On Tue, Dec 29, 2009 at 02:46:39AM +0100, Max Vozeler wrote:
> On Mon, Dec 28, 2009 at 08:37:43PM +0100, Milan Broz wrote:
> > But anyway, I see that the reason for this is to introduce multikey feature
> > (compatible with loop-AES mode). That's interesting idea.
> >
> > But please can you add more explanation into documentation about this mode?
>
> Sure, let me see what I can do.
>
> The most detailed description I know of is [1]. Besides the
> description in the Loop-AES documentation there are also some
> notes I took while doing the reimplementation.
>
> I'll see if I can put all these bits together into a document
> to have one mode and format specification.
This adds a short document detailing the two multi-key modes. I
think it covers all important points.
Review much appreciated. Thanks,
Max
--
diff --git a/Documentation/crypto/lmk.txt b/Documentation/crypto/lmk.txt
new file mode 100644
index 0000000..cb7d9da
--- /dev/null
+++ b/Documentation/crypto/lmk.txt
@@ -0,0 +1,72 @@
+Loop-AES compatible cipher block chaining modes
+-----------------------------------------------
+
+There are three modes supported by loop-AES at the time of this
+writing:
+
+ Loop-AES v1.x single-key cbc-plain
+ Loop-AES v2.x multi-key-v2 lmk2-plain64-multi:64
+ Loop-AES v3.x multi-key-v3 lmk3-plain64-multi:64
+
+This text describes the multi-key-v2 and multi-key-v3 modes and
+their implementation in the Linux kernel.
+
+These modes have two main characteristics compared to regular CBC
+with sector IV. The first is implemented in dm-crypt, the second
+is implemented in the lmk2 and lmk3 blkciphers.
+
+1) Use of 64 independent keys which are alternatingly applied to
+different sectors.
+
+ key = keys[sectornum % 64]
+
+2) IV derivation from an MD5 digest of the sector number, parts
+of the plaintext data and a mode specific format constant. The
+multi-key-v3 mode additionally uses a 128-bit IV seed.
+
+ v2IV = MD5(plaintext[16..511] ||
+ truncated-sector-number ||
+ format-magic)
+
+ v3IV = MD5(ivseed ||
+ plaintext[16..511] ||
+ truncated-sector-number ||
+ format-magic)
+
+The sector number is obtained from the plain64 dm-crypt IV
+generator. It is converted to 64-bit little endian and then
+truncated to 56 bits:
+
+ truncated-sector-number =
+ (sectornum & 0x00ffffffffffffff) | 0x8000000000000000
+
+The format-magic for both modes is fixed at the value 4024
+encoded as 32-bit little endian.
+
+Encryption:
+
+ IV = IVFUNC(optional-ivseed,
+ plaintext[16..511],
+ truncated-sector-number,
+ format-magic)
+
+ ciphertext[0..511] = CBC-ENCRYPT(key, IV, plaintext[0..511])
+
+Decryption:
+
+ IV1 = ciphertext[0..15]
+
+ plaintext[16..511] = CBC-DECRYPT(key, IV1, ciphertext[16..511])
+
+ IV2 = IVFUNC(optional-ivseed,
+ plaintext[16..511],
+ truncated-sector-number,
+ format-magic)
+
+ plaintext[0..15] = DECRYPT(key, IV2, ciphertext[0..15])
+
+References:
+
+ Mode description by the author of Loop-AES, Jari Ruusu:
+ http://mail.nl.linux.org/linux-crypto/2006-01/msg00006.html
+
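Review bot: the decryption sequence at the end of the hunk uses DECRYPT(key, IV2, ciphertext[0..15]) for the first block while every other step is written as CBC-ENCRYPT/CBC-DECRYPT, and DECRYPT with an IV argument is never defined; since this is presumably a one-block CBC step (block decryption of ciphertext[0..15] XORed with IV2), say so explicitly, because an implementer working from this text cannot otherwise tell which operation is meant. Two further documentation gaps in the same hunk: the sentence "truncated to 56 bits" does not match the expression `(sectornum & 0x00ffffffffffffff) | 0x8000000000000000`, which yields a full 64-bit value with the top bit forced on, so state that the result is 64 bits with bit 63 set and that the mask/OR is applied to the integer before the little-endian conversion; and the 128-bit IV seed introduced for multi-key-v3 is used in the v3IV formula but never described (where it comes from, whether it is part of the key material), so a sentence on its origin is needed. The [16..511] ranges also silently assume 512-byte sectors; worth stating that once near the top.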