AES-128-CBC Support Coming To Fscrypt
AES-128-CBC support is coming to fscrypt, the generic file-system crypto code in the Linux kernel that's currently in use by F2FS and EXT4 for offering native file-system encryption support.
Fscrypt currently makes use of AES-256-XTS/AES-256-CBC-CTS but the fscrypt design allows for supporting multiple encryption standards. Support for AES-128-CBC in file contents and AES-128-CBC-CTS for file names is being added mainly for mobile/embedded hardware that may provide crypto accelerators for these standards.
From this fscrypt commit:
This patch adds support for using AES-128-CBC for file contents and AES-128-CBC-CTS for file name encryption. To mitigate watermarking attacks, IVs are generated using the ESSIV algorithm. While AES-CBC is actually slightly less secure than AES-XTS from a security point of view, there is more widespread hardware support. Using AES-CBC gives us the acceptable performance while still providing a moderate level of security for persistent storage.
Especially low-powered embedded devices with crypto accelerators such as CAAM or CESA often only support AES-CBC. Since using AES-CBC over AES-XTS is basically thought of as a last resort, we use AES-128-CBC over AES-256-CBC since it has fewer encryption rounds and yields noticeably better performance starting from a file size of just a few kB.
This addition to fscrypt should be merged during the upcoming Linux 4.13 merge window.
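Why the commit pairs AES-CBC with ESSIV, shown as an added example (not code from the article or from fscrypt): with an IV equal to the block number, data crafted against that IV produces identical first ciphertext blocks, while ESSIV (IV = block number encrypted under SHA-256 of the key) removes the pattern. The function names, the 16-byte little-endian block-number layout, the key and the marker are assumptions of this sketch.

```python
import hashlib

def gmul(a, b):  # multiply in GF(2^8) modulo the AES polynomial 0x11B
    r = 0
    while b:
        r ^= a * (b & 1)
        a = (a << 1) ^ 0x11B if a & 0x80 else a << 1
        b >>= 1
    return r

def _sbox_entry(x):  # field inverse followed by the AES affine transform
    inv = next((y for y in range(1, 256) if gmul(x, y) == 1), 0)
    rot = lambda v, n: ((v << n) | (v >> (8 - n))) & 0xFF
    return inv ^ rot(inv, 1) ^ rot(inv, 2) ^ rot(inv, 3) ^ rot(inv, 4) ^ 0x63

SBOX = [_sbox_entry(x) for x in range(256)]

def aes_encrypt_block(key, block):  # textbook FIPS-197 AES, one block, not constant-time
    nk, rcon = len(key) // 4, 1  # 4 key words for AES-128, 8 for AES-256
    w = [list(key[4 * i:4 * i + 4]) for i in range(nk)]
    for i in range(nk, 4 * (nk + 7)):  # key schedule
        t = w[i - 1]
        if i % nk == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= rcon
            rcon = gmul(rcon, 2)
        elif nk > 6 and i % nk == 4:
            t = [SBOX[b] for b in t]
        w.append([a ^ b for a, b in zip(w[i - nk], t)])
    rk = [sum(w[4 * r:4 * r + 4], []) for r in range(nk + 7)]
    s = [a ^ b for a, b in zip(block, rk[0])]
    for rnd in range(1, nk + 7):
        s = [SBOX[s[(i + 4 * (i % 4)) % 16]] for i in range(16)]  # SubBytes + ShiftRows
        if rnd < nk + 6:  # MixColumns, skipped in the final round
            s = [gmul(s[c + r], 2) ^ gmul(s[c + (r + 1) % 4], 3) ^ s[c + (r + 2) % 4]
                 ^ s[c + (r + 3) % 4] for c in range(0, 16, 4) for r in range(4)]
        s = [a ^ b for a, b in zip(s, rk[rnd])]
    return bytes(s)

def plain_iv(key, n):  # weak baseline: the IV is just the block number
    return n.to_bytes(16, "little")

def essiv_iv(key, n):  # ESSIV: block number encrypted under SHA-256(key), i.e. AES-256
    return aes_encrypt_block(hashlib.sha256(key).digest(), n.to_bytes(16, "little"))

def watermark_visible(iv_fn, key=bytes(range(16))):  # constructed key and data
    # Block n starts with MARK xor plain_iv(n); CBC computes C0 = E_K(P0 xor IV).
    c = [aes_encrypt_block(key, bytes(m ^ p ^ v for m, p, v in zip(
        b"WATERMARK-BLOCK!", plain_iv(key, n), iv_fn(key, n)))) for n in (0, 1)]
    return c[0] == c[1]
```

`watermark_visible(plain_iv)` is true and `watermark_visible(essiv_iv)` is false: the ESSIV IV depends on the key, so data prepared without the key cannot cancel it.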