Re: Vulnerability in encrypted loop device for Linux

On Wed, 19 Dec 2001, Gisle Sælensminde wrote:

>
> Yes, this is a problem with loopback crypto. The problem is that the
> loopback interface assumes that it is length preserving, and that makes
> insertion of a MAC difficult.

The problem can partially be solved in a length-preserving way. Before
the data is encrypted, a so-called 'all or nothing transform' is applied
to the data. That is a length-preserving function f(x) -> y such that
a modification of any block in y, giving y', will make f^-1(y') differ
from x in all blocks. Ronald Rivest has written a paper on this.

Ronald Rivest himself proposes one such mode based on a block cipher.
Another possible transform is to use the DFFT (discrete fast Fourier
transform) as f and the IDFFT (the inverse) as f^-1. If E(k,v,P) encrypts
a block with IV v, and D(k,v,C) decrypts it, encryption is changed to
C = E(k,v,f(P)), and decryption to P = f^-1(D(k,v,C)). This transform will
make it hard to insert chosen ciphertexts, as Jerome Etienne's paper describes.

It will not solve all problems. That is theoretically impossible
without adding redundancy.

--
Gisle Sælensminde ( gisle@xxxxxxxxx )

With sufficient thrust, pigs fly just fine. However, this is not
necessarily a good idea. It is hard to be sure where they are going
to land, and it could be dangerous sitting under them as they fly
overhead. (from RFC 1925)

-
Linux-crypto:  cryptography in and on the Linux system
Archive:       http://mail.nl.linux.org/linux-crypto/
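The construction in the message above, C = E(k,v,f(P)) with an all-or-nothing transform as f, as an added example that is not code from the list post or from the loop-device driver. It uses Rivest's package transform (the block-cipher based AONT from his 1997 paper) with HMAC-SHA256 standing in for the keyed block function E(K, i); the outer "cipher" is a toy 4-round Feistel network built from SHA-256 so that the script needs nothing outside the standard library, and it is not a real cipher. The sector contents, keys and IV are constructed sample values. One caveat worth noting: the package transform adds one block (the one carrying the session key), so the pseudo-message is one block longer than the sector, and a real loop-device implementation would have to find room for that block somewhere.

```python
"""
Added example (not from the list post): an all-or-nothing transform in
front of length-preserving CBC encryption. A one-bit change to one
ciphertext block garbles every plaintext block once the AONT is in
place, but only two blocks without it (one garbled, one with a
controlled bit flip), which is what makes chosen-ciphertext edits of an
encrypted loop device practical.

Standard library only. The block cipher is a toy 4-round Feistel
network built from SHA-256, NOT a real cipher; it only gives CBC mode
something to run on. The AONT is Rivest's package transform with
HMAC-SHA256 standing in for the keyed block function E(K, i).
"""
import hashlib
import hmac
import os

BLOCK = 16                       # block size in bytes
PUBLIC_K0 = bytes(range(BLOCK))  # fixed, public key K0 of the package transform


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _feistel_f(key: bytes, half: bytes, rnd: int) -> bytes:
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(4):
        left, right = right, _xor(left, _feistel_f(key, right, rnd))
    return left + right


def toy_block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _feistel_f(key, left, rnd)), left
    return left + right


def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Length-preserving CBC, the mode a loop device would use."""
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = toy_block_encrypt(key, _xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        c = data[i:i + BLOCK]
        out.append(_xor(toy_block_decrypt(key, c), prev))
        prev = c
    return b"".join(out)


def _prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()[:BLOCK]


def package_transform(msg: bytes, session_key: bytes = b"") -> bytes:
    """Rivest's package transform: m'_i = m_i ^ E(K', i) for i < n, plus an
    extra block m'_n = K' ^ h_0 ^ ... ^ h_{n-1} with h_i = E(K0, m'_i ^ i)."""
    n = len(msg) // BLOCK
    k = session_key or os.urandom(BLOCK)   # K', a fresh random block
    pseudo = [_xor(msg[i * BLOCK:(i + 1) * BLOCK], _prf(k, i.to_bytes(4, "big")))
              for i in range(n)]
    tail = k
    for i, mp in enumerate(pseudo):
        tail = _xor(tail, _prf(PUBLIC_K0, _xor(mp, i.to_bytes(BLOCK, "big"))))
    return b"".join(pseudo) + tail


def package_inverse(pseudo: bytes) -> bytes:
    n = len(pseudo) // BLOCK - 1
    blocks = [pseudo[i * BLOCK:(i + 1) * BLOCK] for i in range(n + 1)]
    k = blocks[n]                      # recovering K' needs every block intact
    for i in range(n):
        k = _xor(k, _prf(PUBLIC_K0, _xor(blocks[i], i.to_bytes(BLOCK, "big"))))
    return b"".join(_xor(blocks[i], _prf(k, i.to_bytes(4, "big"))) for i in range(n))


def decrypt_after_bitflip(key, iv, plaintext, use_aont, flip_block=3, session_key=b""):
    """Encrypt a sector, flip one ciphertext bit in block `flip_block` as an
    attacker with write access to the backing file could, then decrypt."""
    data = package_transform(plaintext, session_key) if use_aont else plaintext
    ct = bytearray(cbc_encrypt(key, iv, data))
    ct[flip_block * BLOCK] ^= 0x01
    pt = cbc_decrypt(key, iv, bytes(ct))
    return package_inverse(pt) if use_aont else pt


def changed_blocks(original: bytes, recovered: bytes) -> list:
    """Indices of plaintext blocks that no longer match the original."""
    return [i for i in range(len(original) // BLOCK)
            if original[i * BLOCK:(i + 1) * BLOCK] != recovered[i * BLOCK:(i + 1) * BLOCK]]


# Constructed sample sector: 8 blocks of 16 bytes each; constructed key and IV.
SECTOR = b"".join(b"block %02d of sect" % i for i in range(8))
KEY, IV = b"k" * BLOCK, b"v" * BLOCK

if __name__ == "__main__":
    plain = decrypt_after_bitflip(KEY, IV, SECTOR, use_aont=False)
    aont = decrypt_after_bitflip(KEY, IV, SECTOR, use_aont=True)
    print("plain CBC, blocks changed:", changed_blocks(SECTOR, plain))
    print("AONT + CBC, blocks changed:", changed_blocks(SECTOR, aont))
```

Without the transform the attacker's flip in ciphertext block 3 shows up as a garbled block 3 and a single controlled bit flip in block 4, exactly the lever a chosen-ciphertext edit uses; with the package transform in front, the corrupted pseudo-blocks yield a wrong session key K' and all eight plaintext blocks come out garbled. The attacker still cannot be detected (there is no redundancy to check), which is the author's closing point.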
