest:
- aes-cbc-essiv:sha1 (with various key sizes)
- aes-cbc-essiv:sha256 (with various key sizes)
- aes-cbc-essiv:sha512 (with various key sizes)
- aes-xts-plain (with various key sizes)
The default choice would be the last one.

> Another question comes to mind: Since XTS is considered to
> be the successor to LRW (at least for IEEE P1619 standard),
> are there reasons to offer any LRW modes? Are you aware of
> any practical advantages over XTS?


In fact no, as I stated just a few lines before.

P.S.: why is version 36 not in testing?

--
Alberto
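
The key-size rule quoted in this thread from the kernel Kconfig help (LRW adds 128 bits to the AES key, XTS doubles it), written out as an added example that is not part of the original message or of partman-crypto. The function names are hypothetical, and only AES with the cbc, lrw and xts modes is handled.

```python
import re

AES_BITS = (128, 192, 256)  # key sizes AES itself accepts

# Total dm-crypt key size for each mode, given the AES key size,
# following the Kconfig rule quoted in the thread.
MODE_KEY_BITS = {
    "cbc": lambda aes: aes,        # AES key only
    "lrw": lambda aes: aes + 128,  # AES key plus a 128-bit tweak key
    "xts": lambda aes: aes * 2,    # two AES keys of equal size
}

# Spec format: cipher-mode-iv[:hash], e.g. aes-cbc-essiv:sha256
SPEC_RE = re.compile(r"^([a-z0-9]+)-([a-z0-9]+)-([a-z0-9]+)(?::([a-z0-9]+))?$")


def parse_spec(spec):
    """Split a cipher spec into (mode, iv, ivhash), rejecting malformed ones."""
    m = SPEC_RE.match(spec)
    if not m:
        raise ValueError(f"malformed cipher spec: {spec!r}")
    cipher, mode, iv, ivhash = m.groups()
    if cipher != "aes" or mode not in MODE_KEY_BITS:
        raise ValueError(f"unsupported cipher or mode in {spec!r}")
    if (iv == "essiv") != (ivhash is not None):
        raise ValueError("essiv needs a hash; other IV generators take none")
    return mode, iv, ivhash


def valid_key_sizes(spec):
    """Key sizes (in bits) that may be passed to dm-crypt for this spec."""
    mode = parse_spec(spec)[0]
    return [MODE_KEY_BITS[mode](aes) for aes in AES_BITS]


def aes_strength(spec, key_bits):
    """AES key size actually in effect for a dm-crypt key of key_bits."""
    mode = parse_spec(spec)[0]
    for aes in AES_BITS:
        if MODE_KEY_BITS[mode](aes) == key_bits:
            return aes
    raise ValueError(f"{key_bits} bits is not valid for {spec}")


if __name__ == "__main__":
    for spec in ("aes-cbc-essiv:sha256", "aes-lrw-benbi", "aes-xts-plain"):
        print(spec, valid_key_sizes(spec))
```

A 256-bit key with aes-xts-plain therefore means AES-128, which is the mismatch between the selected key size and the effective cipher strength that the thread is discussing.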