Christian Kujau wrote:
> On Mon, 28 May 2007, Jari Ruusu wrote:
> > Last time I looked at dm-crypt it wasn't fixed.
> >
> > If backing storage is at some remote server, and adversary can see
> > ciphertext read/write traffic, he can get snapshots of old and new
> > ciphertexts and extract some information from that.
>
> Hm, I thought this has been addressed with the introduction of ESSIV in
> 2.6.10, or is this a different issue?

It is a different issue. You can test this yourself:

1) Set up a small dm-crypt essiv AES encrypted device
2) Write some data to the plaintext device
3) Save a copy of the ciphertext
4) Write the same data again, but with the first byte of some 512 byte sector altered.
5) Compare previous and current ciphertexts. You will notice the ciphertexts will differ on the first cipherblock within that 512 byte sector. This leaked that there was a plaintext change within the first plaintext block inside that 512 byte sector.
6) Save a copy of the ciphertext
7) Now modify the plaintext data again, alter the 130th byte of some 512 byte sector.
8) Compare previous and current ciphertexts. You will notice the ciphertexts will differ on the 9th cipherblock within that 512 byte sector. This leaked that there was a plaintext change within the 9th plaintext block inside that 512 byte sector.
9) Save a copy of the ciphertext
10) Modify the plaintext data again, alter the last byte of some 512 byte sector.
11) Compare previous and current ciphertexts. You will notice the ciphertexts will differ on the last cipherblock within that 512 byte sector. This leaked that there was a plaintext change within the last plaintext block inside that 512 byte sector.

If you do the above test with loop-AES version 2 or 3 on-disk format, you will notice that all cipherblocks within the 512 byte sector change regardless of where the changed plaintext data is, thus hiding what location was changed.

loop-AES still leaks what 512 byte sectors have been modified, because the full 512 byte sector ciphertexts will be different, but such significantly lower resolution is much better than the adversary being able to pinpoint changes inside a 512 byte sector.

--
Jari Ruusu  1024R/3A220F51 5B 4B F9 BB D3 3F 52 E9  DB 1D EB E3 24 0E A9 DD

-
Linux-crypto:  cryptography in and on the Linux system
Archive:       http://mail.nl.linux.org/linux-crypto/
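The experiment in the message above, reproduced in software as an added example that is not part of the original thread or of dm-crypt or loop-AES. It assumes a toy 128-bit Feistel block cipher standing in for AES (a real permutation, which is all the CBC argument needs), builds the ESSIV IV as E_{H(key)}(sector number) exactly as ESSIV does, and uses a hash-of-plaintext IV purely as a constructed stand-in for the "every block changes" behaviour the post attributes to the loop-AES v2/v3 formats (it is not loop-AES's real on-disk IV derivation). Under CBC, the first ciphertext block that differs between two snapshots is the leak: it pins the change to one 16-byte plaintext block inside the sector.

```python
import hashlib
import hmac

BLOCK = 16      # cipher block size in bytes (AES-sized)
SECTOR = 512    # disk sector size used by dm-crypt and loop-AES


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Assumption: a 4-round Feistel network with an HMAC-SHA256 round function
    stands in for AES. It is a genuine 128-bit permutation, but not AES."""
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hmac.new(key, bytes([rnd]) + right, hashlib.sha256).digest()[:8]
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return left + right


def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Plain CBC: every ciphertext block is XORed into the next block's input,
    so a change in plaintext block i alters ciphertext blocks i..end, never earlier ones."""
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = toy_block_encrypt(key, bytes(a ^ b for a, b in zip(data[i:i + BLOCK], prev)))
        out.append(prev)
    return b"".join(out)


def essiv_iv(key: bytes, sector_no: int) -> bytes:
    """ESSIV: IV = E_{H(key)}(sector number). It depends on the sector index only,
    so rewriting the same sector reuses the same IV."""
    return toy_block_encrypt(hashlib.sha256(key).digest(), sector_no.to_bytes(BLOCK, "little"))


def encrypt_sector_essiv(key: bytes, sector_no: int, sector: bytes) -> bytes:
    assert len(sector) == SECTOR
    return cbc_encrypt(key, essiv_iv(key, sector_no), sector)


def encrypt_sector_whole_change(key: bytes, sector_no: int, sector: bytes) -> bytes:
    """Constructed stand-in (assumption, not loop-AES's real format): the IV is derived
    from the sector's own plaintext, so any plaintext change moves the IV and therefore
    every ciphertext block of the sector."""
    assert len(sector) == SECTOR
    iv = hashlib.sha256(key + sector_no.to_bytes(8, "little") + sector).digest()[:BLOCK]
    return cbc_encrypt(key, iv, sector)


def changed_blocks(old_ct: bytes, new_ct: bytes) -> list:
    """Indices of cipher blocks that differ between two ciphertext snapshots of one sector."""
    return [i for i in range(len(old_ct) // BLOCK)
            if old_ct[i * BLOCK:(i + 1) * BLOCK] != new_ct[i * BLOCK:(i + 1) * BLOCK]]


def leak_experiment(encrypt, byte_offset: int):
    """The post's procedure: write a sector, save the ciphertext, change one plaintext
    byte, write again, compare. Returns (first differing block, number of differing
    blocks), i.e. what an observer of the ciphertext traffic learns."""
    key = b"constructed-demo-key-not-for-real-use"         # constructed sample key
    sector_no = 1234
    plaintext = bytes((i * 7 + 3) & 0xFF for i in range(SECTOR))  # constructed sample data
    before = encrypt(key, sector_no, plaintext)
    modified = bytearray(plaintext)
    modified[byte_offset] ^= 0x01
    after = encrypt(key, sector_no, bytes(modified))
    changed = changed_blocks(before, after)
    return changed[0], len(changed)


if __name__ == "__main__":
    for offset in (0, 129, 511):   # the post's first, 130th and last byte of the sector
        print("ESSIV CBC    byte %3d changed -> first differing block %2d, %2d blocks differ"
              % ((offset,) + leak_experiment(encrypt_sector_essiv, offset)))
        print("whole-change byte %3d changed -> first differing block %2d, %2d blocks differ"
              % ((offset,) + leak_experiment(encrypt_sector_whole_change, offset)))
```

With ESSIV, changing byte 0, byte 129 (the 130th) and byte 511 yields first differing blocks 0, 8 and 31 (the 1st, 9th and last cipherblock, matching the post), with all later blocks of the sector changing as well; with the whole-sector stand-in, all 32 blocks differ whichever byte was touched, so only the sector-level fact "this sector was rewritten" is observable.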