1

I am building an encrypted NAS with 4 x 4TB hard drives and was wondering what the limit of 256 bit AES is when implemented via cryptsetup and luksFormat. As I understand it, the maximum plaintext size for 256 bit AES is 2^39 - 256 bits, but I'm not sure what that means in relation to how cryptsetup works. At face value my interpretation is that if you're dealing with a drive any larger than 68 GB then you need something stronger than AES 256. However I'm sure there are reasons that's not the case considering BitLocker uses 128 and 256 bit regardless of volume size. Any insight on this is appreciated as I only thought of this AFTER establishing my NAS and am dreading the process of re-encrypting the drives.

Nuvious
  • 121
  • 4
  • 3
    *"the maximum plaintext size for 256 bit AES is 2^39 - 256 bits,"* - where did you get this number from? I think you misunderstood something. There is no such limit. – Steffen Ullrich Feb 20 '18 at 17:01
  • 2
    You seem to have a few misconceptions. The only reference I found for that limit in a quick search is for [GCM mode](https://crypto.stackexchange.com/a/44166), whereas LUKS uses XTS by default. AES by itself doesn't run into problems until [many exabytes](https://security.stackexchange.com/a/30172). – AndrolGenhald Feb 20 '18 at 17:03
  • 2
    [RSA maximum bytes to encrypt, comparison to AES in terms of security?](https://security.stackexchange.com/questions/33434/rsa-maximum-bytes-to-encrypt-comparison-to-aes-in-terms-of-security) describes some limits for AES too. To cite: *"This means a limit of more than 250 millions of terabytes..."* – Steffen Ullrich Feb 20 '18 at 17:03
  • 3
    Also worth noting that there is no such thing as AES-512. Also, drives are not encrypted in one continuous plaintext. Each block is separately encrypted. – David Feb 20 '18 at 17:05
  • @David - does it matter that each disk block is separately encrypted? For one, I think what matters is the total number of AES blocks encrypted under the same key. Second, even if that's wrong, the disk block address/number, which I think is used as an input to compute a unique IV for that disk block, is known, so it seems to me that the fact that you only encrypt between 512 bytes and a few KB at once (depending on the block size) shouldn't make a difference unless LUKS changes the key for each disk block. Or am I making a stupid logical mistake? – Out of Band Feb 20 '18 at 19:28
  • Nuvious, you are perfectly fine to leave everything as-is. Without going into technical details, AES in Feb 2018 does not have any known vulnerabilities that would allow for a feasible bruteforce attack even on AES 128. – Kirill Sinitski Feb 20 '18 at 19:33
  • @Pascal perhaps what David was trying to say was that even if drive encryption _did_ use GCM, that 2^39 bit figure applies to a single key/IV pair, so that limit would apply to block size rather than total size. – AndrolGenhald Feb 20 '18 at 19:41

1 Answer

4

AES is a block cipher. Wikipedia says:

> The winner of the AES contest, Rijndael, supports block and key sizes of 128, 192, and 256 bits, but in AES the block size is always 128 bits. The extra block sizes were not adopted by the AES standard.

So AES 256 means Rijndael with a 128 bit block size and a 256 bit key.

The maximum size of data a block cipher can safely encrypt under the same key depends on its block size, because the more blocks you encrypt with it, the larger the chance that two blocks will be the same. This will start leaking information the more it happens, so you want to avoid it.

However, the key size does not affect the number of blocks you can safely encrypt. So even if there was an AES-512, it wouldn't do anything to increase the maximum size of the plaintext you can encrypt.

Since the AES block size is 128 bits (16 bytes), thanks to the birthday paradox you can expect an identical block to appear after having encrypted about 2^64 (the square root of 2^128) blocks, so you might start to worry when you get in the region of encrypting 2^64 * 16 bytes with the same key.

Of course, that's not a hard limit. It's just that the likelihood that you're leaking information useful in breaking the encryption increases. You might be totally fine encrypting way more than that, or you might want to worry much earlier than that. But AES is completely fine for encrypting 4 or even 16 TB of data.

As for AES 512, maybe you're referring to a 512 bit key that gets split into two 256 bit parts for LUKS in aes-xts-plain mode? The man page of cryptsetup states:

> For XTS mode you can optionally set a key size of 512 bits with the -s option. Key size for XTS mode is twice that for other modes for the same security level.

This means that in order to get the security of a 256 bit key, you need to specify a key size of 512 bits for XTS. You need double sized keys because in XTS mode AES is used twice, and each invocation uses one half of the key (see Explanation of the XTS Encryption Mode).

Out of Band
  • 9,150
  • 1
  • 21
  • 30
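The birthday estimate from the answer above, carried through for the 4 x 4 TB volume in the question; this is an added example, not part of the original answer. It assumes cipher blocks behave like uniformly random values, and the 64-bit block comparison is an added generalization to show that block size, not key size, sets the limit.

```python
import math

AES_BLOCK_BITS = 128  # fixed for AES, whatever the key size (128/192/256)

def blocks_in(volume_bytes, block_bits=AES_BLOCK_BITS):
    """Number of cipher blocks needed to cover volume_bytes (rounded up)."""
    return -(-volume_bytes * 8 // block_bits)

def collision_probability(n_blocks, block_bits=AES_BLOCK_BITS):
    """Birthday approximation: p = 1 - exp(-n(n-1) / 2^(b+1))."""
    exponent = n_blocks * (n_blocks - 1) / 2 ** (block_bits + 1)
    # expm1 keeps precision when the exponent is tiny (p far below 1e-10).
    return -math.expm1(-exponent)

def bytes_until(p_target, block_bits=AES_BLOCK_BITS):
    """Data volume in bytes at which the collision probability reaches p_target."""
    n = math.sqrt(2 ** (block_bits + 1) * -math.log1p(-p_target))
    return n * block_bits / 8

# Constructed input: the NAS from the question, 4 drives of 4 TB (decimal).
NAS_BYTES = 4 * 4 * 10**12

if __name__ == "__main__":
    n = blocks_in(NAS_BYTES)
    print(f"16 TB = {n:.3e} AES blocks")
    print(f"collision probability, 128-bit block: {collision_probability(n):.3e}")
    # Same volume under a hypothetical 64-bit block cipher, any key size.
    n64 = blocks_in(NAS_BYTES, 64)
    print(f"collision probability,  64-bit block: {collision_probability(n64, 64):.6f}")
    print(f"p at 2^64 blocks: {collision_probability(2**64):.3f}")
    print(f"volume for p = 0.5: {bytes_until(0.5) / 1e18:.0f} exabytes")
```
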