On Jul 15, 2004, at 7:28 PM, Andrew Johnson wrote:
Hi All,
I've been reading a lot of information regarding dm-crypt and cryptoloop vulnerability to known-plaintext and watermark attacks. I was wondering if the following dm-crypt setup method would solve the known-plaintext attack:
1. Encryption key generation and encryption using GPG:
head -c 32 /dev/urandom > secure.key
gpg -c --cipher-algo AES256 secure.key
2. Secure volume creation using dm-crypt:
/usr/bin/gpg -q --cipher-algo AES256 --decrypt secure.key.gpg | \
    /usr/local/bin/cryptsetup create secure_dev /dev/hdaX
This sort of password set-up is exactly what I proposed in my disk encryption write-up for Gentoo users ( http://www.sdc.org/~leila/usb-dongle/ ).
I think that a random password is a good idea in any event, and probably protects from one of the attacks mentioned recently.
I do NOT yet have a firm grasp of the issue, but it probably would NOT protect against a watermark attack (which is a chosen-plaintext attack). The problem there is the treatment of the per-sector password for the block encryption: loop-AES runs through a number of iterations, dm-crypt and cryptoloop do not.
I started to become concerned with the cryptoloop implementation earlier this week when I was looking at how OpenBSD and FreeBSD do disk encryption -- they take some pains to obfuscate the "sector-ID-ness" of the block encryption. (GBDE of FreeBSD seems that it would be particularly strong against watermark attack.)
Bottom line is that dm-crypt is better with the pure-random password that you propose, but probably still not the best implementation available. But I am clueless, really. I do hope that we get more comments on this!
~ boyd
Boyd Waters
National Radio Astronomy Observatory
Socorro, New Mexico
http://www.aoc.nrao.edu/~bwaters
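The per-sector treatment Boyd is pointing at is the initialisation vector fed to CBC for each sector. The following Go program is an added illustration, not code from either poster, from dm-crypt or from loop-AES: it contrasts the "plain" scheme (IV = sector number, which cryptoloop used) with ESSIV (IV = sector number encrypted under a hash of the volume key, which dm-crypt supports as cbc-essiv:sha256). It encrypts the kind of plaintext a watermark attack depends on, two adjacent sectors whose first block equals their own sector number, and checks whether the resulting ciphertext sectors share a first block. The 512-byte sector size, the fixed test key and the sector numbers 7 and 8 are constructed inputs for the demonstration; a real volume key comes from /dev/urandom as in Andrew's commands.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

const sectorSize = 512 // one disk sector, the unit dm-crypt encrypts independently

// plainIV is the "plain" scheme: the IV is the 64-bit little-endian sector
// number padded with zeros to the cipher block size. It is public and predictable.
func plainIV(sector uint64) []byte {
	iv := make([]byte, aes.BlockSize)
	binary.LittleEndian.PutUint64(iv, sector)
	return iv
}

// essivIV is the ESSIV scheme (cbc-essiv:sha256): the sector number is
// encrypted under a second key derived by hashing the volume key, so the IV
// of each sector cannot be predicted without the key.
func essivIV(key []byte, sector uint64) []byte {
	salt := sha256.Sum256(key)
	c, err := aes.NewCipher(salt[:]) // 32-byte digest doubles as an AES-256 key
	if err != nil {
		panic(err)
	}
	iv := make([]byte, aes.BlockSize)
	c.Encrypt(iv, plainIV(sector))
	return iv
}

// encryptSector encrypts one sector with AES-CBC under the volume key and
// the IV chosen for that sector. The sector length must be a multiple of 16.
func encryptSector(key, iv, sector []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(sector))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, sector)
	return out
}

// markedSectors builds the plaintext pattern a watermark attack relies on:
// two adjacent sectors whose first block equals their own sector number, so
// that under the plain scheme (IV XOR plaintext) is the same for both.
// Constructed test input.
func markedSectors(first uint64) (a, b []byte) {
	a = make([]byte, sectorSize)
	b = make([]byte, sectorSize)
	binary.LittleEndian.PutUint64(a, first)
	binary.LittleEndian.PutUint64(b, first+1)
	return a, b
}

// firstBlocksEqual reports whether two ciphertext sectors begin with the same
// block, the pattern a raw-volume scan would be looking for.
func firstBlocksEqual(x, y []byte) bool {
	return bytes.Equal(x[:aes.BlockSize], y[:aes.BlockSize])
}

// testKey returns a fixed, constructed 32-byte key for the demonstration only.
func testKey() []byte {
	k := make([]byte, 32)
	for i := range k {
		k[i] = byte(i)
	}
	return k
}

func main() {
	key := testKey()
	a, b := markedSectors(7)
	plain := firstBlocksEqual(encryptSector(key, plainIV(7), a), encryptSector(key, plainIV(8), b))
	essiv := firstBlocksEqual(encryptSector(key, essivIV(key, 7), a), encryptSector(key, essivIV(key, 8), b))
	fmt.Println("plain IV: first ciphertext blocks equal =", plain) // true: the pattern survives encryption
	fmt.Println("ESSIV:    first ciphertext blocks equal =", essiv) // false: the IV hides it
}
```

With the plain scheme both sectors encrypt their first block as AES(key, 0), so the marked pattern is visible on the raw device without the key; with ESSIV the two IVs differ unpredictably and the pattern disappears. Note that this is about the IV derivation, not the key: the pure-random key from Andrew's setup does nothing for this property on its own, which is Boyd's point.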
- Linux-crypto: cryptography in and on the Linux system Archive: http://mail.nl.linux.org/linux-crypto/