On 06.02.2013 11:06, Stavros Kousidis wrote: > > One essential issue that concerns full disk encryption on SSDs, that I > have not seen in a mail discussion here so far (might be there and I > simply missed it), is the distribution of an uncontrollable amount of > copies of SSD-page contents (~4096 Bytes) where only a limited number > of blocks (~16 Bytes) have changed. This is initiated by local changes > in userspace data and technically due to the complex nature of the > flash translation layer (mainly wear leveling techniques), the > narrow-block encryption modes (here: XTS) and sector-wise constant > IVs. In Cipher-block chaining mode the position where a bit-flip > happened is visible in principle. Let me paraphrase, you are worried about someone physically ripping the SSD out of your computer, desoldering the chips and reverse engeneering the wear-leveling. In the off-change that there actually are several generations of a somehow vulnerable block (or several) and the changes would tell the attacker "something". With the slight variatians: a) Somone with root-priviles making full-copies of the device at different points in time b) Somone with root-priviledes and the SSD containing some vendor specific commands to read the RAW contents of the flash and/or possibility to get older versions of blocks (at different points in time) c) Taking the SSD out and making full copies at different points in time. d) c in variant b e) Things that don't come to my mind In short: I would worry about these things, before i worry about POTENTIAL information leakage of several generations of a specific block. In all cases you already need a vulnerability to even get to the information. I don't say the theoretical vulnerability doesn't exist, but there are things much more serious before worrying about such theoretical things. Among the first i would worry about: The so called "cold-boot attack". At least for cases were you worry about someone with physical access. I would call this is a typical case for the: "Law Of Diminishing Returns" There is a gain, but the amount of work is disproportional. -- Matthias _______________________________________________ dm-crypt mailing list dm-crypt@xxxxxxxx http://www.saout.de/mailman/listinfo/dm-crypt
