
AES-CTR can be used instead. AES-CTR generates a pseudo-random sequence of bits which is XORed with the data to encrypt. The pseudo-random bit sequence is generated by encrypting a counter that is incremented. This allows encrypting or decrypting any randomly chosen segment of data by using the data offset as the encrypted counter value.

Homework: after encrypting a file, I edit it, and the block is changed and re-encrypted with the same block number as a counter.

Question: can you discover something about ciphertext which allows you to guess plaintext? If so, what?

Completing this homework will introduce you to disk encryption theory and will help you understand the need for XTS-like modes.

Is it a realistic threat though? You're not supposed to use your device after it has been compromised. If you don't _know_ your device has been compromised you are totally fucked anyway.

Yes, the threat model for full disk encryption is defined for an attacker that has the ability to read the encrypted contents of the disk at any point in time.

CTR mode is also malleable at bit level, while XTS is less so (this matters when an attacker can modify the encrypted contents).
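Worked illustration of the two points raised in this thread, the homework's counter-reuse leak and CTR's bit-level malleability. This is an added example, not code from any comment above. It assumes a stdlib-only setting, so HMAC-SHA256 truncated to 16 bytes stands in for AES encryption of the counter block; every property it shows depends only on CTR's XOR structure, not on which block function produces the keystream. The sector size, key, sector contents and the `nonce` parameter are constructed for the demo.

```python
import hashlib
import hmac

BLOCK = 16          # size of one keystream block, as for AES
SECTOR = 64         # constructed toy sector size (real disks use 512/4096)


def keystream(key: bytes, sector: int, nonce: int, nbytes: int) -> bytes:
    """CTR keystream: block i is PRF(key, nonce || sector || i).

    Assumption: HMAC-SHA256 truncated to 16 bytes stands in for AES
    encryption of the counter block so this runs on the stdlib alone.
    """
    out = bytearray()
    for i in range((nbytes + BLOCK - 1) // BLOCK):
        counter = (nonce.to_bytes(8, "big") + sector.to_bytes(4, "big")
                   + i.to_bytes(4, "big"))
        out += hmac.new(key, counter, hashlib.sha256).digest()[:BLOCK]
    return bytes(out[:nbytes])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ctr_crypt(key: bytes, sector: int, data: bytes, nonce: int = 0) -> bytes:
    """Encrypt or decrypt one sector (CTR is its own inverse). With the
    nonce fixed at 0 the counter is derived from the sector number only,
    which is exactly the rewrite situation the homework describes."""
    return xor(data, keystream(key, sector, nonce, len(data)))


def rewrite_leak(old_ct: bytes, new_ct: bytes) -> bytes:
    """What an observer holding two snapshots of the same sector learns:
    C_old ^ C_new = (P_old ^ K) ^ (P_new ^ K) = P_old ^ P_new."""
    return xor(old_ct, new_ct)


def changed_offsets(old_ct: bytes, new_ct: bytes) -> list:
    """Byte offsets that changed between the two writes, readable from
    ciphertext alone (no key needed)."""
    return [i for i, b in enumerate(rewrite_leak(old_ct, new_ct)) if b]


def flip_ciphertext_byte(ct: bytes, offset: int, mask: int) -> bytes:
    """CTR malleability: flipping bits of one ciphertext byte flips the
    same bits of the decrypted plaintext byte and nothing else."""
    return ct[:offset] + bytes([ct[offset] ^ mask]) + ct[offset + 1:]


# Constructed sample data: one sector before and after an edit
KEY = hashlib.sha256(b"constructed demo key").digest()
OLD = b"balance=00000100;".ljust(SECTOR, b".")
NEW = b"balance=00009999;".ljust(SECTOR, b".")


def demo_counter_reuse():
    old_ct = ctr_crypt(KEY, 5, OLD)
    new_ct = ctr_crypt(KEY, 5, NEW)        # same counter, edited content
    leak = rewrite_leak(old_ct, new_ct)
    # If the old contents are predictable (e.g. a known file header), the
    # leak yields the new contents outright.
    recovered = xor(leak, OLD)
    return leak, changed_offsets(old_ct, new_ct), recovered


def demo_fresh_nonce() -> bool:
    """A fresh nonce per write: does C_old ^ C_new still equal P_old ^ P_new?"""
    old_ct = ctr_crypt(KEY, 5, OLD, nonce=1)
    new_ct = ctr_crypt(KEY, 5, NEW, nonce=2)
    return rewrite_leak(old_ct, new_ct) == xor(OLD, NEW)


def demo_bit_flip() -> bytes:
    """Decrypt a ciphertext whose byte 12 had bits 0x09 flipped."""
    ct = ctr_crypt(KEY, 5, OLD)
    tampered = flip_ciphertext_byte(ct, 12, ord("0") ^ ord("9"))
    return ctr_crypt(KEY, 5, tampered)


if __name__ == "__main__":
    leak, offsets, recovered = demo_counter_reuse()
    print("changed byte offsets:", offsets)          # [12, 13, 14, 15]
    print("recovered new sector:", recovered[:17])
    print("fresh nonce leaks P_old^P_new:", demo_fresh_nonce())   # False
    print("decrypt of tampered sector:", demo_bit_flip()[:17])
```

The first demo answers the homework: with the counter tied only to the block number, the XOR of two ciphertexts of the same block is the XOR of the two plaintexts, so which bytes changed is visible to anyone with both snapshots and, given one known version, the other version is fully exposed. The second shows that a fresh nonce per write removes that relation, which is the part a sector-addressed disk cannot afford (there is nowhere to store a per-write nonce), hence tweakable modes such as XTS. The third shows the malleability point: one flipped ciphertext bit becomes the same flipped plaintext bit, a precise edit rather than garbage, which is why CTR without an integrity check is unsuitable when the attacker can write to the disk.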

What if you're using a hosting provider and using full-disk encryption to stop the hosting provider from having access to your data by yanking the drives?
