Christian Kujau wrote:
> # cmp -b test1.loop0 test1.loop0.altered
> test1.loop0 test1.loop0.altered differ: byte 790529, line 373 is 234 M-^\ 201 M-^A

cmp command treats offset 0 as byte 1, ok. AES has 128 bit data block size,
so each 512 byte sector has 32 cipher blocks.

First change at offset 0xC1000, first cipher block (offsets 0x000...0x00F)
within 512 byte sector. This leaks that there was a plaintext change in
offsets 0x000...0x00F of that sector.

> > 7) Now modify plaintext data again, alter 130th byte of some 512 byte
> > sector.
>
> Hm, a bit trickier for me, I used dd/vi to alter the "words" file:
>
> # vi words
> [...]
> # gpg -d /tmp/k.gpg 2>/dev/null | sudo cryptsetup luksOpen /dev/loop0 test1
> # dd if=words 2>/dev/null | sudo dd of=/dev/mapper/test1

You wrote two changes compared to previously written plaintext data. First
change at first byte, and second change at 130th (or whatever) byte. That is
because you didn't update that 's/^Abelard$/9belard/' change to 'words' file.

> # cmp -b test1.loop0.altered test1.loop0.altered.130
> test1.loop0.altered test1.loop0.altered.130 differ: byte 790529, line 373 is 201 M-^A 234 M-^\

First change at offset 0xC1000, first cipher block (offsets 0x000...0x00F)
within 512 byte sector. This leaks that there was a plaintext change in
offsets 0x000...0x00F of that sector. This is correct. For multiple changes
within one sector you only see the first one.

You will see change at 0xC1080, 9th cipher block (offsets 0x080...0x08F)
within 512 byte sector if you compare test1.loop0 and
test1.loop0.altered.130 files. Their plaintexts have difference at 9th
plaintext block (offsets 0x080...0x08F).

> > 10) Modify plaintext data again, alter last byte of some 512 byte sector.
>
> Again, with vi(1):
>
> # vi words
> [...]
> # gpg -d /tmp/k.gpg 2>/dev/null | sudo cryptsetup luksOpen /dev/loop0 test1
> # dd if=words 2>/dev/null | sudo dd of=/dev/mapper/test1

This time only one change compared to previously written plaintext data.
> # cmp test1.loop0.altered.130 test1.loop0.altered.512
> test1.loop0.altered.130 test1.loop0.altered.512 differ: char 791025, line 376

First change at offset 0xC11F0, last cipher block (offsets 0x1F0...0x1FF)
within 512 byte sector. This leaks that there was a plaintext change in
offsets 0x1F0...0x1FF of that sector.

> > If you do above test with loop-AES version 2 or 3 on-disk format,
>
> I'll do this tomorrow, after getting some sleep.

Following test is using loop-AES version 1 on-disk format (single-key mode),
which has same changed location leak problem as dm-crypt:

# dd if=/dev/zero of=/tmp/test1 bs=1024 count=1 2>/dev/null
# head -c 15 /dev/urandom | uuencode -m - | head -n 2 | tail -n 1 | losetup -e AES256 -p 0 /dev/loop7 /tmp/test1
# losetup /dev/loop7
/dev/loop7: [0703]:16 (/tmp/test1) encryption=AES256
# dd if=/dev/zero of=/dev/loop7 conv=notrunc bs=1024 count=1 2>/dev/null
# sync
# od -Ax -tx1 /tmp/test1 >/tmp/hex1
# echo -n X | dd of=/dev/loop7 conv=notrunc bs=1 seek=0 count=1 2>/dev/null
# sync
# od -Ax -tx1 /tmp/test1 >/tmp/hex2
# echo -n X | dd of=/dev/loop7 conv=notrunc bs=1 seek=129 count=1 2>/dev/null
# sync
# od -Ax -tx1 /tmp/test1 >/tmp/hex3
# echo -n X | dd of=/dev/loop7 conv=notrunc bs=1 seek=255 count=1 2>/dev/null
# sync
# od -Ax -tx1 /tmp/test1 >/tmp/hex4
# losetup -d /dev/loop7
# diff /tmp/hex1 /tmp/hex2 | head -n 2
1,32c1,32
< 000000 8e 24 91 57 d0 7a 38 75 98 85 40 de d8 8b 4a c0
# diff /tmp/hex2 /tmp/hex3 | head -n 2
9,32c9,32
< 000080 cc 1a f9 d3 71 6f e6 99 d6 74 0d 10 63 91 5c 99
# diff /tmp/hex3 /tmp/hex4 | head -n 2
16,32c16,32
< 0000f0 95 59 ad 6e 46 b3 0d 1e 81 57 44 35 56 fb 68 31

First plaintext block (offsets 0x000...0x00F) changed ->
First ciphertext block (offsets 0x000...0x00F) changed.
9th plaintext block (offsets 0x080...0x08F) changed ->
9th ciphertext block (offsets 0x080...0x08F) changed.
16th plaintext block (offsets 0x0F0...0x0FF) changed ->
16th ciphertext block (offsets 0x0F0...0x0FF) changed.
Following test is using loop-AES version 3 on-disk format (multi-key mode),
which does not have changed location leak problem:

# dd if=/dev/zero of=/tmp/test1 bs=1024 count=1 2>/dev/null
# head -c 2925 /dev/urandom | uuencode -m - | head -n 66 | tail -n 65 | losetup -e AES256 -p 0 /dev/loop7 /tmp/test1
# losetup /dev/loop7
/dev/loop7: [0703]:16 (/tmp/test1) encryption=AES256 multi-key-v3
# dd if=/dev/zero of=/dev/loop7 conv=notrunc bs=1024 count=1 2>/dev/null
# sync
# od -Ax -tx1 /tmp/test1 >/tmp/hex1
# echo -n X | dd of=/dev/loop7 conv=notrunc bs=1 seek=0 count=1 2>/dev/null
# sync
# od -Ax -tx1 /tmp/test1 >/tmp/hex2
# echo -n X | dd of=/dev/loop7 conv=notrunc bs=1 seek=129 count=1 2>/dev/null
# sync
# od -Ax -tx1 /tmp/test1 >/tmp/hex3
# echo -n X | dd of=/dev/loop7 conv=notrunc bs=1 seek=255 count=1 2>/dev/null
# sync
# od -Ax -tx1 /tmp/test1 >/tmp/hex4
# losetup -d /dev/loop7
# diff /tmp/hex1 /tmp/hex2 | head -n 2
1,32c1,32
< 000000 c9 a4 d9 03 a6 fd 37 a5 8e e7 8c a7 4d 82 a6 bc
# diff /tmp/hex2 /tmp/hex3 | head -n 2
1,32c1,32
< 000000 fd b3 c1 17 4e 5c c4 5d 87 24 8d e6 de 19 5d 2a
# diff /tmp/hex3 /tmp/hex4 | head -n 2
1,32c1,32
< 000000 58 ba c8 f6 0e 99 74 73 f7 69 2c ad 03 bb 82 8d

In above loop-AES version 3 on-disk format cases, regardless of where
plaintext changes are, all 32 cipher blocks within 512 byte sector are
changed. Above 'diff' commands show only one line of hex data, but if you
read it carefully, that '1,32c1,32' string says that 32 lines of 16 bytes
each are different.

--
Jari Ruusu  1024R/3A220F51  5B 4B F9 BB D3 3F 52 E9  DB 1D EB E3 24 0E A9 DD

-
Linux-crypto:  cryptography in and on the Linux system
Archive:       http://mail.nl.linux.org/linux-crypto/
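An added example, not part of this message nor of the loop-AES or dm-crypt code, that models in Python why the two on-disk formats tested above behave differently: CBC with a per-sector IV derived only from the sector number (the dm-crypt / loop-AES v1 case) reveals the first changed cipher block, while CBC with an IV derived from a hash of the whole sector plaintext changes every cipher block. The plaintext-hash IV is stated here as an assumption about the loop-AES multi-key-v3 mechanism (the message does not describe it), the block cipher is a keyed-hash stand-in for AES, the key and salt are constructed, and the byte positions 0, 129 and 255 match the dd seek runs above.

```python
import hashlib
import hmac

SECTOR, BLOCK = 512, 16              # 512 byte sector, 128 bit AES block
BLOCKS_PER_SECTOR = SECTOR // BLOCK  # 32 cipher blocks per sector

def block_encrypt(key: bytes, block: bytes) -> bytes:
    # Stand-in for AES-256 (keyed SHA-256 truncated to 16 bytes) so the demo needs no
    # third-party library; CBC's change-propagation only needs a deterministic keyed map.
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    out, prev = bytearray(), iv
    for i in range(0, len(plaintext), BLOCK):
        xored = bytes(a ^ b for a, b in zip(plaintext[i:i + BLOCK], prev))
        prev = block_encrypt(key, xored)
        out += prev
    return bytes(out)

def sector_iv(sector_no: int) -> bytes:
    # Per-sector IV from the sector number only (dm-crypt plain IV / loop-AES v1
    # single-key style, assumed here): independent of the plaintext.
    return sector_no.to_bytes(4, "little") + bytes(BLOCK - 4)

def plaintext_hash_iv(salt: bytes, plaintext: bytes) -> bytes:
    # Assumed loop-AES multi-key-v3 style IV: MD5 over a key-dependent salt and the
    # whole sector plaintext, so any change alters the IV and, via CBC chaining, every block.
    return hashlib.md5(salt + plaintext).digest()

def encrypt_sector(key, sector_no, plaintext, hash_iv=False, salt=b""):
    iv = plaintext_hash_iv(salt, plaintext) if hash_iv else sector_iv(sector_no)
    return cbc_encrypt(key, iv, plaintext)

def changed_blocks(ct_a: bytes, ct_b: bytes) -> list:
    # Indices of 16 byte cipher blocks that differ, as 'diff' of od output shows.
    return [i for i in range(BLOCKS_PER_SECTOR)
            if ct_a[i * BLOCK:(i + 1) * BLOCK] != ct_b[i * BLOCK:(i + 1) * BLOCK]]

def run_experiment(hash_iv: bool) -> list:
    # Replay the dd seek=0 / seek=129 / seek=255 writes on one zeroed sector.
    key = hashlib.sha256(b"constructed demo key").digest()  # constructed key
    salt = b"constructed-salt"                               # constructed salt
    states = [bytes(SECTOR)]
    for pos in (0, 129, 255):
        pt = bytearray(states[-1])
        pt[pos] = ord("X")
        states.append(bytes(pt))
    cts = [encrypt_sector(key, 0, s, hash_iv, salt) for s in states]
    return [changed_blocks(cts[i], cts[i + 1]) for i in range(len(cts) - 1)]
```

With the sector-number IV, `run_experiment(False)` reports changes starting at blocks 0, 8 and 15 (the 1st, 9th and 16th blocks seen in the v1 diffs), while `run_experiment(True)` reports all 32 blocks changed each time, matching the '1,32c1,32' lines of the v3 test.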