In message <Pine.BSO.4.61.0505102117470.6013@af.pbqrshfvbavf.pbz>, Ted Unangst 
writes:
>it's my understanding that cgd doesn't provide any protection against 
>replay or other injection attacks.  this wasn't really addressed in the 
>paper, except in passing.  was it considered and rejected as outside 
>problem space?  too difficult?  essentially, does anybody care and how 
>much?  if i wanted to authenticate the data on the disk, what's the best 
>approach?
>
>attack scenario is kinda like this.  some kind of network where the users 
>trust their laptops, but possibly not the large usb drive left in the 
>office over night, and want to detect tampering. 
>

The best scheme I've seen for integrity protection of encrypted disks 
is described in

# Space-efficient block storage integrity
A. Oprea, M. K. Reiter and K. Yang
In Proceedings of the 2005 ISOC Network and Distributed System Security
Symposium, pages 17-28, February 2005.
http://www.ece.cmu.edu/~reiter/papers/2005/NDSS.pdf

		--Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb