Subject: Re: CBC and LRW?
To: Steven M. Bellovin <smb@cs.columbia.edu>
From: Johan Wallén <johan.wallen+lists@tkk.fi>
List: tech-security
Date: 07/26/2006 23:22:24
"Steven M. Bellovin" <smb@cs.columbia.edu> writes:

[About how cgd selects IVs (for CBC) when a modified block gets
reencrypted.]

> I believe it's the same IV; anything else either requires an extra pass or
> extra space.

There seem to be two ways to work around this problem: 

(1) Integrate the IVs in the filesystem (that is, the IVs are somehow
    part of the metadata of the filesystem).  Then you would have a
    natural place to store the IVs.

(2) Use a tweakable block cipher with the same block size as the block
    size used on the disk (the ``tweak'' would be the block number or
    something similar).  This might be the cleanest solution, but
    tweakable block ciphers with, say, a 512 byte block length are not
    particularly common (if I recall correctly, Rogaway had a nice
    paper at Asiacrypt maybe 2004 about this).  But this still suffers
    from the problem that modifications can be detected (that is, you
    can tell which blocks on the disk have been modified).

Active attacks on disk encryption seem to be hard to protect against.

-- Johan
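Added example (not part of the thread, and not code from the disk-encryption software it discusses): a script that shows what an observer who compares two snapshots of the disk learns when one 16-byte block of a 512-byte sector is rewritten with a single bit flipped, under the three strategies discussed above. Assumptions: a toy 4-round Feistel network keyed with HMAC-SHA256 stands in for the real block cipher so the script runs with only the standard library; keys, sector number and plaintext are constructed values; the "metadata" IV of option (1) is derived from a per-sector write counter, which is one way of realising that option; and option (2) is shown in its narrow-block form (one tweakable 16-byte cipher call per block, as XTS-like schemes do), with the tweak offset simplified to the encryption of (sector number, block index) under a second key rather than the exact XEX offset schedule.

```python
import hashlib
import hmac

BLOCK = 16                  # cipher block size in bytes
SECTOR = 512                # disk sector size in bytes
NBLOCKS = SECTOR // BLOCK   # 32 cipher blocks per sector


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_block(key, block):
    """Toy 16-byte block cipher: 4-round Feistel network with HMAC-SHA256
    as round function (assumption: a stand-in for AES, so the script runs
    with the standard library only).  Any Feistel network is a
    permutation, which is all the leakage argument below relies on."""
    l, r = block[:8], block[8:]
    for rnd in range(4):
        f = hmac.new(key, bytes([rnd]) + r, hashlib.sha256).digest()[:8]
        l, r = r, _xor(l, f)
    return l + r


def decrypt_block(key, block):
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        f = hmac.new(key, bytes([rnd]) + l, hashlib.sha256).digest()[:8]
        l, r = _xor(r, f), l
    return l + r


def cbc_encrypt(key, iv, sector):
    out, prev = [], iv
    for i in range(NBLOCKS):
        prev = encrypt_block(key, _xor(sector[i * BLOCK:(i + 1) * BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for i in range(NBLOCKS):
        c = ct[i * BLOCK:(i + 1) * BLOCK]
        out.append(_xor(decrypt_block(key, c), prev))
        prev = c
    return b"".join(out)


def iv_from_sector_number(key, sector_no):
    """Fixed IV: a function of the sector number only, so every rewrite of
    the same sector reuses it (the case the thread is about)."""
    return encrypt_block(key, sector_no.to_bytes(BLOCK, "big"))


def iv_from_metadata(key, sector_no, write_counter):
    """Option (1): a per-sector write counter kept in filesystem metadata
    (assumed layout) gives every rewrite a fresh IV."""
    return encrypt_block(key, sector_no.to_bytes(8, "big") + write_counter.to_bytes(8, "big"))


def tweakable_encrypt_sector(key, tweak_key, sector_no, sector):
    """Option (2), narrow-block form: each 16-byte block goes through an
    LRW/XEX-style tweakable cipher E_K(P xor D) xor D, where the offset D
    is the encryption of the tweak (sector number, block index) under a
    second key.  Simplified for illustration, not the exact XEX schedule."""
    out = []
    for i in range(NBLOCKS):
        delta = encrypt_block(tweak_key, sector_no.to_bytes(8, "big") + i.to_bytes(8, "big"))
        p = sector[i * BLOCK:(i + 1) * BLOCK]
        out.append(_xor(encrypt_block(key, _xor(p, delta)), delta))
    return b"".join(out)


def changed_blocks(old_ct, new_ct):
    """Indices of the ciphertext blocks that differ between two snapshots
    of a sector: exactly what an observer of the raw disk learns."""
    return [i for i in range(NBLOCKS)
            if old_ct[i * BLOCK:(i + 1) * BLOCK] != new_ct[i * BLOCK:(i + 1) * BLOCK]]


def leakage_demo(modified_block=20):
    """Flip one bit in one 16-byte block of a sector, rewrite the sector,
    and report which ciphertext blocks changed under each strategy."""
    key, tweak_key, sector_no = b"K" * 32, b"T" * 32, 4711   # constructed values
    before = bytes(range(256)) * 2                            # constructed 512-byte sector
    after = bytearray(before)
    after[modified_block * BLOCK] ^= 0x01
    after = bytes(after)

    fixed_iv = iv_from_sector_number(key, sector_no)
    iv0, iv1 = iv_from_metadata(key, sector_no, 0), iv_from_metadata(key, sector_no, 1)
    return {
        "cbc_fixed_iv": changed_blocks(cbc_encrypt(key, fixed_iv, before),
                                       cbc_encrypt(key, fixed_iv, after)),
        "cbc_fresh_iv": changed_blocks(cbc_encrypt(key, iv0, before),
                                       cbc_encrypt(key, iv1, after)),
        "tweakable": changed_blocks(tweakable_encrypt_sector(key, tweak_key, sector_no, before),
                                    tweakable_encrypt_sector(key, tweak_key, sector_no, after)),
    }


if __name__ == "__main__":
    for name, blocks in leakage_demo().items():
        print(f"{name:13s} changed ciphertext blocks: {blocks}")
```

With the fixed IV the ciphertext is unchanged up to the first modified block and differs from there to the end of the sector, so the observer learns the position of the first change; with a fresh IV from the metadata every block changes and only the fact that the sector was rewritten leaks; with the per-block tweakable cipher exactly the modified block changes. A wide-block tweakable cipher with a 512-byte block, as the mail asks for, would behave like the fresh-IV case on rewrite (the whole sector's ciphertext changes) without any stored IVs, which is why the mail calls it the cleanest option while noting that the rewrite itself remains visible.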