> From: Tomas Vondra [mailto:tomas.vondra@2ndquadrant.com]
> On 05/25/2018 01:41 PM, Moon, Insung wrote:
> > BTW, I want to support CBC mode encryption[3]. However, I'm not sure
> > how to use the IV in CBC mode for this proposal. I'd like to hear
> > opinions by security engineer.
> >
>
> I'm not a cryptographer either, but this is exactly where you need a
> prior discussion about the threat models - there are a couple of
> chaining modes, each with different weaknesses.
Our products uses XTS, which recent FDE software like BitLocker and TrueCrypt uses instead of CBC.
https://en.wikipedia.org/wiki/Disk_encryption_theory#XTS
"According to SP 800-38E, "In the absence of authentication or access control, XTS-AES provides more protection than
theother approved confidentiality-only modes against unauthorized manipulation of the encrypted data.""
> FWIW it may also matter if data_checksums are enabled, because that may
> prevent malleability attacks affecting of the modes. Assuming active
> attacker (with the ability to modify the data files) is part of the
> threat model, of course.
Encrypt the page after embedding its checksum value. If a malicious attacker modifies a page on disk, then the
decryptedpage would be corrupt anyway, which can be detected by checksum.
Regards
Takayuki Tsunakawa