[cryptography] [zfs] SHA-3 winner announced

Nico Williams nico at cryptonector.com
Wed Oct 3 11:42:51 EDT 2012

On Wed, Oct 3, 2012 at 7:41 AM, David McGrew (mcgrew) <mcgrew at cisco.com> wrote:
> Are the requirements for the security of ZFS and the use of cryptography
> in that filesystem documented anywhere?
> <https://blogs.oracle.com/bonwick/entry/zfs_end_to_end_data> mentions a
> Merkle tree of checksums, where the checksum function can be either
> Fletcher or SHA-256.  A collision-resistant hash of an entire system is
> indispensable if asymmetric authentication is needed, but are there common
> scenarios where that is needed?   If encryption is used in ZFS, then there
> is necessarily a symmetric encryption key that is being managed; why not
> use symmetric message authentication as well, and take advantage of the
> performance gain?

Encrypted ZFS has a requirement that it must be possible to check pool
integrity without having access to the keys.  This means that even if
encrypted ZFS used MACs (it does) it still needs to hash ciphertext in
a Merkle hash tree fashion for the purpose of un-keyed integrity
checking.  Since a MAC is also used I think one could argue that the
hash function needn't be all that strong: it's primarily needed for
error detection.
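
The layering described in the reply above, as an added example that is not part of the original post and is not ZFS code: a toy model in which each ciphertext block carries an HMAC tag and an un-keyed SHA-256 Merkle tree covers ciphertext plus tag. The function names, the block layout and the sample data are assumptions made for illustration.

```python
import hashlib
import hmac

def block_tag(key, index, ct):
    # Keyed MAC over the block's position and ciphertext (needs the key).
    return hmac.new(key, index.to_bytes(8, "big") + ct, hashlib.sha256).digest()

def leaf_hash(ct, tag):
    # Un-keyed checksum over ciphertext plus tag; anyone can recompute it.
    return hashlib.sha256(b"\x00" + ct + tag).digest()

def merkle_root(leaves):
    # Hash pairs upward until one root remains; an odd node is promoted.
    level = list(leaves) or [hashlib.sha256(b"").digest()]
    while len(level) > 1:
        level = [level[i] if i + 1 == len(level)
                 else hashlib.sha256(b"\x01" + level[i] + level[i + 1]).digest()
                 for i in range(0, len(level), 2)]
    return level[0]

def seal(key, ciphertexts):
    # Writer (holds the key): tag every block, then build the hash tree.
    blocks = [(ct, block_tag(key, i, ct)) for i, ct in enumerate(ciphertexts)]
    return blocks, merkle_root([leaf_hash(ct, t) for ct, t in blocks])

def scrub(blocks, root):
    # Key-less integrity check: recompute the root from what is on disk.
    return merkle_root([leaf_hash(ct, t) for ct, t in blocks]) == root

def authenticate(key, blocks):
    # Keyed check: indexes of blocks whose MAC does not verify.
    return [i for i, (ct, t) in enumerate(blocks)
            if not hmac.compare_digest(block_tag(key, i, ct), t)]

if __name__ == "__main__":
    key = bytes(32)                                # constructed demo key
    cts = [bytes([i]) * 16 for i in range(5)]      # constructed ciphertext stand-ins
    blocks, root = seal(key, cts)
    damaged = list(blocks)
    damaged[2] = (b"\xff" + blocks[2][0][1:], blocks[2][1])   # simulated media error
    print("clean  :", scrub(blocks, root), authenticate(key, blocks))
    print("damaged:", scrub(damaged, root), authenticate(key, damaged))
    # A rewritten block with recomputed un-keyed hashes passes scrub but not the MAC.
    new_root = merkle_root([leaf_hash(ct, t) for ct, t in damaged])
    print("rehash :", scrub(damaged, new_root), authenticate(key, damaged))
```

The key-less scrub catches the damaged block against the stored root, while only the keyed check catches a block whose un-keyed hashes were recomputed after the change.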

