Re: Loop-AES and Twofish on 64-bit CPU

Peter_22@xxxxxx wrote:
> "Gisle Sælensminde" <Gisle.Salensminde@xxxxxxxxxxx> wrote:
> >[...] One such weak link in earlier versions of
> > loop-aes (and as far as I know, still in cryptoloop) was the way each
> > block was encrypted, which allowed an attacker to see the location
> > of the first change in each disk block when it changed. In that case, it
> > would not have helped with several loop devices or double encryption.
> > While the seriousness of the attack can be argued about, it shows that
> > several layers of encryption may not help if an attack is on a different
> > part of the system.
> 
> Oh, that just reminds me of some guy called "Clemens Fruhwirth".
> (http://clemens.endorphin.org/aboutme)
> Maybe you want to visit his page. "I brought an 586/686 assembler version
> of AES to the kernel, then started to work on dm-crypt. I invented and
> implemented ESSIV for dm-crypt, and tried to implement another nice
> encryption mode, called LRW."
> I wondered what LRW might be ever since he mentioned it here.

LRW mode is more vulnerable to changed location disclosure than CBC mode.
That is because each ciphertext block depends on only one plaintext block
and the encryption keys. In CBC mode, ciphertext also depends on preceding
plaintext blocks. The way the IV is computed in loop-AES makes all ciphertext
blocks depend on all plaintext blocks in 512 byte sector.

IOW, loop-AES provides better protection against changed location disclosure
than dm-crypt, cryptoloop, or ecryptfs.

-- 
Jari Ruusu  1024R/3A220F51 5B 4B F9 BB D3 3F 52 E9  DB 1D EB E3 24 0E A9 DD

-
Linux-crypto:  cryptography in and on the Linux system
Archive:       http://mail.nl.linux.org/linux-crypto/
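The three dependency patterns described above, as an added worked example that is not part of the original thread and not code from loop-AES, dm-crypt, cryptoloop or LRW. It assumes a 16-byte Feistel permutation built from HMAC-SHA256 in place of AES (standard library only); an LRW-like mode whose per-position mask is a keyed hash of (sector, block index) rather than the GF(2^128) multiply of real LRW (the leak pattern is the same because the mask depends only on position); a CBC mode whose IV is the sector number, standing in for the plain sector IV of cryptoloop/dm-crypt; and a CBC mode whose IV is a keyed hash of plaintext blocks 1..31 of the sector, standing in for the loop-AES idea that every ciphertext block depends on the whole sector (the actual loop-AES IV derivation is not reproduced). Keys, sector number and sector contents are constructed. One bit is flipped in one block of a 512-byte sector and the code reports which ciphertext blocks an observer of the disk image sees change.

```python
import hashlib
import hmac

BLOCK = 16      # cipher block size in bytes
SECTOR = 512    # disk sector size in bytes
ROUNDS = 4      # Feistel rounds of the stand-in block cipher

# Constructed fixed keys and sample sector; not real key material.
KEY = b"block-cipher-key".ljust(32, b"\x00")
TWEAK_KEY = b"lrw-tweak-key".ljust(32, b"\x00")
IV_KEY = b"iv-derivation-key".ljust(32, b"\x00")
SECTOR_NO = 1234
SAMPLE_PLAINTEXT = bytes(range(256)) * 2   # 512 bytes of constructed data

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key, i, half):
    # Keyed Feistel round function: HMAC-SHA256 truncated to one 8-byte half.
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]

def block_encrypt(key, block):
    # 16-byte Feistel permutation standing in for AES (assumption, not AES).
    l, r = block[:8], block[8:]
    for i in range(ROUNDS):
        l, r = r, _xor(l, _round(key, i, r))
    return l + r

def block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for i in reversed(range(ROUNDS)):
        l, r = _xor(r, _round(key, i, l)), l
    return l + r

def split(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def _tweak(tweak_key, sector_no, j):
    # LRW-style per-position mask. Real LRW uses K2 * index in GF(2^128);
    # a keyed hash of the position is assumed here and leaks identically.
    return hmac.new(tweak_key, b"%d:%d" % (sector_no, j), hashlib.sha256).digest()[:BLOCK]

def lrw_like_encrypt(key, tweak_key, sector_no, plaintext):
    # C_j = E(P_j ^ T_j) ^ T_j: each ciphertext block depends on one plaintext block.
    out = []
    for j, p in enumerate(split(plaintext)):
        t = _tweak(tweak_key, sector_no, j)
        out.append(_xor(block_encrypt(key, _xor(p, t)), t))
    return b"".join(out)

def cbc_encrypt(key, iv, plaintext):
    out, prev = [], iv
    for p in split(plaintext):
        prev = block_encrypt(key, _xor(p, prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ciphertext):
    out, prev = [], iv
    for c in split(ciphertext):
        out.append(_xor(block_decrypt(key, c), prev))
        prev = c
    return b"".join(out)

def sector_iv(sector_no):
    # Sector-number IV in the spirit of cryptoloop / dm-crypt plain IV (assumed layout).
    return sector_no.to_bytes(BLOCK, "little")

def plaintext_iv(iv_key, plaintext_tail):
    # IV derived from plaintext blocks 1..31 (assumption: stand-in for the
    # loop-AES idea; loop-AES's own IV derivation is not reproduced here).
    return hmac.new(iv_key, plaintext_tail, hashlib.sha256).digest()[:BLOCK]

def ptiv_encrypt(key, iv_key, plaintext):
    return cbc_encrypt(key, plaintext_iv(iv_key, plaintext[BLOCK:]), plaintext)

def ptiv_decrypt(key, iv_key, ciphertext):
    # Blocks 1..31 decrypt as ordinary CBC (each needs only the previous
    # ciphertext block); the IV is then recomputed from them to unlock block 0.
    c = split(ciphertext)
    tail = b"".join(_xor(block_decrypt(key, c[j]), c[j - 1]) for j in range(1, len(c)))
    return _xor(block_decrypt(key, c[0]), plaintext_iv(iv_key, tail)) + tail

def changed_blocks(c1, c2):
    return {j for j, (a, b) in enumerate(zip(split(c1), split(c2))) if a != b}

def leakage_demo(changed_block=10):
    # Flip one bit inside the given block of the sample sector and report,
    # per mode, the ciphertext block indices an observer sees change.
    p1 = SAMPLE_PLAINTEXT
    p2 = bytearray(p1)
    p2[changed_block * BLOCK + 3] ^= 0x01
    p2 = bytes(p2)
    return {
        "lrw_like": changed_blocks(lrw_like_encrypt(KEY, TWEAK_KEY, SECTOR_NO, p1),
                                   lrw_like_encrypt(KEY, TWEAK_KEY, SECTOR_NO, p2)),
        "cbc_sector_iv": changed_blocks(cbc_encrypt(KEY, sector_iv(SECTOR_NO), p1),
                                        cbc_encrypt(KEY, sector_iv(SECTOR_NO), p2)),
        "cbc_plaintext_iv": changed_blocks(ptiv_encrypt(KEY, IV_KEY, p1),
                                           ptiv_encrypt(KEY, IV_KEY, p2)),
    }

if __name__ == "__main__":
    for mode, blocks in leakage_demo().items():
        print(f"{mode:18s} changed blocks: {sorted(blocks)}")
```

With the bit flipped in block 10, the LRW-like mode changes only ciphertext block 10, sector-IV CBC changes blocks 10 through 31 (so the position of the first change is exposed), and the plaintext-derived-IV CBC changes all 32 blocks. The IV in the last mode is computed over blocks 1..31 rather than the whole sector so that the decryptor can recover it without storing it: it decrypts blocks 1..31 as plain CBC, recomputes the IV, and then recovers block 0. Because the block cipher is a permutation, the CBC and LRW-like results are exact rather than probabilistic; only the plaintext-IV case relies on the HMAC not colliding.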