On Mon, 28 May 2007, markus reichelt wrote:
"Loop-AES is more secure than dm-crypt (and possibly faster),
although it requires a custom kernel module and is more work to
install than dm-crypt." => But no justification given regarding
the security aspect.
in that example they use kernel 2.6.8 (hint hint)
Since no justification regarding the security aspect was given, I don't
see how the kernel version would matter at all. Did you have a certain
bug with 2.6.8 in mind? (Debian oldstable is still using 2.6.8).
http://mail.nl.linux.org/linux-crypto/2006-09/msg00008.html ->
"Both cryptoloop and dm-crypt in kernels prior to 2.6.10 are
vulnerable, and even recent dm-crypt still suffers from a weak
crypto implementation." => I will be using 2.6.20, which allows
for LRW mode and thus solves the watermark problem. -> "dm-crypt...
which leaks location of changed data in some unusual situations."
" ... not a big problem." = don't worry about this.
Here the kernel version *does* matter, IOW the watermark attacks have
been fixed in 2.6.10 (see "dm-crypt: new IV mode ESSIV" changelog
entry). So "not a big problem" should read "not an issue any more since
12/2004", no?
=> What exactly consists this leak and has it been fixed?
This means that loop-aes hides the position of changed ciphertext
better than dm-crypt. A change of one byte in a 512 byte sector will
cause 16 bytes to change in dm-crypt and 512 bytes (the whole sector)
in loop-aes. If an attacker has access to changed ciphertext this
could be a problem.
Hm, "changed ciphertext": but that means that the attacker has already
access to the underlying device and can read the encrypted and
*currently changing data*. But I think "changing ciphertext"
happens only when the device is mounted (so someone unlocked the
partition) in which case the attacker would be better off to just read
the plaintext.
However, I am not sure what's "better" from the attackers' POV to get
the (password to) the key: known (changing) ciphertext or known
plaintext. My guess would be "a combination of both"...
But in case an attacker has access to your
ciphertext you already got a bigger problem.
Yes, indeed :)
C.
--
BOFH excuse #197:
I'm sorry a pentium won't do, you need an SGI to connect with us.
-
Linux-crypto: cryptography in and on the Linux system
Archive: http://mail.nl.linux.org/linux-crypto/
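The "position of changed ciphertext" point above, as an added example (not code from the thread, nor from dm-crypt or loop-AES): one plaintext byte of a 512-byte sector is flipped and the sector re-encrypted with the same key and sector IV, and the code counts how many 16-byte ciphertext blocks differ. Independent per-block encryption stands in for a narrow-block mode such as the LRW mode mentioned above (its per-block tweak does not change this diffusion property), while CBC chaining within the sector is shown as the contrast; key, IV and sector contents are constructed demo values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
)

const sectorSize, blockSize = 512, 16

// encryptSector encrypts one 512-byte sector under key. With chained=false each
// 16-byte block is encrypted on its own (a stand-in for a narrow-block mode such
// as LRW/XTS, whose per-block tweak does not change this diffusion property); with
// chained=true the blocks are CBC-chained under a per-sector IV, as dm-crypt's
// cbc-plain / cbc-essiv do.
func encryptSector(key, iv, sector []byte, chained bool) []byte {
	blk, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(sector))
	if chained {
		cipher.NewCBCEncrypter(blk, iv).CryptBlocks(out, sector)
		return out
	}
	for i := 0; i < len(sector); i += blockSize {
		blk.Encrypt(out[i:i+blockSize], sector[i:i+blockSize])
	}
	return out
}

// changedBlocks flips one plaintext byte at offset off, re-encrypts the sector in
// place (same key, same sector IV, as a rewrite of the same sector would) and
// returns how many 16-byte ciphertext blocks differ between old and new ciphertext.
func changedBlocks(off int, chained bool) int {
	key := bytes.Repeat([]byte{0x42}, 16) // constructed demo key
	iv := bytes.Repeat([]byte{0x07}, 16)  // constructed sector IV
	sector := bytes.Repeat([]byte("sector data "), sectorSize/12+1)[:sectorSize]
	modified := append([]byte(nil), sector...)
	modified[off] ^= 0x01
	c1 := encryptSector(key, iv, sector, chained)
	c2 := encryptSector(key, iv, modified, chained)
	n := 0
	for i := 0; i < sectorSize; i += blockSize {
		if !bytes.Equal(c1[i:i+blockSize], c2[i:i+blockSize]) {
			n++
		}
	}
	return n
}
```

With independent blocks an observer of both ciphertexts learns exactly which 16-byte block was rewritten; with in-sector CBC chaining every block from the changed one to the end of the sector differs, so only the first changed block's position is revealed.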