On Thu, Jul 14, 2011 at 09:17:33AM +0300, Yaron Sheffer wrote: > Hi Arno, > > I agree that most practical considerations point towards encrypt-over-RAID. > > But in fact from a security point of view, it seems to me the > situation is reversed. Looking at RAID-over-encryption, I disagree > that having the same plaintext encrypted over multiple keys is a > concern with modern ciphers. You have to take into account that this is a non-moving target, i.e. disk encryption. Still, the security-loss should be small. > The real concern with most full disk > encryption (and dm-crypt in particular) is integrity protection: the > ability of an attacker to change the ciphertext undetected. This > ability is greatly hampered when the attacker needs to coordinate > the attacks on two mirrored blocks, otherwise the two copies would > not be consistent. You possibly think that not having access to the RAID superblock (as it is encrypted) will make this manipulation much harder. My take is that as soon as the attacker is on your device, he/she can patch cryptsetup and then waut until you enter your passphrase. Disk-encryption really only protects against attackers that only have access once and not while you are working on or opening the device. This applies mostly to the case whre your device is stolen. I don't agree that integrity protection has any role in ordinary scenarios. And if you have a special scenario where it plays a role, you should not use LUKS or dm-crypt anyways, as it does not offer integrity protection, plain and simple. > I haven't researched all figerprinting attacks and the interaction > with various ways of generating IVs, so my intuition may still be > proven wrong. I thing your risk model is wrong. Basically it covers attacks were the attacker has access to only the storage and at the same time can actually do something serious with data manipulation. That is a rather unlikely scenario for disk encryption. Note that for communication encryption, this is a real and valid scenario. Arno -- Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@xxxxxxxxxxx GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F ---- Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans If it's in the news, don't worry about it. The very definition of "news" is "something that hardly ever happens." -- Bruce Schneier _______________________________________________ dm-crypt mailing list dm-crypt@xxxxxxxx http://www.saout.de/mailman/listinfo/dm-crypt
