Hello Richard,
On Sun, Jan 17, 2010 at 11:02:34PM +0100, Richard Zidlicky wrote:
> > diff --git a/Documentation/crypto/lmk.txt b/Documentation/crypto/lmk.txt
> > new file mode 100644
> > index 0000000..91ca7f7
> > --- /dev/null
> > +++ b/Documentation/crypto/lmk.txt
> > @@ -0,0 +1,102 @@
> > +Loop-AES compatible cipher block chaining modes
> > +-----------------------------------------------
> > +
> > +The following table shows the Loop-AES name of the mode, the
> > +Loop-AES version first supporting it, and the equivalent cipher
> > +specification string for dm-crypt:
> > +
> > + single-key Loop-AES v1.x cbc-plain
> > + multi-key-v2 Loop-AES v2.x lmk2-plain64-multi:64
> > + multi-key-v3 Loop-AES v3.x lmk3-plain64-multi:64
> > +
> > +This text describes the multi-key-v2 and multi-key-v3 modes and
> > +their implementation in the Linux kernel.
>
> pointer to alternative implementation with loop-AES?
OK, I will point to Loop-AES itself.
> > +The multi-key modes describe a combination of CBC using a
> > +specific IV derivation function with the use of multiple
> > +independent encryption keys.
> > +
> > +The IV derivation and block chaining are implemented as
> > +blkciphers named "lmk2" and "lmk3". The support for multiple
> > +encryption keys is implemented in dm-crypt.
> > +
> > +Multiple keys:
> > +
> > + Each sector is encrypted/decrypted with one of 64 independent
> > + keys selected by the following rule:
> > +
> > + key = keys[sectornum % 64]
> > +
> > +IV derivation:
> > +
> > + IVs are derived from an MD5 digest of the sector number, parts
> > + of the plaintext data and a mode specific format constant. The
> > + multi-key-v3 mode additionally uses a 128-bit IV seed.
> > +
> > + v2IV = MD5(plaintext[16..511] ||
> > + le64(truncated-sector-number) ||
> > + le32(format-magic))
> > +
> > + v3IV = MD5(ivseed ||
> > + plaintext[16..511] ||
> > + le64(truncated-sector-number) ||
> > + le32(format-magic))
>
> ivseed = key_table[64] is nowhere declared.
This is an implementation detail of Loop-AES, so I don't consider it
belonging to the description of the modes here. Loop-AES v3 keyfiles
contain 65 keys of which the last key is used as IV seed.
> Also "||" should be explained, it is probably conatenation like in
> Jari's description? Hard to think of a really intuitive notation.."o"
> or "<<" might be intuitive for many but does not look too good in this
> case, especially in ASCII.
OK, I agree this needs pointing out. The "||" for concatenation is
what I'm familiar with, I don't think I would understand "o" or "<<"
as well. I will explain what it does.
> > + The input IV supplied to lmk2 or lmk3 is expected to be the
> > + sector number in 64-bit little endian as supplied by the
> > + plain64 dm-crypt IV generator. It gets truncated to 56 bits
> > + with the most significant byte set to 0x80:
>
> I believe preceding paragraoh can be completely omitted, is not easier to
> understand than the pseudocode.
OK. I'll drop the last sentence, the first one describing where the
IV is expected to come from seems relevant.
> > + truncated-sector-number =
> > + (sectornum & 0x00ffffffffffffff) | 0x8000000000000000
>
> would be better above the IV derivation descriptions.
Noted.
> > +Mode multi-key-v2 (lmk2-plain64-multi:64):
> > +
> > + key = keys[sectornum % 64]
> > +
> > + encrypt:
> > + IV = MD5(plaintext[16..511] ||
> > + le64(truncated-sector-number) ||
> > + le32(format-magic))
>
> no need to repeat the IV description here, could use the v2/v3IV in the
> pseudocode
> bellow.
I think repeating it makes it clearer which parts happen at
which time, so I'd leave this as is.
> For the decryption IVs it would be then better to use some more distinct
> names because eg IV2 is fairly close to v2IV.
Good point, thanks. Will change.
> Btw did you send the other parts of the patch to the list? I did only
> ever receive the description part so feel free to email me the other
> parts.
I did send them all to linux-cry...@vger. I'm not sure why you
didn't receive them. I'll send you the missing parts and CC you
on the next submission.
Thanks again for your comments,
Max
--
To unsubscribe from this list: send the line "unsubscribe linux-crypto" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
