* Phil Grundig <wdef200@xxxxxxxxxxx> wrote:
> That doesn't help the attacker much (at all?) in attempting to
> break the encryption though, but it does negate plausible
> deniability?

Given that plausible deniability is very hard to achieve, I'm curious
about the specific setup you had in mind.

> > 16 bytes of known plaintext starting at any (except first) 16
> > byte boundary on a disk sector allows adversary to try brute
> > force attack for one AES key.
>
> And, if successful, an attacker only gets a single line of the
> multiline key, yielding a "venetian blind" view of the data. Unless
> they repeat the attack on other known plaintext sectors to get more
> lines of the multiline key. Is that a correct understanding?

Well, "only" is already too much: The advantage of loop-AES over
dm-crypt f.e. is that the key can be stored on a separate medium. Even
the knowledge of which encryption algorithm is used can be withheld from
the attacker.

Keep in mind that an attacker, always, must be prevented from gaining
ANY information at all about the crypto implementation used, because
any information about it helps the attacker, to some extent. Also, the
question always is if the information obtained is of practical use to
the attacker.

> How many bytes is each single slice on the disk that is encrypted
> with one line of the key? (Is it 512?).

As I understand it, loop-AES just encrypts sectors. Usually they are
512-byte sized but if you look at CDs and exotic media, there's other
sizes.

> > But 128/192/256 bits of key space is too much to brute
> > force.
>
> Would "brute forcing" be the correct terminology here?

Yes.

> If the plaintext and ciphertext are known, then the key for that
> sector can be deduced?

It would be very bad if that were the case. If the cipher is weak, if a
known/chosen-plaintext attack was successful, then the key could be
deduced with justifiable effort. Keep in mind that a considerable amount
of time and effort has been spent on breaking ciphers like AES, twofish,
serpent, ..., including utilizing both known cipher- and plaintexts. So
far no public knowledge exists of a successful attack. Still, the best
(fastest) way to break any encryption is rubber-hose cryptanalysis.

> I thought brute forcing meant simply trying keys
> on the ciphertext (without knowing the plaintext) until the
> ciphertext decrypted.

So far, to my knowledge, the AES algorithm can withstand attacks you
describe in a way that a brute force attack is the way to go. Of course
we don't know about the knowledge of the NSA, but recently there was an
intriguing attack published, read more about it at

http://en.wikipedia.org/wiki/Cube_attack

I don't fully understand it, but the nature of the attack itself seems
to be worthwhile to pursue (there was some excited chatter about it on
crypto mailing lists).

-- 
left blank, right bald
loop-AES FAQ: http://mareichelt.de/pub/texts.loop-aes.php#faq
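Added example, not part of the thread and not loop-AES's own code: a simplified Go model of the two points discussed above, namely that a known 16-byte plaintext block at a non-first block boundary lets a single candidate key be confirmed with one AES block operation (so the only protection is the size of the key space), and that recovering one line of a multi-line key exposes only every Nth sector, the "venetian blind". The key count of 64, CBC mode and an IV derived from the sector number are assumptions of this model, not a description of loop-AES's actual construction; the keys and plaintext are constructed sample data.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

const (
	SectorSize = 512 // the usual sector size mentioned in the thread
	KeyCount   = 64  // assumption: a 64-line multi-line key, one line per sector residue
)

// NewKeyRing builds KeyCount random AES-256 keys (constructed sample keys).
func NewKeyRing() [][]byte {
	keys := make([][]byte, KeyCount)
	for i := range keys {
		k := make([]byte, 32)
		if _, err := rand.Read(k); err != nil {
			panic(err)
		}
		keys[i] = k
	}
	return keys
}

// sectorIV derives a per-sector IV from the sector number (assumption of this model).
func sectorIV(sector uint64) []byte {
	iv := make([]byte, aes.BlockSize)
	binary.BigEndian.PutUint64(iv[8:], sector)
	return iv
}

// KeyIndex selects which line of the multi-line key encrypts a given sector.
func KeyIndex(sector uint64) int { return int(sector % KeyCount) }

func cryptSector(key []byte, sector uint64, in []byte, encrypt bool) []byte {
	if len(in) != SectorSize {
		panic("sector must be exactly SectorSize bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, SectorSize)
	if encrypt {
		cipher.NewCBCEncrypter(block, sectorIV(sector)).CryptBlocks(out, in)
	} else {
		cipher.NewCBCDecrypter(block, sectorIV(sector)).CryptBlocks(out, in)
	}
	return out
}

// EncryptSector / DecryptSector apply the key line chosen by the sector number.
func EncryptSector(keys [][]byte, sector uint64, plain []byte) []byte {
	return cryptSector(keys[KeyIndex(sector)], sector, plain, true)
}
func DecryptSector(keys [][]byte, sector uint64, ct []byte) []byte {
	return cryptSector(keys[KeyIndex(sector)], sector, ct, false)
}

// CandidateKeyMatches checks one guessed key against a known 16-byte plaintext
// block at a non-first block boundary. In CBC, C_j = E_k(P_j XOR C_{j-1}), so the
// previous ciphertext block stands in for the IV and a single AES block operation
// confirms or rejects the guess. The cost of one check is tiny; what protects the
// data is that there are 2^256 (or 2^128/2^192) guesses to make.
func CandidateKeyMatches(candidate, prevCipher, knownPlain, knownCipher []byte) bool {
	block, err := aes.NewCipher(candidate)
	if err != nil {
		return false
	}
	x := make([]byte, aes.BlockSize)
	for i := range x {
		x[i] = knownPlain[i] ^ prevCipher[i]
	}
	got := make([]byte, aes.BlockSize)
	block.Encrypt(got, x)
	return bytes.Equal(got, knownCipher)
}

// ExposedSectors lists the sectors that become readable if one line of the
// multi-line key is recovered: every KeyCount-th sector, the "venetian blind".
func ExposedSectors(compromisedIdx int, totalSectors uint64) []uint64 {
	var out []uint64
	for s := uint64(0); s < totalSectors; s++ {
		if KeyIndex(s) == compromisedIdx {
			out = append(out, s)
		}
	}
	return out
}

func main() {
	keys := NewKeyRing()
	plain := bytes.Repeat([]byte("known plaintext!"), SectorSize/aes.BlockSize) // constructed
	ct := EncryptSector(keys, 67, plain)
	// The second block (offset 16) is known; its predecessor ct[0:16] replaces the IV.
	fmt.Println("right key line confirmed:", CandidateKeyMatches(keys[KeyIndex(67)], ct[:16], plain[16:32], ct[16:32]))
	fmt.Println("wrong key line rejected: ", !CandidateKeyMatches(keys[0], ct[:16], plain[16:32], ct[16:32]))
	fmt.Println("sectors exposed by key line 3 on a 256-sector disk:", ExposedSectors(3, 256))
}
```

Run it and the last line shows only sectors 3, 67, 131 and 195 readable with one recovered key line; every other key line would need its own known-plaintext sector, which is the repetition the thread describes.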