
For fast file-system crypto, you really want to implement the ciphers so that you encrypt several blocks at a time. ... I'd like to know how this method compares to using an interleaved CBC mode - for example 8-way interleaved CBC. The n-way interleaved CBC mode works by chaining each nth block together instead of each block. [...] Am I missing something?
In either case, you need to be sure that changed data is always encrypted with different parameters -- that is, a changed file should be encrypted with a new IV or a different offset into S1 and S2. Otherwise, the attacks used to recover badly wiped information could be used to look back in time, so to speak, and figure out which portions of the file were changed. It's more of a problem if you're using ofb o ecb o ofb (i.e., the CFS mode) than an interleaved CBC mode. The 8-way interleaved CBC mode should have different IVs for each "lane" (that is, a monster 512-bit IV) -- otherwise, file data types with repetitions in the headers could be identified. The IV should be secret to completely rule out leakage. However, there are some important restrictions on how you can use the key in making an IV -- I suggest something like this to ensure nothing is messed up: hash the passphrase into K0, use nDES-OFB with K0 to make K1 and K2, then nDES-OFB with K1 for making the IVs which nDES-interleaved-CBC uses with K2 for the actual encryption.
astor
-- Alexander Kjeldaas, Guardian Networks AS, Trondheim, Norway http://www.guardian.no/
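The n-way interleaved CBC mode from the question, together with the K0/K1/K2 derivation schedule suggested in the reply, as an added example that is not code from either poster. It stands in a toy SHA-256 Feistel cipher for nDES (same 64-bit block size, not the same cipher), assumes a zero IV for the K0 step and a per-write file nonce for the IV step, and uses 8 lanes so the per-lane IVs total 512 bits as the reply describes.

```python
import hashlib

BLOCK = 8  # 64-bit blocks, the DES block size the thread assumes


def _feistel(key, block, rounds):
    # Toy 64-bit Feistel cipher with a SHA-256 round function: a stand-in for
    # nDES (same block size, not the same cipher). Invertible, so decryption
    # is the same loop with the round order reversed.
    l, r = block[:4], block[4:]
    for i in rounds:
        f = hashlib.sha256(key + bytes([i]) + r).digest()[:4]
        l, r = r, bytes(a ^ b for a, b in zip(l, f))
    return r + l


def encrypt_block(key, block): return _feistel(key, block, range(8))
def decrypt_block(key, block): return _feistel(key, block, range(7, -1, -1))


def ofb_keystream(key, iv, nbytes):
    # OFB keystream E(iv), E(E(iv)), ...; used here only to derive keys and IVs.
    out, state = b"", iv
    while len(out) < nbytes:
        state = encrypt_block(key, state)
        out += state
    return out[:nbytes]


def derive_keys(passphrase, file_nonce, lanes):
    # The reply's schedule: hash passphrase -> K0; OFB(K0) -> K1, K2; OFB(K1) -> IVs.
    # Zero IV for the K0 step and a per-write file_nonce (stored with the
    # ciphertext, unique per write) are assumptions not stated in the post.
    k0 = hashlib.sha256(passphrase).digest()[:16]
    ks = ofb_keystream(k0, bytes(BLOCK), 32)
    k1, k2 = ks[:16], ks[16:]
    ivs = ofb_keystream(k1, file_nonce, lanes * BLOCK)  # one secret IV per lane
    return k2, [ivs[i * BLOCK:(i + 1) * BLOCK] for i in range(lanes)]


def interleaved_cbc(key, ivs, data, encrypt=True):
    # n-way interleaved CBC: block j chains to block j-n (lane j mod n), so n
    # independent chains can run in parallel; each lane IV seeds its own chain.
    n, prev, out = len(ivs), list(ivs), []
    for j in range(0, len(data), BLOCK):
        lane, blk = (j // BLOCK) % n, data[j:j + BLOCK]
        if encrypt:
            c = encrypt_block(key, bytes(a ^ b for a, b in zip(blk, prev[lane])))
            out.append(c)
        else:
            c = blk
            out.append(bytes(a ^ b for a, b in zip(decrypt_block(key, c), prev[lane])))
        prev[lane] = c
    return b"".join(out)
```

Encrypting a file whose first eight blocks are an identical repeated header with one shared IV for all lanes yields eight identical ciphertext blocks, the leak the reply warns about; with the derived per-lane IVs the eight blocks differ.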