Sarath or maybe Mike Rosing wrote:
If the IV is not a secret how are we going to prevent block replay attacks on cipher text?
If you look at the usage models and threat models, it's simply not a problem. This is a disk drive. Anybody who has access to disk drive transactions sufficient to try replay attacks already has deep-level access to your hardware, so you're toast anyway because they can see the unencrypted data before it's written.

What this kind of system is normally good for is making sure that anybody who steals your hardware when it's not running can't read your disk's data. (Steals includes thieves with and without warrants or subpoenas...) There's not really a risk of replay attacks there.

However, there's an emerging application for which disk drives are more vulnerable, which is remote storage. Some of the new disk interface standards, like Fibre Channel, and probably some of the flavors of iSCSI, can operate over distances of 20km and longer over fiber, leading to businesses like colocation centers in New Jersey providing big disk drive farms for New York City financial businesses which have their mainframes in Manhattan. For applications like that, it is important to do good IVs, because control of the disk drive doesn't imply control of the machine.
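To make the IV discussion above concrete, here is an added example (not code from the thread or any product it mentions) of sector-level CBC encryption with a per-sector IV derived from the sector number under a secondary key, the scheme usually called ESSIV. The block cipher is a constructed 4-round HMAC-SHA256 Feistel cipher standing in for AES so the script runs with only the Python standard library; the key, sector size and sector contents are constructed for the demo. It shows what a sector-bound IV buys (identical sectors encrypt differently, and ciphertext moved to another sector no longer decrypts cleanly), and two limits worth knowing when the storage sits on the far end of a fiber link: with CBC only the first block of a moved sector is garbled, and an IV cannot detect rollback of a sector to an older ciphertext, which needs integrity protection rather than a better IV.

```python
import hashlib
import hmac

BLOCK = 16      # 128-bit blocks
SECTOR = 64     # constructed toy sector of 4 blocks (real disks use 512 or 4096 bytes)
ROUNDS = 4


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    """Feistel round function: HMAC-SHA256 keyed by (key, round), truncated to 8 bytes."""
    return hmac.new(key + bytes([rnd]), half, hashlib.sha256).digest()[:8]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Constructed 128-bit Feistel block cipher; a stand-in for AES, demonstration only."""
    l, r = block[:8], block[8:]
    for rnd in range(ROUNDS):
        l, r = r, bytes(a ^ b for a, b in zip(l, _f(key, rnd, r)))
    return l + r


def block_decrypt(key: bytes, block: bytes) -> bytes:
    """Inverse of block_encrypt: run the rounds backwards."""
    l, r = block[:8], block[8:]
    for rnd in reversed(range(ROUNDS)):
        l, r = bytes(a ^ b for a, b in zip(r, _f(key, rnd, l))), l
    return l + r


def sector_iv(key: bytes, sector_no: int) -> bytes:
    """ESSIV-style IV: encrypt the sector number under a key derived by hashing the data key.
    Because the block cipher is a permutation, distinct sectors always get distinct IVs."""
    iv_key = hashlib.sha256(key).digest()
    return block_encrypt(iv_key, sector_no.to_bytes(BLOCK, "big"))


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_sector(key: bytes, sector_no: int, plaintext: bytes) -> bytes:
    """CBC-encrypt one sector, chaining from the sector-bound IV."""
    assert len(plaintext) == SECTOR
    prev, out = sector_iv(key, sector_no), b""
    for i in range(0, SECTOR, BLOCK):
        prev = block_encrypt(key, _xor(plaintext[i:i + BLOCK], prev))
        out += prev
    return out


def decrypt_sector(key: bytes, sector_no: int, ciphertext: bytes) -> bytes:
    """CBC-decrypt one sector using the IV that belongs to sector_no."""
    assert len(ciphertext) == SECTOR
    prev, out = sector_iv(key, sector_no), b""
    for i in range(0, SECTOR, BLOCK):
        c = ciphertext[i:i + BLOCK]
        out += _xor(block_decrypt(key, c), prev)
        prev = c
    return out


def demo() -> dict:
    key = b"constructed-demo-key-not-secret!"          # constructed, 32 bytes
    same = b"\x00" * SECTOR                            # identical content in two sectors
    c5 = encrypt_sector(key, 5, same)
    c9 = encrypt_sector(key, 9, same)

    # 1. No watermarking: identical plaintext in sectors 5 and 9 yields different ciphertext.
    distinct = c5 != c9

    # 2. Cut-and-paste: sector 5's ciphertext dropped into sector 9's slot is decrypted
    #    under sector 9's IV. Count how many blocks come out wrong (CBC: only the first,
    #    since later blocks chain off the previous ciphertext block, not the IV).
    moved = decrypt_sector(key, 9, c5)
    garbled_blocks = sum(
        moved[i:i + BLOCK] != same[i:i + BLOCK] for i in range(0, SECTOR, BLOCK)
    )

    # 3. Rollback: an OLD ciphertext replayed into the SAME sector decrypts cleanly.
    #    The IV is correct for that sector, so nothing here can flag the replay.
    old = encrypt_sector(key, 5, b"old balance".ljust(SECTOR, b"\x00"))
    encrypt_sector(key, 5, b"new balance".ljust(SECTOR, b"\x00"))  # current content
    rollback_accepted = decrypt_sector(key, 5, old).startswith(b"old balance")

    return {
        "round_trip_ok": decrypt_sector(key, 5, c5) == same,
        "identical_sectors_distinct": distinct,
        "moved_sector_garbled_blocks": garbled_blocks,
        "rollback_accepted": rollback_accepted,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The result of `demo()` makes the trade-off visible: the sector-bound IV stops the "same content, same ciphertext" leak and breaks a sector moved elsewhere, but only its first block, and it says nothing about a sector replayed to its own position. For a drive on the far end of a network link, where the disk controller is not trusted, that rollback case is the one to design for separately, with per-sector integrity checks or versioning on the host side.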